Cybersecurity researchers at Guardio Labs have discovered a “critical in-the-wild exploit” that allowed cybercriminals to override email protections offered by Proofpoint, pose as major companies, and send millions of spoofed emails aimed at stealing funds and credit card details.
Proofpoint’s Secure Email Relay Solution allows customers to block unwanted phishing emails that can lead to data breaches and social engineering scams. However, malicious actors bypassed these protections through an exploit researchers have dubbed “EchoSpoofing.”
Such a vulnerability could easily be abused by cybercriminals looking to get past email filters to steal sensitive information from companies. “It can be easily converted from large-scale phishing to a boutique spear-phishing campaign where an attacker can swiftly take any real company team member identity and send emails to other co-workers,” says Nati Tal, the author of the report and head of Guardio Labs. “Eventually, through high-quality social engineering, [they can] get access to internal data or credentials and even compromise the entire company.”
In a statement to PCMag, Tal said Guardio Labs doesn’t have “any proof or trace of this being done” but also noted that only Proofpoint would be in a position to potentially capture this activity. “We understood from them that they couldn’t see any usage like this, only phishing attacks targeting other users outside of those organizations and around the world.”
Tal says Guardio Labs worked closely with Proofpoint to address the issue. “We’ve shared with Proofpoint the exact domains we see being actively spoofed; those customers were directly approached by Proofpoint engineers to make the change swift and fail-free.”
Proofpoint tells PCMag that “these campaigns did not expose any Proofpoint customer data, and no customer experienced any data loss as a result.” The company also confirmed that this phishing campaign “was indeed limited to phishing attacks targeting other users outside of those organizations.”
Among the top spoofed domains were ibm.com, disney.com, nike.com, and bestbuy.com.
At issue was a weakness in the default settings of Proofpoint's relay service, which allowed senders outside an organization to send outgoing mail from that organization's domain. Most affected companies weren't aware that Proofpoint's default settings were insecure, or that there was a way to prevent this, according to the report.
Another flaw was that Microsoft 365 doesn't require proof of domain ownership for mail sent through its servers, and that an Outlook server can send millions of emails a day without being blocked. "Gmail will never block Outlook's servers due to rate limits as those are built to send millions of emails each hour—by feature," according to the report.
That combination let attackers armed with "an arsenal of SMTP servers" push mail bearing the spoofed domains through Microsoft 365 and on to Proofpoint's relay, which then sent out what appeared to be genuine emails on behalf of major companies.
“An attacker needs only find a way to send spoofed emails through the Proofpoint relay, and Proofpoint will do all the rest. They needed to find a way in for that, and they did,” the report says.
It’s possible to add rules to prevent this, but the process “is entirely manual and requires custom rules, scripts, and maintenance,” the report says. “Most customers were not aware of this in the first place, and the default option was not secure at all.”
Since it became aware of the flaw in March 2024, Proofpoint adjusted its Admin panel to improve the default configuration process via alerts and by “clearly describ[ing] the potential risks, allowing customers to approve tenants and easily monitor for any signs of misuse,” Guardio Labs says.
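The difference between the insecure default the article describes (any Microsoft 365 tenant may relay mail for a customer domain) and a per-customer approved-tenant list can be shown with a small policy check. This is an added example, not Proofpoint's code or anything from the Guardio Labs report. It assumes the originating tenant is identified by the X-OriginatorOrg header that Microsoft 365 adds to outbound mail; the domains, tenant names and messages below are constructed for the example.

```python
"""Illustrative relay policy: insecure default vs. approved-tenant allow-list.

Added example, not Proofpoint's implementation. Assumes the sending
tenant is readable from the X-OriginatorOrg header; all domains,
tenants and messages here are constructed test data.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: customer domain -> tenants permitted to relay for it.
APPROVED_TENANTS = {
    "example-customer.com": {"example-customer.onmicrosoft.com"},
}


@dataclass
class Verdict:
    accept: bool
    reason: str


def sender_domain(raw: str) -> str:
    """Domain of the From: header, lower-cased."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def originating_tenant(raw: str) -> str:
    """Tenant that handed the message to Microsoft 365 (assumed header)."""
    return (message_from_string(raw).get("X-OriginatorOrg") or "").strip().lower()


def relay_policy(raw: str, *, enforce_allow_list: bool) -> Verdict:
    """Decide whether the relay should sign and send this message.

    enforce_allow_list=False models the insecure default: arriving via a
    Microsoft 365 tenant is treated as sufficient proof of authorization.
    enforce_allow_list=True requires the tenant to be approved for the domain.
    """
    domain = sender_domain(raw)
    tenant = originating_tenant(raw)
    if domain not in APPROVED_TENANTS:
        return Verdict(False, f"{domain} is not a relay customer")
    if not enforce_allow_list:
        return Verdict(True, "default: any Microsoft 365 tenant accepted")
    if tenant in APPROVED_TENANTS[domain]:
        return Verdict(True, f"tenant {tenant} approved for {domain}")
    return Verdict(False, f"tenant {tenant!r} not approved for {domain}")


def unapproved_senders(messages: list[str]) -> set[tuple[str, str]]:
    """(domain, tenant) pairs that relayed for a customer without approval.

    Useful as a monitoring query over relay logs: anything returned here is
    a tenant sending as a customer domain that the customer never approved.
    """
    hits = set()
    for raw in messages:
        domain, tenant = sender_domain(raw), originating_tenant(raw)
        if domain in APPROVED_TENANTS and tenant not in APPROVED_TENANTS[domain]:
            hits.add((domain, tenant))
    return hits


# Constructed messages. LEGIT comes from the customer's own tenant; SPOOFED
# carries the customer's domain in From: but originates from another tenant;
# FOREIGN is not for a relay customer at all.
LEGIT = """From: Billing <billing@example-customer.com>
To: someone@example.org
Subject: Invoice
X-OriginatorOrg: example-customer.onmicrosoft.com

Your invoice is attached.
"""

SPOOFED = """From: Promotions <promo@example-customer.com>
To: victim@example.org
Subject: Your reward
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

Claim your gift card now.
"""

FOREIGN = """From: news@unrelated-domain.test
To: victim@example.org
Subject: Hello
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

Hi.
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED), ("FOREIGN", FOREIGN)):
        for mode in (False, True):
            v = relay_policy(raw, enforce_allow_list=mode)
            print(f"{name:8} allow_list={mode!s:5} accept={v.accept!s:5} {v.reason}")
    print("unapproved:", unapproved_senders([LEGIT, SPOOFED]))
```

Under the default mode the spoofed message is accepted purely because it arrived from a Microsoft 365 tenant; with the allow-list enforced it is rejected, and the monitoring function surfaces the offending tenant so the customer can see the misuse rather than discover it from recipients' complaints.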
Also used in this exploit was a "cluster of VPSs (Virtual Private Servers)." Those servers were managed with software called PowerMTA, which is legitimate, but researchers from Guardio Labs say: "When looking around some dark-web markets, you quickly realize this is not the first time this tool is being abused:"
The report notes that “despite Proofpoint’s efforts to alert Microsoft about compromised Office365 accounts, these accounts remained active for over seven months and counting.”
Microsoft could not be immediately reached for comment.
A Well-Orchestrated Campaign
This campaign, which researchers described as “well-orchestrated,” began in January 2024, sending an average of 2-3 million emails daily. Since then, roughly “360 million emails (180 days with 2m each day) have been sent using this method,” according to Tal.
At the exploit’s peak in early June, cybercriminals sent 14 million malicious emails daily while posing as Disney, according to the report.
The exploit is still being abused, albeit at a much lower rate. "As of today, we see a considerable decrease in this campaign, with the last spoofed email batch (around 2M emails) sent out on July 22 and the one before that on July 12. Nothing else was sent for several days in between and since [as of July 26]," according to Tal.
Mitigating the issue hasn't been a simple fix. "They can't just enforce this change, as it may (and probably will) break production environments for those customers," says Tal.
The Guardio Labs report also notes that “with ‘EchoSpoofing,’ the technical challenge lies in enhancing an old, insecure protocol like SMTP, which suffers from fragmentation and inconsistent implementation across different vendors. Moreover, integrating security measures with Microsoft Exchange, a nearly 30-year-old platform over which users have little control, adds another layer of complexity.”
Editors’ Note: This story was updated with comment from Proofpoint.