Proofpoint Bug Allows Email Spoofing

Z Patel

A major flaw in Proofpoint’s Secure Email Relay Solution was uncovered, allowing cybercriminals to send spoofed emails posing as major brands. This vulnerability, identified by Guardio Labs, has raised serious concerns about email security and the efficacy of current protective measures.

What’s Happening & Why This Matters

Discovery of the Vulnerability

Guardio Labs researchers discovered a critical flaw, dubbed “EchoSpoofing,” in how Proofpoint’s outbound email relay accepted mail. It allowed scammers to route their own messages through that relay and send emails that appeared to come from companies such as Disney, IBM, Nike, and Best Buy. The spoofed emails were used in phishing campaigns aimed at stealing funds, credit card details, and other sensitive information.

Impact of the Exploit

The exploit was used to send millions of spoofed emails a day. At its peak, 14 million malicious emails went out daily, most often impersonating domains such as ibm.com, disney.com, nike.com, and bestbuy.com. Because the messages carried a trusted brand’s domain and were delivered through that brand’s legitimate outbound path, the flaw allowed attackers to run large-scale phishing and spear-phishing campaigns with convincing social engineering, potentially compromising entire companies.

The root cause is that the Simple Mail Transfer Protocol (SMTP) spoken by Proofpoint’s relay servers carries no built-in proof of who a sender is; sender verification is bolted on separately. Office365 does not verify that a tenant owns the domain it places in the From header of outgoing mail, and Proofpoint’s relay, by default, accepted mail from any Office365 tenant. An attacker could therefore send a message from their own Office365 tenant with a customer’s domain in the From header, have Office365 hand it to that customer’s Proofpoint relay, and have the relay deliver it through the customer’s authorized sending infrastructure, so it looked genuine to receiving mail servers. Blocking this required manual rules and scripts that many customers did not know they needed.

Response and Mitigation

Guardio Labs worked with Proofpoint to address the issue by alerting affected customers and improving the default configuration process. Despite efforts to alert Microsoft about the Office365 accounts used in the campaign, those accounts remained active for more than seven months, complicating mitigation. As of late July 2024, use of the exploit has dropped sharply, but the technical challenge of securing the aging SMTP protocol and integrating security controls with Microsoft Exchange persists.

Guardio Labs shared with Proofpoint the exact domains being actively spoofed, and Proofpoint engineers contacted those customers directly so they could make the necessary changes quickly. The campaign relied on Proofpoint’s permissive default settings combined with attacker-controlled Virtual Private Servers (VPS) running bulk-mailing software such as PowerMTA, which has previously been abused and traded on dark-web markets.

Detailed Findings

The exploit abused Proofpoint’s default settings, which let attackers running a fleet of their own SMTP servers push spoofed mail through the relay. Most affected companies did not know that the default configuration was insecure, or that they could restrict which Office365 tenants their Proofpoint outbound server would accept mail from. With no such restriction in place, attackers could have messages spoofing a customer’s domain forwarded from Office365 to that customer’s Proofpoint relay, which then sent them out as what appeared to be genuine email from major companies.

Guardio Labs noted that it is possible to add rules to prevent this, but the process “is entirely manual and requires custom rules scripts and maintenance.” Many customers were not aware of this in the first place, and the default option was not secure. Since becoming aware of the flaw in March 2024, Proofpoint has adjusted its Admin panel to improve the default configuration process via alerts and by “clearly describing the potential risks allowing customers to approve tenants and easily monitor for any signs of misuse.”
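The two passages above describe the weak default (relay mail from any Office365 tenant) and the manual fix (approve specific tenants per domain). The following Python script is an added example written for this page, not Proofpoint’s product rule or Guardio Labs’ tooling, showing the permissive decision beside a tenant-allowlist decision applied to two constructed messages. It assumes that Exchange Online stamps outbound mail with an X-OriginatorOrg header naming the sending tenant and that the relay can see it; the domain, tenant names and approval table are made up for illustration.

```python
"""Tenant allowlisting at an outbound relay: the weak default beside the fix.

Added example, not code from Proofpoint or Guardio Labs. Assumptions not taken
from the article: Exchange Online stamps outbound mail with X-OriginatorOrg
(the submitting tenant's domain) and the relay can read it; the customer keeps
a table of which tenants may send as which domains.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed approval table (hypothetical domain and tenant names).
APPROVED_TENANTS = {
    "example-brand.com": {"example-brand.onmicrosoft.com"},
}


def sender_domain(msg: Message) -> str:
    """Domain part of the address in the From header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def permissive_relay_decision(msg: Message) -> str:
    """The insecure default the article describes: any Office365 tenant may
    relay mail for any customer domain, so who submitted the message is
    never compared with the domain it claims in From."""
    return "relay"


def tenant_allowlist_decision(msg: Message, approved=APPROVED_TENANTS) -> str:
    """Hardened rule: relay only when the submitting tenant is approved for
    the From domain; everything else is rejected with a reason to log."""
    domain = sender_domain(msg)
    tenant = (msg.get("X-OriginatorOrg") or "").strip().lower()
    if not tenant:
        return "reject: no originating tenant header"
    if domain not in approved:
        return f"reject: {domain} is not a domain this relay sends for"
    if tenant not in approved[domain]:
        return f"reject: tenant {tenant} is not approved to send as {domain}"
    return "relay"


# Constructed messages, not captured traffic. The first comes from the
# brand's own tenant; the second is submitted by an unrelated tenant that
# simply put the brand's domain in From, the EchoSpoofing pattern.
LEGIT = """From: Offers <promo@example-brand.com>
To: customer@example.net
X-OriginatorOrg: example-brand.onmicrosoft.com
Subject: Weekly offers

Real newsletter body.
"""

SPOOFED = """From: Billing <billing@example-brand.com>
To: victim@example.net
X-OriginatorOrg: attacker-tenant.onmicrosoft.com
Subject: Your account has been charged

Click here to dispute the charge.
"""


def evaluate(raw: str) -> dict:
    """Run both rules over one raw message and report the decisions."""
    msg = message_from_string(raw)
    return {
        "from_domain": sender_domain(msg),
        "default": permissive_relay_decision(msg),
        "hardened": tenant_allowlist_decision(msg),
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, evaluate(raw))
```

The permissive rule relays both messages, which is exactly the behaviour the attackers exploited; the allowlist relays the first and rejects the second because the submitting tenant is not approved for example-brand.com. In practice the approval table is the piece that needs maintenance, and rejections should be logged so misuse attempts are visible rather than silently dropped.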

TF Summary: What’s Next

The discovery of this exploit reveals the ongoing challenges in securing email communications. Proofpoint has taken steps to mitigate the issue, but the need for enhanced security measures and better awareness among customers remains crucial. Continuous monitoring and collaboration between cybersecurity firms and major service providers like Microsoft are essential to prevent such vulnerabilities and future exploitations. Ensuring thorough security configurations and educating users about potential risks will be vital in safeguarding against additional threats.


By Z Patel “TF AI Specialist”
Background:
Zara ‘Z’ Patel stands as a beacon of expertise in the field of digital innovation and Artificial Intelligence. Holding a Ph.D. in Computer Science with a specialization in Machine Learning, Z has worked extensively in AI research and development. Her career includes tenure at leading tech firms where she contributed to breakthrough innovations in AI applications. Z is passionate about the ethical and practical implications of AI in everyday life and is an advocate for responsible and innovative AI use.