News: 1722320826

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Proofpoint phishing palaver plagues millions with 'perfectly spoofed' emails from IBM, Nike, Disney, others

(2024/07/30)


A huge phishing campaign exploited a security blind-spot in Proofpoint's email filtering systems to send an average of three million "perfectly spoofed" messages a day purporting to be from Disney, IBM, Nike, Best Buy, and Coca-Cola – all of which are Proofpoint customers.

As far as victims were concerned, they were getting real emails from big corporations, with properly authenticated Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures – indicating to users and their email apps that the missives were legit and trustworthy.

The fake emails would, for example, attempt to convince marks to click through to malicious sites that would try to phish their credit card details by telling them they could renew an online subscription for a special low, low price. Folks who typed in their card info would in fact be billed more than 100 times as much a month, for nothing in return.

[1]

The spam campaign ran from January to June, and at peak times reached 14 million dodgy emails within a 24-hour period, according to Guardio Security, which notified security tool maker Proofpoint in May about the exploitable weakness and assisted with subsequent mitigation efforts.

[2]

[3]

Guardio dubbed the campaign [4]EchoSpoofing – because the spam was "echoed" from email relay servers owned and operated by Proofpoint itself.

Proofpoint, which said it spotted the spam campaign in late March, conceded that miscreants abused "a small number" of its customers' Microsoft 365 accounts, and [5]added : "This issue did not expose any Proofpoint customer data, and no customer experienced any data loss as a result."

[6]Malware crew Stargazers Goblin used 3,000 GitHub accounts to make bank

[7]Beware of fake CrowdStrike domains pumping out Lumma infostealing malware

[8]DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed

[9]Spam blocklist SORBS closed by its owner, Proofpoint

The spammers abused an insecure-by-default Proofpoint email routing feature to send messages with valid SPF and DKIM signatures of top corporations via Proofpoint's email relays. Large organizations such as Disney use Microsoft 365 to handle their mail, but route incoming and outgoing messages through Proofpoint's systems that act as a security filter.

Crucially, Disney's setup, with its Proofpoint filtering, ensured that its outgoing mail via Proofpoint appeared to recipients as if it was coming officially from Disney with all the correct SPF and DKIM signatures added. It's this level of trust that was abused by spammers to send out all those legit-looking messages.

[10]

Simply put, the miscreants just needed to spam out mail from one or more rogue SMTP servers and have it forward relayed via their own Microsoft 365 tenant accounts to Proofpoint.

All that mail at that point would be crudely and unconvincingly spoofed to appear to come from, say, Disney. It did not matter that these bogus messages were obviously fake and originated from non-Disney servers: Proofpoint would see them arrive from Microsoft 365, think the messages truly came from Disney, and then echo the emails with all the correct security signatures added to the spam recipients.

[11]

Flowchart of the complete EchoSpoof attack … Source: Guardio – Click to enlarge

Why would Proofpoint allow such a thing to happen? Because its affected customers had each enabled Microsoft 365 integration with Proofpoint's filtering service but not locked down who exactly could send email via that product as them. As Proofpoint put it:

The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations' outbound messages from Microsoft 365 tenants – but without specifying which M365 tenants to allow.

Or as Guardio explained, the routing feature was not secure by default, needed some fiddling with settings to shore it up, and Proofpoint's customers didn't realize this. "There are ways to add specific rules to [your] Proofpoint account to prevent this and other kinds of spoofing by manually filtering emails from unknown sources and other specific headers and properties.

"However, this process is entirely manual and requires custom rules, scripts, and maintenance … Most customers were not aware of this in the first place, and the default option was not secure at all."

To address this, Proofpoint said it revised its configuration system:

To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.

Proofpoint Essentials customers are not affected, as configuration settings are already set to prevent unauthorized relay abuse.

Millions of spam messages were sent to users of Yahoo, Gmail, GMX.com, and others. And according to Guardio, they originated from virtual private servers mostly hosted on French cloud OVH and managed with the PowerMTA email delivery software.

Proofpoint, in its analysis of the campaign, published a list of Microsoft tenants used by the spammers to forward relay messages.

[12]

"As of the publication of this blog, many are still active," the email security vendor warned, noting that it has taken steps to automatically block attempts by those accounts to relay through its servers. ®

Get our [13]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6

[5] https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver

[6] https://www.theregister.com/2024/07/26/github_stargazers_goblin_malware/

[7] https://www.theregister.com/2024/07/25/crowdstrike_lumma_infostealer/

[8] https://www.theregister.com/2024/07/16/darkgate_malware/

[9] https://www.theregister.com/2024/06/07/sorbs_closed/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[11] https://regmedia.co.uk/2024/07/30/handout_echospoof_flowchart.jpg

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[13] https://whitepapers.theregister.com/



did not expose any Proofpoint customer data

Wellyboot

However, the customers of those customers (IBM, Nike, Disnet et al.) were affected in their millions.

What a bunch of weasels.

Re: did not expose any Proofpoint customer data

big_D

Exactly, talk about not reading the room...

Insecure by default

big_D

How can we still have service providers delivering insecure by default set-ups in 2024?

Surely these things should be closed down by default and not let any traffic in, until the customer defines which mail servers (in this case) are valid and allowed to send traffic. It is perhaps annoying, when setting up that things don't work without configuration, but I'd rather I have to "get it to work", rather than it works for everybody who wants to impersonate me in its standard state...

Re: Insecure by default

FrogsAndChips

At least the relaying function was off by default, otherwise many more clients would have been affected. It's only if you turned it on that any O365 tenant could use PP as a relay. But yeah, quite incredible that they didn't realize clients would not really want world+dog to be allowed to impersonate their domain...

Open-Relay

Pete Sdev

Wow. So as long you sent via Office-365, Spoofpoint basically acted as an open relay for many of it's customers domains. With the default 365 Integration settings.

If I was a postmaster, I'd be adding 20 points to any mail received from a Proofpoint IP.

M$

Bendacious

This will come as a shock to regular El Reg comment readers but I'm going to partially blame Microsoft for this. They allowed the millions of spam messages out - whether they went to Proofpoint, or directly to people's spam folders - they still let out emails pretending to be from an organisation that M$ knew did not own the 365 tenant. I guess if you are paying then you can do whatever you like.

Re: M$

Belgrat

I'm here to agree with you on this... Whilst I am not assocaited with PP in any way it seems the root cause of this is that MS allowed the bad guys to send emails puporting to be from the domains being spoofed. If a domain (such as wozwasere.com) is registered to an o365 tenant why are MS allowing another tenant to use the domain in their outbound mail???

"Yes, I am a real piece of work. One thing we learn at Ulowell is
how to flame useless hacking non-EE's like you. I am superior to you in
every way by training and expertise in the technical field. Anyone can learn
how to hack, but Engineering doesn't come nearly as easily. Actually, I'm
not trying to offend all you CS majors out there, but I think EE is one of the
hardest majors/grad majors to pass. Fortunately, I am making it."
-- "Warrior Diagnostics" (wardiag@sky.COM)

"Being both an EE and an asshole at the same time must be a terrible burden
for you. This isn't really a flame, just a casual observation. Makes me
glad I was a CS major, life is really pleasant for me. Have fun with your
chosen mode of existence!"
-- Jim Morrison (morrisj@mist.cs.orst.edu)