An unidentified cybercriminal has been linked to a vast phishing scam that leveraged a misconfiguration in Proofpoint’s email routing system to send millions of fraudulent emails imitating well-known companies such as Best Buy, IBM, Nike, and Walt Disney.
According to Nati Tal of Guardio Labs, the threat actor exploited Proofpoint’s email relays, which were misconfigured in a way that let spoofed messages pass SPF and DKIM checks, thus bypassing major security defenses. The scam, named EchoSpoofing, began in January 2024 and peaked in early June with up to 14 million emails sent daily.
“This EchoSpoofing method is uniquely powerful, leaving recipients almost no way to recognize the emails as fake,” Tal reported. Despite its effectiveness, the technique was surprisingly used for large-scale phishing instead of more targeted spear-phishing attacks that could compromise entire organizations through high-quality social engineering.
The attackers used an SMTP server hosted on a virtual private server (VPS) to send the messages. These emails passed security checks such as SPF and DKIM, making them appear legitimate. The flaw was a permissive misconfiguration in Proofpoint’s servers, which allowed spammers to route messages through Proofpoint’s infrastructure and so gave the emails an appearance of authenticity.
The root issue was a modifiable email routing configuration on Proofpoint’s servers that didn’t specify which Microsoft 365 tenants could send outbound messages. This allowed attackers to use rogue tenants to relay emails through Proofpoint’s systems, effectively making the spoofed emails appear genuine.
The cybercriminals sent bursts of thousands of emails from various VPSs to Microsoft 365, which then relayed them through Proofpoint’s customers’ servers. This method ensured that DKIM signing was applied, enhancing the deliverability of the spam messages.
Proofpoint has since implemented corrective measures, including restricting which tenants can relay messages and working directly with affected customers to adjust their settings. The company confirmed that no customer data was exposed or lost.
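To make the misconfiguration and its fix concrete, here is an added Python simulation (not Proofpoint’s code, which is not public) of an outbound relay that signs mail for customer domains: the permissive policy accepts a message from any tenant, while the corrected policy requires the originating tenant to be on the customer’s allowlist. The X-Originating-Tenant header, the domains and the messages are assumed for illustration.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional, Set

# Hypothetical header naming the Microsoft 365 tenant that handed the message to the relay
TENANT_HEADER = "X-Originating-Tenant"


@dataclass
class RelayPolicy:
    # Customer domains the relay DKIM-signs and forwards outbound mail for
    customer_domains: Set[str]
    # Per-domain allowlist of tenants permitted to relay; None models the permissive setting
    allowed_tenants: Optional[Dict[str, Set[str]]] = None


def relay_decision(policy: RelayPolicy, raw_message: str) -> str:
    """Decide whether the relay signs and forwards a message or rejects it."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    tenant = (msg.get(TENANT_HEADER) or "").strip().lower()
    if domain not in policy.customer_domains:
        return "reject: not a customer domain"
    if policy.allowed_tenants is None:
        # Weak setting: the From domain alone decides, so a rogue tenant gets signed mail
        return "sign-and-relay"
    if tenant in policy.allowed_tenants.get(domain, set()):
        return "sign-and-relay"
    return "reject: tenant not authorized for domain"


# Constructed sample messages: one from the customer's own tenant, one from a rogue tenant
LEGIT_MESSAGE = (
    "From: Brand <news@brand.example>\r\n"
    f"{TENANT_HEADER}: brand-tenant.example\r\n\r\nHello\r\n"
)
ROGUE_MESSAGE = (
    "From: Brand <news@brand.example>\r\n"
    f"{TENANT_HEADER}: rogue-tenant.example\r\n\r\nClick here\r\n"
)

PERMISSIVE = RelayPolicy(customer_domains={"brand.example"})
RESTRICTED = RelayPolicy(
    customer_domains={"brand.example"},
    allowed_tenants={"brand.example": {"brand-tenant.example"}},
)
```

Run `relay_decision(PERMISSIVE, ROGUE_MESSAGE)` and `relay_decision(RESTRICTED, ROGUE_MESSAGE)` to see the same rogue message accepted by the weak setting and rejected by the corrected one.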
To mitigate such threats, Proofpoint urges VPS providers and email service providers to limit users’ ability to send large volumes of emails from unverified tenants and to ensure domains cannot be spoofed without proven ownership.
Guardio Labs’ Tal emphasized the importance of robust cloud posture management and vigilant oversight of third-party services for cybersecurity professionals. For backbone service providers, proactive threat anticipation and comprehensive security measures are crucial to protect both customers and the wider public.
“As with any great power, there is a great responsibility,” Tal noted, underscoring the critical role of internet infrastructure companies in maintaining overall cybersecurity.