Threat actors exploited a Proofpoint misconfiguration to send millions of spoofed phishing emails daily, leveraging legitimate Proofpoint infrastructure to bypass email security and steal financial data.
The attack, dubbed “EchoSpoofing,” abused Office365 accounts to authenticate malicious emails, impersonating major brands. While Proofpoint has mitigated the issue, the incident underscores persistent email protocol vulnerabilities and the need for ongoing cybersecurity vigilance.
Phishing attackers exploited a vulnerability in Proofpoint’s email security system to bypass traditional spoofing detection methods.
Millions of phishing emails were sent that appeared to originate from legitimate companies (e.g., Disney, IBM) and passed email authentication protocols (DKIM, SPF) because they were routed through Proofpoint’s own email relay servers (pphosted.com), which effectively masked the true sender and made the emails appear trustworthy.
Attackers are sending spoofed Disney+ account notification emails directly from Disney.com servers, which bypass authentication protocols like SPF and DKIM because they originate from legitimate Disney servers and are signed with valid DKIM keys.
It suggests a data breach at Disney, but that’s not the case. The attackers are likely abusing legitimate Disney accounts with access to these servers.
Attackers first sent spoofed emails with a fake “From” address (e.g., disney.com) through their own server. Normally, such emails would be flagged as spam, but they then tricked a compromised Office365 account to relay those emails.
Since the relaying came from a legitimate Microsoft server included in the victim’s SPF record, the email passed SPF checks. Proofpoint’s server, configured with the victim’s DKIM key, signed the emails, making them appear completely legitimate.
An attacker exploited a flaw in Proofpoint’s configuration for Microsoft Office 365. Proofpoint by default trusts any Office 365 IP to send emails, allowing the attacker’s spoofed email to be accepted.
Then they used the publicly available MX record of the target domain (e.g., disney.com) to identify the specific Proofpoint server to deliver the spoofed email to, completing the echo spoofing attack.
Attackers exploited weak permissions in Proofpoint’s email protection service to spoof emails from major brands like Disney and IBM, by compromising Office 365 accounts and configuring them to use Proofpoint’s relay servers.
By abusing Proofpoint’s permissive SPF record, the attackers were able to send millions of spoofed emails per day, and Guardio Labs discovered the campaign and alerted Proofpoint.
Proofpoint implemented a mitigation strategy that utilizes a unique vendor-specific header, X-OriginatorOrg to filter out unauthorized Office365 sources, which was tested and found to be effective.
The administrative panel of Proofpoint was also updated to notify customers of potential dangers and to enable them to keep an eye out for inappropriateness.
.webp?w=1200&resize=1200,0&ssl=1 "URL-Login-Pass Breach, Hackers Claim Breach of 900M Fresh Login Credentials")
.webp?w=1200&resize=1200,0&ssl=1 "DemandScience Data Breach 122M Unique Corporate Email Addresses Affected")
