Millions of perfectly spoofed emails have been sent daily as hackers took advantage of a flaw in Proofpoint’s email protection service.
An investigation by Guardio Labs researchers, working in collaboration with Proofpoint, found that the phishing attacks spoofed brands including Disney, Nike and Coca-Cola, in an attempt to steal funds and credit card details.
How Proofpoint’s Email Protection Service Was Exploited
Cybercriminals exploited a modifiable configuration setting that allowed outbound messages to be relayed from Microsoft Office365.
This enabled them to send emails that left Proofpoint's official email relays and therefore passed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks, getting through email security protections as if they were authentic.
Guardio dubbed this technique ‘echospoofing’, as Proofpoint “echoed” back the spoofed emails and dispatched them as fully genuine email.
Since the activity started in January 2024, Guardio estimated there has been a daily average of three million perfectly spoofed emails sent using the method, with some peaks reaching a daily number of 14 million. The attacks have not been attributed to a known entity to date.
Proofpoint has since adapted its default configuration processes to help its customers mitigate this risk.
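The following is an added illustration, not code from Guardio, Proofpoint or the article, of why a permissive relay setting defeats SPF: SPF authorizes sending infrastructure, not the person who wrote the message, so anything a trusted relay accepts and forwards passes for the brand's domain. The DNS records, IP ranges, tenant names and the relay policy model are all constructed assumptions for the demonstration; the mini-evaluator handles only the ip4/ip6/include/all mechanisms, and the relay is modelled as an allowlist of originating tenants, which is a simplification of the real product configuration.

```python
import ipaddress

# Constructed SPF zone data (not real DNS records).
# brand.example delegates to the relay provider; the relay publishes its egress range.
DNS_TXT = {
    "brand.example": "v=spf1 include:relay.example -all",
    "relay.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

RELAY_EGRESS_IP = "203.0.113.10"     # constructed: relay's outbound address
ATTACKER_ORIGIN_IP = "198.51.100.7"  # constructed: where the spoof really came from

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, depth=0):
    """Minimal SPF check (RFC 7208 subset): ip4, ip6, include, all."""
    if depth > 10:                      # RFC 7208 lookup limit
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # 'ip in net' is False when address families differ, so no exception here
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qualifier]
        elif term.startswith("include:"):
            if evaluate_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return RESULT[qualifier]
        elif term.lower() == "all":
            return RESULT[qualifier]
    return "neutral"


def relay_decision(message, allowed_tenants):
    """Model of the relay's outbound policy (assumption, not the vendor's logic).

    allowed_tenants=None models the permissive setting: any Office365 tenant
    may relay outbound mail.  A set of tenant names models the restricted setting:
    only the customer's own tenant may relay mail for its domain.
    """
    if allowed_tenants is None or message["origin_tenant"] in allowed_tenants:
        return "relayed", RELAY_EGRESS_IP
    return "rejected", None


def deliver(message, allowed_tenants):
    """Outcome the receiving mail server sees for the MAIL FROM domain."""
    action, egress_ip = relay_decision(message, allowed_tenants)
    if action == "rejected":
        return "rejected"
    return evaluate_spf(message["mail_from_domain"], egress_ip)


# Constructed spoof: MAIL FROM claims brand.example, but it originates from a
# tenant the brand does not control.
SPOOF = {
    "mail_from_domain": "brand.example",
    "origin_tenant": "attacker-tenant",
}

if __name__ == "__main__":
    print("direct from attacker IP:", evaluate_spf("brand.example", ATTACKER_ORIGIN_IP))
    print("permissive relay:       ", deliver(SPOOF, None))
    print("tenant-restricted relay:", deliver(SPOOF, {"brand-tenant"}))
```

Run directly, the script shows the same message failing SPF when sent from the attacker's own address, passing once a permissive relay forwards it from the relay's egress range, and being rejected when the relay only accepts outbound mail from the brand's own tenant. The takeaway for defenders is that an SPF pass from a shared relay says nothing about who originated the message; the relay's acceptance policy is the control that matters.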
In one example of a phishing email purporting to be from Disney+, the attackers used a spoofed Disney+ account notification email sent from the real disney.com domain.