Proofpoint configuration problem exploited in huge spam attacks


Proofpoint is a commercial email security service aimed at protecting organizations. However, until recently a threat actor was able to abuse Proofpoint relay servers to spoof authenticated emails that seemed to come from brand names like Disney+, Fox News, Coca-Cola, Nike, IBM and others.

Researchers at Guardio Labs call the technique echo spoofing, and say the campaign behind it has been sending millions of phony emails since January.

“These emails echoed from official Proofpoint email relays with authenticated SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail, an email authentication method that helps prevent impersonation of a legitimate domain) signatures, thus bypassing major security protections,” the researchers said in a report released Monday.

The goal: To deceive email recipients and steal funds and credit card details.

For example, a recipient would get an email that looked like it came from disney.com saying their Disney+ account had expired and asking them to take action. Clicking on the included link sends victims to a fake Disney page with a tempting offer.

Spoofing the “FROM” address is supposed to be caught by the recipient when the sending domain publishes SPF and DKIM records and the receiving server checks them. In this campaign, however, the unnamed threat actor got the fake messages properly DKIM-signed by the Proofpoint relay that serves the spoofed brand, so those checks passed.

Briefly, the attacker combined two things: Proofpoint’s trust in mail arriving from Microsoft Office365, and a weakness in how Office365 handles outbound mail. In the Disney+ example, the messages originated from an Office365 account under the attacker’s control. Normally a sender must prove to Microsoft that it owns any domain it places in the FROM address or uses as the sending account. That proof is apparently not required when the tenant routes its outbound mail through another service, such as Proofpoint. On the Proofpoint side, a configuration option for hosted services lets customers trust mail from Office365, or more accurately from a range of Microsoft IP addresses. Unless the customer adds a rule narrowing that trust, every Office365 tenant sending through that IP range is relayed and signed as if it were the customer.

Guardio calls this a “super-permissive misconfiguration flaw.”

The attacker needed the hostname of each target’s Proofpoint relay, for disney.com and every other spoofed domain, so the Office365 tenant could route its mail there. That is not hard to find: organizations set it in their publicly available mail exchange (MX) record, which a single DNS query for the domain reveals.
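To make the trust decision concrete, here is an added Python model of the relay’s choice. This is example code written for this page, not Proofpoint’s or Guardio’s, and everything in it is constructed: the IP ranges (RFC 5737 documentation prefixes standing in for the Microsoft egress range), the protected domain example.com, the tenant names and the two messages. It shows the permissive hosted-service trust the article describes beside a hardened policy that also pins the relay to the customer’s own Office365 tenant; the X-OriginatorOrg header check is an assumption about how the “special rule” would be implemented, since the article does not say.

```python
import ipaddress
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed stand-in for the hosted-service allowlist the article describes
# (Proofpoint trusting a range of Microsoft 365 egress IPs). These are RFC 5737
# documentation prefixes chosen for the example, not Microsoft's published ranges.
HOSTED_SERVICE_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


@dataclass(frozen=True)
class RelayPolicy:
    """Decision logic of an outbound relay that DKIM-signs mail for protected_domain.

    allowed_tenants=None models the super-permissive default: any sender inside the
    hosted-service IP range is relayed and signed. A non-empty set models the added
    rule that pins the relay to the customer's own tenant(s).
    """
    protected_domain: str
    allowed_tenants: Optional[frozenset] = None

    def accepts(self, client_ip: str, raw_message: str) -> tuple:
        """Return (accepted, reason) for one SMTP submission from client_ip."""
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in HOSTED_SERVICE_NETS):
            return False, "rejected: source IP not in hosted-service allowlist"

        msg = message_from_string(raw_message)
        _, from_addr = parseaddr(msg.get("From", ""))
        from_domain = from_addr.rpartition("@")[2].lower()
        if from_domain != self.protected_domain:
            return False, f"rejected: relay does not sign for {from_domain or '<none>'}"

        if self.allowed_tenants is None:
            # Permissive: the IP range alone vouches for the sender. Any tenant behind
            # those IPs, including an attacker's, gets the customer's DKIM signature.
            return True, "relayed: trusted hosted-service IP (no tenant check)"

        # Hardened: also require the tenant identifier the hosted service stamps on
        # outbound mail. Assumption for this example: the X-OriginatorOrg header that
        # Microsoft 365 adds; the article only says "a special rule".
        tenant = msg.get("X-OriginatorOrg", "").strip().lower()
        if tenant in self.allowed_tenants:
            return True, f"relayed: tenant {tenant} is ours"
        return False, f"rejected: tenant {tenant or '<missing>'} may not send as {self.protected_domain}"


# Constructed sample messages. The first comes from the customer's own tenant, the
# second from an attacker-controlled tenant that put the customer's domain in From.
LEGIT_MSG = """From: Billing <billing@example.com>
To: customer@example.net
Subject: Your invoice
X-OriginatorOrg: example-corp.onmicrosoft.com

Thanks for your payment.
"""

SPOOFED_MSG = """From: Support <support@example.com>
To: victim@example.net
Subject: Your subscription has expired
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

Renew now at http://example.org/renew
"""

PERMISSIVE = RelayPolicy("example.com")
HARDENED = RelayPolicy("example.com", frozenset({"example-corp.onmicrosoft.com"}))
HOSTED_IP = "203.0.113.10"  # constructed: an address inside the trusted range


def run_scenario() -> dict:
    """Map each policy to {message name: accepted} for both sample messages."""
    cases = {"legit": LEGIT_MSG, "spoofed": SPOOFED_MSG}
    return {
        name: {case: pol.accepts(HOSTED_IP, m)[0] for case, m in cases.items()}
        for name, pol in (("permissive", PERMISSIVE), ("hardened", HARDENED))
    }


if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        for case, m in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG)):
            ok, why = pol.accepts(HOSTED_IP, m)
            print(f"{name:10} {case:8} accepted={ok}  {why}")
```

Run as a script, the permissive policy relays both messages, which is the misconfiguration: the attacker’s tenant sits behind the same trusted IP range, so the IP check alone cannot tell it apart from the customer. The hardened policy relays the legitimate message and rejects the spoofed one because the tenant identifier does not match. The same split applies to any relay that trusts a shared cloud egress range; the fix is always to bind the trust to something the attacker cannot share, not to the IP.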

A daily average of 3 million perfectly spoofed emails were sent this way, the researchers say.

Proofpoint, which had already started tracking this campaign, was alerted by Guardio in May and notified customers of the configuration problem. “Once the campaign was spotted and Proofpoint customers started to patch and block this exploit, the threat actor realized the decline and started burning out assets, realizing ‘the end is near,’” the report says.

On the other hand, some of the compromised Office365 accounts are still active.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
