
EchoSpoofing: Lessons Learned from Proofpoint Email Phishing Exploit


    Imagine receiving an email from Disney+ offering an enticing deal on a subscription. The sender appears legitimate, and the email wasn’t flagged as spam. You're about to click when instinct gives you pause. That hesitation may have just saved you from falling victim to "EchoSpoofing," a sophisticated phishing technique that's now making news in the cyber community.

    Recently uncovered by Guardio Labs, EchoSpoofing exploited a vulnerability in Proofpoint's email gateway, a product that is supposed to safeguard sensitive corporate data shared via email workflows.

    How did this happen? How was it fixed? And how are we moving forward?

    Read on for our analysis, or watch a more technical breakdown discussion in our video series here

    What happened? EchoSpoofers Sent Millions of Phishing Emails per Day by Exploiting Proofpoint Email Security Software

    This exploit, dubbed "EchoSpoofing," allowed threat actors to dispatch millions of meticulously spoofed phishing emails using Proofpoint's own email relays.

    The attack chain was surprisingly sophisticated:

    1. Initial Spoofing: Attackers used a cluster of Virtual Private Servers running an enterprise-grade email delivery application called PowerMTA to create spoofed email messages, manipulating headers to impersonate legitimate brands like Disney, IBM, and Coca-Cola.

    2. Microsoft 365 Exploitation: The threat actors then used over 700 Microsoft 365 tenant accounts to facilitate the attack, many of which are still active, according to Proofpoint as of this writing. The M365 Exchange servers were configured for blind relaying, allowing the spoofed headers to pass through unaltered.

    3. Proofpoint Relay Abuse: The phishing emails were then directed to Proofpoint's servers. Attackers identified Proofpoint's specific pphosted.com-hosted server for each target through public DNS records. Due to the misconfiguration in Proofpoint's relay, it accepted inbound messages originating from the threat actor's PowerMTA servers. Proofpoint allow-lists inbound mail based on its source, and one option is a single checkbox that allows traffic from "Microsoft 365." However, that option makes no distinction between separate 365 tenants: if you choose to allow your own tenant this way, you have inadvertently allowed every 365 tenant, including the compromised tenants mentioned above.

    4. Authentication Bypass: Because they were coming from seemingly valid sources, spoofed emails received legitimate SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication from Proofpoint's servers, which further complicated the initial identification of this exploit.

    • SPF: The emails appeared to come from approved IP addresses listed in the target domain's SPF record, which included Proofpoint's servers.
    • DKIM: Proofpoint's servers signed the emails with the genuine DKIM keys of their customers, as these keys were stored on Proofpoint for legitimate use.

    5. Delivery: The now fully authenticated emails were dispatched to recipients' inboxes, bypassing typical security measures due to their apparent legitimacy.

    Timeline of the Cyberattack

    Here's how it unfolded:

    • January 2024: The exploit activity began, with attackers ramping up their operations.
    • Late March 2024: Proofpoint became aware of the issue, initiating internal investigations.
    • May 2024: Guardio Labs and Proofpoint started collaborating to address the exploit. Active mitigation efforts and customer notifications commenced.
    • Early June 2024: The phishing campaign's activity markedly declined, indicating that mitigation efforts were taking effect.

    All told, the exploit remained active for approximately six months before it was effectively mitigated.

    The Scale of the Attack

    At its peak, the EchoSpoofing campaign was sending an estimated 14 million fraudulent emails per day. The attackers' infrastructure was impressive, utilizing a network of compromised M365 accounts, SMTP servers, and sophisticated email delivery software to maintain their high-volume operation.

    X-Headers: The Proofpoint Patch

    The core of Proofpoint’s fix involved using a specific X-header called "X-OriginatorOrg." Microsoft Exchange servers automatically append this header to all outgoing emails, including those that are blindly relayed. This header contains the distinct M365 account name, or "tenant," providing a reliable means to verify the true source of each email.

    By implementing filtering based on this X-header, Proofpoint customers can now ensure that only emails from their own authorized M365 tenants are accepted. This effectively prevents malicious actors from continuing to exploit Proofpoint's email security customers.
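The allow-list logic described in the attack chain above (accepting anything that comes from "Microsoft 365") and the X-OriginatorOrg filtering described in this section can be shown side by side. The following is an added example written for this article; it is not Proofpoint's or Virtru's code. The IP ranges, tenant names, SPF record and message headers are all constructed for illustration, and the "Microsoft 365 outbound" range in particular is a placeholder, not Microsoft's real address space.

```python
"""
Inbound-relay allow-list check, modelled on the EchoSpoofing misconfiguration.

Added illustration only (not Proofpoint's or Virtru's implementation). All
addresses, tenant names and records below are constructed for the example.
"""
import ipaddress
from email import message_from_string
from email.message import Message

# Constructed stand-in for "the Microsoft 365 outbound IP space" (placeholder range).
M365_OUTBOUND = [ipaddress.ip_network("203.0.113.0/24")]

# The customer's own tenant as Exchange stamps it into X-OriginatorOrg (constructed).
OUR_TENANT = "example-corp.onmicrosoft.com"

# Constructed SPF record for the customer's domain: it lists the gateway relay range,
# so any message the relay forwards passes SPF at the recipient regardless of origin.
OUR_SPF = "v=spf1 ip4:198.51.100.0/24 -all"


def from_m365(connecting_ip: str) -> bool:
    """True if the connecting SMTP client falls inside the (constructed) M365 ranges."""
    ip = ipaddress.ip_address(connecting_ip)
    return any(ip in net for net in M365_OUTBOUND)


def weak_policy(connecting_ip: str, msg: Message) -> bool:
    """The 'allow Microsoft 365' checkbox: source range only, tenant ignored.

    Every M365 tenant in the world shares that range, so a message relayed through
    an attacker-controlled tenant is accepted exactly like one from our own.
    """
    return from_m365(connecting_ip)


def hardened_policy(connecting_ip: str, msg: Message) -> bool:
    """Source range AND the tenant in X-OriginatorOrg must both match.

    The source-range check comes first on purpose: X-OriginatorOrg is only
    trustworthy when the message demonstrably arrived from Exchange, since any
    other sender could type the header in by hand.
    """
    if not from_m365(connecting_ip):
        return False
    originator = msg.get("X-OriginatorOrg", "").strip().lower()
    return originator == OUR_TENANT


def decide(raw_message: str, connecting_ip: str) -> tuple[bool, bool]:
    """Return (weak_policy_accepts, hardened_policy_accepts) for one inbound message."""
    msg = message_from_string(raw_message)
    return weak_policy(connecting_ip, msg), hardened_policy(connecting_ip, msg)


def spf_passes(connecting_ip: str, spf_record: str) -> bool:
    """Minimal SPF evaluation of 'ip4:' mechanisms only (enough to show the effect).

    The recipient sees the gateway relay as the connecting host, not the original
    PowerMTA sender, which is why relayed spoofs passed SPF downstream.
    """
    ip = ipaddress.ip_address(connecting_ip)
    for term in spf_record.split():
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False


# Constructed sample messages. Both arrive from an address inside the M365 range;
# only the X-OriginatorOrg tenant differs.
LEGIT_RAW = """From: Alerts <alerts@example-corp.com>
To: customer@example.net
Subject: Your statement is ready
X-OriginatorOrg: example-corp.onmicrosoft.com

Statement attached.
"""

SPOOFED_RAW = """From: Alerts <alerts@example-corp.com>
To: customer@example.net
Subject: Limited-time subscription offer
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

Click here.
"""

if __name__ == "__main__":
    m365_ip = "203.0.113.10"          # constructed: inside the placeholder M365 range
    print("legit   ", decide(LEGIT_RAW, m365_ip))    # (True, True)
    print("spoofed ", decide(SPOOFED_RAW, m365_ip))  # (True, False)
    print("SPF at recipient, relay IP:", spf_passes("198.51.100.7", OUR_SPF))  # True
```

The point the two policies make is that the source-IP test and the tenant test are only useful together: the IP range proves the message really came through Exchange, and the X-OriginatorOrg value then proves which tenant it came from. The `spf_passes` helper shows the downstream consequence of getting this wrong: once the relay has accepted a message, the recipient's SPF check is evaluated against the relay's own address, which the customer's SPF record legitimately lists.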

    X-headers aren’t a silver bullet, and security will never be perfect.

    At Virtru, we've long used X-headers as a standard practice for deploying and configuring email gateways. We also know that the absolute best email security comes from a combination of defense in depth, flexible deployment options (server and client-side controls), and ease of use for senders and recipients.

    Lessons Learned from Proofpoint

    This EchoSpoofing attack taught everyone some hard lessons, including:

    Response and Remediation: The attack kicked off in January. Proofpoint caught wind of it in March, but it wasn't until June that the fix was applied. Meanwhile, frustrated customers took to Reddit to vent. The takeaway is that we need to get better at spotting trouble early, communicating clearly, and fixing issues.

    Making Security User-Friendly: Yes, customers need flexibility in their email setups. But what good is flexibility if it leaves the door wide open for attackers? This incident showed us that we need to strike a balance: robust default settings, easy-to-use controls, and crystal-clear explanations of what each setting means for security.

    Email Providers Need to Step Up: Email service providers must tighten the reins on new accounts. Limiting mass emails from fresh or unverified accounts and cracking down on domain spoofing aren't just good ideas – they're essential for keeping the email ecosystem healthy.

    Stay on Your Toes: The fact that many of the Proofpoint-identified M365 tenant accounts that initiated this exploit are active as of this writing is a stark reminder that cybersecurity is a never-ending job. We can't afford to let our guard down, even for a moment.

    The Virtru Standard

    At Virtru, we've always believed in staying ahead of potential threats. That's why we've used X-headers as part of our security toolkit from day one.

    Our Virtru Data Protection Gateway automatically secures sensitive data shared via email and SaaS apps without disrupting your team's workflow. For those using our hosted Gateway, it's already configured to prevent EchoSpoofing-type attacks. If you're hosting the Gateway yourself, we provide clear guidelines to ensure it's set up correctly, and our team is always available to help you fine-tune your defenses.

    Beyond email, we also offer applications to protect your files and data wherever they go. Our goal is to keep your sensitive information safe without complicating your day-to-day operations.

    If you're worried about your current email security or want to see how Virtru's approach differs, contact our team today.

    Watch Our Full Breakdown

    In our latest episode of Hash It Out, Product and Engineering experts Mike Morper and Trevor Foskett dive into the technical side of the exploit. Watch it for free on demand. 


    Editorial Team


    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
