An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint’s defenses to send millions of messages impersonating various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others.
“These emails came from official Proofpoint email relays with authenticated SPF and DKIM signatures, bypassing key security protections – all to trick recipients and steal funds and credit card details,” Guardio Labs researcher Nati Tal said in a detailed report shared with The Hacker News.
The cybersecurity company named the campaign EchoSpoofing. The activity is believed to have begun in January 2024, with the threat actor exploiting the flaw to send up to three million emails per day on average, a number that peaked at 14 million in early June, when Proofpoint began implementing countermeasures.
“The most unique and powerful part of this domain is the spoofing method, which leaves almost no chance of realizing that it is not a real email sent by these companies,” Tal told the publication.
“This concept of EchoSpoofing is really powerful. It’s quite strange that it’s used for large-scale phishing campaigns like this instead of a boutique-style spear-phishing campaign, where an attacker can quickly impersonate any real member of the company’s team and send emails to other colleagues. Eventually, through high-quality social engineering, they can gain access to internal data or credentials and even compromise the entire company.”
This technique, in which the malicious actor sends messages from an SMTP server hosted on a virtual private server (VPS), is notable because the resulting messages pass authentication checks such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), the two mechanisms designed to prevent attackers from impersonating a legitimate domain.
What this all boils down to is that these messages are routed from various adversary-controlled Microsoft 365 tenants, which are then relayed through Proofpoint’s enterprise customer email infrastructures to reach users of free email providers such as Yahoo!, Gmail, and GMX.
This is the result of what Guardio described as a “super-permissive configuration flaw” in Proofpoint servers (“pphosted.com”) that essentially allowed spammers to take advantage of the email infrastructure to send messages.
“The root cause is an editable email routing configuration feature on Proofpoint servers to allow relaying of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow,” Proofpoint said in a coordinated disclosure report shared with The Hacker News.
“Any email infrastructure that offers this email routing configuration functionality can be abused by spammers.”
In other words, an attacker can exploit this flaw to set up malicious Microsoft 365 tenants and forward spoofed email messages to Proofpoint relay servers, from where they are “bounced back” as seemingly genuine messages that appear to originate from the customers’ own domains.
To do this, the Exchange server’s outbound email connector is pointed directly at the vulnerable endpoint “pphosted.com” associated with the client. Additionally, a cracked version of PowerMTA, a legitimate email delivery software, is used to send the messages.
“The spammer used a rotating series of virtual private servers (VPS) leased from multiple providers, using many different IP addresses to launch rapid bursts of thousands of messages at a time from their SMTP servers, sent to Microsoft 365 for relay to Proofpoint-hosted client servers,” Proofpoint said.
“Microsoft 365 accepted these spoofed messages and sent them to these customers’ email infrastructures for relaying. When customer domains were spoofed during relaying through the corresponding customer’s email infrastructure, DKIM signing was also applied when the messages passed through the Proofpoint infrastructure, making the spam messages easier to deliver.”
It is suspected that the operators deliberately chose EchoSpoofing as a way to generate illicit revenue while avoiding exposure for long periods of time, since directly targeting companies with this modus operandi could have significantly increased the chances of detection and jeopardized the entire operation.
That being said, it is not yet clear who is behind this campaign. Proofpoint has stated that this activity does not align with any known threat groups or actors.
“In March, Proofpoint researchers identified spam campaigns relayed by a small number of Proofpoint customer email infrastructures sending spam from Microsoft 365 tenants,” the company said in a statement. “All analysis indicates that this activity was conducted by a spam actor, whose activity we do not attribute to a known entity.”
“Since discovering this spam campaign, we have worked diligently to provide remediation instructions, including implementing a simplified administrative interface that allows customers to specify which M365 tenants are allowed to relay, with all other M365 tenants being denied by default.”
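The relay decision at the heart of the flaw, and the fix Proofpoint describes, reduced to code as an added example (not from the article, Proofpoint or Guardio): a permissive policy relays any message from Microsoft 365 that claims a customer domain, while the hardened policy also requires the sending tenant to be on a per-customer allowlist and denies everything else by default. The use of the X-MS-Exchange-CrossTenant-Id header as the tenant identifier is an assumption of this example, and all tenant IDs, domains and messages are constructed sample data.

```python
# Added example: models the outbound-relay decision described in the article.
# permissive_relay() is the flawed behaviour (any M365 tenant may relay as a customer);
# hardened_relay() adds the per-customer tenant allowlist, deny by default.
# X-MS-Exchange-CrossTenant-Id as tenant identifier is assumed; all data is constructed.
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: customer domain -> set of M365 tenant IDs permitted to relay.
RELAY_ALLOWLIST = {
    "customer.example": {"11111111-1111-1111-1111-111111111111"},
}

LEGIT_MSG = """\
Received: from mail-eastus.outbound.protection.outlook.example
From: Billing <billing@customer.example>
X-MS-Exchange-CrossTenant-Id: 11111111-1111-1111-1111-111111111111

Your invoice is attached.
"""

SPOOFED_MSG = """\
Received: from mail-westus.outbound.protection.outlook.example
From: Billing <billing@customer.example>
X-MS-Exchange-CrossTenant-Id: 99999999-9999-9999-9999-999999999999

Your invoice is attached.
"""

def sender_domain(raw):
    """Domain of the From header, lower-cased (empty string if absent)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def permissive_relay(raw):
    """Flawed policy: relay if the From domain belongs to a customer. Any tenant passes."""
    return sender_domain(raw) in RELAY_ALLOWLIST

def hardened_relay(raw):
    """Fixed policy: relay only if the sending tenant is allowlisted for that domain."""
    msg = message_from_string(raw)
    tenant = (msg.get("X-MS-Exchange-CrossTenant-Id") or "").strip().lower()
    allowed = RELAY_ALLOWLIST.get(sender_domain(raw), set())
    return tenant in allowed  # missing or unknown tenant -> deny by default

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG)):
        print(name, "permissive:", permissive_relay(raw), "hardened:", hardened_relay(raw))
```

The spoofed message is relayed (and would then be DKIM-signed) under the permissive policy but rejected under the hardened one, which is the behavioural difference the remediation introduces.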
Proofpoint stressed that no customer data was exposed and that none of them suffered any data loss as a result of these campaigns. The company also said that it had contacted some of its customers directly to change their settings to stop the effectiveness of the outbound relay spam activity.
“As we began blocking the spammer’s activity, they accelerated their testing and quickly moved on to other customers,” the company said. “We have an ongoing process of identifying affected customers each day, re-prioritizing outreach to correct configurations.”
To reduce spam, Proofpoint is urging VPS providers to limit their users’ ability to send large volumes of messages from SMTP servers hosted on their infrastructure. It is also calling on email service providers to restrict the ability of newly created, free-trial and unverified tenants to send bulk outgoing messages, and to prevent them from sending messages that spoof a domain whose ownership they have not proven.
“The biggest takeaway from this for CISOs is to be extra careful about their organization’s cloud posture, especially when it comes to using third-party services that become the backbone of your company’s networking and communications methods,” Tal said. “Especially in the email space, always maintain a feedback loop and control over yourself, even if you completely trust your email provider.”
“As for other companies that provide these types of basic services, just like Proofpoint, they need to be vigilant and proactive in thinking about all types of possible threats first. Not only threats that directly affect their customers, but also the general public.
“It’s crucial to all of our security, and the companies that create and operate the backbone of the Internet, even if they are private, have the greatest responsibility. As someone said, in a completely different context but quite relevant here: ‘With great power comes great responsibility.’”