Phishers exploited Proofpoint weakness to spoof emails from IBM, Nike, and more
- by nlqip
Mystified as to how this was possible, Guardio noticed that the phishing emails all originated on an SMTP virtual server routed via Office365 Online Exchange before entering a domain-specific relay server operated by Proofpoint.
Importantly, that final Proofpoint server was where the DKIM and SPF checks would pass as legitimate, essentially allowing it to route emails on behalf of its customers.
“EchoSpoofing”
The bypass turned out to have two parts. The first was to beat the SPF IP-to-domain check, which the attackers achieved by sending their spoofed emails from an SMTP server under their control through an Office365 account. Office365 stops spoofing when email originates on those accounts but not, crucially, when it relays emails from external SMTP servers.
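The SPF IP-to-domain check described above, as an added example (not from the original article or Guardio's research): a simplified evaluator over constructed records showing that the recipient's verdict depends only on the last hop's IP, so anything a domain's authorized relay forwards passes for that domain. The domains, IP ranges, and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF records (example domains, documentation IP ranges); not real DNS data.
SPF_RECORDS = {
    "brand.example": "v=spf1 include:relay.example -all",
    "relay.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate ip4/include/all mechanisms only; a simplified subset of RFC 7208."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the included record evaluates to pass
            matched = check_spf(client_ip, term[8:], records, depth + 1) == "pass"
        else:
            continue  # mechanisms outside this sketch (a, mx, exists, ...) are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def spf_at_recipient(last_hop_ip, envelope_domain):
    """The recipient sees only the last hop's IP and the envelope sender domain."""
    return check_spf(last_hop_ip, envelope_domain)


if __name__ == "__main__":
    # Same envelope domain, two delivery paths (constructed addresses).
    print(spf_at_recipient("198.51.100.7", "brand.example"))  # direct from an outside server
    print(spf_at_recipient("192.0.2.25", "brand.example"))    # handed over by the authorized relay
```

SPF alone says nothing about who submitted the message to the relay, which is why the relay's own acceptance rules for upstream senders are the control that matters here.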