Proofpoint phish snagged IBM, Nike, Disney, and more big names

July 30, 2024

TL;DR:

  • A phishing campaign exploited a security vulnerability in Proofpoint’s email filtering systems to send millions of spoofed emails from companies like IBM and Disney.
  • The emails, with valid SPF and DKIM signatures, attempted to phish users by directing them to malicious sites to steal credit card details.

A massive phishing campaign targeted millions of users with “perfectly spoofed” emails from top companies like IBM, Nike, Disney, and others. The campaign exploited a security flaw in Proofpoint’s email filtering systems, allowing the scammers to send messages with valid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures. These authentic-looking emails attempted to trick users into clicking on malicious links that would steal their credit card information.

The spam campaign, dubbed EchoSpoofing, ran from January to June, reaching peak volumes of 14 million emails per day. Guardio Security identified the exploit and worked with Proofpoint to mitigate the issue. The scammers abused an insecure email routing feature on Proofpoint servers to send messages through their own Microsoft 365 tenant accounts, making them appear as if they were legitimately from companies like Disney. Proofpoint has since implemented stricter controls to prevent unauthorized relay abuse.

The spam messages, millions of them, originated from virtual private servers and were sent to users of various email providers. Proofpoint published a list of Microsoft tenants used by the spammers and has taken steps to block further attempts to relay through its servers. Users are advised to be cautious of emails from unknown sources and to report any suspicious activity to protect themselves from phishing attacks.
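Because the relayed messages carried valid SPF and DKIM results, a receiver has to look beyond those two checks. The sketch below is an added example, not code from Proofpoint or Guardio: it reads only the `Authentication-Results` header stamped by the receiver's own mail server and then compares the Microsoft 365 tenant ID against an allowlist. It assumes the message still carries the `X-MS-Exchange-CrossTenant-Id` header; the function names, the `brand_tenants` allowlist and every sample value are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample headers (all hostnames and IDs are made up).
SAMPLE = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=brand.example;
 dkim=pass header.d=brand.example
Authentication-Results: forged.example; spf=fail smtp.mailfrom=brand.example
X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555
From: Brand <offers@brand.example>
Subject: Your account

body
"""

def auth_results(msg, trusted_authserv):
    """Return SPF/DKIM results from the header our own MTA stamped."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        server = (authserv.split() or [""])[0].lower()
        if server != trusted_authserv:
            continue  # results stamped by any other host are not trusted
        for method, result in re.findall(r"\b(spf|dkim)=(\w+)", rest):
            out.setdefault(method, result.lower())
    return out

def classify(raw, trusted_authserv, brand_tenants):
    """Label a message; brand_tenants is a hypothetical allowlist of tenant IDs."""
    msg = message_from_string(raw, policy=default)
    res = auth_results(msg, trusted_authserv)
    if res.get("spf") != "pass" or res.get("dkim") != "pass":
        return "unauthenticated"
    tenant = (msg.get("X-MS-Exchange-CrossTenant-Id") or "").strip().lower()
    # SPF and DKIM passing says the relay was authorised, not who submitted the mail.
    if tenant and tenant not in brand_tenants:
        return "authenticated-via-unknown-tenant"
    return "authenticated"

if __name__ == "__main__":
    print(classify(SAMPLE, "mx.recipient.example", {"aaaaaaaa-0000-0000-0000-000000000000"}))
```

A message labelled `authenticated-via-unknown-tenant` is the case this campaign produced: both checks pass, yet the submitting tenant is not one the brand owns.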
