July 29, 2024 at 09:24AM
An unknown threat actor exploited an email routing misconfiguration in Proofpoint’s defenses to send millions of spoofed emails. The campaign, named EchoSpoofing, began in January 2024 and utilized SMTP servers on virtual private servers, bypassing major security protections. The attacker sent messages impersonating legitimate domains, and the technique eluded detection. Proofpoint has taken corrective actions to address the issue.
Based on the provided meeting notes, it appears that a significant cybersecurity threat has emerged, labeled as EchoSpoofing, which involves a threat actor exploiting a loophole in email security systems to conduct large-scale phishing campaigns. The threat actor has successfully bypassed major security protections by sending spoofed emails from authenticated servers, ultimately aiming to deceive recipients and steal sensitive information.
The technique involves sending messages from adversary-controlled Microsoft 365 tenants through Proofpoint enterprise customers’ email infrastructures to reach users of free email providers such as Yahoo!, Gmail, and GMX.
The root cause of this issue seems to be a misconfiguration flaw in Proofpoint servers that allowed spammers to exploit the email infrastructure. Proofpoint has issued a coordinated disclosure report detailing the nature of this loophole and has been working diligently to provide corrective instructions to their customers to mitigate the impact of the spam campaign.
The threat actor has been utilizing various tactics such as setting up rogue Microsoft 365 tenants, utilizing leased virtual private servers (VPS), and employing a cracked version of legitimate email delivery software to conduct these malicious activities.
It’s important for organizations, specifically CISOs, to take extra care of their organization’s cloud posture, particularly when utilizing third-party services for networking and communication methods, as highlighted by Guardio Labs researcher Nati Tal in the meeting notes. Additionally, there is a call for VPS providers and email service providers to implement measures to restrict the capabilities of users to send large volumes of messages and prevent them from sending messages that spoof a domain for which they do not have proven ownership.
In summary, the EchoSpoofing threat presents a significant risk to organizations and individuals using email services, emphasizing the need for continued vigilance and proactive measures to mitigate such cybersecurity threats.