In July, Guardio Labs reported they had detected “EchoSpoofing,” a critical in-the-wild exploit of Proofpoint’s email protection service. This sophisticated phishing campaign highlights the vulnerabilities of robust security systems and underscores the importance of comprehensive security measures of SSPM in alerting on misconfigurations in email systems that can be exploited in such attacks.

Overview of the EchoSpoofing Incident

The EchoSpoofing campaign sent perfectly authenticated spoofed emails, meaning the emails appeared to be legitimate because they successfully passed all standard email security policies like SPF and DKIM. 

SPF (Sender Policy Framework) is an email authentication protocol designed to prevent email spoofing. It allows the owner of a domain to specify which mail servers are authorized to send email on behalf of that domain.

DKIM (DomainKeys Identified Mail) is an email authentication method designed to detect forged sender addresses in emails, a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.

Here is how the attackers managed to pass standard SPF and DKIM security policies:

• Email Relaying Exploitation: Attackers exploited a weakness in Exchange Servers to relay emails with spoofed domains, bypassing SPF policies. They used a “via Frontend Transport” header, which allowed these emails to be routed through an Office365 Online Exchange server to a Proofpoint server. When emails are routed through an Exchange server, Microsoft does not verify that the sender owns the domain, making it appear as if the emails originated from an Exchange server. This ultimately led to gaining access to the Proofpoint server.
• DKIM Signature Manipulation: A misconfiguration in Proofpoint allowed access from any Microsoft 365 Exchange tenant, rather than specifying authenticated tenant domains. This allowed attackers to gain access and extract DKIM signatures. 

These techniques allowed attackers to craft convincing phishing emails that evaded detection. While these are only some of the methods used in this campaign, they highlight the critical need for robust security configurations. Implementing unique identifiers and proper configurations can mitigate such risks, as we’ll discuss later with our X-OriginatorOrg Header Configuration security check.

For more details on the attack, you can refer to Guard.io’s explanation of the EchoSpoofing incident.

The Role of SSPM in Strengthening Email Security

SaaS Security Posture Management (SSPM) is vital in fortifying an organization’s email security framework. With the increasing complexity of phishing attacks, ensuring robust configurations in email security systems is paramount. Here are some of the ways Adaptive Shield’s security checks can enhance your defenses:

Ensures that the X-OriginatorOrg header is added to all emails sent within the organization.
How it protects against “EchoSpoofing” attacks: By configuring your outbound emails with a unique value for this header and matching it on your email security product’s access configuration (such as Proofpoint), only emails that genuinely originated from within your account are accepted. In the case of the EchoSpoofing attack, this configuration would have prevented spoofed emails from accessing Proofpoint’s email systems, thereby denying the spoofed emails authentication. If this header had been set up on both M365 and Proofpoint, the attackers would have been unable to bypass these controls.

While this specific security measure could have prevented the EchoSpoofing attack, safeguarding the entire email security domain requires addressing various potential misconfigurations. Other security checks also play a crucial role in protecting against similar attacks by ensuring robust defenses across all aspects of email security.

2. DomainKeys Identified Mail (DKIM) Settings

Verifies that DKIM is properly configured and published for all your domains.
Importance: Enabling DKIM ensures emails are cryptographically signed, allowing recipients to verify their authenticity. This prevents attackers from sending spoofed emails, as only authorized servers can generate these signatures.

Impact: Organizations can safeguard against unauthorized email spoofing and enhance trust in their communications.

3. SPF Records for Domains

Ensures that SPF records are correctly configured for all managed and verified domains.
Importance: SPF records help mail systems verify where messages from a domain are allowed to originate, reducing the risk of spoofed emails being marked as legitimate.

Impact: Proper SPF setup ensures messages are correctly identified, preventing legitimate emails from being flagged as spam and enhancing email deliverability.

4. DMARC Records for Domains

Verifies that DMARC records are published and properly configured for all your domains.
Importance: DMARC helps recipient mail systems determine the appropriate action when a message fails SPF or DKIM authentication. Integrating DMARC with SPF and DKIM provides a comprehensive defense against phishing attempts.

Impact: Organizations can significantly reduce email spoofing and phishing attacks, strengthening the trustworthiness of their domain.

Conclusion: The Crucial Need of Email Security Configurations

The EchoSpoofing incident serves as a wake-up call for organizations to scrutinize their email security configurations. Adopting a comprehensive approach through SSPM can significantly mitigate risks across all related domains, including SPF, DKIM, DMARC, and email headers.

Adaptive Shield’s SSPM platform offers comprehensive coverage for email security mechanisms, providing an array of security checks designed to secure your email environment against spoofing attacks. While the checks we’ve described are just a small part of our extensive protection suite, our platform addresses broader security needs across SaaS environments which send emails. By focusing on proper configurations and continuous monitoring, organizations can enhance their security posture and protect against sophisticated phishing campaigns like EchoSpoofing.

To learn more about how Adaptive Shield can help your organization enhance its security posture request a demo here.

The post Breach Debrief Series: EchoSpoofing Phishing Campaign Exploiting Proofpoint’s Email Protection appeared first on Adaptive Shield.

*** This is a Security Bloggers Network syndicated blog from Adaptive Shield authored by Shachar Maimon. Read the original post at: https://www.adaptive-shield.com/blog/breach-debrief-series-echospoofing-phishing-campaign-exploiting-proofpoints-email-protection/