
Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails
2024-07-29 13:19

An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others.

"These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections - all to deceive recipients and steal funds and credit card details," Guardio Labs researcher Nati Tal said in a detailed report shared with The Hacker News.

The campaign worked by routing the messages from various adversary-controlled Microsoft 365 tenants, which were then relayed through Proofpoint enterprise customers' email infrastructures to reach users of free email providers such as Yahoo!, Gmail, and GMX. This was possible because of what Guardio described as a "Super-permissive misconfiguration flaw" in Proofpoint servers, which allowed spammers to use that email infrastructure to send the messages.

"The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations' outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow," Proofpoint said in a coordinated disclosure report shared with The Hacker News.

"Any email infrastructure that offers this email routing configuration feature can be abused by spammers."

"Microsoft 365 accepted these spoofed messages and sent them to these customers' email infrastructures to be relayed. When customer domains were spoofed while relaying through the matching customer's email infrastructure, DKIM signing was also applied as the messages transited through the Proofpoint infrastructure, making the spam messages more deliverable."
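The relay behaviour described above can be modelled as a simple accept/sign decision. The following Python is an added illustration, not code from the article, Guardio or Proofpoint: it contrasts a relay rule that forwards anything arriving from Microsoft 365 for a customer domain (the unrestricted configuration the article describes) with one that also checks the originating tenant against the customer's own tenant list. The header name `originator_tenant`, the tenant identifiers, the domain `example-customer.com` and the decision labels are all constructed for the example.

```python
"""Added example (not from the article, Guardio or Proofpoint): a toy model of an
outbound email relay deciding whether to forward, and DKIM-sign, a message that
arrived from Microsoft 365. All header names, domains and tenant ids are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayPolicy:
    customer_domain: str
    # Microsoft 365 tenants the customer actually owns. Leaving the check off
    # models the "without specifying which M365 tenants to allow" configuration.
    allowed_tenants: frozenset = frozenset()
    restrict_to_allowed_tenants: bool = True


@dataclass(frozen=True)
class Message:
    from_domain: str          # domain in the From header / envelope sender
    originator_tenant: str    # hypothetical header naming the sending M365 tenant
    via_microsoft365: bool    # connection came from Microsoft 365 relay infrastructure


def relay_decision(policy: RelayPolicy, msg: Message) -> tuple:
    """Return (action, reason).

    'relay_and_sign': the message leaves through the customer's relay and is
                      DKIM-signed for the customer domain (the worst case for a
                      spoofed message, since it then passes SPF and DKIM).
    'relay':          forwarded but not signed (From domain is not the customer's).
    'reject':         not relayed.
    """
    if not msg.via_microsoft365:
        return "reject", "connection did not come from Microsoft 365"
    if policy.restrict_to_allowed_tenants and msg.originator_tenant not in policy.allowed_tenants:
        return "reject", f"tenant {msg.originator_tenant!r} is not authorized for {policy.customer_domain}"
    if msg.from_domain == policy.customer_domain:
        return "relay_and_sign", "accepted for the customer's own domain"
    return "relay", "accepted, but no signature applied for a foreign From domain"


# Constructed sample: a legitimate customer tenant and an attacker-controlled one.
PERMISSIVE = RelayPolicy("example-customer.com", restrict_to_allowed_tenants=False)
RESTRICTED = RelayPolicy("example-customer.com",
                         allowed_tenants=frozenset({"customer-tenant.onmicrosoft.com"}))

LEGIT = Message("example-customer.com", "customer-tenant.onmicrosoft.com", True)
SPOOFED = Message("example-customer.com", "attacker-tenant.onmicrosoft.com", True)
DIRECT = Message("example-customer.com", "attacker-tenant.onmicrosoft.com", False)


def compare_policies() -> dict:
    """Evaluate each sample message under both policies; keys are (policy, message)."""
    results = {}
    for pname, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        for mname, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("direct", DIRECT)):
            results[(pname, mname)] = relay_decision(policy, msg)[0]
    return results


if __name__ == "__main__":
    for (pname, mname), action in compare_policies().items():
        print(f"{pname:10s} {mname:8s} -> {action}")
```

The point of the comparison is the `("permissive", "spoofed")` row: with no tenant check, a message from an unrelated tenant that merely claims the customer's domain is relayed and signed exactly like the customer's own mail, which is why the resulting spam carried valid SPF and DKIM. Adding the tenant allowlist turns that same message into a rejection while leaving legitimate customer mail unaffected.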

News URL

https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html

Related vendor

Vendor       Products (last 12 months)   Low   Medium   High   Critical   Total vulns
Proofpoint   9                           0     26       13     3          42