
Security researchers have discovered an exploit that allowed threat actors to bypass Proofpoint's email protections and send millions of spoofed emails aimed at stealing funds and credit card details.
Proofpoint's Secure Email Relay Solution lets customers block unwanted phishing emails that can lead to data breaches and social engineering scams. Malicious actors, however, bypassed these protections using a technique researchers have dubbed "EchoSpoofing" and used it to deliver phishing emails that steal sensitive information.
Proofpoint says these campaigns did not expose any Proofpoint customer data and that no customer experienced data loss as a result; the abuse was limited to phishing attacks targeting recipients outside the spoofed organizations.
Among the top spoofed domains were ibm.com, disney.com, nike.com, and bestbuy.com.
The root cause was a weakness in the default settings of Proofpoint's relay service, which allowed senders outside an organization to send outgoing mail from that organization's domain. Most affected companies were not aware that Proofpoint's default settings were insecure, or that there was a way to restrict them.
A second weakness was that Microsoft 365 accounts are not required to prove domain ownership when email is relayed through Microsoft's servers, and that millions of emails a day can be sent without being blocked when they come from an Outlook server. "Gmail will never block Outlook's servers due to rate limits as those are built to send millions of emails."
That combination let malicious actors, armed with an array of SMTP servers, send messages spoofing those domains through Microsoft 365 accounts that forwarded them to Proofpoint's relay, which in turn delivered what appeared to be genuine emails sent on behalf of major companies.
It is possible to add rules that prevent this, but the process is entirely manual and requires custom rules, scripts, and ongoing maintenance. Most customers were not aware of this in the first place, and the default option was not secure at all.
Proofpoint has since adjusted its admin panel to improve the default configuration process, adding alerts and a clear description of the risks, so that customers can approve specific tenants and easily monitor for any signs of misuse.
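To make the difference between the insecure default and the per-tenant approval concrete, here is an added example written for this article (it is not Proofpoint's or Guardio Labs' code). It models a relay's accept/reject decision for an outbound message. It assumes the relay sees the connecting IP address and the message headers, that the originating Microsoft 365 tenant is identified by the X-OriginatorOrg header that Exchange Online stamps on outbound mail (assumed here to be outside the sender's control), and it uses a constructed placeholder IP range in place of Microsoft's real published ranges; the domain, tenant names and sample messages are all constructed.

```python
"""Relay acceptance policy: insecure default vs. per-tenant allowlist.

Added example for illustration, not Proofpoint's or Guardio Labs' code.
Assumptions (hypothetical): the relay knows the client IP and headers,
and Exchange Online stamps the sending tenant into X-OriginatorOrg.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder standing in for the Microsoft 365 outbound mail
# ranges. These are NOT Microsoft's real ranges (a real deployment would
# load them from Microsoft's published endpoint list).
MS365_OUTBOUND_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Hardened configuration: for each customer domain the relay signs and
# sends for, the set of Microsoft 365 tenants approved to hand it mail.
# Hypothetical domain and tenant names.
APPROVED_TENANTS = {
    "example.com": {"example.onmicrosoft.com"},
}


def sender_domain(raw_message: str) -> str:
    """Domain of the RFC 5322 From: header, lower-cased."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def originating_tenant(raw_message: str) -> str:
    """Tenant identifier stamped by the sending service (assumed header)."""
    msg = message_from_string(raw_message)
    return (msg.get("X-OriginatorOrg") or "").strip().lower()


def from_ms365(client_ip: str) -> bool:
    """True if the connecting IP is inside the (placeholder) M365 ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MS365_OUTBOUND_RANGES)


def default_policy(client_ip: str, raw_message: str) -> bool:
    """Insecure default described in the article: any message that arrives
    from the Microsoft 365 ranges is relayed for any customer domain,
    regardless of which tenant actually sent it."""
    return from_ms365(client_ip) and sender_domain(raw_message) in APPROVED_TENANTS


def hardened_policy(client_ip: str, raw_message: str) -> bool:
    """Per-tenant allowlist: the originating tenant must be approved for
    the From: domain. An attacker-owned tenant sending as example.com is
    rejected even though it connects from the Microsoft ranges."""
    if not from_ms365(client_ip):
        return False
    domain = sender_domain(raw_message)
    tenant = originating_tenant(raw_message)
    return tenant in APPROVED_TENANTS.get(domain, set())


# Constructed sample: the customer's own tenant sending legitimate mail.
LEGIT = """From: Billing <billing@example.com>
To: customer@example.net
X-OriginatorOrg: example.onmicrosoft.com
Subject: Your invoice

Thanks for your order.
"""

# Constructed sample: an attacker's own Microsoft 365 tenant sending as
# example.com without proving ownership, relayed via the same ranges.
SPOOFED = """From: Billing <billing@example.com>
To: victim@example.net
X-OriginatorOrg: attacker-tenant.onmicrosoft.com
Subject: Your invoice

Click here to update your card details.
"""


def compare_policies(client_ip: str, raw_message: str) -> dict:
    """Evaluate both policies on one message; useful for auditing which
    messages the old default would have let through."""
    return {
        "default": default_policy(client_ip, raw_message),
        "hardened": hardened_policy(client_ip, raw_message),
    }


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, compare_policies("198.51.100.10", sample))
```

The default policy trusts the network path (mail came from Microsoft, so it must be ours), which is exactly the assumption the campaign abused; the hardened policy trusts a per-domain tenant approval instead. A message from outside the Microsoft ranges, or from a domain the relay does not serve, is rejected by both.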
Despite Proofpoint's efforts to alert Microsoft about the compromised Office 365 accounts, these accounts have remained active for over seven months and counting.
This research was documented by researchers from Guardio Labs.

