Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails
An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others.
"These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections - all to deceive recipients and steal funds and credit card details," Guardio Labs researcher Nati Tal said in a detailed report shared with The Hacker News.
It all goes back to the fact that these messages originate from various adversary-controlled Microsoft 365 tenants and are then relayed through Proofpoint enterprise customers' email infrastructures to reach users of free email providers such as Yahoo!, Gmail, and GMX. This is the result of what Guardio described as a "Super-permissive misconfiguration flaw" in Proofpoint servers that essentially allowed spammers to take advantage of the email infrastructure to send the messages.
"The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations' outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow," Proofpoint said in a coordinated disclosure report shared with The Hacker News.
"Any email infrastructure that offers this email routing configuration feature can be abused by spammers."
"Microsoft 365 accepted these spoofed messages and sent them to these customers' email infrastructures to be relayed. When customer domains were spoofed while relaying through the matching customer's email infrastructure, DKIM signing was also applied as the messages transited through the Proofpoint infrastructure, making the spam messages more deliverable."
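The root cause described above is a relay that accepts outbound mail from Microsoft 365 tenants without restricting which tenants may use it, and then DKIM-signs anything bearing a customer's domain. The following is an added illustration written for this page; it is not Proofpoint's, Guardio's or Microsoft's code, configuration or log format. It models the permissive policy beside the tenant-restricted one, and adds a small audit over constructed relay log lines that flags messages relayed from a tenant the restricted policy would not allow. The tenant identifiers, domain names and log format are assumptions made for the example.

```python
"""Model of an outbound relay that accepts mail from M365 tenants and
DKIM-signs messages carrying a customer domain. All names, tenant ids and
the log format below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    from_domain: str         # domain in the message's From header
    originating_tenant: str  # hypothetical id of the submitting M365 tenant


@dataclass(frozen=True)
class RelayPolicy:
    customer_domains: frozenset           # domains the relay will DKIM-sign for
    allowed_tenants: Optional[frozenset]  # None models "no tenant restriction"


@dataclass(frozen=True)
class Decision:
    relayed: bool
    dkim_signed: bool
    reason: str


def relay_decision(msg: Message, policy: RelayPolicy) -> Decision:
    """Decide whether the relay forwards, and DKIM-signs, a message."""
    # The corrected policy rejects mail from tenants not on the allow list.
    # With allowed_tenants=None (the misconfiguration) this check never fires.
    if policy.allowed_tenants is not None and msg.originating_tenant not in policy.allowed_tenants:
        return Decision(False, False, "tenant not authorised to relay via this customer")
    # Once accepted, a message with a customer domain in From is signed with
    # the customer's DKIM key, which is what made spoofed mail deliverable.
    signed = msg.from_domain in policy.customer_domains
    reason = "relayed and DKIM-signed" if signed else "relayed unsigned (non-customer domain)"
    return Decision(True, signed, reason)


def audit_relay_log(lines: List[str], policy: RelayPolicy) -> List[Tuple[str, str]]:
    """Flag relayed messages whose tenant the given policy would not allow.
    Constructed log format: 'tenant=<id> from=<domain> action=relayed|rejected'."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("action") != "relayed":
            continue
        if policy.allowed_tenants is None or fields["tenant"] not in policy.allowed_tenants:
            findings.append((fields["tenant"], fields["from"]))
    return findings


# Constructed sample: one legitimate tenant and one rogue tenant, both
# submitting mail with the customer's own domain in the From header.
CUSTOMER_DOMAIN = "customer.example"
LEGIT_TENANT = "tenant-legit-0001"
ROGUE_TENANT = "tenant-rogue-9999"

PERMISSIVE = RelayPolicy(frozenset({CUSTOMER_DOMAIN}), allowed_tenants=None)
RESTRICTED = RelayPolicy(frozenset({CUSTOMER_DOMAIN}), allowed_tenants=frozenset({LEGIT_TENANT}))

SPOOFED = Message(CUSTOMER_DOMAIN, ROGUE_TENANT)
GENUINE = Message(CUSTOMER_DOMAIN, LEGIT_TENANT)

SAMPLE_LOG = [
    f"tenant={LEGIT_TENANT} from={CUSTOMER_DOMAIN} action=relayed",
    f"tenant={ROGUE_TENANT} from={CUSTOMER_DOMAIN} action=relayed",
    f"tenant={ROGUE_TENANT} from=other.example action=rejected",
]


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        for name, msg in (("spoofed", SPOOFED), ("genuine", GENUINE)):
            d = relay_decision(msg, policy)
            print(f"{label:10s} {name:8s} relayed={d.relayed!s:5s} signed={d.dkim_signed!s:5s} {d.reason}")
    print("audit findings:", audit_relay_log(SAMPLE_LOG, RESTRICTED))
```

Under the permissive policy the spoofed message is both relayed and signed, which is the failure mode the article describes; under the restricted policy it is rejected while the genuine tenant's mail is still signed. The audit function shows the same allow list applied retrospectively to relay logs, the check a customer would want to run to find messages that should never have transited their infrastructure.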
News URL
https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html
Related news
- Beware of phishing emails delivering backdoored Linux VMs!
- New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
- Phishing emails increasingly use SVG attachments to evade detection
- European companies hit with effective DocuSign-themed phishing emails