EchoSpoofing: Millions Targeted in Proofpoint Email Breach

StrelaStealer malware attacks - Phishing Scheme

An unknown attacker exploited a vulnerability in the email routing settings of Proofpoint to send mass fraudulent messages impersonating well-known companies such as Best Buy, IBM, Nike, and Walt Disney.

According to a researcher from Guardio Labs, the emails were sent through Proofpoint’s official servers with genuine SPF and DKIM signatures, enabling them to bypass primary security measures and deceive recipients into stealing funds and credit card information.

The campaign, dubbed EchoSpoofing, commenced in January of this year and concluded only in June when Proofpoint began taking active countermeasures. On average, the attackers sent three million emails daily, peaking at 14 million on one June day.

EchoSpoofing campaign

Overview of the phishing attack | Image Credit: Guardio Labs

The spoofing method was so unique that it left little chance of recognizing the emails as fraudulent. The attackers used SMTP servers on virtual private servers (VPS), adhering to all authentication measures, such as SPF and DKIM, making the fake emails highly convincing.

The emails were routed through Microsoft 365 clients (tenants) controlled by the attackers and then relayed through Proofpoint’s email infrastructure to users of free email services like Yahoo!, Gmail, and GMX. This was made possible by a configuration error on Proofpoint’s servers, granting the attackers elevated privileges.

The main issue lay in the ability to modify email routing settings on Proofpoint’s servers, allowing messages to be forwarded from any Microsoft 365 tenants without specifying particular allowable tenants. This enabled the attackers to set up fake tenants and send messages that were forwarded through Proofpoint’s servers, appearing authentic.

The attackers used a compromised version of the PowerMTA program for mass mailings, employing various IP addresses and VPS to send thousands of messages at once. These emails were accepted by Microsoft 365 and relayed through Proofpoint’s infrastructure with DKIM signatures, making them even more convincing.

The primary goal of the EchoSpoofing campaign was to generate illicit revenue and minimize the risk of detection, as direct contact with companies would significantly increase the chances of the scheme being uncovered. Proofpoint stated that the hackers’ activities did not align with known threats and groups. The company emphasized that customer data was not compromised and provided recommendations for identifying phishing attempts.

To reduce spam volume, Proofpoint urges VPS providers to limit the ability to send large quantities of messages from their servers and calls on email services to restrict new and unverified users’ capabilities to send mass messages and spoof domains.

Related Posts: