A massive phishing campaign dubbed “EchoSpoofing” has exploited a critical vulnerability in Proofpoint’s email protection service, allowing cybercriminals to send millions of perfectly spoofed phishing emails impersonating major brands.
The exploit, uncovered by cybersecurity firm Guardio Labs, affected Proofpoint’s system used by 87 of the Fortune 100 companies.
The massive scale of the attack not only posed a substantial threat to major corporations and their reputations but also highlighted the vulnerabilities in existing email security protocols.
The sophisticated attack leveraged Proofpoint’s infrastructure to dispatch emails that appeared to come from well-known companies such as Disney, IBM, Nike, Best Buy, and Coca-Cola.
These fraudulent messages bypassed major security protections by utilizing authenticated SPF and DKIM signatures, making them indistinguishable from legitimate communications.
Nati Tal, Head of Guardio Labs, explained, “This flaw can easily transition from widespread phishing to targeted spear-phishing attacks, allowing an assailant to quickly impersonate any legitimate employee and send deceptive emails to colleagues.”
The exploit took advantage of several vulnerabilities, including a permissive configuration in Proofpoint’s system that allowed emails from any Office365 account to be relayed through their servers. Cybercriminals used clusters of Virtual Private Servers (VPS) and a high-performance email delivery software called PowerMTA to orchestrate the campaign.
The attack campaign began in January 2024, sending an average of 2-3 million emails daily. At its peak in early June, the operation dispatched up to 14 million malicious emails per day while masquerading as Disney. Guardio Labs estimates that approximately 360 million phishing emails have been sent using this technique over 180 days.
Upon discovery, Guardio Labs collaborated with Proofpoint to address the vulnerability. Proofpoint has since updated its admin panel to enhance the default configuration process, alerting customers about potential risks and enabling them to approve specific tenants.
Proofpoint implemented a mitigation strategy using the unique vendor-specific header X-OriginatorOrg. This header, automatically appended by Exchange servers, contains the distinct Office365 account name or “tenant,” allowing for reliable verification of email sources.
Proofpoint ensured that any spoofed X-OriginatorOrg headers were stripped from outgoing emails, adding an extra layer of security to the mitigation approach.
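The tenant check described above can be sketched as a relay-side policy function. This is an added example, not Proofpoint's code: the allowlist, the function name `relay_decision`, the rule that duplicate headers are rejected, and all sample messages and tenant names are assumptions constructed for illustration.

```python
from __future__ import annotations
from email import message_from_string

# Hypothetical allowlist of Office365 tenants a customer has approved (constructed value).
APPROVED_TENANTS = frozenset({"example-corp.onmicrosoft.com"})
HEADER = "X-OriginatorOrg"


def relay_decision(raw: str, approved: frozenset[str] = APPROVED_TENANTS) -> tuple[bool, str]:
    """Return (allow, reason) for a message submitted to the relay from Office365."""
    msg = message_from_string(raw)
    values = msg.get_all(HEADER, [])
    if not values:
        # No tenant identity at all: the source cannot be verified.
        return False, "missing X-OriginatorOrg"
    if len(values) > 1:
        # Assumption of this example: duplicate copies are ambiguous, so fail closed.
        return False, "multiple X-OriginatorOrg headers"
    tenant = values[0].strip().lower()
    if tenant not in {t.lower() for t in approved}:
        # A valid Office365 account, but not one this customer approved.
        return False, f"tenant not approved: {tenant}"
    return True, f"approved tenant: {tenant}"


# Constructed sample messages (not taken from the campaign).
_BASE = "From: billing@example-corp.com\nTo: user@example.net\nSubject: Invoice\n"
SAMPLES = {
    "approved": _BASE + "X-OriginatorOrg: Example-Corp.onmicrosoft.com\n\nbody\n",
    "other_tenant": _BASE + "X-OriginatorOrg: other-tenant.onmicrosoft.com\n\nbody\n",
    "missing": _BASE + "\nbody\n",
    "duplicate": _BASE
    + "X-OriginatorOrg: example-corp.onmicrosoft.com\n"
    + "X-OriginatorOrg: other-tenant.onmicrosoft.com\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        allow, reason = relay_decision(raw)
        print(f"{name:13s} {'RELAY' if allow else 'REJECT'}  {reason}")
```

Note that the From address is identical in every sample; only the tenant header separates the approved message from the rest, which is why the relay decision keys on it rather than on the visible sender.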
While the volume of attacks has significantly decreased since the discovery, with the last major batch of spoofed emails sent on July 22, the incident serves as a stark reminder of the evolving nature of cyber threats and the importance of robust email security measures.