Cybercriminals found a way to send millions of “perfectly spoofed” phishing emails thanks to a vulnerability in Proofpoint’s email relay servers.
Experts from Guardio Labs revealed the phishing campaign started in January 2024, and was sending out an average of three million emails daily. In early June, it peaked with 14 million emails being disseminated.
The researchers dubbed the campaign “EchoSpoofing”, noting the crooks were able to get their phishing emails properly DKIM signed, and SPF approved. What tipped researchers off, though, was that all of the emails were dispatched from one specific family of relay servers – pphosted.com – which is owned and operated by the email security vendor Proofpoint.
Bypassing spam filters
To the recipient, the email looks as if it is coming from a legitimate business. The businesses being spoofed here all seem to be Proofpoint’s customers, mostly Fortune 100 companies. These include Disney, IBM, Nike, Best Buy, and Coca-Cola, to name a few.
“These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive recipients and steal funds and credit card details,” the researchers concluded.
Guardio Labs said that all major email platforms, including Gmail, failed to flag these emails as spam, and instead allowed them straight into people’s inboxes. The emails scared the victims with fake account expirations, payment and renewal requests, and similar, all with the goal of harvesting payment and personally identifiable information.
Proofpoint said it had been keeping an eye on the EchoSpoofing campaign since March 2024, and that it provided new settings, and advice, on how to prevent such attacks in the future. The company provided a detailed guide on how users can add anti-spoof checks, and more.
Via BleepingComputer