Reading Time: 3 min

It is not a secret that email authentication can be pretty vulnerable. This is especially true when emails are forwarded with modified headers, changed subject lines, or removed attachments. These minor changes can compromise an email’s DKIM signature.

Various Secure Email Gateways (SEGs), such as Proofpoint, have been introduced to address this issue. These SEGs can tackle the authentication issues of altered emails by re-authenticating them. While this method is good enough to mitigate authentication failures, it raises new risks.

Unfortunately, a vulnerability was noticed in Proofpoint’s email relay service, in March 2024. It has allowed various malicious actors to exploit a configuration setting. This proofpoint email routing flaw enabled attackers to send millions of spoofed messages.

In this article, you will learn everything about EchoSpoofing and Proofpoint’s recent email routing exploit. 

Understanding Proofpoint’s Email Routing Exploit

Malicious actors found a way to exploit a vulnerability in Proofpoint’s email relay service, a configuration setting that accepts emails from any Microsoft 365 tenant. After receiving these emails, Proofpoint re-authenticates them by adding a new and valid DKIM signature.

The flaw in the configuration settings allows the perpetrators to spoof any domain name. This lets them send emails that appear to come from legitimate sources, in a series of phishing campaigns called “EchoSpoofing”.

What is EchoSpoofing?

The exploit has been named “EchoSpoofing” by Gaurdio Labs. It is a technique by which attackers send emails from SMTP servers. These SMTP servers are hosted on Virtual Private Servers (VPS), and the sent messages easily pass to email authentication checks, including SPF and DKIM. These EchoSpoofing emails mimic legitimate emails from trusted senders.

Microsoft 365 allows emails to be sent from any domain of the user’s choice. While notorious for enabling emails to be sent from even suspicious-looking tenants, the hackers in the EchoSpoofing exploit utilized this flaw to route messages from attacker-controlled Office 365 tenants. Proofpoint customers authorizing Microsoft 365 as a legitimate sender, inadvertently landed themselves in trouble. These attacker-controlled Office 365 tenants got a free pass to relay the EchoSpoofing emails through Proofpoint’s relay service with a tag of authentication and valid DKIM signatures. 

Proofpoint, in their article explaining the attack, disclosed that “The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow.”

Consequences of EchoSpoofing

If you are a Microsoft 365 user, using Proofpoint’s Secure Email Gateway to block malicious emails through a relay system, you need to exercise caution as any other Microsoft 365 tenants can potentially spoof your domain. As Proofpoint cannot explicitly filter out specific Office 365 tenants and authorizes all of them, if you have defined Microsoft as a legitimate sender – malicious actors can easily impersonate your domain to send phishing emails. 

The spoofed emails sent through this system are not then flagged as suspicious, even passing the  DMARC check, and landing directly into your receiver’s inbox.

The Scale of the Exploitation

The attacks had a significantly widespread reach.

Targeted Companies

The new “Ecospoofing” method targeted various well-known brands. These companies include Nike, IBM, Walt Disney, Best Buy, and others. 

Proofpoint’s Response and Mitigation Strategies

After the issue was noticed, Proofpoint released various measures to counter this vulnerability promptly. These included enabling customers to now specify permitted Microsoft 365 tenants. Proofpoint reassured customers that while every email routing system is vulnerable to a certain extent – customer data was not exposed or compromised during the attacks. 

Opting for Well-Rounded Email Security with PowerDMARC

PowerDMARC’s advanced AI-powered email authentication platform offers both security and visibility when it comes to most email-based exploits and threats. Our Threat Intelligence technology is adept at making data-driven predictions on threat patterns and trends, with a team of experts guiding you through tightening your email authentication posture. 

PowerDMARC’s detailed APIs allow customers to seamlessly integrate our platform with their existing security systems including SEGs like Proofpoint – providing enhanced security! 

Furthermore, we help domain owners shift to enforced DMARC policies like “reject”, empowering them to combat spoofing attacks effectively. 

Final Words

The EchoSpoofing exploit highlights a significant vulnerability in Proofpoint’s email routing system, proving that even trusted security solutions can have blind spots. 

Attackers are not new to leveraging misconfigurations in email systems to bypass authentication checks, launching widespread phishing campaigns. While Proofpoint has responded with corrective measures, this incident underscores the importance of proactive email security powered by a team of experts. 

To explore protective strategies for your domain name and enforce your email authentication correctly – contact us today to speak to one of our seasoned professionals.

*** This is a Security Bloggers Network syndicated blog from PowerDMARC authored by Ahona Rudra. Read the original post at: https://powerdmarc.com/echospoofing-proofpoint-exploit/