
Proofpoint servers exploited to send millions of phishing emails


Threat actors have abused a permissive relay configuration on Proofpoint's email servers to send millions of fraudulent emails impersonating major brands such as Disney, IBM, and Coca-Cola. The coordinated campaigns, tracked as EchoSpoofing, started in January 2024 and peaked in June.

Proofpoint provides an email security gateway that sits in front of a customer's mail flow, routing incoming and outgoing emails through its servers. Customers, including major brands, configure their email systems to send outbound mail via Proofpoint's servers, which authenticate it on the customer's behalf.

The attackers exploited a permissive configuration in this setup, allowing any Office 365 account to relay emails through Proofpoint’s servers without additional verification.

The emails are DomainKeys Identified Mail (DKIM)-signed and pass Sender Policy Framework (SPF) checks, and each contains a phishing link. Clicking the link lands the user on a fake brand page with a customer quiz, followed by a purchase page on which the real terms are hidden in the smallest font.

[Image] A sample of the phishing email spoofing Disney. | Source: Guard.io

The victim may or may not notice the small print announcing a recurring charge of $199.90 per month, which is the real objective of the threat actors.

Upon further investigation, researchers found that the emails were sent from Proofpoint's relay servers, which are designed to authenticate and secure email communications for its clients.


“Incoming emails are sent directly to Proofpoint servers using the MX record on the domain’s DNS record. Outgoing emails are a bit trickier, depending on the email service used to deliver messages,” explained researchers. “Specifically, if you use the Office365 business email account, you can comply by using the ‘Connectors’ option of the Exchange server. You need to configure it to redirect your selected outbound emails to a pre-defined Proofpoint endpoint, which will do all the rest for you.”

The spoofed emails are first sent out through Microsoft Office 365 accounts controlled by the attackers. As the researchers pointed out, this step is crucial because Office 365 is a trusted email service, and mail from its servers is less likely to be flagged as spam.

The messages leave Office 365 via Exchange Online's ‘Frontend Transport’ path, which relays them onward without further checks on the sender. The final hop is Proofpoint's relay, which is configured to accept mail from approved servers, including Office 365's, on behalf of its customers.

[Image] Diagram explaining Proofpoint integration with Office 365 email account. | Source: Guard.io

Because the relay configuration only checked that mail arrived from Office 365, and did not verify which Office 365 tenant had sent it, the attackers could get their messages accepted and delivered as if they were the customer's own.

Once accepted, Proofpoint's servers treated the mail like any other outbound message from the brand: they are listed in the brand's SPF record and hold the brand's DKIM signing key, so the spoofed emails passed both SPF and DKIM checks and appeared to be genuine communications from the targeted brands.

The attackers used PowerMTA, a high-performance email delivery software, to send millions of emails in a single batch. This tool, commonly used for legitimate bulk mailing, was abused to deliver spoofed emails at scale.

Upon being notified, Proofpoint began tracking the campaign and notifying affected customers. Researchers have urged organisations to make use of the X-OriginatorOrg header, which Exchange Online stamps on every outgoing email with the sending tenant's domain. Checking this header at the relay identifies which Office 365 tenant an email actually came from, so that only mail from the customer's own authorised tenants is accepted and signed.
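To make the relay decision concrete, here is an added example that models both the permissive acceptance rule the campaign abused and the X-OriginatorOrg check the researchers recommend. It is not code from Guardio, Proofpoint or Microsoft. The IP ranges are a stand-in for the Office 365 egress ranges, the tenant names and the two messages are constructed, and the Python policy functions are a toy model of a relay's accept/reject logic rather than any vendor's configuration.

```python
import ipaddress
from email import message_from_string
from email.policy import default

# Constructed stand-in for the Office 365 outbound ranges Microsoft publishes
# in its SPF include. The real list is larger; this is an assumption for the
# example, not a copy of Microsoft's data.
OFFICE365_OUTBOUND = [
    ipaddress.ip_network("40.92.0.0/15"),
    ipaddress.ip_network("40.107.0.0/16"),
]

# Constructed: the only tenant this hypothetical Proofpoint customer has
# actually integrated through an Exchange outbound connector.
APPROVED_TENANTS = {"contoso.onmicrosoft.com"}

# Constructed sample message from the customer's own tenant.
LEGIT_MESSAGE = """\
From: Contoso Rewards <rewards@contoso.example>
To: victim@example.net
Subject: Your monthly statement
X-OriginatorOrg: contoso.onmicrosoft.com
Message-ID: <1@contoso.example>

Thanks for being a customer.
"""

# Constructed sample of an EchoSpoofing-style message: the From: domain is the
# customer's, but Exchange Online stamped the attacker's own tenant into
# X-OriginatorOrg when the message left Office 365.
SPOOFED_MESSAGE = """\
From: Contoso Rewards <rewards@contoso.example>
To: victim@example.net
Subject: Claim your reward
X-OriginatorOrg: attacker-tenant.onmicrosoft.com
Message-ID: <2@contoso.example>

Click here to claim your reward.
"""

# Constructed: a connecting address inside the stand-in Office 365 range.
O365_SOURCE_IP = "40.107.10.20"


def from_office365(source_ip: str) -> bool:
    """True if the connecting IP falls inside the (stand-in) Office 365 egress ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in OFFICE365_OUTBOUND)


def originator_org(raw_message: str) -> str:
    """Return the tenant named in X-OriginatorOrg, lower-cased, or '' if absent."""
    msg = message_from_string(raw_message, policy=default)
    return (msg.get("X-OriginatorOrg") or "").strip().lower()


def permissive_policy(source_ip: str, raw_message: str) -> bool:
    """The weak rule: relay (and DKIM-sign) anything that arrives from Office 365.

    Every Office 365 tenant in the world can reach this path, which is the
    gap EchoSpoofing abused. The message content is never consulted.
    """
    return from_office365(source_ip)


def hardened_policy(source_ip: str, raw_message: str) -> bool:
    """Require an Office 365 source AND an approved tenant in X-OriginatorOrg.

    The header is only meaningful because Exchange Online sets it on egress;
    the source-IP check is what lets us trust it, so both conditions are kept.
    """
    if not from_office365(source_ip):
        return False
    return originator_org(raw_message) in APPROVED_TENANTS


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(f"{label:8s} permissive={permissive_policy(O365_SOURCE_IP, raw)} "
              f"hardened={hardened_policy(O365_SOURCE_IP, raw)}")
```

Run as-is, the permissive rule accepts both messages because both arrive from an Office 365 address, while the hardened rule rejects the spoofed one because its X-OriginatorOrg names a tenant the customer never approved. The same two-part check (trusted source plus tenant identity) is the shape any relay allowlist for shared cloud mail platforms needs, since the source IP alone identifies the platform, not the sender.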

“Addressing security issues often appears straightforward theoretically, but the reality presents unexpected complexities. With ‘EchoSpoofing’, the technical challenge lies in enhancing an old, insecure protocol like SMTP, which suffers from fragmentation and inconsistent implementation across different vendors,” concluded researchers. “Moreover, integrating security measures with Microsoft Exchange, a nearly 30-year-old platform over which users have little control, adds another layer of complexity.”


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
