Proofpoint Vulnerability Exploited for Phishing Campaign

Threat actors have been exploiting a flaw in Proofpoint’s email protection service, impersonating popular brands as part of a phishing campaign. Learn more about the flaw and its threat to Proofpoint users.

July 30, 2024


  • Threat actors have leveraged a vulnerability in Proofpoint’s email protection service to run a wide-ranging phishing campaign.
  • The campaign has sent millions of emails impersonating popular companies such as IBM, Best Buy, Walt Disney, and Nike.

A vulnerability in security firm Proofpoint’s email protection service has been discovered. This vulnerability enabled attackers to spoof millions of emails from legitimate companies such as IBM, Disney, and Coca-Cola, posing severe risks to organizations using the service.

Researchers at Guardio Labs first reported the flaw. According to them, a technique called echo spoofing manipulates Proofpoint’s email routing settings to send emails that appear to come from trusted sources. This, in turn, raises the chances of victims falling for the associated scams.


The Vulnerability

The vulnerability lies in Proofpoint’s email protection settings. The emails in question start at an SMTP (Simple Mail Transfer Protocol) server, pass through an Office365 Online Exchange server, and then enter a domain-specific Proofpoint server. Attackers can circumvent the security measures that would normally warn users about suspicious emails by using the spoofed brand’s unique identifiers, which can be found in its mail exchanger (MX) records.

This can involve manipulating Domain-based Message Authentication, Reporting, and Conformance (DMARC) records, which can be used to verify email senders. These records can be spoofed to send phishing emails that bypass security filters to reach inboxes directly.

Proofpoint’s server is typically the final checkpoint for incoming and outgoing emails. An attacker only needs to find a way to send spoofed emails through the Proofpoint relay. Attackers can do this by injecting spoofed headers in the phishing email via an Office 365 account to relay emails from a malicious source. A misconfiguration issue resulting in excessive permission ensures that even spoofed emails are correctly signed and authenticated.

Considering how the SMTP protocol works, authentication is not required to add approved email services, as that process is conducted via IP addresses. Proofpoint has pre-approved a list of IPs associated with trusted email services such as Office365.

The sophisticated phishing campaign is being run on a wide scale. The fake emails can pass security checks such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The flaw is used to impersonate major brands, potentially exposing millions of those brands’ users to theft of financial data, login credentials, and other personal information. The links in the spoofed emails lead to fraudulent websites that often advertise attractive offers from the impersonated company.

Implications and Mitigation

Proofpoint was alerted to the problem and has issued patches to prevent exploitation of the vulnerability. The flaw’s discovery highlights the need to keep email security protocols up to date and to monitor continuously. Organizations should review their security settings and apply patches and updates promptly.

Proofpoint deployed an update that automatically attaches a unique, vendor-specific header for Exchange to outgoing emails, carrying the Office365 account name. The company has also warned customers about the risk of configurations with unnecessary permissions, urging them to monitor for signs of misuse.
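As an added illustration (not Proofpoint’s code or configuration), the following Python compares the two relay policies the article describes: trusting any pre-approved Office365 IP to send for any customer domain, versus additionally requiring a tenant-identifying header that matches the sender domain. The header name, IP ranges, tenant names, and sample messages are constructed placeholders.

```python
import ipaddress
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed allowlist: relay trusts these egress ranges for the hosted mail service (placeholder CIDR).
TRUSTED_RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed mapping: which hosted tenant is authorized to send as which customer domain.
DOMAIN_TO_TENANT = {"example.com": "example-tenant"}

# Hypothetical name for the vendor-specific header carrying the account/tenant name.
TENANT_HEADER = "X-Origin-Tenant"


def permissive_policy(source_ip: str, msg: Message) -> bool:
    """Pre-fix behaviour described in the article: any trusted IP may relay for any domain."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in TRUSTED_RELAY_NETS)


def tenant_bound_policy(source_ip: str, msg: Message) -> bool:
    """Post-fix behaviour: a trusted IP must also present a tenant header authorized for the From domain."""
    if not permissive_policy(source_ip, msg):
        return False
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    tenant = msg.get(TENANT_HEADER, "").strip()
    return bool(tenant) and DOMAIN_TO_TENANT.get(domain) == tenant


def decide(source_ip: str, raw: str) -> tuple:
    """Return (permissive_result, tenant_bound_result) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    return permissive_policy(source_ip, msg), tenant_bound_policy(source_ip, msg)


# Constructed sample messages: same From domain, different tenant evidence.
LEGIT = "From: Brand <noreply@example.com>\nX-Origin-Tenant: example-tenant\nSubject: Statement\n\nbody\n"
OTHER_TENANT = "From: Brand <noreply@example.com>\nX-Origin-Tenant: other-tenant\nSubject: Offer\n\nbody\n"
NO_HEADER = "From: Brand <noreply@example.com>\nSubject: Offer\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("other-tenant", OTHER_TENANT), ("no-header", NO_HEADER)]:
        print(name, decide("203.0.113.10", raw))
```

Only the legitimate message is accepted under both policies; the permissive policy accepts all three because they arrive from a trusted range.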

The exploitation of a widely used security service such as Proofpoint shows how seemingly strong security measures can still be vulnerable. This raises concerns about the efficacy of third-party security services and underlines the need for multi-layered defenses.

Takeaways

The vulnerability in Proofpoint’s email protection service highlights the evolving nature of the cybersecurity landscape. Organizations should be vigilant, update security measures, and consider additional security measures, including but not limited to cybersecurity insurance, to mitigate risks posed by such attacks.


Anuj Mudaliar
Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors - trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.