[Cyware] “EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch…

Guardio Labs identified EchoSpoofing, a mass phishing campaign that exploits Proofpoint’s email protection to dispatch millions of spoofed messages appearing to come from major brands. Attackers leveraged permissive Proofpoint relay configurations and abused Office365 accounts so that their messages were relayed and signed as the brands’ own outbound mail, producing passing SPF and DKIM results and reaching recipients with seemingly legitimate emails. #EchoSpoofing #Proofpoint #Disney #Nike #IBM #BestBuy #CocaCola #Office365

Keypoints

  • EchoSpoofing uses Proofpoint infrastructure to send spoofed emails in the names of well-known brands.
  • The campaign relies on a permissively configured Proofpoint relay that accepted mail submitted from Office365 tenants it did not belong to, so spoofed emails pass the receivers’ major security checks.
  • Emails are DKIM-signed with the impersonated brand’s key and sent from Proofpoint’s outbound relay (which the brand’s SPF record authorizes), so receivers like Gmail accept them as authenticated.
  • Attackers used Microsoft Office365 accounts they controlled as the submission point into the brands’ Proofpoint relays, which then delivered the spoofed messages.
  • The operation is powered by a PowerMTA backend, managed on VPSs, delivering millions of emails per batch.
  • Guardio collaborated with Proofpoint to mitigate the issue and improve tenant-based and admin controls to prevent recurrence.
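
The keypoints above describe the weak relay behaviour (accept and sign any Office365-submitted message claiming a customer domain) and the tenant-based control that replaced it. The following is an added example, not Guardio’s or Proofpoint’s code, that models that control as a relay-side policy check. Assumptions not taken from the source: the relay identifies the submitting Exchange Online tenant from the `X-OriginatorOrg` header that Exchange Online stamps on outbound mail, it trusts that header only when the SMTP peer is an Exchange Online host, and the customer allowlist, hostnames and sample messages are all constructed.

```python
"""Relay-side tenant check for an outbound email relay fed by Exchange Online.

Added example, not Guardio's or Proofpoint's code. A message whose From: claims
a customer domain is only signed and forwarded when the Exchange Online tenant
that submitted it is one the customer registered. Assumptions (not from the
source): the tenant is read from the X-OriginatorOrg header that Exchange
Online stamps on outbound mail, and that header is trusted only when the SMTP
peer really is an Exchange Online host. Allowlist and samples are constructed.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed customer configuration: brand domain -> Exchange Online tenants
# allowed to relay mail for it. Accepting any tenant is the pre-fix behaviour.
TENANT_ALLOWLIST = {
    "example.com": {"example.com", "examplecorp.onmicrosoft.com"},
}

# Hostname suffix of Exchange Online outbound hosts (assumption for this demo).
EXO_SUFFIX = ".outbound.protection.outlook.com"


def relay_decision(raw_message: str, peer_host: str) -> tuple[str, str]:
    """Decide whether the relay may DKIM-sign and forward one submission.

    raw_message: RFC 5322 message as handed to the relay.
    peer_host:   reverse-DNS name of the SMTP client that submitted it.
    Returns ("accept" | "reject", reason).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()

    allowed = TENANT_ALLOWLIST.get(from_domain)
    if allowed is None:
        return "reject", f"{from_domain!r} is not a domain this relay serves"

    if not peer_host.lower().endswith(EXO_SUFFIX):
        # Not the Exchange Online path; connector/IP controls apply there
        # and are outside this example.
        return "reject", f"unexpected submitter {peer_host!r}"

    tenant = (msg.get("X-OriginatorOrg") or "").strip().lower()
    if not tenant:
        return "reject", "Exchange Online submission without X-OriginatorOrg"
    if tenant not in allowed:
        # The EchoSpoofing case: an attacker-controlled tenant submits mail
        # in the customer's name through the customer's own relay.
        return "reject", f"tenant {tenant!r} may not send as {from_domain!r}"
    return "accept", f"tenant {tenant!r} authorized for {from_domain!r}"


# Constructed sample submissions (not real campaign messages).
LEGIT = (
    "From: Promotions <news@example.com>\r\n"
    "To: customer@mail.example\r\n"
    "X-OriginatorOrg: example.com\r\n"
    "Subject: Your receipt\r\n\r\nThanks for your order.\r\n"
)
SPOOFED = (
    "From: Promotions <news@example.com>\r\n"
    "To: customer@mail.example\r\n"
    "X-OriginatorOrg: attacker-tenant.onmicrosoft.com\r\n"
    "Subject: You won! Take our quiz\r\n\r\nClick here.\r\n"
)
EXO_PEER = "mail-example.outbound.protection.outlook.com"  # constructed

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, relay_decision(sample, EXO_PEER))
```

The check is only as strong as the peer verification: the header is meaningful because Exchange Online adds it, so a relay must not honour `X-OriginatorOrg` on submissions arriving from arbitrary hosts. Customers relaying through other paths (on-premises connectors, third-party senders) still need those sources pinned by IP or authenticated connector rather than being left open.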

MITRE Techniques

  • [T1566.003] Spearphishing via Service – Abusing Proofpoint infrastructure to dispatch spoofed emails through a trusted service. “Abusing Proofpoint infrastructure with perfectly spoofing emails in their customers’ names”
  • [T1566.002] Spearphishing Link – Campaign includes a fake branded landing page with an offer in a customer quiz. “presents a fake branded landing page with an offer you can’t refuse disguised as a customer quiz.”
  • [T1078] Valid Accounts – Attackers abused Microsoft’s Office365 accounts to enable the delivery chain. “involving the abuse of Microsoft’s Office365 accounts.”
  • [T1199] Trusted Relationship – Leveraging Proofpoint’s relay as a trusted intermediary to reach targets with authenticated-looking emails. “Proofpoint’s server is the latest point to dispatch the outgoing email” (and related relay path)
  • [T1036] Masquerading – The email uses the Disney domain in the From header to masquerade as a trusted sender. “This is the real disney.com domain presented in the FROM header.”

Indicators of Compromise

  • [Domain] Impersonated brand domains used in the From header – disney.com, nike.com, ibm.com, coca-cola.com. These are the victims’ legitimate domains, not attacker infrastructure; use them to scope hunting, not for blocking.
  • [IP Address] Outbound/proxy IPs observed in the delivery path – 205.220.164.148, 204.128.192.17. These belong to the relay path that also carries the brands’ legitimate mail, so treat them as pivots for header-based hunting rather than blocklist entries.
  • [SMTP Hostname/Domain] Proofpoint relay and related endpoints – pphosted.com, mx0a-00278502.pphosted.com (shared Proofpoint-hosted infrastructure; same caveat as above).
  • [Email Address] Sender addresses observed in headers – randomized per email batch; the specific local parts and domains were obfuscated in this summary and are not reproduced here.

Read more: https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6