Black Arrow Cyber Advisory 30 July 2024 – Proofpoint “EchoSpoofing” Phishing Campaign

Executive summary

A recent phishing incident involved scammers spoofing emails from well-known companies like Disney, IBM, Nike, Best Buy, and Coca-Cola. These emails, which appeared to be legitimate emails sent from the companies’ domains due to authenticated SPF and DKIM signatures, aimed to deceive recipients into providing their credit card details by offering fake subscription renewals. The campaign, dubbed “EchoSpoofing,” ran from January to June 2024, peaking at 14 million emails in a single day. The campaign was successful due to a misconfiguration on the client’s side Proofpoint Server. Proofpoint has since made the misconfiguration less likely by introducing a streamlined administrative interface that allows customers to specify which Microsoft 365 tenants are permitted to relay emails for their domain, through Proofpoint’s servers.

Technical Summary

The phishing campaign exploited a configuration oversight by customers of Proofpoint’s email filtering systems. Attackers took advantage of an insecure-by-default email routing feature, which allowed outbound messages to be relayed from any Microsoft 365 tenant, including those that were not a part of the organisations that were being spoofed. This enabled them to send spoofed emails with valid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures, making the emails appear legitimate to recipients.  Proofpoint has since updated its configuration processes to prevent unauthorised relay abuse by default and confirmed that no customer data was compromised. Additionally, Proofpoint has launched an outreach program to notify affected customers and mitigate the risk.

What is the takeaway from this?

While all of the controls, such as SPF, DKIM, and the tool itself, worked individually, this campaign highlights several important lessons:

1. Awareness and Vigilance: Even if tools are designed to verify users and originate from large organisations like Disney, IBM, and Coca-Cola, employees and users must always be vigilant. They should look out for signs of malicious intent, such as a sense of urgency as in the case of the fake subscription renewals included in these malicious emails.

2. Constant Evolution of Threats: Attackers are continuously seeking new ways to exploit and bypass the tools and controls we put in place to protect our organisations.

3. Configuration Matters: In this case, the root cause of the issue was an overlooked default configuration setting not limiting email relay to only trusted tenants. This allowed billions of phishing emails to be sent. Proper configuration and regular reviews of security settings are crucial to prevent such vulnerabilities.

Further information on the research can be found here:

https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity