Phishers exploited Proofpoint weakness to spoof emails from IBM, Nike, and more
- by nlqip
Mystified as to how this was possible, Guardio noticed that the phishing emails all originated on an SMTP virtual server routed via Office365 Online Exchange before entering a domain-specific relay server operated by Proofpoint.
Importantly, that final Proofpoint server was where the DKIM and SPF authenticity would be passed as legitimate, essentially allowing it to route emails on behalf of its customers.
“EchoSpoofing”
The bypass turned out to have two parts to it. The first was to beat the SPF IP-to-domain check, which was achieved by sending their spoofed emails from an SMTP server in their control through an Office365 account. This stops spoofing when email originates on those accounts but not, crucially, when relaying emails from external SMTP servers.
Source link
lol
Mystified as to how this was possible, Guardio noticed that the phishing emails all originated on an SMTP virtual server routed via Office365 Online Exchange before entering a domain-specific relay server operated by Proofpoint. Importantly, that final Proofpoint server was where the DKIM and SPF authenticity would be passed as legitimate, essentially allowing it to…
Recent Posts
- Google says “Enhanced protection” feature in Chrome now uses AI
- Scammers target UK senior citizens with Winter Fuel Payment texts
- Malicious PyPI package with 37,000 downloads steals AWS keys
- Microsoft says recent Windows 11 updates break SSH connections
- Hands on with AI features in Windows 11 Paint and Notepad