Cybercriminals have found a way to send millions of “perfectly spoofed” phishing emails thanks to a vulnerability in Proofpoint’s email relay servers.
Experts from Guardio Laboratories revealed that the phishing campaign began in January 2024 and was sending an average of three million emails per day, peaking in early June with 14 million emails distributed.
The researchers dubbed the campaign “EchoSpoofing,” noting that the scammers were properly DKIM-signing and SPF-approved with their phishing emails. What did tip the researchers off, however, was that all of the emails were being sent from a single family of relay servers — pphosted.com — which is owned and operated by email security vendor Proofpoint.
Bypass spam filters
To the recipient, the email appears to come from a legitimate company. The companies being impersonated here all appear to be Proofpoint customers, primarily Fortune 100 companies. These include Disney, IBM, Nike, Best Buy, and Coca-Cola.
“These emails matched official Proofpoint email relays with verified SPF and DKIM signatures, bypassing important security measures, all in an attempt to trick recipients and steal money and credit card information,” the researchers concluded.
Guardio Labs said that all major email platforms, including Gmail, did not mark these emails as spam and instead delivered them directly to people’s inboxes. The emails scared victims with fake account expirations, payment and renewal requests, and the like, all with the goal of collecting payments and personally identifiable information.
Proofpoint said it has been monitoring the EchoSpoofing campaign since March 2024 and has provided new settings and advice on how to prevent similar attacks in the future. The company provided detailed guidance on how users can add anti-spoof controls and more.
Through BleepingComputer