Threat Actor Exploits Proofpoint Email Routing Flaw to Send Millions of Spoofed Phishing Emails

By Admin | 2024-07-31 | Cyber Attack

An unknown threat actor has exploited an email routing misconfiguration in Proofpoint’s defenses to launch a massive phishing campaign, sending millions of spoofed emails that impersonate well-known companies such as Best Buy, IBM, Nike, and Walt Disney.

Guardio Labs researcher Nati Tal revealed in a detailed report shared with The Hacker News that the attack, dubbed EchoSpoofing, began in January 2024. The flaw allowed attackers to send up to three million emails daily, peaking at 14 million in early June as Proofpoint began implementing countermeasures.

"The most notable aspect of this attack is its sophisticated spoofing method," Tal said. "It leaves almost no indication that these emails are not from the legitimate companies."

How the Exploitation Works

The EchoSpoofing technique involves sending emails from SMTP servers hosted on virtual private servers (VPS) in a way that passes authentication checks such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), so the messages appear to come from trusted domains.

The attackers leveraged a “super-permissive misconfiguration flaw” in Proofpoint’s email routing configuration. This flaw allowed the spammers to use rogue Microsoft 365 tenants to relay spoofed emails through Proofpoint’s infrastructure, bypassing security filters.

Proofpoint’s servers were configured to relay outbound messages from Microsoft 365 tenants without specifying which tenants were allowed. This oversight enabled spammers to route their emails through Proofpoint’s relay servers, making them appear as legitimate communications from the targeted companies.
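To make the misconfiguration concrete, the following added example (not Proofpoint's code, nor anything from the Guardio report) models an outbound relay's tenant check in Python. It contrasts the permissive behaviour the article describes (relay and sign anything that arrives from a Microsoft 365 tenant) with the corrected behaviour the article attributes to Proofpoint's fix: relay only for allow-listed tenants, and only for the domains those tenants own. The header name `X-MS-Exchange-CrossTenant-Id`, the policy table, the tenant GUIDs and the four sample messages are all assumptions constructed for this example; a real deployment must check which header its relay actually trusts to identify the sending tenant.

```python
"""Model of an outbound-relay tenant check: permissive versus allow-listed.

Added example, not code from the article or from Proofpoint. All names,
headers and sample messages below are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, Iterable, NamedTuple, Optional

# Assumed header carrying the sending tenant's identifier (constructed for
# this example; verify which header your relay actually trusts).
TENANT_HEADER = "X-MS-Exchange-CrossTenant-Id"


class Decision(NamedTuple):
    accept: bool
    reason: str


def sender_domain(msg: Message) -> Optional[str]:
    """Lower-cased domain of the From: header, or None if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def relay_permissive(msg: Message, _policy: Dict[str, Iterable[str]]) -> Decision:
    """Weak behaviour: every message from any tenant is relayed and DKIM-signed."""
    return Decision(True, "relayed without any tenant check")


def relay_allowlisted(msg: Message, policy: Dict[str, Iterable[str]]) -> Decision:
    """Corrected behaviour: only allow-listed tenants, only for domains they own."""
    tenant = (msg.get(TENANT_HEADER) or "").strip().lower()
    if not tenant:
        return Decision(False, "missing tenant identifier")
    domains = policy.get(tenant)
    if domains is None:
        return Decision(False, f"tenant {tenant} not allow-listed")
    domain = sender_domain(msg)
    if domain is None:
        return Decision(False, "unparsable From: address")
    if domain not in {d.lower() for d in domains}:
        return Decision(False, f"tenant {tenant} may not send as {domain}")
    return Decision(True, f"tenant {tenant} authorised for {domain}")


# Constructed policy: one customer tenant (placeholder GUID) bound to its domains.
POLICY: Dict[str, Iterable[str]] = {
    "11111111-1111-1111-1111-111111111111": ["example.com", "mail.example.com"],
}

# Constructed sample messages (not real traffic).
LEGIT = """From: Billing <billing@example.com>
To: user@example.net
Subject: Your statement
X-MS-Exchange-CrossTenant-Id: 11111111-1111-1111-1111-111111111111

Statement attached.
"""

ROGUE_TENANT = """From: Billing <billing@example.com>
To: user@example.net
Subject: Your statement
X-MS-Exchange-CrossTenant-Id: 99999999-9999-9999-9999-999999999999

Please review.
"""

WRONG_DOMAIN = """From: Support <support@example.org>
To: user@example.net
Subject: Account notice
X-MS-Exchange-CrossTenant-Id: 11111111-1111-1111-1111-111111111111

Notice.
"""

NO_TENANT = """From: Billing <billing@example.com>
To: user@example.net
Subject: Hello

No tenant header at all.
"""


def evaluate(raw: str) -> Dict[str, Decision]:
    """Run both relay policies over one raw message and return their decisions."""
    msg = message_from_string(raw)
    return {
        "permissive": relay_permissive(msg, POLICY),
        "allowlisted": relay_allowlisted(msg, POLICY),
    }


if __name__ == "__main__":
    samples = [("legit", LEGIT), ("rogue_tenant", ROGUE_TENANT),
               ("wrong_domain", WRONG_DOMAIN), ("no_tenant", NO_TENANT)]
    for name, raw in samples:
        for mode, d in evaluate(raw).items():
            print(f"{name:13s} {mode:12s} accept={d.accept!s:5s} {d.reason}")
```

The permissive policy accepts all four samples, which is exactly the condition the article describes: any tenant could relay, and the relay signed whatever it forwarded. The allow-listed policy accepts only the message whose tenant is registered and whose From: domain belongs to that tenant; the rogue tenant, the domain the tenant does not own, and the message with no tenant identifier are all refused before any DKIM signature is applied.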


Details of the Attack

* Attackers utilized rotating VPS and multiple IP addresses to send bursts of thousands of spoofed emails.

* Emails were relayed through Microsoft 365 and Proofpoint’s infrastructure, receiving DKIM signatures as they passed through, further disguising them as legitimate.

* The spammers used a cracked version of PowerMTA, a legitimate email delivery software, to handle the email distribution.


Response and Mitigation

Proofpoint discovered the issue in March 2024 and has since implemented corrective measures, including a streamlined interface for customers to control which Microsoft 365 tenants can relay emails through their systems. The company has also reached out to affected customers to adjust their settings.

Proofpoint emphasized that no customer data was exposed or lost due to this campaign. The company is urging VPS providers to limit large volumes of outbound email and calling for email service providers to restrict new and unverified tenants from sending bulk messages or spoofing domains they do not own.

Nati Tal advises CISOs to closely monitor their organization’s cloud services and maintain control over email systems, even when using trusted providers. “Companies must be proactive in anticipating all types of threats, not just those directly impacting their own customers but the wider public as well,” Tal said. “Service providers with significant responsibilities must ensure robust defenses to protect the broader internet infrastructure.”