Phishing Campaign Exploited Proofpoint Email Protections for Spoofing


Threat actors have exploited an issue in Proofpoint’s email protection service to spoof well-known brands as part of a broad phishing campaign, according to a report from Guardio Labs.

As part of the campaign, the attackers were able to send millions of phishing messages per day and bypass email security protections by exploiting a misconfiguration issue where excessive permissions resulted in the abuse of Proofpoint’s service to add legitimacy to the phishing messages.

Dubbed EchoSpoofing, the vulnerability allowed attackers to relay the phishing messages through Microsoft Exchange and then Proofpoint’s service so that the emails would be properly signed and authenticated.

“When we analyzed the path those emails took to reach the victims’ inboxes, we realized they all share the same characteristics—starting at a simple SMTP server on a virtual server, going through an Office365 Online Exchange server, and later entering a domain-specific Proofpoint server that dispatches the email to the targets,” Guardio explained.

Proofpoint provides customers with easy integration of its email security service, as they only need to point their emails to its servers. From there, the service acts as a firewall, dispatching the emails to their final recipients.

The Proofpoint outgoing relay server (pphosted.com) also takes care of the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication and signature, as long as the customer has properly configured and authorized Proofpoint’s endpoint to send authenticated emails on their behalf.

Analysis of the phishing emails shows they were created using attacker-controlled Office365 accounts, relayed through the Exchange server, and then delivered through the Proofpoint relay, which authenticated and signed them.

Because of how the SMTP protocol works, approved email services are not authenticated when they are added to the relay; trust is established by IP address only, and Proofpoint has pre-approved a list of IPs associated with known email services such as Office365.


However, if the customer has configured a generic Office365 account, any Office365 account can interact with the Proofpoint relay server. Because Exchange is configured to blindly relay emails without altering them, the threat actors exploited this overly permissive misconfiguration to generate spoofed emails that Proofpoint’s servers would accept and process.

“From Proofpoint, it is ‘echoed’ back and dispatched as a fully genuine email, including DKIM and SPF checks, totally aligned with the actual domain name,” Guardio said.

For the attack to work, however, the attackers would also need a unique ID for the spoofed brand, which would be extracted from the organization’s MX record, publicly available under the DNS protocol.

“Now the attacker returns to their controlled Exchange online server and sets it up as any other Proofpoint user — add a connector to your Exchange Online Server for your outgoing emails pointing to the pphosted.com server. Now, adding to the blind-relay configuration, the attacker has a full delivery chain for perfectly spoofed emails,” Guardio notes.

The exploitation of EchoSpoofing started around January 2024, with roughly three million phishing emails sent per day, with peaks of 14 million emails observed. The campaign spoofed brands such as Disney, BestBuy, Coca-Cola, IBM, and Nike to steal victims’ funds and credit card information.

Proofpoint, which had been aware of the abuse since March, was notified in May, and engaged in a broad effort to notify its customers of the misconfigurations. However, many compromised Office365 accounts used in the campaign remain unpatched.

Additionally, because the campaign leveraged exposed Office365 integrations, Proofpoint deployed a mitigation based on a unique vendor-specific header that Exchange automatically appends to outgoing emails and that contains the Office365 account name.

Proofpoint also deployed an update to notify customers of the potential risks associated with the permissive configurations and to allow them “to approve tenants and easily monitor for any signs of misuse”.
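The two relay policies described above, modelled as an added example (not Proofpoint’s or Guardio’s code): the original policy trusts any message arriving from a pre-approved Office365 IP, while the mitigated policy also requires the vendor-specific header Exchange appends to name an approved tenant. The IP range, header name and tenant names are constructed placeholders, not Proofpoint’s actual values.

```python
import ipaddress
from email import message_from_string

# Assumption: placeholder values, not Proofpoint's real pre-approved ranges,
# header name or customer tenant identifiers.
APPROVED_SOURCE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
TENANT_HEADER = "X-Example-Tenant"                 # stands in for the vendor header
APPROVED_TENANTS = {"brand-corp.onmicrosoft.com"}  # the customer's own tenant


def source_is_approved(source_ip: str) -> bool:
    """IP-only trust: is the sending host inside a pre-approved email service?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in APPROVED_SOURCE_NETS)


def relay_decision(raw_message: str, source_ip: str, require_tenant: bool) -> str:
    """Return 'accept: ...' or 'reject: ...' for the given relay policy."""
    if not source_is_approved(source_ip):
        return "reject: source IP not in approved email-service list"
    if not require_tenant:
        # The permissive policy: any tenant behind the approved IPs is relayed,
        # signed and SPF/DKIM-aligned as if it were the customer.
        return "accept: IP-only trust"
    msg = message_from_string(raw_message)
    tenant = (msg.get(TENANT_HEADER) or "").strip().lower()
    if tenant in APPROVED_TENANTS:
        return "accept: tenant approved"
    return f"reject: tenant {tenant or '<missing>'} not approved"


# Constructed sample: a spoofed message sent from an attacker-controlled tenant.
# Exchange appends the tenant header, which does not match the brand's tenant.
SPOOFED = "\r\n".join([
    "From: promo@brand-corp.example",
    "To: victim@example.net",
    f"{TENANT_HEADER}: attacker-tenant.onmicrosoft.com",
    "Subject: Your reward",
    "",
    "Click here.",
    "",
])

if __name__ == "__main__":
    print(relay_decision(SPOOFED, "198.51.100.7", require_tenant=False))  # accept: IP-only trust
    print(relay_decision(SPOOFED, "198.51.100.7", require_tenant=True))   # reject: tenant ... not approved
```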

Related: Cisco Patches Critical Vulnerabilities in Secure Email Gateway, SSM

Related: Hacked Ethereum Foundation Account Used to Send 35,000 Phishing Emails

Related: Microsoft Email Spoofing, Snowflake Hack Ransoms, LogoFail Follow-Up
