July 30, 2024 at 02:35AM
A large-scale phishing campaign exploited a security vulnerability in Proofpoint’s email filtering to send three million fake emails daily, appearing to be from major companies. The spammers manipulated Proofpoint’s system to send malicious emails, tricking recipients into revealing sensitive information. Guardio Security notified Proofpoint and assisted in mitigating the attack, which exploited an insecure email routing feature.
In more detail, EchoSpoofing was a large-scale phishing campaign in which an exploit in Proofpoint’s email filtering system was used to send millions of fake emails purporting to be from big corporations such as Disney, IBM, Nike, Best Buy, and Coca-Cola. The emails were convincingly spoofed and carried valid sender authentication, leading victims to click through to malicious sites and divulge sensitive information.
The spam campaign, which ran from January to June, reached a peak of 14 million dodgy emails within a 24-hour period. The exploit, dubbed EchoSpoofing, involved spammers abusing an insecure email routing feature in Proofpoint to make their messages appear to be legitimately from well-known companies, thus bypassing the security filter.
This exploit was possible because Proofpoint’s email routing lacked secure default settings, and many customers were unaware that manual configuration was needed to prevent such spoofing. In response, Proofpoint has revised its configuration system to address the issue.
The fake emails targeted users of Yahoo, Gmail, GMX.com, and others, and originated from virtual private servers mostly hosted on the French cloud provider OVH and managed with the PowerMTA email delivery software. Additionally, Proofpoint published a list of Microsoft tenants used by the spammers to relay their messages, many of which were still active at the time of analysis.
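As an added illustration of the routing weakness described above (this is not Proofpoint’s code or configuration, and the domain, tenant identifiers and messages are constructed sample data), the following Python models the trust decision an outbound relay makes before signing mail for a customer’s domain. The weak setting signs anything that claims the customer’s domain regardless of which upstream tenant handed it over; the hardened setting requires the source tenant to be on a customer-maintained allow-list. An audit helper shows how a defender could review historical relay logs for tenants that were never authorised. The `source_tenant` field and the `CustomerRelayConfig` schema are hypothetical simplifications.

```python
"""Simplified model of a relay that signs outbound mail on behalf of a customer.

Added, hypothetical example: not Proofpoint's code or configuration. It
contrasts a permissive default (sign for any upstream tenant) with an
allow-list requirement, and includes a log audit a defender might run.
All domains, tenant identifiers and recipients below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayMessage:
    """Minimal view of a message as it arrives at the relay."""
    header_from_domain: str   # domain in the visible From: header
    source_tenant: str        # upstream tenant that handed the message to the relay
    recipient: str


@dataclass
class CustomerRelayConfig:
    """Per-customer relay configuration (hypothetical schema)."""
    domain: str
    allowed_tenants: frozenset = frozenset()
    # Weak default: trust any tenant that claims to send for this domain.
    require_tenant_allowlist: bool = False


def relay_decision(msg: RelayMessage, cfg: CustomerRelayConfig) -> str:
    """Return 'sign-and-send' if the relay would sign and deliver, else 'reject'."""
    if msg.header_from_domain != cfg.domain:
        return "reject"          # not a domain this customer routes through the relay
    if not cfg.require_tenant_allowlist:
        return "sign-and-send"   # weak setting: any tenant can borrow the domain
    if msg.source_tenant in cfg.allowed_tenants:
        return "sign-and-send"   # hardened setting: only allow-listed tenants
    return "reject"


def audit_relay_log(log: list, cfg: CustomerRelayConfig) -> list:
    """List tenants that had mail signed for cfg.domain without being allow-listed.

    Intended for reviewing past relay decisions after an allow-list is introduced.
    `log` is a list of (RelayMessage, decision) pairs; the result is sorted and
    de-duplicated.
    """
    unexpected = {
        m.source_tenant
        for m, decision in log
        if decision == "sign-and-send"
        and m.header_from_domain == cfg.domain
        and m.source_tenant not in cfg.allowed_tenants
    }
    return sorted(unexpected)


# Constructed sample data (not real tenants, domains or recipients).
LEGIT = RelayMessage("example-brand.test", "tenant-legit-0001", "user@mail.example")
SPOOF = RelayMessage("example-brand.test", "tenant-unknown-9999", "user@mail.example")

WEAK = CustomerRelayConfig("example-brand.test", frozenset({"tenant-legit-0001"}))
HARDENED = CustomerRelayConfig(
    "example-brand.test", frozenset({"tenant-legit-0001"}), require_tenant_allowlist=True
)


def demo() -> dict:
    """Run both configurations over the sample messages and audit the weak log."""
    weak_log = [(m, relay_decision(m, WEAK)) for m in (LEGIT, SPOOF)]
    hardened_log = [(m, relay_decision(m, HARDENED)) for m in (LEGIT, SPOOF)]
    return {
        "weak": [d for _, d in weak_log],
        "hardened": [d for _, d in hardened_log],
        "unexpected_tenants_in_weak_log": audit_relay_log(weak_log, WEAK),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under the weak configuration both messages are signed and delivered, which is the behaviour that let a third party’s tenant borrow a brand’s domain; under the hardened configuration the message from the unknown tenant is rejected, and the audit surfaces that tenant from the earlier log.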
Overall, the EchoSpoofing campaign was a significant security threat that exploited vulnerabilities in Proofpoint’s system, leading to the sending of millions of fraudulent emails. Proofpoint has taken steps to address the exploit, and customers need to be aware that manual configuration is required to prevent such incidents in the future.