Proofpoint phishing palaver plagues millions with 'perfectly spoofed' emails from IBM, Nike, Disney, others
- Reference: 1722320826
- News link: https://www.theregister.co.uk/2024/07/30/scammers_spoofed_emails/
- Source link:
As far as victims were concerned, they were getting real emails from big corporations, with properly authenticated Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures – indicating to users and their email apps that the missives were legit and trustworthy.
The fake emails would, for example, attempt to convince marks to click through to malicious sites that would try to phish their credit card details by telling them they could renew an online subscription for a special low, low price. Folks who typed in their card info would in fact be billed more than 100 times as much a month, for nothing in return.
[1]
The spam campaign ran from January to June, and at peak times reached 14 million dodgy emails within a 24-hour period, according to Guardio Security, which notified security tool maker Proofpoint in May about the exploitable weakness and assisted with subsequent mitigation efforts.
[2]
[3]
Guardio dubbed the campaign [4]EchoSpoofing – because the spam was "echoed" from email relay servers owned and operated by Proofpoint itself.
Proofpoint, which said it spotted the spam campaign in late March, conceded that miscreants abused "a small number" of its customers' Microsoft 365 accounts, and [5]added : "This issue did not expose any Proofpoint customer data, and no customer experienced any data loss as a result."
[6]Malware crew Stargazers Goblin used 3,000 GitHub accounts to make bank
[7]Beware of fake CrowdStrike domains pumping out Lumma infostealing malware
[8]DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed
[9]Spam blocklist SORBS closed by its owner, Proofpoint
The spammers abused an insecure-by-default Proofpoint email routing feature to send messages with valid SPF and DKIM signatures of top corporations via Proofpoint's email relays. Large organizations such as Disney use Microsoft 365 to handle their mail, but route incoming and outgoing messages through Proofpoint's systems that act as a security filter.
Crucially, Disney's setup, with its Proofpoint filtering, ensured that its outgoing mail via Proofpoint appeared to recipients as if it was coming officially from Disney with all the correct SPF and DKIM signatures added. It's this level of trust that was abused by spammers to send out all those legit-looking messages.
[10]
Simply put, the miscreants just needed to spam out mail from one or more rogue SMTP servers and have it forward relayed via their own Microsoft 365 tenant accounts to Proofpoint.
All that mail at that point would be crudely and unconvincingly spoofed to appear to come from, say, Disney. It did not matter that these bogus messages were obviously fake and originated from non-Disney servers: Proofpoint would see them arrive from Microsoft 365, think the messages truly came from Disney, and then echo the emails with all the correct security signatures added to the spam recipients.
[11]
Flowchart of the complete EchoSpoof attack … Source: Guardio – Click to enlarge
Why would Proofpoint allow such a thing to happen? Because its affected customers had each enabled Microsoft 365 integration with Proofpoint's filtering service but not locked down who exactly could send email via that product as them. As Proofpoint put it:
The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations' outbound messages from Microsoft 365 tenants – but without specifying which M365 tenants to allow.
Or as Guardio explained, the routing feature was not secure by default, needed some fiddling with settings to shore it up, and Proofpoint's customers didn't realize this. "There are ways to add specific rules to [your] Proofpoint account to prevent this and other kinds of spoofing by manually filtering emails from unknown sources and other specific headers and properties.
"However, this process is entirely manual and requires custom rules, scripts, and maintenance … Most customers were not aware of this in the first place, and the default option was not secure at all."
To address this, Proofpoint said it revised its configuration system:
To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.
Proofpoint Essentials customers are not affected, as configuration settings are already set to prevent unauthorized relay abuse.
Millions of spam messages were sent to users of Yahoo, Gmail, GMX.com, and others. And according to Guardio, they originated from virtual private servers mostly hosted on French cloud OVH and managed with the PowerMTA email delivery software.
Proofpoint, in its analysis of the campaign, published a list of Microsoft tenants used by the spammers to forward relay messages.
[12]
"As of the publication of this blog, many are still active," the email security vendor warned, noting that it has taken steps to automatically block attempts by those accounts to relay through its servers. ®
Get our [13]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6
[5] https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver
[6] https://www.theregister.com/2024/07/26/github_stargazers_goblin_malware/
[7] https://www.theregister.com/2024/07/25/crowdstrike_lumma_infostealer/
[8] https://www.theregister.com/2024/07/16/darkgate_malware/
[9] https://www.theregister.com/2024/06/07/sorbs_closed/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] https://regmedia.co.uk/2024/07/30/handout_echospoof_flowchart.jpg
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zqi5x77jJLVL8IcZCHgEogAAARg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://whitepapers.theregister.com/
Re: did not expose any Proofpoint customer data
Exactly, talk about not reading the room...
Insecure by default
How can we still have service providers delivering insecure by default set-ups in 2024?
Surely these things should be closed down by default and not let any traffic in, until the customer defines which mail servers (in this case) are valid and allowed to send traffic. It is perhaps annoying, when setting up that things don't work without configuration, but I'd rather I have to "get it to work", rather than it works for everybody who wants to impersonate me in its standard state...
Re: Insecure by default
At least the relaying function was off by default, otherwise many more clients would have been affected. It's only if you turned it on that any O365 tenant could use PP as a relay. But yeah, quite incredible that they didn't realize clients would not really want world+dog to be allowed to impersonate their domain...
Open-Relay
Wow. So as long you sent via Office-365, Spoofpoint basically acted as an open relay for many of it's customers domains. With the default 365 Integration settings.
If I was a postmaster, I'd be adding 20 points to any mail received from a Proofpoint IP.
M$
This will come as a shock to regular El Reg comment readers but I'm going to partially blame Microsoft for this. They allowed the millions of spam messages out - whether they went to Proofpoint, or directly to people's spam folders - they still let out emails pretending to be from an organisation that M$ knew did not own the 365 tenant. I guess if you are paying then you can do whatever you like.
Re: M$
I'm here to agree with you on this... Whilst I am not assocaited with PP in any way it seems the root cause of this is that MS allowed the bad guys to send emails puporting to be from the domains being spoofed. If a domain (such as wozwasere.com) is registered to an o365 tenant why are MS allowing another tenant to use the domain in their outbound mail???
did not expose any Proofpoint customer data
However, the customers of those customers (IBM, Nike, Disnet et al.) were affected in their millions.
What a bunch of weasels.