Saturday, December 14, 2024
HomeCyber Security NewsProofpoint's Email Protection Let Attackers Send Millions Of Phishing Emails

Proofpoint’s Email Protection Let Attackers Send Millions Of Phishing Emails

Published on

SIEM as a Service

Hackers use phishing emails to mislead recipients into providing personal data like usernames, passwords, credit card numbers, or social security numbers.

This method exploits human emotions and trust, allowing a threat actor to compromise an account, steal an identity, or disseminate malware with little technical skill.

Guardio Labs recently discovered “EchoSpoofing” which is a serious vulnerability in the Proofpoint email protection service used by 87% of Fortune 100 companies. 

- Advertisement - SIEM as a Service

Through this flaw, hackers could send millions of legitimate phishing emails impersonating top famous brands such as Disney and IBM without being caught, consequently stealing money or private information from unsuspecting recipients.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Proofpoint’s Email Protection

In this phishing campaign, threat actors bypassed modern email security protocols by doing the following things:-

  • Creating spoofed emails on their SMTP servers
  • Relaying them through misconfigured Office 365 accounts
  • Exploiting Proofpoint’s permissive email flow settings

This process allowed attackers to send millions of fully authenticated phishing emails, impersonating major brands like Disney and IBM. 

The emails passed SPF and DKIM checks, appearing legitimate to recipients and email security systems. 

The campaign’s goal was to steal credit card information and other sensitive data through fake branded landing pages and offers.

Abusing Proofpoint infrastructure (Source – Guardio Labs)

This exploit highlights vulnerabilities in the default configurations of popular email security services, highlighting the need for stricter custom rules and better awareness of potential misconfiguration.

This refined phishing operation exploited Misconfigured Office 365 accounts and Proofpoint’s permissive settings. For two weeks, it sent out about 3 million spoofed emails every day, with a peak of 14 million.

As many as 11 server VPS clusters running on OVH were equipped with PowerMTA software that could deliver 2.88 million emails at a time.

Spoofed domains and infiltrated Office 365 accounts were frequently changed to avoid detection, and major brands such as Disney, IBM, Best Buy, and Nike were impersonated.

Though Proof Point had known since March, in May 2024, Guardio alerted it.

Together with Guardio tracing operations back, they made customer notifications, reported compromised accounts to Microsoft & VPS providers, and implemented a novel security measure using the X-OriginatorOrg header.

Newly introduced Office365 onboarding configuration screen in Proofpoint’s admin (Source – Guardio Labs)

Due to this incident, Proof Point updated its admin panel to include clearer risk descriptions and approval processes, highlighting the need for stronger default security configurations in email protection services.

The campaign’s intricate nature, coupled with its wide coverage, demonstrates how much cybersecurity has evolved over the years and why preemptive actions have become so critical against large-scale phishing attacks.

Complexity is inherent in security enhancements, particularly for outdated systems such as SMTP and Microsoft Exchange.

Including remedies without adversely interfering with functionalities calls for deliberate actions and engagement of clients.

Proofpoint’s management of the EchoSpoofing challenge demonstrates maturity in risk management. By working with partners like Guardio to implement efficient, non-disruptive solutions, Proofpoint demonstrates its commitment to risk management.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...

FBI Seizes Rydox Marketplace, Arrests Key Administrators

The Federal Bureau of Investigation (FBI) announced the seizure of Rydox, an illicit online...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...