In a recent cybersecurity incident, several threat actors successfully exploited a vulnerability in Proofpoint Email Protection, an email gateway, to launch large-scale phishing campaigns from the official domains of the affected Proofpoint customers.
Those threat actors managed to spoof the domains of Proofpoint clients without stealing any of their authentication credentials. Through that breach they sent phishing messages for months, peaking at 14 million messages in a single day. The campaign ran from January 2024 to June 2024 before being detected by the security team of Guard.io, a prominent cyber security research firm.
The attack exploited a weak default security configuration in Proofpoint Email Protection. Because of that default, the gateway relayed and signed messages that did not come from its customer, so the attackers' phishing emails carried the customer's own email authentication, appeared legitimate to recipients, and passed the security checks most mail providers rely on.
Until a few years ago, spoofing the "From:" email header was quite simple. You could set it to whatever value you wanted, regardless of whether you owned that email address or domain, and anyone could send emails that appeared to come from a specific account.
Over the last two decades the SPF, DKIM, and DMARC protocols have been introduced to close that gap. SPF lets a domain publish in DNS which mail servers may send on its behalf; DKIM lets the domain's mail server sign each message with a key published in DNS; and DMARC ties the two to the visible "From:" domain, requiring that at least one of them passes for a domain aligned with it and telling receivers what to do with messages that fail (none, quarantine, or reject). This means faking a message from a reputable domain is not trivial anymore.
Despite these protocols, in 2024 a group of attackers launched millions of spoofed phishing emails using the reputable domains of popular brands such as Disney, IBM, and Coca-Cola. They did this without compromising those companies' DNS servers or altering their SPF records, and without stealing the DKIM keys owned by those brands.
The threat actors relied on the Proofpoint default configuration described above. They sent their messages from Microsoft 365 tenants under their own control, and the gateway's permissive default accepted mail from any Microsoft 365 tenant as if it came from the customer. The secure email gateway then relayed the messages and DKIM-signed them for the customer's domain, so they passed SPF, DKIM, and DMARC at the receiving end. In effect, the attackers used the customer's own security gateway to distribute their phishing emails.
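The following is an added example, not code from the original post and not Proofpoint's or Planck's implementation. It models the DMARC alignment step that decides whether a message "passes" once SPF and DKIM have been checked, and shows why a relay that signs mail for anyone defeats it: the same spoofed "From:" fails when sent directly but passes when routed through a gateway that DKIM-signs it with the brand's domain. The domains, the DMARC record, the `relay_signs_for` model and its tenant identifiers are constructed for the example; the organizational-domain logic is simplified and does not consult the Public Suffix List.

```python
"""DMARC alignment worked example (added illustration, not vendor code).

SPF / DKIM verification (DNS lookups, signature checks) is assumed to have
happened already; this code only evaluates the DMARC alignment and policy
step, which is where a signing relay makes the difference.
"""
import re
from typing import Dict, Optional


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Simplification: last two
    labels. A real implementation consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags.
    Defaults per RFC 7489: relaxed alignment for both SPF and DKIM."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def header_from_domain(raw_from: str) -> str:
    """Domain of the visible From: address ('Name <user@dom>' or 'user@dom')."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", raw_from.strip())
    if not match:
        raise ValueError("no address in From header: %r" % raw_from)
    return match.group(1).lower()


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain. No authenticated domain: no alignment."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_header: str, dmarc_txt: str,
                   spf_pass_domain: Optional[str],
                   dkim_pass_domain: Optional[str]) -> Dict[str, object]:
    """DMARC verdict for one message.
    spf_pass_domain:  MAIL FROM domain if SPF passed for it, else None.
    dkim_pass_domain: d= of a DKIM signature that verified, else None."""
    tags = parse_dmarc_record(dmarc_txt)
    fd = header_from_domain(from_header)
    spf_ok = aligned(spf_pass_domain, fd, tags["aspf"])
    dkim_ok = aligned(dkim_pass_domain, fd, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {"from_domain": fd, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail",
            "disposition": "none" if passed else tags["p"]}


def relay_signs_for(customer_domain: str, originating_tenant: str,
                    allowed_tenants: Optional[set]) -> Optional[str]:
    """Model of an outbound gateway that DKIM-signs mail for customer_domain.
    allowed_tenants=None is the permissive default: any cloud tenant that can
    reach the relay gets its mail signed. A populated allow-list is the fix:
    only the customer's own tenant(s) are relayed and signed. Tenant names are
    a hypothetical stand-in for however a real relay identifies the upstream."""
    if allowed_tenants is None:
        return customer_domain
    return customer_domain if originating_tenant in allowed_tenants else None


# Constructed sample data: a brand with a strict DMARC policy.
BRAND_DMARC = "v=DMARC1; p=reject; adkim=r; aspf=r"
SPOOFED_FROM = "Brand Support <support@brand.example>"


def scenario_plain_spoof() -> Dict[str, object]:
    """Attacker sends directly from their own infrastructure: SPF and DKIM can
    only succeed for domains the attacker controls, so nothing aligns."""
    return dmarc_evaluate(SPOOFED_FROM, BRAND_DMARC,
                          spf_pass_domain="attacker.example",
                          dkim_pass_domain="attacker.example")


def scenario_open_relay() -> Dict[str, object]:
    """Same message routed through the brand's permissive relay: it leaves from
    IPs in the brand's SPF record and is DKIM-signed with the brand's key."""
    d = relay_signs_for("brand.example", "attacker-tenant", allowed_tenants=None)
    return dmarc_evaluate(SPOOFED_FROM, BRAND_DMARC,
                          spf_pass_domain="brand.example", dkim_pass_domain=d)


def scenario_restricted_relay() -> Optional[str]:
    """Relay restricted to the brand's own tenant: the attacker's tenant is not
    relayed or signed at all (None), so no aligned authentication exists."""
    return relay_signs_for("brand.example", "attacker-tenant",
                           allowed_tenants={"brand-tenant"})


if __name__ == "__main__":
    print("direct spoof     :", scenario_plain_spoof())
    print("via open relay   :", scenario_open_relay())
    print("restricted relay :", scenario_restricted_relay())
```

Note that in the relay case the receiver is doing everything right: the signature really was made with the brand's key and the sending host really is authorized by the brand's SPF record. DMARC can only attest that the brand's infrastructure handled the message, not who handed it to that infrastructure, which is why the fix has to be applied on the relay's accept side.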
Proofpoint had already documented the flaw in a guide published in May 2023. However, they failed to inform most customers about the risk associated with the default configuration. Guard.io's researchers identified the issue, detected its active exploitation, and reported it to Proofpoint in May 2024. Proofpoint then launched a more proactive communication campaign informing customers about the risk and prompting them to fix their configurations.
The impact of this incident isn't limited to Proofpoint customers; it extends to millions of users. Using the technique Guard.io named EchoSpoofing, the attackers sent an average of 3 million phishing messages every day for several months, reaching a massive number of people globally regardless of any affiliation with Proofpoint or Microsoft.
Proofpoint customers face significant legal risk, reputational damage, and operational disruption.
Their domains have been used for massive phishing campaigns, putting them at risk of legal action by those affected by such attacks.
The high volume of spam and phishing emails received by their customers damaged those brands' reputations, as recipients associated the malicious emails with those companies.
Because so many emails sent from those domains were reported as dangerous, the domains' sender reputation declined and even legitimate emails stopped being delivered, disrupting customer engagement and the companies' own email service.
The most urgent action for every Proofpoint customer is to review their configuration and, where needed, fix it by enabling the "Anti-spoof Rule" so that the gateway no longer relays and signs mail from arbitrary senders. The procedure is described in an online guide published by the vendor.
Proofpoint informed their customers on how to implement possible mitigation measures linked to usage of their product.
Timely updates of every product and service a company uses are fundamental for keeping an optimal security posture. Software vendors often provide their customers with a support newsletter that informs them about the latest security updates. In case of security incidents such as the Proofpoint EchoSpoofing flaw, such newsletters also inform their customers about the impact and the required corrective measures. Stakeholders responsible for a company's security, such as CISOs, CIOs, and Heads of IT should remain up to date with such news and ensure their organizations implement the recommended updates, minimizing the window of opportunity for potential attackers.
Software and configuration updates are only helpful when the vendor already discovered the issue. However, while the issue is still unknown to the vendor, what can their customers do to reduce the risk of this kind of attack?
Every company should regularly conduct independent penetration tests and security assessments to confirm that its security posture is sound. Even when software vendors run bug bounty programs, those programs can't capture every edge case, and they usually test configurations that differ from the ones deployed at each customer. A permissive default that is harmless in the vendor's lab can be a serious exposure in a customer's environment. For this reason, every company must take responsibility for its own security rather than blindly trusting its vendors.
One of the downsides of relying on a centralized security gateway such as Proofpoint's email gateway or similar Secure Email Gateway solutions (SEGs) is the blast radius of any successful attack on such systems. The incident affecting Proofpoint is an example of how a simple default configuration could cause millions in damage.
A distributed security approach to email security, such as the one Planck takes, massively reduces the size of the attack perimeter. Unlike centralized gateways, Planck is designed in line with Zero Trust Architecture principles and fully compatible with the highest security standards set by PGP (Pretty Good Privacy), while retaining compatibility with enterprise requirements such as usability and central administration.
This approach, recommended by many experts and governments, prevents attackers from abusing entire organizations and causing extensive damage. This is accomplished by distributing the agents in charge of keeping your system secure, rather than having your security managed on a single server or the cloud.
By installing Planck on your devices you can ensure your emails and documents remain safe, even if servers or people are compromised.