Proofpoint settings exploited to send millions of phishing emails daily

July 29, 2024 at 09:57AM

The ‘EchoSpoofing’ phishing campaign exploited Proofpoint’s email protection service, sending millions of spoofed emails impersonating major companies. The emails aimed to steal personal information and incur unauthorized charges, and they passed SPF and DKIM checks. Guardio Labs discovered the security gap and helped close it, leading Proofpoint to tighten security and introduce new measures to prevent future attacks.

Key Takeaways from the Meeting Notes:

– A significant phishing campaign called “EchoSpoofing” exploited weak permissions in Proofpoint’s email protection service to dispatch millions of spoofed emails impersonating well-known entities to target Fortune 100 companies.
– The campaign began in January 2024, with an average of 3 million spoofed emails daily and peaked at 14 million emails in early June.
– The phishing emails aimed to steal personal information and incur unauthorized charges, while appearing authentic to recipients due to properly configured SPF and DKIM signatures.
– Guardio Labs discovered the campaign and security gap in Proofpoint’s servers, and in May 2024, they notified and assisted the firm in resolving the issue.
– The threat actors utilized their own SMTP servers, compromised or rogue Microsoft Office 365 accounts, and Virtual Private Servers (VPS) from OVHCloud and Centrilogic to conduct the campaign.
– The attackers managed to pass SPF and DKIM checks, enabling the emails to bypass spam filters, with major email platforms treating them as authentic and delivering them to inboxes.
– Proofpoint tightened its security measures in response, working to mitigate the attacks and providing new settings and advice to prevent similar incidents in the future.
– The company introduced new features such as the ‘X-OriginatorOrg’ header and a Microsoft 365 onboarding configuration screen to enhance email security and restrict permissions on Microsoft 365 connectors.
– Despite efforts to notify and assist affected customers, some organizations did not take the necessary actions to prevent abuse, allowing campaigns like EchoSpoofing to occur.
– Microsoft has been notified about the Microsoft 365 abuse, but some of the offending accounts remain active.
