{"id":46022,"date":"2024-07-29T09:48:54","date_gmt":"2024-07-29T13:48:54","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=46022"},"modified":"2024-07-29T21:25:53","modified_gmt":"2024-07-30T01:25:53","slug":"proofpoint-configuration-problem-exploited-in-huge-spam-attacks","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/proofpoint-configuration-problem-exploited-in-huge-spam-attacks\/","title":{"rendered":"Proofpoint configuration problem exploited in huge spam attacks"},"content":{"rendered":"<p>Proofpoint is a commercial email security service aimed at protecting organizations. However, until recently a threat actor was able to abuse Proofpoint relay servers to spoof authenticated emails that seemed to come from brand names like Disney+, Fox News, Coca-Cola, Nike, IBM and others.<\/p>\n<p>Researchers at Guardio Labs call the technique echo spoofing, and say it has been sending millions of phony emails since January.<\/p>\n<p>\u201cThese emails echoed from official Proofpoint email relays with authenticated SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail, a method of email authentication that helps prevent impersonating a legitimate domain) signatures, thus bypassing major security protections,\u201d <a href=\"https:\/\/labs.guard.io\/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6\" target=\"_blank\" rel=\"noopener\">the researchers said in a report released Monday.<\/a><\/p>\n<p>The goal: To deceive email recipients and steal funds and credit card details.<\/p>\n<p>For example, a recipient would get an email that looked like it came from disney.com saying their Disney+ account had expired and asking them to take action. Clicking on the included link sends victims to a fake Disney page with a tempting offer.<\/p>\n<p>Spoofing the \u201cFROM\u201d address is supposed to be almost impossible if corporate email servers are configured with SPF and DKIM. 
However, in this email campaign the unnamed threat actor was able to get their fake messages properly signed.<\/p>\n<p>Briefly, the attacker took advantage of Proofpoint\u2019s trust in emails coming from Microsoft Office365, and a flaw in Outlook365. In the fake Disney+ email example, the messages came from an Office365 account. Normally a sender needs to prove to Microsoft that it owns the domain used in the FROM address or sending account. But not, apparently, if the email is being relayed by another service, like Proofpoint. For its part, Proofpoint lets customers trust messages coming from Outlook365 \u2013 or, more accurately, from a range of IP addresses \u2013 under a configuration option for hosted services. Those messages are trusted unless a special rule is added.<\/p>\n<p>Guardio calls this a \u201csuper-permissive misconfiguration flaw.\u201d<\/p>\n<p>The attackers needed the specific mail server hostname for each spoofed domain \u2013 disney.com, for example. But that is not hard to find: organizations publish it in their publicly available mail exchange (MX) record.<\/p>\n<p>A daily average of 3 million perfectly spoofed emails was sent this way, the researchers say.<\/p>\n<p>Proofpoint, which had started tracking this campaign, was alerted by Guardio in May and notified customers of the configuration problem. \u201cOnce the campaign was spotted and Proofpoint customers started to patch and block this exploit, the threat actor realized the decline and started burning out assets \u2014 realizing \u2018the end is near,\u2019\u201d the report says.<\/p>\n<p>On the other hand, some compromised Office365 accounts are still active.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Proofpoint is a commercial email security service aimed at protecting organizations. However, until recently a threat actor was able to abuse Proofpoint relay servers to spoof authenticated emails that seemed to come from brand names like Disney+, Fox News, Coca-Cola, Nike, IBM and others. 
Researchers at Guardio Labs call the technique echo spoofing, and say [&hellip;]<\/p>\n","protected":false},"author":17,"featured_media":46030,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[16],"tags":[443,1365,275],"class_list":["post-46022","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-cyber-security","tag-todays-news","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/46022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=46022"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/46022\/revisions"}],"predecessor-version":[{"id":46024,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/46022\/revisions\/46024"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/46030"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=46022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=46022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=46022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}