Proofpoint Email Routing Vulnerability Exploited to Distribute Millions of Fake Phishing Emails


An as-yet unidentified threat actor has been linked to a large-scale fraud operation that abused an email routing misconfiguration in the infrastructure of email security vendor Proofpoint to send millions of spoofed emails impersonating prominent companies such as Best Buy, IBM, Nike, and Walt Disney.

“These forged emails originated from legitimate Proofpoint email relays with validated SPF and DKIM certifications, thus skirting significant security measures — all with the intention to mislead recipients and pilfer finances and credit card information,” stated Nati Tal, a researcher from Guardio Labs, in a comprehensive report shared with The Hacker News.

Guardio Labs has named the campaign EchoSpoofing. The activity is believed to have begun in January 2024, with the threat actor abusing the weakness to send an average of up to three million emails a day, peaking at 14 million in early June as Proofpoint began rolling out countermeasures.

“The most distinct and potent feature of this method is the spoofing technique – leaving almost no room for detecting that these are not genuine emails sent by those corporations,” remarked Tal to the media outlet.

“The concept of EchoSpoofing is truly potent. It’s curious that it has been employed for large-scale phishing like this instead of a targeted spear-phishing campaign – where an attacker could swiftly assume any real team member’s identity from a company and communicate with other colleagues, potentially gaining access to internal data or credentials and even compromising the whole organization.”

What sets the technique apart is that the messages, which the threat actor sends from an SMTP server on a virtual private server (VPS), nonetheless pass the receiving side's SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks. Both are email authentication mechanisms meant to stop impostors from sending mail as a domain they do not control: SPF checks whether the IP address delivering a message is authorized by the purported sender's domain, and DKIM verifies a cryptographic signature added by the sending domain's infrastructure. Because the spoofed messages left Proofpoint's relays, which the customers' domains authorize and which sign outbound mail, both checks passed.
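The following Python is an added example, not code from the article, from Guardio or from Proofpoint. It implements a small subset of SPF evaluation (the ip4, include and all mechanisms) over a constructed DNS zone, to show why the spoofed mail passed: the receiving server only evaluates the IP address of the last hop that delivered the message, and a customer's SPF record authorizes its hosted relay's IP ranges. The same message that fails SPF when sent straight from the attacker's VPS passes once the relay is the delivering host. All domain names, records and IP addresses here are constructed for the demonstration.

```python
import ipaddress

# Constructed DNS zone for the demonstration; none of these names, records or
# addresses are real. The customer's SPF record delegates to an include: that
# lists the outbound IP ranges of its hosted email relay, which is how a domain
# authorizes a vendor to send on its behalf.
ZONE = {
    "customer.example": "v=spf1 include:spf.relay.example -all",
    "spf.relay.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    "attacker-tenant.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, mail_from_domain, zone=ZONE, depth=0):
    """Minimal SPF evaluator supporting ip4, include and all (RFC 7208 subset).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Note what is *not* an input: the Received chain. SPF looks only at the
    IP address of the host that is delivering the message right now.
    """
    if depth > 10:  # RFC 7208 caps DNS-causing lookups at 10
        return "permerror"
    record = zone.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the referenced record yields "pass"
            matched = check_spf(ip, term[len("include:"):], zone, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms this toy evaluator does not implement
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def echo_spoofing_path():
    """Compare the receiver's verdict for the same spoofed message on two paths."""
    spoofed_domain = "customer.example"
    direct = check_spf("192.0.2.10", spoofed_domain)     # VPS delivers directly
    relayed = check_spf("203.0.113.25", spoofed_domain)  # same mail, last hop is the relay
    return {"direct_from_vps": direct, "via_customer_relay": relayed}


if __name__ == "__main__":
    print(echo_spoofing_path())  # {'direct_from_vps': 'fail', 'via_customer_relay': 'pass'}
```

The point for defenders is that SPF and DKIM authenticate the infrastructure a message last passed through, not who injected it into that infrastructure; once an attacker can get a relay that the domain authorizes to forward their mail, both checks work in the attacker's favour.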


At the heart of the issue is the routing of these emails from attacker-controlled Microsoft 365 tenants through the email infrastructure of Proofpoint's enterprise customers, from where they are delivered to users of free email services such as Yahoo!, Gmail, and GMX.

This was possible because of what Guardio described as an “exceptionally permissive misconfiguration flaw” in Proofpoint servers (“pphosted.com”) that effectively allowed spammers to use the email infrastructure to send these messages.

“The main cause is a configurable email routing setting on Proofpoint servers that enabled the relaying of outbound messages from Microsoft 365 domains, without specifying the specific Microsoft 365 domains to authorize,” explained Proofpoint in a coordinated report shared with The Hacker News.

“Any email system providing this email routing setting can be manipulated by spammers.”


In other words, an attacker could set up rogue Microsoft 365 tenants, send spoofed messages to Proofpoint’s relay servers, and have those servers “echo” the messages back out as legitimate mail from the customers’ domains.

This was done by configuring the Microsoft 365 tenant’s outbound Exchange connector to point directly at the customer’s vulnerable pphosted.com endpoint. A cracked copy of PowerMTA, a legitimate bulk email delivery tool, was used to send the messages.
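As an added illustration, not Proofpoint’s code and not a description of its actual implementation, the following Python models the two relay rules the article contrasts: the permissive one that relayed anything arriving from Microsoft 365 for the customer’s domains, and the corrected one that also requires the sending tenant to be on an allowlist, refusing all others by default, as Proofpoint later describes. How the relay learns which tenant sent a message is an assumption here; Exchange Online does stamp outbound mail with an X-OriginatorOrg header naming the sending tenant, but the article does not say whether Proofpoint’s fix relies on it. All names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address range standing in for the cloud mail provider's outbound
# IP space; not the real Microsoft 365 ranges.
CLOUD_MAIL_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class RelayRequest:
    source_ip: str         # host that connected to the relay
    tenant: str            # sending tenant as identified by the cloud provider (assumed input)
    mail_from_domain: str  # envelope sender domain the message claims


def from_cloud_mail(ip):
    """True when the connecting host is inside the cloud provider's IP space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_MAIL_RANGES)


def permissive_policy(req, customer_domains):
    """The weak rule: relay anything that arrives from the cloud provider's
    IP space claiming one of the customer's domains. Which tenant sent it is
    never checked, so a rogue tenant that points its outbound connector at
    this relay is indistinguishable from the customer's own tenant."""
    return from_cloud_mail(req.source_ip) and req.mail_from_domain in customer_domains


def restricted_policy(req, customer_domains, authorized_tenants):
    """The corrected rule: same checks, plus the sending tenant must be on the
    customer's allowlist. Tenants not listed are refused by default."""
    return permissive_policy(req, customer_domains) and req.tenant in authorized_tenants


def evaluate(requests, customer_domains, authorized_tenants):
    """Return, per request, what each policy would do, to make the gap visible."""
    return [
        {
            "tenant": r.tenant,
            "permissive": permissive_policy(r, customer_domains),
            "restricted": restricted_policy(r, customer_domains, authorized_tenants),
        }
        for r in requests
    ]


# Constructed sample: the customer's real tenant and an attacker-created one.
# Both arrive from the cloud provider's IPs and both claim the customer's domain;
# a third request comes straight from the spammer's VPS and bypasses nothing.
CUSTOMER_DOMAINS = {"customer.example"}
AUTHORIZED_TENANTS = {"customer.example"}
SAMPLE_REQUESTS = [
    RelayRequest("203.0.113.40", "customer.example", "customer.example"),
    RelayRequest("203.0.113.41", "attacker-tenant.example", "customer.example"),
    RelayRequest("192.0.2.10", "attacker-tenant.example", "customer.example"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS, CUSTOMER_DOMAINS, AUTHORIZED_TENANTS):
        print(row)
```

The second sample request is the EchoSpoofing case: it is accepted by the permissive rule because a tenant identity is never consulted, and rejected by the restricted rule because the attacker’s tenant is not on the customer’s allowlist.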


“The spammer utilized a rotating set of leased virtual private servers (VPS) from different providers, employing multiple IP addresses to deliver rapid bursts of thousands of messages at once from their SMTP servers, transmitted to Microsoft 365 for relay to Proofpoint-hosted customer servers,” said Proofpoint.

“Microsoft 365 approved these counterfeit messages and forwarded them to these customers’ email systems for relaying. When customer… domains were forged during their transit through the corresponding customer’s email system, alongside the implementation of DKIM signing as the messages passed through the Proofpoint infrastructure, effectively enhancing the spam messages’ deliverability.”

The EchoSpoofing technique was likely chosen because it let the operators make money illicitly while keeping the risk of exposure low over a long period. Targeting the impersonated companies directly would have raised the chance of detection and put the whole operation at risk.

Nevertheless, the identity of the parties behind the campaign remains unclear. Proofpoint has indicated that the activity does not align with any recognized threat actor or group.

“In March, Proofpoint researchers uncovered spam campaigns being transmitted through a limited number of Proofpoint customers’ email systems by sending spam from Microsoft 365 accounts,” the company said in its report. “All indications suggest that this activity was orchestrated by a single spam actor, whose identity remains undisclosed.”

“Following the discovery of this spam campaign, we have diligently worked to offer rectification guidelines, including the implementation of a simplified administrative interface for customers to specify authorized M365 accounts for relaying, with all other M365 accounts restricted by default.”

Proofpoint stressed that no customer data was exposed and no data loss occurred as a result of the campaigns. It has also contacted some customers directly to change their settings so the outbound relay spam cannot continue.

“As we commenced blocking the spam activities, the perpetrator expedited their testing and swiftly shifted their focus to alternate customers,” highlighted the company. “We have established a continuous process of daily identification of affected customers, re-prioritizing outreach efforts to rectify configurations.”

To curb such spam, the recommendations accompanying the disclosure call on VPS providers to limit their customers’ ability to send large volumes of mail from SMTP servers on their infrastructure, and on email service providers to restrict free-trial and newly created, unverified accounts from sending bulk outbound mail and from sending messages that claim a domain they do not own.

“For CISOs, the key lesson here is to exercise extra caution regarding your organization’s cloud posture – particularly in utilizing third-party services that underpin your company’s networking and communication infrastructure,” mentioned Tal. “Especially when it comes to email communications, always maintain oversight and control of your resources – even if you place full trust in your email service provider.”

“And for other companies offering foundational services like this – akin to what Proofpoint has done – it is important to remain vigilant and proactive in anticipating all forms of threats. Not just those directly impacting your clients but also the broader public at large.

“This responsibility is paramount for the collective safety of us all, and companies that shape and operate the backbone of the internet, regardless of ownership, bear the utmost responsibility. Just like the saying goes, in a somewhat different context but equally relevant here: ‘With great power comes great responsibility.’”
