
A flaw in Proofpoint’s email routing used to send millions of fake phishing emails

An unknown threat actor has been linked to a massive fraud campaign that used an email routing misconfiguration in email security provider Proofpoint’s defenses to send millions of messages spoofed to appear to come from popular companies such as Best Buy, IBM, Nike, and Walt Disney, among others.

“These emails echoed off official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing basic security protections – all to trick recipients and steal funds and credit card data,” Guardio Labs researcher Nati Tal said in a detailed report shared with The Hacker News.

The cybersecurity company named the campaign EchoSpoofing. The activity is believed to have begun in January 2024, with the threat actor using the loophole to send an average of three million emails per day, a number that peaked at 14 million in early June when Proofpoint began rolling out countermeasures.

“The most unique and powerful part of this domain is the spoofing method — leaving almost no chance to know that it’s not a real email sent by these companies,” Tal told the publication.

“This concept of EchoSpoofing is really powerful. It’s strange that it’s used for large-scale phishing like this, rather than a boutique phishing campaign – where an attacker can quickly take the identity of any team member of a real company and send emails to other employees – after all, through high-quality social engineering, gain access to internal data or credentials and even compromise the entire company.”

The technique, which involves the threat actor sending the messages from an SMTP server hosted on a virtual private server (VPS), is notable because the messages pass authentication checks such as SPF and DKIM, which stand for Sender Policy Framework and DomainKeys Identified Mail, respectively, and are authentication methods designed to prevent attackers from impersonating a legitimate domain.


It all comes back to the fact that these messages are routed from various Microsoft 365 tenants controlled by an adversary, which are then passed through the email infrastructures of Proofpoint’s enterprise customers to reach users of free email providers such as Yahoo!, Gmail and GMX.

This is the result of what Guardio described as a “super-permissive misconfiguration flaw” in Proofpoint’s (“pphosted.com”) servers, which essentially allowed spammers to take advantage of the email infrastructure to send the messages.

“The root cause is a modifiable email routing configuration feature on Proofpoint’s servers to allow outgoing messages to be forwarded to organizations from Microsoft 365 tenants, but without specifying which M365 tenants to allow,” Proofpoint said in a coordinated disclosure report shared with The Hacker News.

“Any email infrastructure that offers this feature to configure email routing can be abused by spammers.”


In other words, an attacker could weaponize the flaw to set up rogue Microsoft 365 tenants and deliver fake email messages to Proofpoint’s relay servers, where they “bounce back” as genuine-looking messages impersonating the customers’ domains.

This in turn is achieved by configuring the Exchange Server Outbound Email Connector to point directly at the vulnerable “pphosted.com” endpoint associated with the customer. Additionally, a cracked version of a legitimate email delivery software called PowerMTA is used to send the messages.


“The spammer used a rotating series of leased Virtual Private Servers (VPS) from several vendors, using many different IP addresses, to initiate rapid bursts of thousands of messages at once from their SMTP servers, sent to Microsoft 365 to be forwarded to Proofpoint-hosted client servers,” Proofpoint said.

“Microsoft 365 received these spoofed messages and sent them to these customers’ email infrastructures to be relayed. When customer domains were spoofed during transit through the customer’s respective email infrastructure, DKIM signing was also applied as the messages passed through Proofpoint’s infrastructure, making spam messages more deliverable.”

The operators are suspected to have deliberately chosen EchoSpoofing as a way to generate illegal revenue while avoiding the risk of exposure for extended periods of time, since targeting companies directly through this modus operandi could dramatically increase the chances of detection, effectively jeopardizing the entire scheme.

That being said, it is currently unclear who is behind the campaign. Proofpoint said the activity did not overlap with a known threat actor or group.

“In March, Proofpoint researchers identified spam campaigns being transmitted through a small number of Proofpoint customer email infrastructures by sending spam from Microsoft 365 tenants,” it said in a statement. “All analysis indicates that this activity was carried out by a spam actor whose activity we do not attribute to a known individual.”

“Since we discovered this spam campaign, we have worked diligently to provide remedial instructions, including implementing a streamlined administrative interface for customers to specify which M365 customers are allowed to relay, with all other M365 customers denied by default.”
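The root cause described above and the allow-list remediation Proofpoint describes, as an added illustration that is not Proofpoint's or Microsoft's code: a relay-policy check that models the flawed "any tenant may relay" behaviour beside the corrected per-domain tenant allow-list with deny-by-default. It assumes the relaying tenant is identified by the X-MS-Exchange-CrossTenant-Id header that Exchange Online stamps on outbound mail; the sample messages, tenant IDs and domains are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages as they might arrive at a relay from Microsoft 365.
# The header used to identify the sending tenant is an assumption for illustration.
LEGIT_MSG = """\
From: billing@customer.example
To: user@example.net
X-MS-Exchange-CrossTenant-Id: 11111111-1111-1111-1111-111111111111

Invoice attached.
"""
ROGUE_MSG = """\
From: billing@customer.example
To: victim@example.net
X-MS-Exchange-CrossTenant-Id: 99999999-9999-9999-9999-999999999999

Invoice attached.
"""

# Corrected policy: for each relayed domain, the tenant IDs allowed to relay for it.
ALLOWED_TENANTS = {"customer.example": {"11111111-1111-1111-1111-111111111111"}}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def sender_domain(msg: Message) -> str:
    # Domain of the RFC 5322 From header: the domain the relay would DKIM-sign for.
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def relay_decision(raw: str, allowed: dict, permissive: bool = False) -> tuple:
    # permissive=True models the flaw: any tenant may relay for any customer domain.
    # permissive=False models the fix: only allow-listed tenant IDs, deny by default.
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    tenant = (msg.get("X-MS-Exchange-CrossTenant-Id") or "").strip().lower()
    if not domain:
        return False, "no sender domain"
    if permissive:
        return True, "permissive: relaying for %s from any tenant" % domain
    if not GUID_RE.match(tenant):
        return False, "missing or malformed tenant id"
    if tenant in allowed.get(domain, set()):
        return True, "tenant %s allow-listed for %s" % (tenant, domain)
    return False, "tenant %s not allowed to relay for %s" % (tenant, domain)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("rogue", ROGUE_MSG)):
        print(name, "flawed:", relay_decision(raw, ALLOWED_TENANTS, permissive=True))
        print(name, "fixed: ", relay_decision(raw, ALLOWED_TENANTS))
```

Under the permissive policy both messages are relayed and would receive the customer's DKIM signature; under the corrected policy only the allow-listed tenant is relayed and the rogue tenant is refused before any signing happens.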

Proofpoint emphasized that no customer data was exposed, nor did any customer experience data loss as a result of these campaigns. It also noted that it contacted some of its customers directly to change their settings so that the outbound spam activity would no longer be effective.

“When we started blocking the spammer’s activity, he accelerated his testing and quickly moved on to other customers,” the company said. “We have established an ongoing process of identifying affected customers on a daily basis, re-prioritizing coverage to correct configurations.”

To reduce spam, it urges VPS providers to limit their users’ ability to send large volumes of messages from SMTP servers hosted on their infrastructure. It also calls on email service providers to limit the ability of free trial and newly created unverified tenants to send bulk outgoing email messages, and to prevent them from sending messages that spoof a domain they have no proven ownership of.

“For CISOs, the key here is to take extra care of their organization’s cloud position — specifically with the use of third-party services that become the backbone of your company’s networking and communications methods,” Tal said. “Specifically in the realm of email, always maintain feedback and self-control – even if you fully trust your email provider.”

“And as for other companies providing this kind of support service – just like Proofpoint did, they need to be vigilant and proactive in considering all possible types of threats in the first place. Not only threats that directly affect their customers, but the general public as well.

“This is critical to the safety of us all, and the companies that build and operate the backbone of the Internet, even if they are private, bear the greatest responsibility for it.” Just as it was said, in a completely different context, but so relevant here: “With great power comes great responsibility.”
