An alarming new phishing campaign has emerged, linked to an unidentified threat actor exploiting a significant flaw in the email security configurations of Proofpoint, an established email security vendor. Utilizing an improperly configured routing system, the actor has dispatched millions of fraudulent emails impersonating well-known companies, including Best Buy, IBM, Nike, and Walt Disney, among others.
According to Guardio Labs researcher Nati Tal, these phishing emails originated from sanctioned Proofpoint email relays that were equipped with legitimate SPF and DKIM signatures. This authentication trick allowed the messages to circumvent robust security measures, ensnaring unsuspecting recipients in a scheme designed to pilfer their funds and sensitive credit card information. The campaign, dubbed “EchoSpoofing” by cybersecurity experts, reportedly began in January 2024 and peaked in early June when approximately 14 million emails were sent daily in an effort to exploit this loophole.
Tal highlighted the sophisticated nature of this spoofing technique, noting that it leaves few indications that these emails are not authentic communications from the purported companies. The method’s effectiveness raises concerns, as it could potentially lead to large-scale credential theft or other damaging breaches, given the high degree of social engineering involved. Rather than focusing on small, target-specific operations, the attackers opted for a broad, indiscriminate approach, which could have serious long-term implications for multiple organizations.
The mechanics of the attack involve the use of virtual private servers (VPS) to send emails from an SMTP server whose messages, by the time they reach the recipient, pass the established authentication checks. This raises the likelihood of delivery and underlines the need for stringent security measures. Guardio indicates that the attackers took advantage of permissive routing configurations on Proofpoint servers, which allowed the relay of unauthorized messages originating from Microsoft 365 tenants.
The underlying issue stems from a “super-permissive misconfiguration flaw” that essentially enabled spammers to wield the email infrastructure for their malicious activities. Proofpoint confirmed that the problematic configurations were not linked to known threat entities. While the company has been proactive in mitigating these threats by introducing corrective measures to its administrative interface, concerns over the effective control of email routing configurations remain.
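The point made above is that a passing SPF and DKIM result only proves the last relay was authorised for the brand domain, not that the message began inside the brand's own mail flow. The following script is an added example (not from the article, Guardio, or Proofpoint) that walks the Received chain of a message alongside its Authentication-Results and flags the combination "fully authenticated, yet the path started at a host the brand never sends from". All hostnames, the allowlist, and both sample messages are constructed.

```python
"""Relay-chain audit for the authenticated-spoof pattern described above.

Added example with constructed hostnames and messages. The allowlist below
is an assumption: the relays a brand expects its own mail to traverse.
"""
from __future__ import annotations
import re
from email import message_from_string
from email.message import Message

# Constructed allowlist of relays the brand's legitimate mail passes through.
EXPECTED_RELAYS = {"mx.example-brand.invalid", "outbound.example-mss.invalid"}

def received_hosts(msg: Message) -> list[str]:
    """Return the 'from' host of each Received header, oldest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([\w.-]+)", hdr)
        if m:
            hosts.append(m.group(1).lower())
    return list(reversed(hosts))  # Received headers are prepended, so reverse

def auth_results(msg: Message) -> dict[str, str]:
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def audit(raw: str) -> dict:
    msg = message_from_string(raw)
    chain = received_hosts(msg)
    auth = auth_results(msg)
    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    unexpected = [h for h in chain if h not in EXPECTED_RELAYS]
    # Suspicious: every check passes, but the path began outside the brand's flow.
    return {"authenticated": authenticated, "chain": chain,
            "unexpected_hops": unexpected,
            "suspicious": authenticated and bool(unexpected)}

# Constructed sample: relayed through a tenant and a security vendor's outbound
# relay, yet the oldest hop is a VPS the brand never uses.
SPOOFED_SAMPLE = """Authentication-Results: mx.recipient.invalid; spf=pass smtp.mailfrom=example-brand.invalid; dkim=pass header.d=example-brand.invalid; dmarc=pass
Received: from outbound.example-mss.invalid (outbound.example-mss.invalid [192.0.2.10]) by mx.recipient.invalid
Received: from tenant-relay.example-tenant.invalid ([192.0.2.20]) by outbound.example-mss.invalid
Received: from vps-203-0-113-5.example-vps.invalid ([203.0.113.5]) by tenant-relay.example-tenant.invalid
From: Example Brand <promo@example-brand.invalid>
Subject: constructed sample

body
"""
# Constructed sample of legitimate brand mail following the expected path.
LEGIT_SAMPLE = """Authentication-Results: mx.recipient.invalid; spf=pass smtp.mailfrom=example-brand.invalid; dkim=pass header.d=example-brand.invalid; dmarc=pass
Received: from outbound.example-mss.invalid ([192.0.2.10]) by mx.recipient.invalid
Received: from mx.example-brand.invalid ([192.0.2.30]) by outbound.example-mss.invalid
From: Example Brand <promo@example-brand.invalid>
Subject: constructed sample

body
"""
```

Run `audit(SPOOFED_SAMPLE)` and `audit(LEGIT_SAMPLE)` to compare: both are fully authenticated, only the first reports unexpected hops.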
The methods employed in this campaign align with several tactics outlined in the MITRE ATT&CK framework, including initial access through external remote services and evasion techniques employed via the misuse of legitimate infrastructure. These elements are crucial in understanding the broader implications of such security breaches.
While Proofpoint asserts that no customer data was compromised as a result of this campaign, it serves as a stark reminder of the vulnerabilities inherent in even the most revered security systems. The company is advocating for heightened scrutiny and greater responsibility among VPS providers and email service vendors to restrict users’ abilities to send high volumes of outbound emails and to eliminate opportunities for domain spoofing.
In conclusion, this incident underscores the pressing need for businesses to remain vigilant regarding third-party services that play a pivotal role in organizational communication. Cybersecurity experts urge businesses to maintain rigorous oversight of their email systems and configurations while continuously assessing potential threats. As the landscape of cyber threats evolves, the responsibility of safeguarding digital infrastructure becomes increasingly paramount.