Cybercriminals have launched a massive phishing scam using a flaw in Proofpoint’s email security system. This allowed them to send millions of fake emails pretending to be from well-known companies like Best Buy, IBM, Nike, and Disney.
These fake emails looked authentic and passed the standard email authentication checks that receiving mail servers rely on. The scammers used them to steal victims' money and credit card information.
The campaign began in January and peaked in June, when it was sending up to 14 million spoofed emails per day. Guardio Labs, the security researchers who uncovered it, named the technique "EchoSpoofing."
A perfect storm of fraud
The most concerning aspect of this campaign is the sophistication of the spoofing method — these emails are remarkably convincing, making it extremely difficult for recipients to identify them as fraudulent.
The EchoSpoofing technique itself is highly effective. What’s unusual about it, though, is that it’s being employed on such a large scale rather than in targeted attacks. A more focused approach could allow attackers to impersonate specific employees, manipulate coworkers, and potentially compromise entire organizations through social engineering.
In short, the attackers exploited a relay configuration in Proofpoint's service that let them send emails carrying the From addresses of legitimate companies, with those companies' own email infrastructure vouching for the messages.
They ran their own Simple Mail Transfer Protocol (SMTP) server on a rented virtual private server (VPS) and pushed the spoofed messages into Microsoft 365, from where they were handed to Proofpoint's outbound relay. Because that relay accepted mail from any Microsoft 365 tenant rather than only the customer's own, the messages left Proofpoint's servers exactly as a genuine message from the impersonated brand would.
Normally, email authentication protocols like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) help prevent spoofing: SPF lets a receiving server check that the IP address handing it the message is authorized by the sender domain's DNS record, and DKIM lets it verify a cryptographic signature added by the domain's mail infrastructure. In this case the attackers did not have to defeat either check. The messages were relayed and signed by the impersonated brand's own Proofpoint infrastructure, so SPF and DKIM passed, which is exactly what made the emails so convincing.
“The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow,” Proofpoint said in a coordinated disclosure report. “Any email infrastructure that offers this email routing configuration feature can be abused by spammers.”
The fallout: Proofpoint responds
In the report, the company states they have been monitoring this campaign since March. Thanks to technical information provided by Guardio, Proofpoint was able to enhance its defenses against these attacks. The company has developed new guidelines and settings to help customers prevent similar incidents in the future.
The company has also started using the 'X-OriginatorOrg' header, which Microsoft 365 stamps on outbound messages to identify the sending tenant, to verify that relayed mail actually comes from the customer's own tenant and to reject the rest. Additionally, a new Microsoft 365 onboarding process allows customers to set more stringent permissions on their Microsoft 365 connectors, reducing the risk of unauthorized email relaying through Proofpoint's servers.
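The following is an added example, not Proofpoint's code or configuration, that models both points above: why a message relayed through an outbound connector that accepts any Microsoft 365 tenant passes SPF for the impersonated domain, and how gating the connector on the X-OriginatorOrg tenant header stops it. The domains, IP ranges, tenant names and sample messages are constructed for the illustration; DKIM signing is represented as a flag rather than a real signature.

```python
"""Constructed model of the EchoSpoofing relay problem (added example, not
Proofpoint's code). Domains, IPs, tenant names and messages are hypothetical."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Hypothetical DNS view: the brand's SPF record authorizes its relay
# provider's egress range, as any customer of a hosted email gateway would.
SPF_AUTHORIZED = {
    "brand.example": [ipaddress.ip_network("203.0.113.0/24")],
}
RELAY_EGRESS_IP = "203.0.113.10"  # hypothetical gateway egress address

# Constructed messages as they would arrive at the relay from Microsoft 365.
# The spoofed one carries the brand's From address but a different tenant.
SPOOFED_MSG = """\
From: Brand Support <no-reply@brand.example>
To: customer@example.net
Subject: Action required on your account
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

Confirm your card details here.
"""
GENUINE_MSG = """\
From: Brand Support <no-reply@brand.example>
To: customer@example.net
Subject: Your receipt
X-OriginatorOrg: brand.example

Thanks for your order.
"""


def spf_pass(domain: str, connecting_ip: str) -> bool:
    """SPF only asks whether the IP that handed us the message is authorized
    by the From domain's SPF record. It says nothing about where the message
    originally started."""
    ip = ipaddress.ip_address(connecting_ip)
    return any(ip in net for net in SPF_AUTHORIZED.get(domain, []))


def relay_accepts(msg, allowed_tenants=None) -> bool:
    """Admission decision on the relay's Microsoft 365 connector.

    allowed_tenants=None models the original permissive setting: any tenant
    may relay. A set of tenant names models the per-customer allow-list
    matched against the X-OriginatorOrg header Microsoft 365 stamps."""
    tenant = msg.get("X-OriginatorOrg")
    if tenant is None:
        return False  # did not come through Microsoft 365 at all
    if allowed_tenants is None:
        return True
    return tenant.strip().lower() in {t.lower() for t in allowed_tenants}


def deliver(raw: str, allowed_tenants=None) -> dict:
    """Simulate M365 -> relay -> recipient and report what the recipient's
    authentication checks would see. The relay DKIM-signs everything it
    forwards for its customer's domain (modelled as a flag here)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    if not relay_accepts(msg, allowed_tenants):
        return {"relayed": False, "spf": None, "dkim_signed": False}
    # The recipient sees the relay's egress IP as the connecting host, so SPF
    # passes for whatever From domain the relay's customer owns.
    return {
        "relayed": True,
        "spf": spf_pass(from_domain, RELAY_EGRESS_IP),
        "dkim_signed": True,
    }


if __name__ == "__main__":
    print("permissive relay, spoofed:", deliver(SPOOFED_MSG))
    print("tenant allow-list, spoofed:", deliver(SPOOFED_MSG, {"brand.example"}))
    print("tenant allow-list, genuine:", deliver(GENUINE_MSG, {"brand.example"}))
```

With the permissive setting the spoofed message is relayed and arrives with SPF passing and a DKIM signature for brand.example, so a recipient running SPF, DKIM or DMARC has nothing to reject. With the tenant allow-list only the genuine message gets through. One caveat: the X-OriginatorOrg check is only as trustworthy as the connector it runs on. It must be evaluated solely on mail arriving over the Microsoft 365 connector, because a message arriving from the open Internet could carry a forged copy of the header.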
Protecting your organization
The big takeaway is that Chief Information Security Officers (CISOs) and other leaders should prioritize the security of their organization's cloud infrastructure, particularly where third-party services handle network and communication functions. This is especially true for email, where retaining control over who may send on the organization's behalf, and keeping a feedback loop with the provider, is essential even when the provider is trusted.
Companies that provide these critical services, such as Proofpoint, have a wide-reaching responsibility to stay ahead of threats. They need to consider how their systems could be misused and protect not only their customers but the public as well.