Massive Scam Campaign Exploiting Email Security Vendor Proofpoint’s Defenses Detected

Cybersecurity researchers have uncovered a massive scam campaign dubbed EchoSpoofing, where threat actors exploited an email routing misconfiguration in Proofpoint’s defenses to send millions of phishing emails spoofing popular companies like Best Buy, IBM, and Nike. This campaign, which began in January 2024, saw the threat actor sending up to three million emails per day on average, peaking at 14 million in June.

The unique aspect of EchoSpoofing is the sophisticated spoofing method used, making it difficult to differentiate the phishing emails from genuine ones. The threat actor leveraged SPF and DKIM authentication measures to bypass security protections, deceiving recipients and attempting to steal funds and credit card details.

Furthermore, the messages were routed through adversary-controlled Microsoft 365 tenants before being relayed through Proofpoint’s servers to reach users of free email providers like Yahoo!, Gmail, and GMX. This exploit highlighted a super-permissive misconfiguration flaw in Proofpoint servers, allowing spammers to abuse the email infrastructure.

Notably, the campaign was designed to generate illegal revenue while avoiding detection, as targeting companies directly could have increased the risk of exposure. Proofpoint has taken steps to address the issue, emphasizing that no customer data was exposed. The company is urging VPS providers and email service providers to implement measures to prevent similar attacks in the future.

As cybersecurity threats continue to evolve, organizations are advised to review their cloud infrastructure security and maintain control over third-party services to prevent such malicious activities. Additionally, service providers are encouraged to proactively identify and mitigate potential threats to safeguard both their customers and the wider public.