Disney, Nike, IBM Signatures Anchor 3M Fake Emails a Day

Published : 23/11/2024   Category : security




A simple toggle in Proofpoint's email service allowed brand impersonation at an industrial scale. It prompts the question: are secure email gateways (SEGs) secure enough?



Millions of near-undetectable emails impersonating blue chip companies were spreading every day through the first half of 2024, thanks to some permissive features of Microsoft 365 and Proofpoint's email protection service.
Proofpoint's secure email gateway (SEG) is a kind of firewall for corporate email, filtering what comes in and applying authentication to what goes out. Recently, though, researchers from Guardio uncovered a campaign undermining that outbound part, exploiting a super-permissive misconfiguration to send credit-card scam emails that were signed and verified as if they came from legitimate, brand-name corporate accounts.
"It puts recipients in a weird place," says Adam Maruyama, field CTO at Garrison Technology. "You can receive a spoofed email and be affected, even if you've done your full [cybersecurity] due diligence to try to protect yourself."
Proofpoint has since implemented a fix which has all but killed the campaign, but some broader questions around email security linger.
"There's not been a lot that has changed in the underlying infrastructure of what email is since it first started," says Jeremy Fuchs, office of the CTO at Check Point Software. "For example, the sender address in an email is kind of like the sender address in snail mail. I could send you a letter and say it's coming from the North Pole, and there really wouldn't be anything anyone could do to stop it. It's not that simple in the digital world, but it's still fairly easy."
In the campaign, which Guardio called EchoSpoofing, the attacker took advantage of this fact by setting up their own Simple Mail Transfer Protocol (SMTP) server on a virtual server. From there, they could send out emails with whatever "From" header they wished — for example, a fake customer service account coming from an @disney.com or @northpole.cool domain.
Of course, any modern security solution that employs anti-spoofing technology like Domain-based Message Authentication, Reporting & Conformance (DMARC) monitoring or a spam filter would catch suspicious emails coming from a random server. But this is where the EchoSpoofing vulnerability comes into play.
It turned out that Proofpoint's SEG contained a toggle which, when turned on, trusted any email routed through Microsoft Office 365. Microsoft 365 is a commonly used mail service among businesses, but anybody — including a hacker — can also use it. Thus, if a hacker could send mail through Microsoft to a Proofpoint customer, it would be trusted by default and passed along.
This is where mail exchange (MX) records came in handy. MX records in the Domain Name System (DNS) specify the mail servers responsible for handling email for a domain. Companies that use Proofpoint's SEG point their MX records at Proofpoint's servers. These records are public, so, Fuchs observes, "They weren't just guessing about who to target. They knew exactly who they could target."
In summary: the attacker forged emails mimicking major corporations (including Disney, Best Buy, ESPN, IBM, Coca-Cola, Nike, Fox News, and dozens more) from a private SMTP server, then relayed them through Microsoft 365 to known Proofpoint customers. If the customer had the super-permissive setting toggled on, Proofpoint would stamp the malicious emails with the same DomainKeys Identified Mail (DKIM) signature it would give legitimate emails, then send them on to victim inboxes.
The EchoSpoofing campaign began in January, and was first discovered by Proofpoint itself in late March. At that point, the company explained in a blog post, it took a number of steps to notify and protect customers.
But those efforts did not stem the tide of attacks. In fact, the forged emails only grew in number — averaging three million per week, and occasionally surpassing ten million.
Dark Reading reached out to Proofpoint for more information on why email attacks only rose after its initial remediation efforts began. Proofpoint representatives pointed Dark Reading to passages of its blog, and did not provide further comment.
Perhaps the campaign survived because the attacker had a keen operational awareness. As Guardio explained, "Once it finds a vulnerable Proofpoint account (by testing out this exploit on a small scale), it saves the domain for later use, forcing time gaps between delivery opportunities. It switches abused domains and Office365 accounts each time, making it harder to spot the activity and trying to stay under the radar as much as possible."
This diligence may have been the key to the campaign's staying power, even after it had been detected. "It was quite interesting to see how, once the campaign was spotted and Proofpoint customers started to patch and block this exploit, the threat actor realized the decline and started burning out assets — realizing the end is near — as can be seen with the disney.com domain usage in the above graph in early June 2024."
EchoSpoofing finally seems to have died down recently, after Proofpoint introduced a vendor-specific header for outgoing emails. Now, customers can restrict the Microsoft 365 accounts allowed to send emails on their behalf to only their own.
Besides permissiveness, negligence too paved the way for the EchoSpoofers.
According to Guardio, despite Proofpoint's efforts to alert Microsoft, the attacker's maliciously wielded Office365 accounts remain active many months later. In a statement to Dark Reading, a Microsoft spokesperson claimed that "When our partner alerted us to this issue, we took immediate action to investigate. We blocked tenants abusing our service and disabled accounts deemed fraudulent."
Then there were the companies that were victims of being spoofed. As Nati Tal, head of Guardio Labs, notes, they weren't powerless to detect millions of fake emails impersonating their brands. "In this case, if someone from Disney or wherever was looking at the amount of emails being sent out from their ProofPoint [server], it would probably have popped out immediately, at the first moment. You would see some kind of anomaly."
That, he says, should be a lesson that "You need to implement some kind of logging, some kind of data tracking for your email distribution."
Organizations that don't implement secure email controls like DMARC monitoring risk far greater cyber consequences than EchoSpoofing has demonstrated thus far. As Maruyama reflects, "I think my concern is that these have been pretty generic spam attacks. Click here, then they try to steal your credit card number. I could see a world in which a more sophisticated actor would save a similar vulnerability to do very targeted spear phishing to, for example, get emails through that look like they are from the government and defense services, targeted toward individuals in the Pentagon, DHS, etc. That is a much bigger threat, with due respect to folks who've had credit cards stolen here."
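The two defensive controls the article describes, restricting which Microsoft 365 tenants may relay mail on a domain's behalf and tracking outbound volume so a spike "pops out", can be checked against gateway logs offline. The following is an added example, not code from Guardio, Proofpoint or the article; the log format, the domain `example-brand.com` and the tenant names are constructed for illustration.

```python
"""Outbound-gateway monitoring: flag volume spikes and untrusted relay tenants."""
from collections import Counter, defaultdict
from statistics import median

# Constructed log lines: "<date> <sender domain> <relaying 365 tenant>".
# Five quiet days from the brand's own tenant, then one day with a burst
# relayed by a tenant the brand does not own (the EchoSpoofing pattern).
SAMPLE_LOG = (
    [f"2024-06-0{d} example-brand.com tenant-own" for d in range(1, 6) for _ in range(100)]
    + ["2024-06-06 example-brand.com tenant-foreign"] * 5000
    + ["2024-06-06 example-brand.com tenant-own"] * 100
)

# Assumed policy: only the brand's own tenant may send on its behalf.
ALLOWED_TENANTS = {"example-brand.com": {"tenant-own"}}


def parse_log(lines):
    """Parse 'date domain tenant' lines into tuples; malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            records.append(tuple(parts))
    return records


def daily_counts(records):
    """Messages per sender domain per day."""
    counts = defaultdict(Counter)
    for date, domain, _tenant in records:
        counts[domain][date] += 1
    return counts


def flag_volume_spikes(records, factor=10):
    """Return (domain, date, count) for days exceeding factor x that domain's median day."""
    flagged = []
    for domain, per_day in daily_counts(records).items():
        baseline = median(per_day.values())
        for date, n in sorted(per_day.items()):
            if n > factor * baseline:
                flagged.append((domain, date, n))
    return flagged


def flag_untrusted_tenants(records, allowed=ALLOWED_TENANTS):
    """Count messages relayed by tenants not allow-listed for the sender domain."""
    bad = Counter()
    for _date, domain, tenant in records:
        if tenant not in allowed.get(domain, set()):
            bad[(domain, tenant)] += 1
    return bad


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("volume spikes:", flag_volume_spikes(recs))
    print("untrusted relays:", dict(flag_untrusted_tenants(recs)))
```

Run against real gateway exports, the tenant check reproduces the allow-list Proofpoint's new header enables, while the volume check is the kind of anomaly Tal says a spoofed brand could have spotted on day one.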
