Massive “EchoSpoofing” Phishing Campaign Exploits Proofpoint’s Email Security Platform

A massive phishing campaign, named “EchoSpoofing,” has just been uncovered, revealing a significant vulnerability in Proofpoint’s email protection service. The news, reported an hour ago, highlights how attackers exploited this flaw to send millions of spoofed emails, posing as major brands like Disney and IBM.

The “EchoSpoofing” phishing campaign exploited a permissive relay configuration in Proofpoint’s email security service, turning that service into a dispatch point for millions of perfectly spoofed emails. The attack, uncovered by Guardio Labs, targeted Proofpoint’s email protection service, which is used by many Fortune 100 companies. Because the messages left Proofpoint’s own servers, they passed the SPF, DKIM and DMARC checks that receiving systems rely on; the campaign therefore highlights not a weakness in those protocols but how an authorised relay can turn them into a stamp of legitimacy for fraudulent mail.

How the Attack Happened

The EchoSpoofing campaign was uncovered by Nati Tal, Head of Guardio Labs, who detailed the exploitation of Proofpoint’s infrastructure. The attackers managed to send spoofed emails that appeared to come from well-known brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola. The emails were relayed through Proofpoint’s email servers, so they passed SPF checks and carried valid DKIM signatures for the impersonated domains. Those mechanisms are meant to verify that a message really comes from the listed sending domain, and here they did exactly that: the message genuinely left that domain’s authorised mail servers, so the checks ended up vouching for the spoof rather than blocking it.

The attackers utilised misconfigured email relays, specifically Proofpoint’s “pphosted.com” servers, to send these spoofed emails. By setting up rogue Microsoft Office 365 tenants and using them to relay mail through Proofpoint’s system, they could send messages that appeared entirely legitimate. The method was so effective because it used the same infrastructure that the real companies use to send their own email, so at the receiving end the spoofed messages were indistinguishable from genuine ones.

The Role of SPF, DKIM, and DMARC

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are key components of email authentication. SPF allows domain owners to publish in DNS which IP addresses are authorised to send email for the domain used in the envelope sender (MAIL FROM); a receiver checks the connecting IP against that list. DKIM, on the other hand, uses a cryptographic signature, placed in the message header with the signing domain in its d= tag, to verify that the signed headers and body have not been altered and to tie the message to the signing domain.

In the EchoSpoofing campaign the attackers did not need to break SPF or DKIM. Because the mail left Proofpoint’s relay, which the brands’ SPF records authorise and which holds their DKIM signing keys, the envelope domain and the DKIM signing domain matched the impersonated brand, so both checks passed. DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM by requiring that at least one of them pass with a domain aligned to the visible From: address; that condition was met too, so DMARC passed and even brands publishing a p=reject policy got no protection from it.
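To make the alignment argument concrete, the following added example (not code from Guardio Labs, Proofpoint or the brands named above) implements the receiver-side decision: a minimal SPF evaluator over constructed DNS records, DMARC identifier alignment, and the combined verdict. It compares a message injected into the brand’s authorised relay with an ordinary spoof sent straight from attacker infrastructure. The domains, IP ranges, DMARC record and message fields are assumptions; DKIM cryptography is not modelled, only whether a signature verified and which d= domain it carried.

```python
"""Receiver-side SPF / DKIM-alignment / DMARC decision (added example).

Constructed DNS data and messages; not code from Guardio Labs or Proofpoint.
Assumption: brand.example routes outbound mail through a third-party relay
whose IP space is listed in its SPF record, as the brands above do.
"""
import ipaddress

# Constructed TXT records standing in for real DNS lookups (assumption).
DNS_TXT = {
    "brand.example": "v=spf1 include:spf.relay.example -all",
    "spf.relay.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    "_dmarc.brand.example": "v=DMARC1; p=reject; adkim=r; aspf=r",
}


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list as used by DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def spf_check(domain, client_ip, depth=0):
    """Evaluate the subset of SPF (RFC 7208) needed here: ip4, include, *all."""
    if depth > 10:  # RFC 7208 limit on DNS-querying terms
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if spf_check(term[8:], client_ip, depth + 1) == "pass":
                return "pass"
        elif term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def org_domain(domain):
    # Assumption: organisational domain = last two labels (real code uses the PSL).
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict needs equality, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain.lower()) == org_domain(auth_domain.lower())


def dmarc_evaluate(msg):
    """Return the DMARC verdict a receiver would reach for one message.

    msg keys: client_ip, mail_from_domain (envelope), from_domain (header From:),
    dkim_d (d= tag of the signature, or ""), dkim_verified (did the signature verify).
    """
    from_domain = msg["from_domain"]
    policy = parse_tags(DNS_TXT.get(f"_dmarc.{from_domain}", ""))
    spf_result = spf_check(msg["mail_from_domain"], msg["client_ip"])
    spf_aligned = spf_result == "pass" and aligned(
        from_domain, msg["mail_from_domain"], policy.get("aspf", "r"))
    dkim_aligned = msg["dkim_verified"] and aligned(
        from_domain, msg["dkim_d"], policy.get("adkim", "r"))
    return {
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "policy": policy.get("p", "none"),
    }


# Constructed messages (assumption). RELAYED models the campaign: the message was
# injected into brand.example's relay, which signed it and sent it from its IPs.
RELAYED = {"client_ip": "203.0.113.10", "mail_from_domain": "brand.example",
           "from_domain": "brand.example", "dkim_d": "brand.example",
           "dkim_verified": True}
# DIRECT models an ordinary spoof sent straight from attacker infrastructure.
DIRECT = {"client_ip": "192.0.2.77", "mail_from_domain": "brand.example",
          "from_domain": "brand.example", "dkim_d": "", "dkim_verified": False}

if __name__ == "__main__":
    for name, m in (("relayed", RELAYED), ("direct", DIRECT)):
        print(name, dmarc_evaluate(m))
```

The relayed message gets SPF pass, aligned DKIM and a DMARC pass; the direct spoof fails SPF, has no signature and is rejected under the published p=reject policy. Nothing in the receiver’s view distinguishes the relayed spoof from the brand’s real mail, which is why the only effective control in this incident sat on the relay’s acceptance policy, not on the receiving side.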

The Exploitation of Proofpoint’s Infrastructure

The Proofpoint system, designed to act as an email firewall, inadvertently became a tool for attackers because of what Guardio describes as a “super-permissive misconfiguration flaw.” The relay accepted mail for a customer’s domain from any Microsoft Office 365 tenant, not only the tenant belonging to that customer, so an attacker’s own tenant could submit messages that Proofpoint then signed with the customer’s DKIM key and sent from IP addresses covered by the customer’s SPF record. Since every technical indicator a recipient or a mail client could check was genuine, even the most tech-savvy users could be fooled by the spoofed email.
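The following added example models that acceptance decision from the relay’s side, with the weak rule beside a stricter one. It is illustrative code, not Proofpoint’s configuration or the remediation it shipped: the provider IP ranges, tenant IDs and the X-Tenant-Id header name are assumptions, and the stricter rule assumes the provider stamps a tenant identity the relay can trust rather than one the client supplies.

```python
"""Relay acceptance policy, weak form beside a stricter one (added example).

Constructed data; this is not Proofpoint's configuration or code. It models
the failure mode described above: a relay that treats "came from the cloud
provider's shared IP space" as proof that a message belongs to a customer.
Tenant IDs, IP ranges and the X-Tenant-Id header name are assumptions.
"""
import ipaddress

# Constructed: the shared outbound IP space of a multi-tenant mail provider,
# which every tenant of that provider, legitimate or rogue, sends from.
PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]

# Constructed customer table: domain -> the one tenant allowed to send as it.
CUSTOMERS = {
    "brand.example": {"tenant_id": "0f3c3b6e-0001-4f8b-9c6d-000000000001"},
}


def from_provider(client_ip):
    """True if the connecting IP lies in the provider's shared ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in PROVIDER_RANGES)


def permissive_policy(msg):
    """Weak rule: relay and sign for the customer domain whenever the
    connection comes from anywhere in the provider's shared ranges."""
    return msg["from_domain"] in CUSTOMERS and from_provider(msg["client_ip"])


def restricted_policy(msg):
    """Stricter rule: the connection must also carry the tenant identity the
    customer registered. Assumption: the provider stamps it in a header the
    relay trusts (named X-Tenant-Id here, hypothetically) and strips any
    client-supplied copy before the relay sees it."""
    customer = CUSTOMERS.get(msg["from_domain"])
    if customer is None or not from_provider(msg["client_ip"]):
        return False
    return msg["headers"].get("X-Tenant-Id") == customer["tenant_id"]


# Constructed submissions. LEGIT is the customer's own tenant; ROGUE is a
# different tenant at the same provider, sending from the same IP space;
# OUTSIDER is a connection from outside the provider entirely.
LEGIT = {"client_ip": "203.0.113.10", "from_domain": "brand.example",
         "headers": {"X-Tenant-Id": "0f3c3b6e-0001-4f8b-9c6d-000000000001"}}
ROGUE = {"client_ip": "203.0.113.200", "from_domain": "brand.example",
         "headers": {"X-Tenant-Id": "9a1d2e3f-0002-4f8b-9c6d-000000000002"}}
OUTSIDER = {"client_ip": "192.0.2.5", "from_domain": "brand.example",
            "headers": {}}


def decide(policy, submissions):
    """Apply one policy to a dict of named submissions."""
    return {name: policy(m) for name, m in submissions.items()}


if __name__ == "__main__":
    subs = {"legit": LEGIT, "rogue": ROGUE, "outsider": OUTSIDER}
    print("permissive:", decide(permissive_policy, subs))
    print("restricted:", decide(restricted_policy, subs))
```

Under the permissive rule the rogue tenant is accepted exactly like the legitimate one, because the only thing checked is membership of a shared IP range that the attacker also rents. The restricted rule keys acceptance to a per-customer identity instead, which is the kind of tightening the page refers to when it says Proofpoint moved to stricter configurations; the specific mechanism Proofpoint chose is not described here.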

Conclusion and Recommendations

The EchoSpoofing campaign underscores the critical need for rigorous security measures in email infrastructure. It also highlights the importance of ongoing vigilance and cooperation within the cybersecurity community to safeguard against sophisticated threats. Proofpoint has since addressed the issue by implementing stricter configurations and alerting customers about potential vulnerabilities.

Organisations are advised to regularly review and update their email security protocols, including their SPF, DKIM and DMARC settings, although it is not clear that this would have helped in this particular situation: the spoofed messages passed all three checks precisely because they were sent through the brands’ own authorised relay.

Additionally, companies using third-party email security services should work closely with their providers to ensure all potential vulnerabilities are identified and mitigated, including which upstream sources the provider will accept and relay mail from on the company’s behalf. Regular security audits, testing of configurations, and comprehensive employee training on recognising phishing attempts are also essential steps in maintaining a robust defence against ever-evolving cyber threats.

For more detailed information on the EchoSpoofing campaign and how it was carried out, you can read the original reports from Guardio Labs post here:
https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6

Andrew Bonar
Andrew is the co-founder of emailexpert.
