In January 2024, a significant phishing campaign, dubbed "EchoSpoofing," was uncovered exploiting weak permissions in Proofpoint's email protection service. This vulnerability enabled the distribution of millions of spoofed emails impersonating major entities like Disney, Nike, IBM, and Coca-Cola, primarily targeting Fortune 100 companies.
The campaign managed to disseminate an average of 3 million spoofed emails daily, peaking at 14 million emails in early June 2024. These emails aimed to steal sensitive personal information and incur unauthorised charges. Notably, the phishing emails included correctly configured Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) signatures, making them appear authentic to recipients.
Discovery and Mitigation Efforts
Guardio Labs played a crucial role in identifying the phishing campaign and the security gap in Proofpoint's email relay servers. In May 2024, they notified Proofpoint of the issue and collaborated on fixing it.
Execution of the EchoSpoofing Campaign
To execute this campaign, threat actors set up their own SMTP servers to create spoofed emails with manipulated headers. These emails were then relayed through Proofpoint's relay servers using compromised or rogue Microsoft Office 365 accounts. The attackers utilised Virtual Private Servers (VPS) hosted by OVHCloud and Centrilogic, registering various domains through Namecheap.
The attackers leveraged a permissive SPF record configured on domains by the email security service, enabling them to pass SPF checks and send emails through Proofpoint's servers. When configuring a domain to use Proofpoint's email gateway, the company provided an option to select various email services for relaying emails. Selecting Office 365 created an overly permissive SPF record, allowing any Office 365/Microsoft 365 account to relay email through Proofpoint's secure email service.
For DKIM, companies working with Proofpoint uploaded their DKIM private keys to the platform, ensuring emails flowing through the service were properly signed. As a result, emails passing both DKIM and SPF checks were delivered to inboxes without being flagged as spam. Major email platforms, such as Gmail, treated these emails as authentic, delivering them to inboxes rather than spam folders. The emails featured lures related to the impersonated brand, such as account expirations or renewal/payment approval requests.
Strengthening Security Measures
Proofpoint, in a coordinated report, stated they had been monitoring this campaign since March 2024. With the technical Indicators of Compromise (IOCs) shared by Guardio, Proofpoint successfully mitigated these attacks and provided new settings and advice to prevent future occurrences.
Proofpoint has published a detailed guide on adding anti-spoof checks and tightening email security. However, some organisations did not perform the necessary manual actions to prevent abuse, allowing campaigns like EchoSpoofing to materialise. To address this, Proofpoint reached out to customers with permissive settings, assisting them in securing their account configurations.
Additionally, Proofpoint introduced the 'X-OriginatorOrg' header to help verify email sources and filter out non-legitimate and unauthorised emails. A new Microsoft 365 onboarding configuration screen allows customers to set more restrictive permissions on Microsoft 365 connectors, specifying which Microsoft 365 tenants can be relayed through Proofpoint's servers.
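As an added illustration (not Proofpoint's code or part of the original article), the following Python shows the kind of tenant allow-list check that the restrictive Microsoft 365 connector setting amounts to: the relay decision keys on the X-OriginatorOrg header and the From domain rather than on SPF or DKIM, because the relay itself signs whatever it accepts. The tenant names, customer domain and message samples are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allow-list: customer domain -> Microsoft 365 tenants permitted
# to relay mail for that domain. All names here are placeholders.
ALLOWED_TENANTS = {
    "example-brand.com": {"examplebrand.onmicrosoft.com"},
}

def relay_decision(raw_message: str, allowed=ALLOWED_TENANTS) -> str:
    """Decide whether an outbound relay request should be accepted.

    SPF and DKIM cannot be the gate here: the relay signs whatever it
    accepts, which is exactly what EchoSpoofing abused. The decision keys
    on which tenant handed the message to the relay (X-OriginatorOrg) and
    whether that tenant is authorised for the From domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in allowed:
        return "reject-domain-not-customer"
    tenant = (msg.get("X-OriginatorOrg") or "").strip().lower()
    if not tenant:
        return "reject-missing-header"
    if tenant not in allowed[from_domain]:
        return "reject-unknown-tenant"
    return "relay"

# Constructed samples. SPOOFED mimics the campaign: the From domain is a
# customer's brand, but the message arrived from an unrelated tenant.
LEGIT = (
    "From: Billing <billing@example-brand.com>\n"
    "X-OriginatorOrg: examplebrand.onmicrosoft.com\n"
    "Subject: Your invoice\n\nHello\n"
)
SPOOFED = (
    "From: Billing <billing@example-brand.com>\n"
    "X-OriginatorOrg: roguetenant.onmicrosoft.com\n"
    "Subject: Payment approval required\n\nPlease approve\n"
)
NO_HEADER = "From: news@example-brand.com\nSubject: Renewal\n\nHi\n"

if __name__ == "__main__":
    for name, sample in [("legit", LEGIT), ("spoofed", SPOOFED), ("no-header", NO_HEADER)]:
        print(f"{name}: {relay_decision(sample)}")
```

A message that passes this gate is the only one the relay should DKIM-sign; everything else is logged and dropped before signing, so a compromised or rogue tenant cannot borrow a customer's SPF and DKIM standing.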
Proofpoint has notified affected customers about the abuse of their brands in this large-scale operation. While Microsoft has been informed of the Microsoft 365 abuse, some offending accounts have remained active for over seven months.
To Sum Up
The EchoSpoofing campaign highlights the critical importance of robust email security configurations. Proofpoint's swift actions and ongoing efforts to tighten security settings demonstrate a commitment to protecting customers from sophisticated phishing attacks. Organisations are urged to review and update their email security measures to prevent similar vulnerabilities in the future.