Brands hijacked: Proofpoint bug exploited for sophisticated phishing attacks
Guardio Labs, a cybersecurity research firm, has disclosed a significant security flaw it calls "EchoSpoofing." The technique let cybercriminals bypass Proofpoint's email security and impersonate well-known brands, sending millions of spoofed emails intended to steal money and credit card details. The irony is that the abused component, Proofpoint's Secure Email Relay service, exists to let customers block phishing emails that could lead to data breaches and other scams.
Exploit's potential severity and implications
Nati Tal, the author of the report and head of Guardio Labs, highlighted the potential severity of this vulnerability. "It can be easily converted from large-scale phishing to a boutique spear-phishing campaign where an attacker can swiftly take any real company team member identity and send emails to other co-workers," Tal said. He warned that sophisticated social engineering could allow attackers access to internal data or credentials, potentially compromising an entire company.
No evidence of internal data breaches yet
Guardio Labs has not found any evidence of internal data breaches resulting from this exploit. Tal clarified that only Proofpoint is in a position to detect such activity, and Proofpoint has not reported any such incidents so far. The attacks observed were primarily phishing attempts aimed at people outside the affected organizations. Guardio Labs worked closely with Proofpoint to resolve the issue and passed on the list of domains being actively spoofed.
Proofpoint's response to the security flaw
The vulnerability stemmed from the default configuration of Proofpoint's relay service, which allowed senders outside an organization to send outbound mail as that organization's domain: the relay's permission to send on a domain's behalf was not tied to an authenticated, customer-approved source. Many companies were unaware of the weakness or of how to prevent it. In response, Proofpoint has updated its admin panel so that the default configuration process includes alerts and clear descriptions of the risk.
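To make that trust decision concrete, here is an added example (written for this page, not Proofpoint's code or Guardio's research) that models a relay's outbound authorization in Python. The log format, the tenant identifiers, the domain acme.example and the function names are assumptions for illustration. The permissive policy grants the right to send as a customer domain to whoever reaches the relay with that domain in the From: header, which is the default the article describes; the strict policy ties that right to an authenticated source identity, and the audit shows which logged messages only got through because of the permissive default.

```python
from dataclasses import dataclass

# Constructed relay log lines (not real Proofpoint logs). Each records the
# authenticated source that handed the message to the relay, the domain in
# the From: header, and the recipient.
SAMPLE_LOG = """\
src=tenant-acme-prod from=acme.example rcpt=customer1@mail.example
src=tenant-unknown-0421 from=acme.example rcpt=customer2@mail.example
src=tenant-unknown-0421 from=acme.example rcpt=customer3@mail.example
src=tenant-acme-prod from=other.example rcpt=customer4@mail.example
"""


@dataclass(frozen=True)
class RelayEvent:
    source_id: str    # authenticated identity of the system submitting the mail
    from_domain: str  # domain in the RFC 5322 From: header
    recipient: str


def parse_log(text: str) -> list[RelayEvent]:
    """Parse the constructed key=value log format into RelayEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        events.append(RelayEvent(fields["src"], fields["from"], fields["rcpt"]))
    return events


@dataclass
class RelayPolicy:
    """Maps each customer domain to the authenticated sources allowed to send as it.

    A domain mapped to an empty set models the permissive default described in
    the article: the relay accepts mail for that domain from any source.
    """
    allowed_sources: dict[str, set[str]]


def should_relay(policy: RelayPolicy, event: RelayEvent) -> tuple[bool, str]:
    """Decide whether the relay sends the message out as event.from_domain."""
    if event.from_domain not in policy.allowed_sources:
        return False, "domain is not a customer of this relay"
    allowed = policy.allowed_sources[event.from_domain]
    if not allowed:
        return True, "permissive default: any source accepted"
    if event.source_id in allowed:
        return True, "source authorized for domain"
    return False, "source not authorized for domain"


def policy_warnings(policy: RelayPolicy) -> list[str]:
    """Flag domains still on the permissive default (the alert the fixed admin
    panel is described as raising; wording here is assumed)."""
    return [
        f"{domain}: no source allow-list; any sender can relay as this domain"
        for domain, sources in policy.allowed_sources.items()
        if not sources
    ]


def find_spoofed(policy: RelayPolicy, events: list[RelayEvent]) -> list[RelayEvent]:
    """Return customer-domain messages the given policy rejects. Run against a
    strict policy over logs collected under the permissive default, this is
    the set of messages that were relayed on a customer's behalf by a source
    the customer never authorized."""
    spoofed = []
    for ev in events:
        if ev.from_domain not in policy.allowed_sources:
            continue  # not a domain this relay speaks for at all
        accepted, _ = should_relay(policy, ev)
        if not accepted:
            spoofed.append(ev)
    return spoofed


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    permissive = RelayPolicy({"acme.example": set()})
    strict = RelayPolicy({"acme.example": {"tenant-acme-prod"}})
    for warning in policy_warnings(permissive):
        print("WARNING", warning)
    for ev in events:
        print(ev.source_id, ev.from_domain,
              "default:", should_relay(permissive, ev)[1],
              "| strict:", should_relay(strict, ev)[1])
    for ev in find_spoofed(strict, events):
        print("spoofed under default policy:", ev)
```

The second and third log lines are the spoofing case: an unknown source submits mail with the customer's domain in From:, the permissive policy relays it, and the strict policy rejects it. The fourth line shows that tying the permission to the source is still per domain; an authorized source does not get to send as domains it was never approved for.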
Exploit's timeline and scale of operation
The exploitation, which began in January 2024, was part of a "well-orchestrated" campaign that sent an average of 2-3 million emails a day. At its peak in early June, the cybercriminals sent 14 million malicious emails in a single day while posing as Disney. The rate of abuse has dropped significantly, but the flaw is still being exploited. Tal noted that forcing the configuration change on every customer could disrupt their production mail environments, which is why it has not simply been enforced.