An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint’s defenses to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others.
“These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive recipients and steal funds and credit card details,” Guardio Labs researcher Nati Tal said in a detailed report shared with The Hacker News.
The cybersecurity company has given the campaign the name EchoSpoofing. The activity is believed to have commenced in January 2024, with the threat actor exploiting the loophole to send as many as three million emails per day on average, a number that hit a peak of 14 million in early June as Proofpoint began to enact countermeasures.
“The most unique and powerful part of this domain is the spoofing method – leaving almost no chance to realize this is not a genuine email sent from those companies,” Tal told the publication.
“This EchoSpoofing concept is really powerful. It’s kind of strange it is being used for large-scale phishing like this instead of a boutique spear-phishing campaign – where an attacker can swiftly take any real company team member’s identity and send emails to other co-workers – eventually, through high-quality social engineering, get access to internal data or credentials and even compromise the entire company.
The technique, which involves the threat actor sending the messages from an SMTP server on a virtual private server (VPS), is notable for the fact that it complies with authentication and security measures such as SPF and DKIM, which are short for Sender Policy Framework and DomainKeys Identified Mail, respectively, and refer to authentication methods that are designed to prevent attackers from imitating a legitimate domain.
It all goes back to the fact that these messages are routed from various adversary-controlled Microsoft 365 tenants, which are then relayed through Proofpoint enterprise customers’ email infrastructures to reach users of free email providers such as Yahoo!, Gmail, and GMX.
This is the result of what Guardio described as a “super-permissive misconfiguration flaw” in Proofpoint servers (“pphosted.com”) that essentially allowed spammers to take advantage of the email infrastructure to send the messages.
“The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow,” Proofpoint said in a coordinated disclosure report shared with The Hacker News.
“Any email infrastructure that offers this email routing configuration feature can be abused by spammers.”
Put differently, an attacker can weaponize the shortcoming to set up rogue Microsoft 365 tenants and deliver spoofed email messages to Proofpoint’s relay servers, from where they are “echoed back” as genuine digital missives impersonating the customers’ domains.
This, in turn, is accomplished by configuring the Exchange Server’s outgoing email connector directly to the vulnerable pphosted.com endpoint associated with the customer. Furthermore, a cracked version of a legitimate email delivery software called PowerMTA is used for sending the messages.
“The spammer used a rotating series of leased virtual private servers (VPS) from several providers, using many different IP addresses to initiate quick bursts of thousands of messages at a time from their SMTP servers, sent to Microsoft 365 to be relayed to Proofpoint-hosted customer servers,” Proofpoint said.
“Microsoft 365 accepted these spoofed messages and sent them to these customers’ email infrastructures to be relayed. When customer domains were spoofed while relaying through the matching customer’s email infrastructure, DKIM signing was also applied as the messages transited through the Proofpoint infrastructure, making the spam messages more deliverable.”
It’s being suspected that EchoSpoofing was intentionally chosen by the operators as a way to generate illegal revenue as well as avoid the risk of exposure for extended periods of time, as directly targeting the companies via this modus operandi could have drastically increased the chances of getting detected, effectively imperiling the entire scheme.
That having said, it’s currently not clear who is behind the campaign. Proofpoint said the activity does not overlap with any known threat actor or group.
“In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers’ email infrastructure by sending spam from Microsoft 365 tenants,” it said in a statement. “All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity.”
“Since discovering this spam campaign, we have worked diligently to provide corrective instructions, including implementing a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.”
Proofpoint emphasized that no customer data was exposed, nor did any of them experience loss of data, as a result of these campaigns. It further noted that it reached out to some of its customers directly to change their settings to stop the effectiveness of the outbound relay spam activity.
“As we started to block the spammer’s activity, the spammer accelerated its testing and moved quickly to other customers,” the company pointed out. “We established a continuous process of identifying the customers affected each day, re-prioritizing outreach to fix configurations.”
To cut down on spam, it’s urging VPS providers to limit their users’ ability to send large volumes of messages from SMTP servers hosted on their infrastructure. It’s also calling on email service providers to restrict the capabilities of free trial and newly created unverified tenants to send bulk outbound email messages as well as prevent them from sending messages that spoof a domain for which they do not have proven ownership.
“For CISOs, the main takeaway here is to take extra care of their organization’s cloud posture – specifically with the use of 3rd party services that become the backbone of your company’s networking and communication methods,” Tal said. “Specifically in the realm of emails, always maintain a feedback loop and control of your own – even if you trust your email provider fully.”
“And as for other companies providing this kind of backbone services – just like Proofpoint did, they must be vigilant and proactive in thinking of all possible types of threats in the first place. Not only threats that directly affect their customers but the wider public as well.
“This is crucial for the safety of all of us and companies that create and operate the backbone of the internet, even if privately held, have the highest responsibility on it. Just like one said, in a different context entirely yet so relevant here: ‘With great powers, comes great responsibility.'”
