Phishers exploited Proofpoint weakness to spoof emails from IBM, Nike, and more
- by nlqip
Mystified as to how this was possible, Guardio noticed that the phishing emails all originated on an SMTP virtual server routed via Office365 Online Exchange before entering a domain-specific relay server operated by Proofpoint.
Importantly, that final Proofpoint server was where the DKIM and SPF authenticity would be passed as legitimate, essentially allowing it to route emails on behalf of its customers.
“EchoSpoofing”
The bypass turned out to have two parts to it. The first was to beat the SPF IP-to-domain check, which the attackers achieved by sending their spoofed emails from an SMTP server under their control through an Office365 account. Office365 stops spoofing when email originates on those accounts but not, crucially, when relaying emails from external SMTP servers.
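As a defender-side illustration of the relay path described above (an added example, not code from Guardio, Proofpoint or this article), the sketch below walks a message's Received chain and flags mail that an external SMTP host handed to Office365 before it reached the relay. The `.o365.example` and `.gateway.example` suffixes and both sample messages are constructed placeholders; substitute the hostnames your own headers show.

```python
import re
from email import message_from_string

# Placeholder suffixes (assumptions, not from the article); use your real hostnames.
O365 = (".o365.example",)
GATEWAY = (".gateway.example",)
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)

def hops(raw):
    """Return (from_host, by_host) for each Received header, oldest hop first."""
    msg = message_from_string(raw)
    found = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            found.append((m.group(1).lower(), m.group(2).lower().rstrip(";")))
    return found

def relayed_from_outside(raw):
    """True when an external host fed Office365, which then fed the gateway.

    Triage heuristic only: hops older than the Office365 one are sender-written.
    """
    entered_from_outside = False
    for src, dst in hops(raw):
        if dst.endswith(O365) and not src.endswith(O365):
            entered_from_outside = True
        elif entered_from_outside and src.endswith(O365) and dst.endswith(GATEWAY):
            return True
    return False

# Constructed sample headers (not captured traffic).
SPOOFED = """Received: from mx1.o365.example (mx1.o365.example [198.51.100.10])
\tby relay1.gateway.example with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from smtp.sender.example (smtp.sender.example [203.0.113.7])
\tby mx1.o365.example with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
From: "Brand" <news@brand.example>

body
"""
NATIVE = SPOOFED.replace("smtp.sender.example", "mbx7.o365.example")

if __name__ == "__main__":
    print(relayed_from_outside(SPOOFED), relayed_from_outside(NATIVE))
```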