CyberSecurity SEE

Disney, Nike, IBM Signatures Anchor 3M Spam Emails Daily

A massive phishing campaign in the first half of 2024 utilized a flaw in Proofpoint’s email protection service and Microsoft 365 to send millions of near-undetectable emails impersonating blue chip companies. The campaign, known as “EchoSpoofing,” took advantage of a misconfiguration in Proofpoint’s secure email gateway (SEG) that allowed hackers to sign and verify credit-card scam emails as if they came from legitimate corporate accounts.

The loophole in Proofpoint’s SEG allowed the attacker to forge emails mimicking major corporations such as Disney, Best Buy, ESPN, IBM, Coca-Cola, Nike, and Fox News. By setting up their own Simple Mail Transfer Protocol (SMTP) server on a virtual server, the attacker could send out emails with fake “From” headers, fooling recipients into thinking they were legitimate. The emails were then relayed through Microsoft 365 to known Proofpoint customers, exploiting a toggle in Proofpoint’s SEG that trusted any email routed through Microsoft Office 365.

Despite Proofpoint’s efforts to patch the vulnerability, the campaign persisted, with forged emails increasing in number to millions per week and occasionally surpassing ten million. The attacker’s operational awareness and strategy of using different domains and Office 365 accounts made it difficult to detect and mitigate the attacks. However, after implementing a vendor-specific header for outgoing emails, Proofpoint was able to restrict the Microsoft 365 accounts allowed to send emails on behalf of each customer to that customer’s own, effectively shutting down the campaign.
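The tenant restriction described above can be sketched as a relay policy check. This is an added example, not Proofpoint's code: it assumes the tenant is identified by the `X-OriginatorOrg` header that Exchange Online stamps on outbound mail, and the domains, tenant names and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: header carrying the sending Microsoft 365 tenant.
TENANT_HEADER = "X-OriginatorOrg"

# Constructed allow-list: each protected From domain maps to the
# customer's own tenant(s). Anything else relayed via 365 is refused.
ALLOWED_TENANTS = {"corp.example": {"corp.onmicrosoft.example"}}


def relay_decision(raw_message):
    """Return (action, reason) for a message arriving on the 365 relay path."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    allowed = ALLOWED_TENANTS.get(domain)
    if allowed is None:
        return "reject", "From domain is not a protected customer domain"

    # Fail closed: a missing, empty or repeated tenant header is not trusted.
    values = [v.strip().lower() for v in (msg.get_all(TENANT_HEADER) or [])]
    if len(values) != 1 or not values[0]:
        return "reject", "tenant header missing or ambiguous"
    if values[0] not in allowed:
        return "reject", f"tenant {values[0]} may not send as {domain}"
    return "relay", "tenant matches customer allow-list"


def sample(from_header, tenants):
    """Build a constructed test message with the given tenant header values."""
    lines = [f"From: {from_header}", "Subject: constructed sample"]
    lines += [f"{TENANT_HEADER}: {t}" for t in tenants]
    return "\n".join(lines) + "\n\nbody\n"


if __name__ == "__main__":
    cases = {
        "own tenant": sample("Corp <news@corp.example>", ["corp.onmicrosoft.example"]),
        "foreign tenant": sample("Corp <news@corp.example>", ["other.onmicrosoft.example"]),
        "no header": sample("Corp <news@corp.example>", []),
    }
    for name, raw in cases.items():
        print(name, relay_decision(raw))
```

Rejected messages are worth logging with the tenant value and From domain, since a spike in mismatches is the kind of anomaly the campaign produced.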

The incident highlighted the importance of diligence in corporate email security and the need for companies to implement secure email controls like DMARC monitoring. Negligence on the part of businesses, like leaving super-permissive settings enabled, can pave the way for sophisticated phishing attacks that impersonate reputable brands. Organizations need to be vigilant in monitoring their email distribution for anomalies and implementing logging and data tracking to detect suspicious activity.

The potential for more targeted spear phishing attacks by sophisticated actors poses a significant threat to government and defense services, underscoring the importance of robust email security measures. As the cybersecurity landscape continues to evolve, organizations must stay ahead of cyber threats and prioritize email security to protect sensitive information and prevent data breaches.
