
An unidentified threat actor has exploited a significant email routing misconfiguration in Proofpoint’s defenses, launching a massive scam campaign dubbed EchoSpoofing. This flaw allowed millions of spoofed emails, mimicking companies such as Best Buy, IBM, and Nike, to be sent from Proofpoint’s authenticated servers. Because these messages passed SPF checks and carried valid DKIM signatures, they bypassed major security protocols and were used to deceive recipients and steal sensitive information.
The campaign, active since January 2024, reached a peak in June with 14 million emails sent daily. Guardio Labs researcher Nati Tal emphasized the sophistication of this method, which almost entirely masked the emails’ fraudulent origins. The attackers leveraged Microsoft 365 tenants to relay emails through Proofpoint’s infrastructure to users on platforms like Yahoo! and Gmail.
The root cause was a "super-permissive misconfiguration flaw" in Proofpoint’s servers, allowing spammers to exploit the email infrastructure. In response, Proofpoint has worked to rectify the issue by restricting which M365 tenants can relay messages and urging email providers to limit new or unverified tenants from sending bulk emails.
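The relay restriction described above, as an added example that is not Proofpoint's code: a permissive rule that relays for any Microsoft 365 source, beside a rule that relays only when the sending tenant is allow-listed for the From domain. Using the `X-MS-Exchange-CrossTenant-Id` header to identify the tenant, along with the domains, tenant IDs and function names, is an assumption made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the relaying M365 tenant is identified by this Exchange Online header.
TENANT_HEADER = "X-MS-Exchange-CrossTenant-Id"

# Constructed allow-list: customer domain -> tenant IDs permitted to relay for it.
ALLOWED_TENANTS = {"brand.example": {"11111111-1111-1111-1111-111111111111"}}


def permissive_policy(raw, source_is_m365):
    """Misconfigured rule: any Microsoft 365 tenant may relay."""
    return "relay" if source_is_m365 else "reject"


def hardened_policy(raw, source_is_m365, allowed=ALLOWED_TENANTS):
    """Relay only when the sending tenant is allow-listed for the From domain."""
    if not source_is_m365:
        return "reject"
    msg = message_from_string(raw)
    from_values = msg.get_all("From", [])
    tenant_values = msg.get_all(TENANT_HEADER, [])
    # Missing or duplicated headers are ambiguous, so fail closed.
    if len(from_values) != 1 or len(tenant_values) != 1:
        return "reject"
    domain = parseaddr(from_values[0])[1].rpartition("@")[2].lower()
    tenant = tenant_values[0].strip().lower()
    return "relay" if tenant in allowed.get(domain, set()) else "reject"


def make_msg(from_addr, tenant=None):
    """Build a constructed sample message for the comparison below."""
    lines = [f"From: {from_addr}", "To: user@recipient.example", "Subject: sample"]
    if tenant:
        lines.append(f"{TENANT_HEADER}: {tenant}")
    return "\n".join(lines) + "\n\nbody\n"


# Constructed samples: the customer's own tenant, an unrelated tenant, no tenant header.
LEGIT = make_msg("Brand <news@brand.example>", "11111111-1111-1111-1111-111111111111")
SPOOF = make_msg("Brand <news@brand.example>", "99999999-9999-9999-9999-999999999999")
NO_TENANT = make_msg("Brand <news@brand.example>")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF), ("no_tenant", NO_TENANT)):
        print(name, permissive_policy(raw, True), hardened_policy(raw, True))
```

Under the permissive rule all three samples are relayed, so the receiving provider sees the customer's SPF and DKIM results on the spoofed message; the allow-list rule relays only the first.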
Proofpoint assured that no customer data was exposed during these campaigns. The company continues to implement measures to mitigate such risks and emphasizes the importance of vigilant email security practices for organizations using third-party services.