Guardio Labs has uncovered a large-scale phishing campaign it calls “EchoSpoofing,” which exploited Proofpoint's email protection service to dispatch millions of spoofed emails. The campaign, identified by Nati Tal, Head of Guardio Labs, used Proofpoint's infrastructure to send phishing emails that appeared to come from major brands and passed email authentication checks, deceiving recipients into handing over sensitive information.
The discovery highlights a critical weakness in Proofpoint's service, which protects 87 of the Fortune 100 companies, including Disney, IBM, Nike, Best Buy, and Coca-Cola. Attackers sent millions of emails that appeared to originate from these companies, passing SPF checks and carrying valid DKIM signatures, and so slipped past the authentication protocols receiving mail servers rely on.
The attackers combined attacker-controlled Microsoft Office365 accounts with Proofpoint's email relay servers. Analysis of the attack path showed that the spoofed emails were generated on attacker-operated SMTP servers, sent through Office365, and finally relayed by Proofpoint's pphosted.com servers. Because the last hop was the brand's own outbound gateway, the phishing emails looked legitimate and passed every standard email authentication check.
EchoSpoofing mechanism
The campaign began on attacker-controlled SMTP servers that generated emails with forged headers, including a From address at the impersonated brand. These emails were sent through an Office365 Exchange Online tenant configured to relay them onward without altering them. The spoofed emails, appearing as if sent from genuine domains like disney.com, were then routed to Proofpoint's relay servers. Because of a permissive configuration flaw, those servers accepted and processed the spoofed emails as if they came from the customer, signed them with DKIM for the brand's domain, and delivered them to targets from relay addresses that the brand's SPF record already authorizes.
Proofpoint's infrastructure, designed to act as a gateway that protects a customer's mail, inadvertently became the attackers' tool. The misconfiguration let emails from any Office365 tenant, not only the customer's own, reach the Proofpoint relay servers, so attackers could send spoofed emails that were indistinguishable from genuine messages from the targeted brands.
Impact and response
The phishing emails directed recipients to fake landing pages mimicking official websites, such as Disney+, to harvest credit card details and other sensitive information. The scale of the campaign was immense: an estimated average of 3 million spoofed emails were sent daily since January 2024, peaking at 14 million in a single day.
Guardio Labs worked with Proofpoint to address the issue. Proofpoint acted promptly, implementing measures to mitigate the weakness and protect its customers. It introduced a streamlined administrative interface that lets customers specify which Office365 tenants are permitted to relay email through their account, preventing unauthorized tenants from using the relay.
While no Proofpoint customer data was exposed as a direct result of the relay service's permissive configuration, the incident still exposed email recipients, potentially millions of them, to phishing.
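The following is an added example, not code from Guardio Labs or Proofpoint, that models the relay-trust decision described in the mechanism section above and the fix described here. It simulates an outbound relay that accepts mail from Microsoft 365: the permissive policy trusts any message that arrives from the Microsoft 365 sending infrastructure and claims a customer domain, while the hardened policy also requires the sending tenant to be on the customer's allowlist. The IP range, domains, tenant names and messages are constructed; the use of the X-OriginatorOrg header (which Exchange Online stamps with the sending tenant's domain) as the tenant identifier is an assumption, since the article does not say which signal Proofpoint's fix keys on.

```python
"""Simulated relay-trust policies for an outbound email gateway fed by Microsoft 365.

Added example, not Proofpoint's or Guardio Labs' code. All addresses, tenant
names and sample messages below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Microsoft 365 outbound address space
# (TEST-NET-3). A real relay would load Microsoft's published ranges.
M365_OUTBOUND_RANGES = [ip_network("203.0.113.0/24")]

CUSTOMER_DOMAINS = {"example.com"}               # the brand the relay protects
ALLOWED_TENANTS = {"example.onmicrosoft.com"}    # the brand's own M365 tenant


@dataclass
class Message:
    mail_from: str                      # SMTP envelope sender
    header_from: str                    # RFC 5322 From: shown to the recipient
    client_ip: str                      # IP that connected to the relay
    headers: dict = field(default_factory=dict)


def from_m365(msg: Message) -> bool:
    """True if the connecting IP belongs to the Microsoft 365 outbound range."""
    ip = ip_address(msg.client_ip)
    return any(ip in net for net in M365_OUTBOUND_RANGES)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def permissive_relay_accepts(msg: Message, customer_domains: set) -> bool:
    """Flawed policy: any Microsoft 365 tenant that puts a customer domain in
    From: is relayed and DKIM-signed, because the relay only checks that the
    hop came from Microsoft 365, a service shared by every tenant."""
    return from_m365(msg) and domain_of(msg.header_from) in customer_domains


def hardened_relay_accepts(msg: Message, customer_domains: set,
                           allowed_tenants: set) -> bool:
    """Fixed policy: the sending tenant must also be one the customer has
    explicitly authorized. A missing tenant header fails closed."""
    if not permissive_relay_accepts(msg, customer_domains):
        return False
    tenant = msg.headers.get("X-OriginatorOrg", "").strip().lower()
    return tenant in allowed_tenants


def evaluate(msg: Message) -> dict:
    return {
        "permissive": permissive_relay_accepts(msg, CUSTOMER_DOMAINS),
        "hardened": hardened_relay_accepts(msg, CUSTOMER_DOMAINS, ALLOWED_TENANTS),
    }


# Constructed sample traffic.
LEGIT = Message(mail_from="alerts@example.com", header_from="alerts@example.com",
                client_ip="203.0.113.10",
                headers={"X-OriginatorOrg": "example.onmicrosoft.com"})

# Attacker's own M365 tenant relaying a message whose From: was forged on the
# attacker's SMTP server and passed through Exchange unchanged.
SPOOFED = Message(mail_from="alerts@example.com", header_from="alerts@example.com",
                  client_ip="203.0.113.77",
                  headers={"X-OriginatorOrg": "attacker-tenant.onmicrosoft.com"})

# Same forgery sent straight from the internet, never touching M365.
DIRECT = Message(mail_from="alerts@example.com", header_from="alerts@example.com",
                 client_ip="198.51.100.5")

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("direct", DIRECT)):
        print(name, evaluate(msg))
```

The permissive policy accepts the spoofed message because "came from Microsoft 365" says nothing about which tenant sent it; the hardened policy rejects it while still relaying the customer's genuine mail, which is the per-tenant allowlist the article describes Proofpoint adding.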