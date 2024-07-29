A cybercriminal operation has been linked to a massive scam campaign, called EchoSpoofing, that exploited an email routing misconfiguration in the defenses of email security vendor Proofpoint to send millions of spoofed messages impersonating well-known companies, including Best Buy, IBM, Nike, and Walt Disney.

What we know about the EchoSpoofing phishing campaign

“These emails were sent from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing key security protections — all to trick recipients and steal funds and credit card details,” declared Guardio Labs researcher Nati Tal in a detailed report on the EchoSpoofing scam campaign.

The EchoSpoofing campaign activity is believed to have begun in January 2024, with the operator exploiting the misconfiguration to send an average of up to three million emails per day, a figure that peaked at 14 million in early June, when Proofpoint began implementing countermeasures.

“The most unique and powerful point of this domain is the spoofing method — leaving almost no chance to realize that it is not an authentic email sent by those companies,” Tal said in the report on EchoSpoofing.

Regarding EchoSpoofing, Tal then added: “This EchoSpoofing concept is really powerful. It’s kind of strange that it’s being used for large-scale phishing like this, instead of a boutique spear-phishing campaign — where an attacker can quickly take on the identity of any team member of a real company and send emails to other colleagues — eventually, through high-quality social engineering, gain access to internal data or credentials and even compromise the entire company.”

How the EchoSpoofing Technique Works

The technique involves the attacker sending messages from their own SMTP servers, running on rented virtual private servers (VPS), into Microsoft 365, from where they are relayed onward by Proofpoint. It is notable because the resulting messages pass authentication checks such as SPF and DKIM (Sender Policy Framework and DomainKeys Identified Mail, respectively), the very mechanisms designed to prevent attackers from impersonating a legitimate domain.

It all comes down to the fact that these messages are routed through various adversary-controlled Microsoft 365 tenants and then relayed through the email infrastructure of Proofpoint’s enterprise customers to reach users of free email providers such as Yahoo!, Gmail, and GMX.

This is the result of what Guardio described as an “extremely permissive misconfiguration” on Proofpoint’s servers (“pphosted.com”) that allowed spammers to abuse the email infrastructure to send messages.

“The root cause is a changeable email routing configuration feature on Proofpoint servers to allow relaying of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow,” Proofpoint said in its disclosure of the EchoSpoofing campaign, adding: “Any email infrastructure that offers this email routing configuration feature can be abused by spammers.”

[Figure: diagram of how the EchoSpoofing campaign works]

In other words, an attacker can set up rogue Microsoft 365 tenants and send spoofed messages through them to Proofpoint’s relay servers, which pass them on as if they were genuine outbound mail from the customer domains being impersonated.

This is accomplished by configuring the outbound connector of the attacker’s Exchange Online tenant to point directly at the vulnerable pphosted.com endpoint associated with the targeted customer. A cracked copy of PowerMTA, a legitimate commercial email delivery application, is used to generate and send the messages.

EchoSpoofing Campaign Exploiting Office 365

“The spammer used a rotating series of virtual private servers (VPS) rented from different vendors, using many different IP addresses to initiate rapid bursts of thousands of messages at a time from their SMTP servers, sent to Microsoft 365 to be relayed to customer servers hosted by Proofpoint,” Proofpoint said of the EchoSpoofing campaign.

“Microsoft 365 accepted these spoofed messages and sent them to these customers’ email infrastructures for relay. When customer domains were spoofed during relay through the customer’s corresponding email infrastructure, DKIM signing was also applied as the messages transited Proofpoint’s infrastructure, making the spam messages more deliverable.”
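To make the relay decision described above concrete, here is an added example (not Proofpoint’s, Guardio’s or the spammer’s code) that models a customer’s outbound relay endpoint as a small Python function. It contrasts the permissive configuration (relay and DKIM-sign any message from any Microsoft 365 tenant as long as the From: domain belongs to the customer) with the corrected one (relay only tenants on the customer’s allow-list). The assumption that the originating tenant can be read from the X-OriginatorOrg header that Exchange Online stamps on outbound mail, the tenant names, the domains and both messages are assumptions or constructed test data, not taken from the campaign.

```python
"""
Added example (not Proofpoint's, Guardio's or the campaign's own code): a toy
model of the outbound-relay decision that EchoSpoofing abused.  Header name,
tenant identifiers, domains and messages are assumptions / constructed data.
"""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import parseaddr


@dataclass(frozen=True)
class CustomerRelayConfig:
    """Relay settings for one hypothetical Proofpoint customer."""
    domains: frozenset          # domains this customer is allowed to send as
    allowed_tenants: frozenset  # M365 tenants permitted to relay; empty = any (the flaw)


def sender_domain(msg: Message) -> str:
    """Domain part of the RFC 5322 From: address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def originating_tenant(msg: Message) -> str:
    """Assumption: Exchange Online stamps outbound mail with the sending
    tenant's default domain in X-OriginatorOrg; treat that as tenant identity."""
    return msg.get("X-OriginatorOrg", "").strip().lower()


def relay_decision(raw: str, cfg: CustomerRelayConfig, from_m365: bool) -> str:
    """Return 'RELAY+SIGN' (relayed and DKIM-signed as the customer) or
    'REJECT' for one message arriving at the customer's relay endpoint."""
    msg = message_from_string(raw)
    if not from_m365:
        return "REJECT"  # only Microsoft 365 outbound IPs may use this connector
    if sender_domain(msg) not in cfg.domains:
        return "REJECT"  # From: is not a domain this customer owns
    # Permissive setting: an empty allow-list means every M365 tenant on the
    # internet is trusted as long as From: shows a customer domain.
    if cfg.allowed_tenants and originating_tenant(msg) not in cfg.allowed_tenants:
        return "REJECT"  # corrected setting: unknown tenant, refuse to relay
    return "RELAY+SIGN"


# Constructed messages: one from the customer's own tenant, one from a
# spammer's throw-away tenant that merely writes the customer domain in From:.
LEGIT = (
    "From: Billing <billing@example-retailer.com>\n"
    "To: customer@example.org\n"
    "X-OriginatorOrg: exampleretailer.onmicrosoft.com\n"
    "Subject: Your receipt\n\nThanks for your order.\n"
)
SPOOFED = (
    "From: Rewards <rewards@example-retailer.com>\n"
    "To: victim@example.net\n"
    "X-OriginatorOrg: spamtenant4711.onmicrosoft.com\n"
    "Subject: Claim your $500 gift card\n\nClick here.\n"
)

PERMISSIVE = CustomerRelayConfig(frozenset({"example-retailer.com"}), frozenset())
CORRECTED = CustomerRelayConfig(frozenset({"example-retailer.com"}),
                                frozenset({"exampleretailer.onmicrosoft.com"}))


def evaluate(cfg: CustomerRelayConfig) -> dict:
    """Decision for each constructed message under the given configuration;
    'direct' is the spoofed message delivered straight from a VPS, not via M365."""
    return {
        "legit": relay_decision(LEGIT, cfg, from_m365=True),
        "spoofed": relay_decision(SPOOFED, cfg, from_m365=True),
        "direct": relay_decision(SPOOFED, cfg, from_m365=False),
    }


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("corrected", CORRECTED)):
        print(name, evaluate(cfg))
```

Under the permissive configuration both the legitimate and the spoofed message are relayed and signed, which is exactly why the campaign’s mail passed SPF and DKIM; the corrected configuration rejects the spoofed message because its originating tenant is not on the allow-list, while a message sent directly from a VPS is rejected in both cases because it never came through Microsoft 365.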

Why EchoSpoofing was chosen

It is suspected that the operators deliberately chose this approach to generate illicit revenue while avoiding exposure for extended periods: targeting companies directly with the same technique would have drastically increased the chances of detection and put the entire operation at risk.

It is currently unclear who is behind the campaign; Proofpoint said the activity does not overlap with that of any known threat actor or group.

“In March, Proofpoint researchers identified spam campaigns being transmitted through the email infrastructure of a small number of Proofpoint customers by sending spam from Microsoft 365 tenants,” the company said in a statement. “All analyses indicate that this activity was conducted by a single spam author, whose activity we do not attribute to a known entity.”

“Since we discovered this spam campaign, we have been working diligently to provide corrective guidance, including implementing a simplified administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.”

Proofpoint stressed that no customer data was exposed and no customer suffered data loss as a result of these campaigns; it also noted that it has directly contacted customers to change their settings and stop the outbound relay spam activity.

“While we started to block the spammer’s activity, the spammer accelerated his tests and quickly moved on to other clients,” the company stressed. “We have established an ongoing process to identify impacted customers each day, prioritizing contact to correct configurations.”

To reduce spam, VPS providers are being urged to limit users’ ability to send large volumes of messages from SMTP servers hosted on their infrastructure. Email service providers are also being asked to limit the ability of free trial tenants and newly created, unverified tenants to send outbound bulk email, and to prevent them from sending messages that spoof a domain of which they have not proven ownership.

“For CISOs, the key lesson here is to pay close attention to your organization’s cloud posture — especially with the use of third-party services that become the backbone of your company’s networking and communications methods,” said Tal, who added: “Especially in the email space, always maintain your own feedback and control loop — even if you have complete trust in your email provider.”
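One practical form of the “feedback and control loop” Tal recommends is to read your own DMARC aggregate (RUA) reports rather than relying on the provider. Because EchoSpoofing mail carried valid SPF and DKIM, those reports would show it as aligned “pass” traffic, so the signal is volume and source rather than authentication failures. The following is an added example (not Guardio’s or Proofpoint’s code) that parses a constructed aggregate report and flags passing mail from sources you never authorised, or from a known relay at many times its usual daily volume; the report XML, the RFC 5737 test IPs, the baseline counts and the flagging threshold are all constructed or assumed.

```python
"""
Added example (not Guardio's or Proofpoint's code): a minimal DMARC aggregate
(RUA) report reader used as an independent feedback loop on who is sending
authenticated mail as your domain.  Report, IPs and baselines are constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict


def parse_rua(xml_text: str) -> list:
    """Flatten each <record> of an aggregate report into a dict."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": row.findtext("policy_evaluated/dkim"),
            "spf": row.findtext("policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return rows


def passing_volume_by_ip(rows: list) -> dict:
    """Messages per source IP that passed DMARC (aligned DKIM or SPF)."""
    per_ip = defaultdict(int)
    for r in rows:
        if r["dkim"] == "pass" or r["spf"] == "pass":
            per_ip[r["source_ip"]] += r["count"]
    return dict(per_ip)


def anomalies(rows: list, baseline: dict, known_senders: set, factor: int = 10) -> list:
    """Return (ip, count, reason) for passing mail from an IP you never
    authorised, or from a known relay at more than `factor` x its baseline."""
    flagged = []
    for ip, count in sorted(passing_volume_by_ip(rows).items()):
        if ip not in known_senders:
            flagged.append((ip, count, "passing mail from unknown source"))
        elif count > factor * baseline.get(ip, 0):
            flagged.append((ip, count, "volume far above baseline"))
    return flagged


# Constructed one-day report from a hypothetical mailbox provider.
RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-mailbox-provider</org_name>
    <date_range><begin>1717200000</begin><end>1717286400</end></date_range>
  </report_metadata>
  <policy_published><domain>example-retailer.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example-retailer.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.11</source_ip><count>1400000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example-retailer.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.55</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-retailer.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-retailer.com</header_from></identifiers></record>
</feedback>"""

# Assumed normal daily volume for the customer's two outbound relay IPs.
BASELINE = {"203.0.113.10": 1000, "203.0.113.11": 1000}
KNOWN = set(BASELINE)


def run() -> list:
    """Anomalies in the constructed report against the assumed baseline."""
    return anomalies(parse_rua(RUA_XML), BASELINE, KNOWN)


if __name__ == "__main__":
    for ip, count, reason in run():
        print(f"{ip:<15} {count:>9}  {reason}")
```

The relay at 203.0.113.11 is flagged purely on volume even though every message it sent passed DMARC, which is the only kind of signal an organisation would have had during EchoSpoofing; the 30 outright failures from 198.51.100.7 are what DMARC already handles and are not the interesting line.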

Other companies that provide backbone services of this kind (as Proofpoint does) need to be vigilant in thinking through every possible threat: not only threats that directly affect their customers, but also those that affect the wider public.

“This is crucial to the safety of all of us, and the companies that create and operate the backbone of the Internet, even if privately held, bear the greatest responsibility. Just as someone said, in a completely different context but so relevant here: ‘with great power comes great responsibility.’”