Proofpoint configuration problem exploited in huge spam attacks


Proofpoint is a commercial email security service aimed at protecting organizations. However, until recently a threat actor was able to abuse Proofpoint relay servers to spoof authenticated emails that seemed to come from brand names like Disney+, Fox News, Coca-Cola, Nike, IBM and others.

Researchers at Guardio Labs call the technique echo spoofing, and say it has been sending millions of phony emails since January.

“These emails echoed from official Proofpoint email relays with authenticated SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail, a method of email authentication that helps prevent impersonating a legitimate domain) signatures, thus bypassing major security protections,” the researchers said in a report released Monday.

The goal: To deceive email recipients and steal funds and credit card details.

For example, a recipient would get an email that looked like it came from disney.com saying their Disney+ account had expired and asking them to take action. Clicking on the included link sends victims to a fake Disney page with a tempting offer.

Spoofing the “FROM” address is supposed to be almost impossible if corporate email servers are configured with SPF and DKIM. However, in this email campaign the unnamed threat actor was able to get their fake messages properly signed.

Briefly, the attacker took advantage of Proofpoint’s trust in email coming from Microsoft Office365, and a flaw in Outlook365. In the fake Disney+ emails, for example, the messages came from an Office365 account. Normally a sender has to prove to Microsoft that it owns the domain used in the FROM address or sending account, but apparently not if the email is being relayed by another service, like Proofpoint. For its part, Proofpoint lets customers trust messages coming from Outlook365, or more accurately from a range of IP addresses, under a configuration option for hosted services. Those messages are trusted unless a special rule is added.

Guardio calls this a “super-permissive misconfiguration flaw.”

The attackers needed the specific hostname for each spoofed domain – for example, disney.com. But it’s not hard to find: Organizations set it in their publicly available mail exchange (MX) record.
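To make the trust decision concrete, here is a small Python model (an added example, not Proofpoint's code or configuration) of the permissive relay rule beside the per-customer rule the article describes; the IP range, tenant identifiers and domains are constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the trusted hosted-service address range
# (a documentation prefix, not Microsoft's real range).
HOSTED_SERVICE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class RelayRequest:
    source_ip: str    # address the message arrives from
    from_domain: str  # domain in the FROM address the relay will sign for
    tenant: str       # hypothetical identifier of the sending Office365 tenant


def from_trusted_range(req: RelayRequest) -> bool:
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in HOSTED_SERVICE_RANGES)


def permissive_relay_allowed(req: RelayRequest) -> bool:
    """Super-permissive setting: anything from the trusted range is relayed
    and signed, with no check that the sender is entitled to the FROM domain."""
    return from_trusted_range(req)


def restricted_relay_allowed(req: RelayRequest, allowed_tenants: dict) -> bool:
    """The 'special rule': the customer lists which tenants may send for each
    of its domains, and the relay signs only for those."""
    if not from_trusted_range(req):
        return False
    return req.tenant in allowed_tenants.get(req.from_domain, set())


def spoofable(requests, allowed_tenants) -> list:
    """Requests the permissive rule would sign but the restricted rule rejects,
    i.e. messages a foreign tenant could have echoed through the relay."""
    return [r for r in requests
            if permissive_relay_allowed(r) and not restricted_relay_allowed(r, allowed_tenants)]


# Constructed sample traffic: a legitimate tenant, a foreign tenant inside the
# trusted range, and a connection from outside the range.
SAMPLE_REQUESTS = [
    RelayRequest("203.0.113.10", "example.com", "tenant-legit"),
    RelayRequest("203.0.113.77", "example.com", "tenant-other"),
    RelayRequest("198.51.100.5", "example.com", "tenant-legit"),
]
ALLOWED_TENANTS = {"example.com": {"tenant-legit"}}

if __name__ == "__main__":
    for r in spoofable(SAMPLE_REQUESTS, ALLOWED_TENANTS):
        print("signed under the permissive rule only:", r)
```

Only the second sample request differs between the two rules: it is inside the trusted range but comes from a tenant the domain owner never authorized.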

A daily average of 3 million perfectly spoofed emails were sent this way, the researchers say.

Proofpoint, which had started tracking this campaign, was alerted by Guardio in May and notified customers of the configuration problem. “Once the campaign was spotted and Proofpoint customers started to patch and block this exploit, the threat actor realized the decline and started burning out assets — realizing ‘the end is near,’” the report says.

On the other hand, some compromised Office365 accounts are still active.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
