A sophisticated scam campaign has emerged, leveraging a misconfiguration in the email routing systems of the security firm Proofpoint. This has enabled an as-yet-unidentified threat actor to dispatch millions of deceptive emails masquerading as communications from reputable corporations such as Best Buy, IBM, Nike, and Walt Disney. According to Nati Tal from Guardio Labs, “These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive recipients and steal funds and credit card details.”
Dubbed EchoSpoofing by cybersecurity analysts, this campaign started in January 2024 and saw the threat actor sending up to three million emails per day, with daily sends swelling to 14 million in early June. The operation’s scale suggests a significant exploitation of digital trust, utilizing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) — security measures meant to verify the authenticity of the sending sources.
The mechanics of the scam are particularly concerning for small businesses and solopreneurs, who rely heavily on email communications. The EchoSpoofing technique uses an SMTP server on a virtual private server (VPS) to send messages that comply with essential email authentication standards. This allows these phishing attempts to appear legitimate, making them harder to detect.
Tal further explained, “The most unique and powerful part of this domain is the spoofing method – leaving almost no chance to realize this is not a genuine email sent from those companies.”
The broader implications of such vulnerabilities can be alarming for business owners, who must now be extra vigilant about the communications they trust. The emails are routed through adversary-controlled Microsoft 365 tenants and then relayed through Proofpoint enterprise customers’ infrastructure to reach end users. This intricate routing is the result of what Guardio calls a “super-permissive misconfiguration flaw” on Proofpoint’s servers (“pphosted.com”).
Proofpoint’s response, detailed in a coordinated disclosure report, highlights the root of the issue: “The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow.” This revelation serves as a critical reminder for businesses of all sizes to audit and secure their email routing configurations to prevent misuse.
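As an added illustration, not Proofpoint's own code or configuration, the following Python models the missing check the disclosure describes: a relay rule that accepts outbound mail from any Microsoft 365 tenant, beside the corrected rule that relays only for tenant IDs the customer has listed. It assumes the sending tenant's identity is read from the X-MS-Exchange-CrossTenant-Id header; the addresses, hostnames and GUIDs are constructed.

```python
import email
from email import policy

# Constructed sample: an outbound message as a relay would receive it from a
# Microsoft 365 tenant. Addresses, hostnames and the tenant GUID are made up.
SAMPLE = """Received: from mail.outbound.protection.example.test (203.0.113.10)
From: "Customer Care" <care@brand.example>
To: victim@recipient.example
Subject: Your invoice is ready
X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555

Please review the attached invoice.
"""

# Tenant IDs the relaying organisation actually owns (constructed GUID).
OWN_TENANTS = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}


def tenant_id(raw: str) -> str:
    """Tenant that handed the message to the relay (assumed header name)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return (msg.get("X-MS-Exchange-CrossTenant-Id") or "").strip().lower()


def relay_permissive(raw: str) -> tuple:
    """The weak rule: relay anything that arrived from some M365 tenant.
    Once relayed, the message leaves from the relay's own IPs and carries its
    signature, so SPF and DKIM pass downstream whoever the tenant was."""
    t = tenant_id(raw)
    return ("relay", t) if t else ("reject", "no tenant id")


def relay_restricted(raw: str, allowed=OWN_TENANTS) -> tuple:
    """The corrected rule: relay only for tenants on the customer's allow-list."""
    t = tenant_id(raw)
    if not t:
        return ("reject", "no tenant id")
    if t not in allowed:
        return ("reject", f"tenant {t} not allow-listed")
    return ("relay", t)


if __name__ == "__main__":
    print("permissive:", relay_permissive(SAMPLE))
    print("restricted:", relay_restricted(SAMPLE))
```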