A flaw in Proofpoint’s anti-phishing platform allowed a hacker to send millions of spam emails
The attacker was able to manufacture fully authenticated spam emails addressed from Proofpoint customers


A malicious actor ran phishing campaigns by exploiting a configuration in Proofpoint’s anti-phishing platform that allowed them to send spam emails, according to the firm.
A report from Guardio Labs, which dubbed the technique “EchoSpoofing,” estimated that cyber criminals could have sent a daily average of approximately three million emails - with peak daily numbers reaching as high as 14 million - though Proofpoint maintained that the campaigns were undertaken by “one spam actor.”
Guardio’s research revealed that these fake emails appeared in customer inboxes from big-name Proofpoint clients such as Disney and Coca-Cola and were “properly signed and authenticated” with legitimate Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.
Proofpoint’s platform was labeled as the “enabler” of this campaign in the report, with the fake emails all dispatched to target customers from domain-specific Proofpoint servers.
The cybersecurity firm noted, however, that “any email infrastructure” offering the same email routing configuration could be targeted and abused by spammers.
Guardio - with whom Proofpoint has been collaborating on the response - said Proofpoint applies SPF and DKIM authentication to a company’s outgoing emails.
The prospective cyber criminal then only needs to “find a way to send spoofed emails through the Proofpoint relay, and Proofpoint will do all the rest.”
“The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow,” Proofpoint’s Threat Research Team said.
Proofpoint flaw enabled rapid-fire malicious email spamming
As part of the spam campaign, the attacker created fake emails before initiating “quick bursts of thousands of messages” at a time to Microsoft 365 to be “relayed to Proofpoint-hosted customer servers.”
Microsoft 365 then accepted these “spoofed messages” before sending them to customers’ email infrastructures to be relayed.
“When customer domains were spoofed while relaying through the matching customer’s email infrastructure, DKIM signing was also applied as the messages transited through the Proofpoint infrastructure, making the spam messages more deliverable,” Proofpoint said.
“This specific email routing configuration abused by the spammer allowed outbound messages to be sent from a customer’s Microsoft 365 tenant for relay through their infrastructure, but it did not limit the Microsoft tenants allowed to relay,” the firm added.
The routing configuration utilized by the spammer allowed outbound messages to be sent from customers’ Microsoft 365 tenants for relay, though there was no limit on the tenants allowed to relay.
From Proofpoint, the email is “echoed” back to customers as what appears to be an entirely genuine email, hence the term “EchoSpoofing,” according to Guardio.
“The attacker exploits this super-permissive misconfiguration flaw, adding it to the blind relay on the Office365 instance to generate any spoofed email, deliver it to Proofpoint’s servers, and have it accepted and processed,” Nati Tal, Head of Guardio Labs, said.
In an effort to resolve the issue, Proofpoint deployed a “streamlined administrative interface” so that its customers could specify what emails were allowed to relay with more clarity.
Proofpoint added that its ‘Essentials’ customers are not affected as their configuration settings are already set to prevent “unauthorized relay abuse.” Similarly, the firm stated that no customer data was either lost or exposed as a result of the issue.
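The routing rule at the root of the issue, next to a tenant-restricted version, modelled in Python as an added example (not Proofpoint's or Guardio's code). The `Inbound` fields, the `CUSTOMER` record, the tenant IDs and the From-domain check are assumptions made for illustration.

```python
"""Relay acceptance: permissive rule vs tenant-restricted rule (constructed model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inbound:
    via_m365: bool    # connection arrived from Microsoft 365 outbound infrastructure
    tenant_id: str    # sending tenant as identified by the relay (assumed available)
    from_domain: str  # domain in the visible From header


# Hypothetical customer record: the domains the relay signs for and the
# tenants that customer has explicitly authorised to relay on its behalf.
CUSTOMER = {
    "domains": {"example-corp.test"},
    "allowed_tenants": {"11111111-aaaa-4bbb-8ccc-000000000001"},
}


def permissive_accept(msg: Inbound, customer: dict) -> bool:
    """Rule described in the article: any Microsoft 365 tenant may relay.
    Anything accepted here is later signed as the customer's own mail."""
    return msg.via_m365


def restricted_accept(msg: Inbound, customer: dict) -> bool:
    """Corrected rule: the tenant must be on the customer's list. The
    From-domain check is an extra condition added in this example."""
    return (
        msg.via_m365
        and msg.tenant_id in customer["allowed_tenants"]
        and msg.from_domain.lower() in customer["domains"]
    )


def compare(messages, customer):
    """Return (label, permissive_result, restricted_result) per message."""
    return [(label, permissive_accept(m, customer), restricted_accept(m, customer))
            for label, m in messages]


# Constructed sample traffic, not real data.
SAMPLES = [
    ("customer's own tenant",
     Inbound(True, "11111111-aaaa-4bbb-8ccc-000000000001", "example-corp.test")),
    ("unrelated tenant, customer's From domain",
     Inbound(True, "99999999-dddd-4eee-8fff-000000000009", "example-corp.test")),
    ("not from Microsoft 365",
     Inbound(False, "", "example-corp.test")),
]

if __name__ == "__main__":
    for label, weak, strict in compare(SAMPLES, CUSTOMER):
        print(f"{label:42} permissive={weak!s:5} restricted={strict}")
```

The second sample is the case the article describes: the permissive rule accepts it because it arrived through Microsoft 365, while the restricted rule rejects it because the tenant is not one the customer listed.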

George Fitzmaurice is a former Staff Writer at ITPro and ChannelPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.