Hackers abused Proofpoint's email infrastructure to deliver millions of phishing emails, it has emerged. The campaign, named 'EchoSpoofing', exploited a permissive default configuration in the cybersecurity firm's email protection platform to send an estimated three million messages per day between January and June 2024. To convince users that the emails were genuine, the unidentified actor impersonated major companies, including IBM, Coca-Cola and Disney. The weakness they exploited has since been closed, Proofpoint confirmed.
“All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity,” said the firm, adding that no customer data had been lost or exposed by the hackers. “To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.”
Hackers manipulated Proofpoint email relay settings
Users who clicked the links in the phishing emails were taken to a fake landing page matching the branding of the impersonated company, where the hackers tried to pressure their targets into subscribing to a fake service at an extortionate monthly rate. Remarkably, every message passed the email authentication checks (SPF, DKIM and DMARC) that are designed to stop exactly this kind of spoofing. The attackers achieved this not by breaking into Proofpoint but by sending their mail through Proofpoint's outbound relay servers: mail leaving those servers carried the relay's trusted IP addresses and a DKIM signature for the impersonated customer domain, so receiving mail servers treated it as legitimate.
“The Proofpoint Email security solution is a kind of ‘Firewall’ for emails,” wrote Nati Tal of Guardio Labs, which collaborated with Proofpoint to analyse and thwart the campaign. “The SMTP protocol allows an email message to travel through different points heading to your inbox, just like we’ve seen in the above sample. This is how Proofpoint offers its customers an easy integration method—just point all your organization’s outgoing and incoming emails to Proofpoint’s server.”
By exploiting what Tal went on to describe as a “super-permissive misconfiguration flaw” in the outbound email relays Proofpoint operates for major companies, the attackers were able to lend legitimacy to phishing emails that would otherwise have been consigned to users’ junk folders. Customers could add rules to their Proofpoint accounts to restrict which senders were allowed to relay, but most, Tal noted, “were not aware of this in the first place, and the default option was not secure at all.”
CISOs warned to be vigilant over third-party email software
This side-channel attack, Tal continued, made it easy to dispatch millions of suspect emails. Even so, the Guardio Labs chief praised Proofpoint for responding within hours to messages alerting the cybersecurity firm to the EchoSpoofing campaign. The two companies then teamed up to respond to the threat, sharing indicators of compromise (IOCs) and contacting the legitimate software companies whose products had been abused by the attacker.
Additionally, said Tal, “Proofpoint proposed a mitigation strategy utilising a unique vendor-specific header (X-OriginatorOrg) which the Exchange server automatically appends to all outgoing emails, including blindly relayed emails. By using this header, customers can ensure that only emails from their own authorized Office365 tenants are accepted, effectively blocking any malicious actors from further exploiting this flow.”
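To make the relay decision concrete, here is an added Python example, written for this article and not code from Proofpoint or Guardio Labs, that models an outbound relay receiving mail from Microsoft 365 connectors. It contrasts the permissive default Tal describes, in which any Microsoft 365 tenant can relay mail claiming the customer's From domain, with the X-OriginatorOrg allow-list mitigation, which denies every tenant not explicitly authorised. The connector IP range, customer domain, tenant names and sample messages are all constructed for the example and are not real Microsoft, Proofpoint or customer values.

```python
import ipaddress
from email import policy
from email.parser import BytesParser

# All values below are constructed for this example; they are not real
# Microsoft 365 connector ranges, Proofpoint settings or customer tenants.
M365_CONNECTOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]
CUSTOMER_DOMAIN = "example.com"
AUTHORIZED_TENANTS = {"example.com", "example.onmicrosoft.com"}


def parse_message(raw: bytes):
    """Parse a raw RFC 5322 message as the relay would receive it."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def from_domain(msg) -> str:
    """Lower-cased domain of the first From address, '' if missing or unparseable."""
    header = msg.get("From")
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def from_m365_connector(source_ip: str) -> bool:
    """The relay only accepts customer traffic arriving from Microsoft 365."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in M365_CONNECTOR_NETS)


def permissive_decision(source_ip: str, msg) -> str:
    """Pre-mitigation default: any Microsoft 365 tenant may relay mail that
    claims a From address in the customer's domain. The relayed message then
    leaves from the relay's own IPs, so SPF and DKIM pass at the receiver."""
    if from_m365_connector(source_ip) and from_domain(msg) == CUSTOMER_DOMAIN:
        return "RELAY"
    return "REJECT"


def hardened_decision(source_ip: str, msg, authorized=AUTHORIZED_TENANTS) -> str:
    """Post-mitigation: the same checks, plus the tenant that Microsoft 365
    stamped in X-OriginatorOrg must be on the allow list (deny by default)."""
    if not from_m365_connector(source_ip):
        return "REJECT"          # the header is only trustworthy from M365
    origin = (msg.get("X-OriginatorOrg") or "").strip().lower()
    if origin not in authorized:
        return "REJECT"          # unknown or missing tenant: deny by default
    if from_domain(msg) != CUSTOMER_DOMAIN:
        return "REJECT"
    return "RELAY"


# Constructed sample messages: one from the customer's own tenant, one from an
# attacker-controlled tenant spoofing the customer's From domain.
LEGIT = b"""From: IT Helpdesk <helpdesk@example.com>
To: user@example.net
Subject: Password policy update
X-OriginatorOrg: example.com

Please review the updated policy.
"""

SPOOFED = b"""From: Billing <billing@example.com>
To: user@example.net
Subject: Your subscription is active
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

Confirm your subscription at the link below.
"""


def evaluate_all(source_ip: str = "203.0.113.10") -> dict:
    """Run both policies over the samples; returns {name: (permissive, hardened)}."""
    results = {}
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        msg = parse_message(raw)
        results[name] = (permissive_decision(source_ip, msg),
                         hardened_decision(source_ip, msg))
    return results


if __name__ == "__main__":
    for name, (before, after) in evaluate_all().items():
        print(f"{name:8} permissive={before:6} hardened={after}")
```

Under the permissive policy both messages are relayed, because the only questions asked are "did this arrive from Microsoft 365?" and "does the From address belong to the customer?", and an attacker's own tenant satisfies both. The hardened policy rejects the spoofed message because its X-OriginatorOrg names a tenant the customer never authorised, and it rejects a message with no such header at all. The header is only worth trusting because Microsoft 365 stamps it on mail leaving a tenant, which is why the hardened check still insists the connection come from Microsoft 365 connector addresses before consulting it; a forged X-OriginatorOrg arriving from anywhere else fails the first check. The example models the decision only and does not perform the DKIM signing that a real relay would apply after accepting a message.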
CISOs should take extra care over their organisation’s cloud posture, Tal told The Hacker News separately – especially when it comes to auditing the third-party software that undergirds its communications systems. “Specifically in the realm of emails,” he said, “always maintain a feedback loop and control of your own – even if you trust your email provider fully.”