Guardio Labs discovered a phishing campaign exploiting Proofpoint’s email protection to send millions of perfectly spoofed emails from major brands like Disney, IBM, and Nike. The attack bypassed security by leveraging authenticated SPF and DKIM signatures, deceiving recipients and stealing sensitive information. The campaign was traced back to vulnerabilities in the email relay configuration of Proofpoint’s servers and Office365 accounts. Proofpoint and Guardio collaborated to mitigate the issue, emphasizing the need for vigilant and proactive security measures.

19m read time. From medium.com
Table of contents
“EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails
The Perfect Spoof of Major Brands
“Now Spoofing on Disney+”
Proofpoint’s Relay Servers as the Enabler
Injecting Spoofed Headers with Email Relaying
A Permissive Configuration Turned Detrimental
Finalizing the Email Flow with Connectors
“EchoSpoofing” in Numbers
The Powerful Backend Behind the Operation
Disclosure and Cooperation with Proofpoint
