Guardio Labs uncovers critical EchoSpoofing exploit in Proofpoint's email security, impacting millions & exposing major brands to phishing attacks.

Continue reading
Guardio Labs identified "EchoSpoofing," a critical in-the-wild exploit that compromised Proofpoint's email protection service, a cornerstone for 87 of the Fortune 100 companies.
This vulnerability allowed threat actors to launch a massive phishing campaign, dispatching millions of convincingly spoofed emails that leveraged the trusted reputations of Proofpoint's high-profile clients, including major brands like Disney, IBM, and Coca-Cola.
These emails, seemingly originating from official Proofpoint email relays and bearing authenticated SPF and DKIM signatures, bypassed major security protections, deceiving recipients and potentially compromising sensitive financial data.
EchoSpoofing exploited a combination of vulnerabilities in core email authentication protocols – Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and crucially, Domain-based Message Authentication, Reporting, and Conformance (DMARC).
By manipulating Proofpoint's email relay servers and leveraging compromised Microsoft Office365 accounts, attackers could inject spoofed "FROM" headers into emails, making them appear to originate from legitimate domains. These emails, convincingly signed with authentic DKIM keys and passing DMARC checks, bypassed conventional spam filters and reached millions of unsuspecting inboxes.
EchoSpoofing emails were meticulously crafted to mimic legitimate notifications or promotional offers from trusted brands. These emails often included fake Disney+ offers or account notifications, luring victims to phishing pages designed to harvest sensitive financial data or credentials.
The emails' effectiveness lies in their technical authenticity. The "FROM" header accurately displayed the targeted domain, the content was signed with the domain's genuine DKIM key, and they even passed DMARC authentication checks. This trifecta of forged legitimacy fooled both email providers and recipients into believing the emails were genuine.
Behind EchoSpoofing was a extensive and sophisticated infrastructure. Attackers leveraged PowerMTA, a high-performance email delivery software often abused in spam and phishing campaigns. Operating from a network of virtual private servers (VPSs) hosted on providers like OVH, they were able to send a daily average of 3 million emails, with peaks reaching up to 14 million.
The attackers' tactics were cunning and evasive. They rotated domains and Office365 accounts, sent emails in bursts to avoid detection, and even monitored the success of their campaign by tracking the opening of malicious links. Evidence from their PowerMTA logs suggests they operated across a cluster of 11 servers, using cracked license keys obtained from illicit sources.
Upon notification by Guardio Labs in May 2024, Proofpoint swiftly mobilized to address the exploit. However, they faced significant challenges due to the complexity of the issue and the need to avoid disrupting customers' email operations. The exploit had been active since January, giving attackers a considerable head start.
Proofpoint initiated a multi-pronged response, including direct customer outreach, configuration updates, and collaboration with security researchers. A key mitigation strategy was introducing a new feature leveraging the `X-OriginatorOrg` header, a unique identifier added by Microsoft Exchange to outgoing emails. This allowed customers to filter emails based on their legitimate Office365 tenants, effectively blocking spoofed messages.
Guardio Labs has been instrumental in discovering the exploit and validating the effectiveness of Proofpoint's mitigation strategies. They rigorously tested the proposed solutions, including the use of the `X-OriginatorOrg` header, to ensure their robustness against potential bypass techniques. Their thorough analysis and collaboration with Proofpoint were instrumental in neutralizing the threat.
While Proofpoint's swift action helped mitigate the immediate threat, the EchoSpoofing incident had a significant impact. Major brands faced potential reputational damage and financial losses due to the phishing emails sent in their name. The exploit also raised broader concerns about the security of email infrastructure and the need for continuous vigilance.
EchoSpoofing serves as a stark reminder that email security is an ongoing battle. It underscores the need for:
The EchoSpoofing incident serves as a stark reminder of the importance of collaboration and ongoing vigilance in the cybersecurity landscape. By working together, security researchers, vendors, and organizations can proactively identify and address vulnerabilities, safeguarding both individual users and businesses from sophisticated threats.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation