“EchoSpoofing: A Major Phishing Campaign Bypassing Proofpoint’s Email Protection”

EchoSpoofing is a massive phishing campaign that exploited Proofpoint’s email protection to deliver millions of perfectly spoofed emails from trusted brands. Guardio Labs and Proofpoint collaborated to identify and mitigate the vulnerability, underscoring the need for ongoing vigilance in email security. #EchoSpoofing #Proofpoint #Disney #IBM #Nike #BestBuy #CocaCola

Key points

  • Campaign name: EchoSpoofing
  • Exploited service: Proofpoint’s email protection service
  • Targeted brands: Disney, IBM, Nike, Best Buy, Coca-Cola (among others)
  • Attack method: spoofed emails that are properly DKIM-signed and SPF-approved
  • Goal: steal funds and credit card details from recipients
  • Collaboration: Guardio Labs worked with Proofpoint to mitigate the issue
  • Volume: ~3 million spoofed emails daily, peaking at 14 million
  • Root cause: misconfigurations in email relaying used to bypass protections

MITRE Techniques

  • [T1566] Phishing – Sending spoofed emails that appear to be from legitimate brands to deceive recipients.
  • [T1566.001] Email Spoofing – Utilizing misconfigured email relays to send emails with forged sender addresses.
  • [T1003] Credential Dumping – Attempting to steal user credentials through phishing tactics.

Indicators of Compromise

  • [Office365 Tenants] Office365 tenants involved in the spoofing flow. Example: novamixnf.onmicrosoft.com, skypesksm.onmicrosoft.com, and 2 more items
  • [SMTP Servers] SMTP infrastructure used to dispatch emails. Example: 103.114.217.36, 51.81.235.59, and 2 more items
  • [Spoofed Domains] Domains spoofed in the campaigns. Example: disney.com, ibm.com, and 2 more items
  • [SMTP Domains] Email delivery domains used for relays. Example: tonalimail.org, x0ican.org, and 2 more items

Read more: https://medium.com/@guardiosecurity/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6?source=rss-6a038e71ff0f——2