Proofpoint Platform Exploited to Send Millions of Spoofed Phishing Emails
2024-7-31 05:12:43 Author: securityboulevard.com (view original) Views: 10

A hacker for months exploited a misconfiguration in cybersecurity firm Proofpoint’s email protection platform to send millions of phishing emails that spoofed such high-profile companies – and Proofpoint customers – as IBM, Coca-Cola, Nike, and the Walt Disney Company.

The massive phishing campaign – dubbed “EchoSpoofing” by security researchers at Guardio Security – ran from January to June and averaged 3 million phishing emails a day, peaking on some days at as many as 14 million. The bad actor routed the spam through Proofpoint customers’ Microsoft 365 tenants, sending emails that carried valid DomainKeys Identified Mail (DKIM) signatures and passed Sender Policy Framework (SPF) checks, and targeting individuals using free email services like Yahoo, Gmail, and GMX.

Proofpoint’s Secure Email Relay hosted solution protects organizations’ domains from being abused by compromised email service providers or malicious apps, according to the company. It also scans messages for malicious content, allows only approved resources to connect to the relay, uses DKIM signing, and only lets credentialed senders use the service.

Still, the hacker leveraged the exploit to bypass the protections, enabling them to send the spoofed emails to targets, according to Nati Tal, head of Guardio Labs, which sampled some of the emails from spoofed accounts.

“When we analyzed the path those emails took to reach the victims’ inboxes, we realized they all share the same characteristics – starting at a simple SMTP server on a virtual server, going through an Office365 Online Exchange server, and later entering a domain-specific Proofpoint server that dispatches the email to the targets,” Tal wrote in a report. “We see different SMTP servers, as well as different Office365 instances, in other samples from this campaign. Yet, the endpoint is always a Proofpoint pphosted.com server.”

A ‘Firewall’ for Emails

He described Proofpoint’s email security solution as a “firewall” for emails, offering customers a way to direct their organizations’ outgoing and incoming emails through its servers. Those servers are the last stop for an email before it is sent out, and they are what supplies the DKIM signature and the SPF-authorized sending infrastructure.

“An attacker needs only find a way to send spoofed emails through the Proofpoint relay, and Proofpoint will do all the rest,” Tal wrote. “They needed to find a way in for that, and they did.”

The bad actor exploited what he described as a “super-permissive misconfiguration flaw” that allowed Office365 accounts to easily interact with Proofpoint’s relay servers. They were able to generate spoofed emails, add them to a blind relay on the Office365 instances, and deliver them to Proofpoint servers, where they were accepted and processed. Proofpoint dispatched the email as fully genuine and aligned with the actual domain name.
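As an added defender-side illustration (not code from the Guardio report or from Proofpoint), the script below parses a constructed set of message headers and flags the hop pattern Tal describes: an origin host that is neither Microsoft 365 nor Proofpoint, forwarded through Microsoft 365 into a pphosted.com relay, while SPF and DKIM still report pass. The hostnames, IPs and the Microsoft 365 domain suffixes used as markers are assumptions for the example.

```python
import re

# Constructed sample (hostnames and IPs invented) reproducing the hop sequence the
# report describes: VPS SMTP host -> Microsoft 365 -> Proofpoint pphosted.com relay.
SAMPLE = """\
Received: from mx0a-00000000.pphosted.com (mx0a-00000000.pphosted.com [192.0.2.10])
\tby mx.recipient.example with ESMTPS; Tue, 30 Jan 2024 10:01:05 +0000
Received: from NAM00-obe.outbound.protection.outlook.com (mail-nam00.outbound.protection.outlook.com [198.51.100.20])
\tby mx0a-00000000.pphosted.com with ESMTPS; Tue, 30 Jan 2024 10:01:04 +0000
Received: from vps-01.bulkhost.example (vps-01.bulkhost.example [203.0.113.5])
\tby AB1PR00MB0000.prod.exchangelabs.com with ESMTP; Tue, 30 Jan 2024 10:01:03 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=brand.example; dkim=pass header.d=brand.example
From: "Example Brand" <alerts@brand.example>
"""

RECEIVED_FROM = re.compile(r"^Received:\s+from\s+(\S+)", re.IGNORECASE)
MS365_MARKERS = ("outlook.com", "exchangelabs.com")  # assumed Microsoft 365 hop suffixes
RELAY_MARKER = "pphosted.com"                        # Proofpoint relay suffix named in the report

def unfold(raw: str) -> list:
    """Join RFC 5322 folded header lines (continuation lines start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def relay_path(raw: str) -> list:
    """'from' host of each Received: header, oldest hop first (headers are prepended)."""
    hosts = [m.group(1).lower() for line in unfold(raw) if (m := RECEIVED_FROM.match(line))]
    return hosts[::-1]

def auth_results(raw: str) -> dict:
    """spf=/dkim= verdicts from Authentication-Results; in this campaign both are 'pass'."""
    for line in unfold(raw):
        if line.lower().startswith("authentication-results:"):
            return dict(re.findall(r"\b(spf|dkim)=(\w+)", line, re.IGNORECASE))
    return {}

def looks_like_echo_spoofing(raw: str) -> bool:
    """Triage signal, not proof: an origin that is neither Microsoft 365 nor the relay,
    forwarded through Microsoft 365 into the pphosted.com relay, with DKIM passing."""
    path = relay_path(raw)
    if len(path) < 3 or not path[-1].endswith(RELAY_MARKER):
        return False
    origin, middle = path[0], path[1:-1]
    via_ms365 = any(h.endswith(MS365_MARKERS) for h in middle)
    known_origin = origin.endswith(MS365_MARKERS) or origin.endswith(RELAY_MARKER)
    return via_ms365 and not known_origin and auth_results(raw).get("dkim") == "pass"
```

Because SPF and DKIM genuinely pass on these messages, the path check is the only header-level signal; in production the origin allow-list should be tuned to the tenants that are expected to relay through the sending domain.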

“This technique can be leveraged by a threat actor to spoof both high-value and reputable brands and, even more importantly, to do so on a mass scale,” Tal wrote. “Those spoofed domains and the Proofpoint relay are allowed to send emails in massive numbers, which is one of the most significant leverages here.”

Stealing Money and Credit Card Info

In analyzing one sample, Guardio researchers saw that the phishing email claimed an account had expired and urged the victim to click on part of the message to extend it. If the victim clicked, they were sent to a fake branded landing page with an offer posing as a customer quiz, which led to another legitimate-looking page asking for their credit card information. The goal was to steal both money and the card data.

The top spoofed domains included ibm.com, disney.com, nike.com, and bestbuy.com. Most of the operation was run from a cluster of virtual private servers (VPSs) primarily hosted on OVH, a French cloud service, and managed with PowerMTA, legitimate enterprise-grade email delivery software owned by Bird.

In its own report, Proofpoint’s threat research team wrote that they detected the spam campaign in March and put measures in place to address the issue, including creating a unit that contacted customers to help them change their configuration settings, prioritizing those being abused by the hacker. The group also ensured that configurations were correct for new customers to prevent the relay from being abused.

Tracking the Hacker

The company also determined the early steps the bad actor was taking before launching a campaign to get ahead of them and shared information with service providers, email infrastructure companies, and vendors.

Tal wrote that Guardio contacted Proofpoint in May, sharing indicators of compromise (IoCs) to identify and track the operation.

He added that only a few years ago, spoofing an email from a particular domain was relatively easy for bad actors, who could write whatever they wanted into the “From” line.

“Nowadays, security protocols require emails to be sent from approved servers and authenticated with the domain’s private DKIM encryption key – all aligned with the domain mentioned in the FROM header,” he wrote. “And yet, threat actors still manage to launch large-scale phishing email campaigns, swiftly taking hold of the identities of major brands.”

They can be helped by various “unexpected complexities,” Tal wrote. With EchoSpoofing, one challenge is enhancing an old and insecure protocol like SMTP, which is highly fragmented and is inconsistently implemented by various vendors. Another complexity is integrating security measures with Microsoft Exchange, which he noted is almost 30 years old and a platform that users have little control over.

Article source: https://securityboulevard.com/2024/07/proofpoint-platform-exploited-to-send-millions-of-spoofed-phishing-emails/