A massive phishing campaign dubbed “EchoSpoofing” exploited now-fixed, weak permissions in Proofpoint’s email protection service to dispatch millions of spoofed emails impersonating big entities like Disney, Nike, IBM, and Coca-Cola, to target Fortune 100 companies.

The campaign started in January 2024, disseminating an average of 3 million spoofed emails daily and reaching a peak of 14 million emails in early June.

The phishing emails were designed to steal sensitive personal information and incur unauthorized charges. They also included properly configured Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) signatures, making them appear authentic to the recipients.

Guardio Labs helped discover the phishing campaign and security gap in Proofpoint’s email relay servers. In May 2024, they notified the firm and helped them fix it.

The EchoSpoofing campaign

To conduct the campaign, threat actors set up their own SMTP servers to create spoofed emails with manipulated headers and then relayed them through Proofpoint’s relay servers using compromised or rogue Microsoft Office 365 accounts.

The attackers used Virtual Private Servers (VPS) hosted by OVHCloud and Centrilogic to send those emails and used various domains registered through Namecheap.

The threat actors could pass SPF checks and send emails through Proofpoint’s servers due to a very permissive SPF record configured on domains by the email security services.

When configuring a domain to use Proofpoint’s email gateway, the company provides a configuration option to select the various email services through which you wish to allow email to be relayed.

When Office 365 is selected, an overly permissive SPF record was created, allowing any Office 365/Microsoft 365 account to relay email through Proofpoint’s secure email service.

include:spf.protection.outlook.com include:spf-00278502.pphosted.com

On the default setting, no specific accounts or tenants can be specified. Instead, Proofpoint trusted any Office 365 IP address range, meaning any account could use its relay.

For DKIM, when a company works with Proofpoint, it uploads its DKIM private keys to the platform so that emails flowing through the service are properly signed.

As the emails now passed both the DKIM and SPF checks, they were allowed to be delivered to inboxes without being flagged as spam.

Guardio Labs explains that major email platforms such as Gmail treated these emails as authentic, and instead of sending them to people’s spam folders, they delivered them to their inboxes.

The emails featured lures related to the impersonated brand, claiming account expirations, or renewal/payment approval requests.

Proofpoint tightens security

In a coordinated report from Proofpoint, the company says they had been monitoring this campaign since March,

With the technical IOCs shared by Guardio, Proofpoint was further able to mitigate these attacks and provide new settings and advice on how to prevent them in the future.

The company has a detailed guide on how users can add anti-spoof checks and tighten up their email security, but some organizations didn’t perform any of those manual actions to prevent abuse, allowing campaigns like EchoSpoofing to materialize.

Proofpoint reached out to customers with permissive settings to help them secure the configuration of their accounts.

The company introduced the ‘X-OriginatorOrg’ header to help verify the email source and filter out non-legitimate and unauthorized emails.

Also, a new Microsoft 365 onboarding configuration screen allows customers to configure more restrictive permissions on Microsoft 365 connectors. These permissions specify the Microsoft 365 tenants that can be relayed through Proofpoint’s servers.

Finally, Proofpoint has notified affected customers that phishing actors successfully abused their brands in a large-scale operation.

Although Microsoft has also been notified about the Microsoft 365 abuse, the offending accounts remain active, some for over seven months.