Scammer Exploits Microsoft 365 Tenants to Launch Spam Campaigns via Relay Servers

Proofpoint researchers documented spam campaigns that were relayed through a small set of Proofpoint customers’ email infrastructure from spammer-controlled Microsoft 365 tenants, abusing a modifiable outbound email relay setting. The vendor added an admin interface to restrict relay to specified tenants and emphasized that the risk extends beyond Proofpoint to other email providers. #Proofpoint #Microsoft365 #OutboundRelay #VPS #DKIM

Key points

  • In March 2024, spam campaigns were relayed through several Proofpoint enterprise customers’ email infrastructures via a misconfigured outbound relay feature.
  • The spammer controlled Microsoft 365 tenants using random strings (e.g., 23gdfs56gsd.onmicrosoft.com) and some messages spoofed sender information.
  • Spammers used a rotating series of leased VPS IP addresses to launch rapid bursts of thousands of messages through SMTP servers.
  • DKIM signing was applied as messages transited through the Proofpoint infrastructure, aiding deliverability.
  • Proofpoint implemented an admin-friendly process to restrict which M365 tenants can relay, with Essentials customers largely unaffected due to default protections.
  • Industry collaboration and outreach (including Guardio Labs) helped validate the relay-abuse findings and improve defenses.
  • The post underscores the need for providers to curb relay abuse at the source and for broader collaboration to prevent similar abuse across ecosystems.
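The relay-abuse pattern summarized above (tenants outside an allowlist, random-string tenant labels, rotating source IPs, bursts of thousands of messages) can be turned into a simple detection over relay logs. The following is an added example, not code from the Proofpoint post; the log line format, field names, allowlist and thresholds are assumptions, and the log lines are constructed.

```python
# Added example, not from the Proofpoint post: heuristic detection of outbound-relay
# abuse over constructed relay log lines. Log format, field names and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tenants an admin has explicitly authorised to relay (assumed allowlist).
ALLOWED_TENANTS = {"contoso.onmicrosoft.com"}
# Constructed sample log: timestamp, relay source IP, sending tenant, message count.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z src=203.0.113.10 tenant=contoso.onmicrosoft.com msgs=40
2024-03-04T10:00:05Z src=198.51.100.7 tenant=23gdfs56gsd.onmicrosoft.com msgs=1500
2024-03-04T10:00:09Z src=198.51.100.23 tenant=23gdfs56gsd.onmicrosoft.com msgs=1800
2024-03-04T10:00:14Z src=192.0.2.77 tenant=23gdfs56gsd.onmicrosoft.com msgs=2100
2024-03-04T10:05:00Z src=203.0.113.10 tenant=contoso.onmicrosoft.com msgs=35
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) tenant=(\S+) msgs=(\d+)$")
RANDOM_LABEL_RE = re.compile(r"^(?=.*\d)[a-z0-9]{8,}$")  # e.g. 23gdfs56gsd

def parse_log(text):
    """Parse lines into (timestamp, src_ip, tenant, msgs); skip malformed lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def flag_relay_abuse(events, window=timedelta(minutes=1), burst=1000, min_ips=2):
    """Return {tenant: [reasons]}; events are assumed to be in chronological order."""
    by_tenant = defaultdict(list)
    for ev in events:
        by_tenant[ev[2]].append(ev)
    findings = {}
    for tenant, evs in by_tenant.items():
        reasons = []
        if tenant not in ALLOWED_TENANTS:
            reasons.append("tenant not in relay allowlist")
        if RANDOM_LABEL_RE.match(tenant.split(".")[0]):
            reasons.append("random-looking tenant label")
        ips = {src for _, src, _, _ in evs}
        if len(ips) >= min_ips:  # rotating VPS addresses behind one tenant
            reasons.append(f"{len(ips)} distinct relay source IPs")
        for i, (ts, _, _, _) in enumerate(evs):  # sliding burst window
            total = sum(n for t, _, _, n in evs[i:] if t - ts <= window)
            if total >= burst:
                reasons.append(f"burst of {total} msgs within {window}")
                break
        if reasons:
            findings[tenant] = reasons
    return findings
```

Feeding real relay logs requires only adjusting `LINE_RE` to the actual schema; the allowlist check is the control the post describes, and the other three heuristics surface tenants that still slip through.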

MITRE Techniques

  • [T1071.002] Mail Protocols – ‘Utilized SMTP protocol to relay spam messages through the email infrastructure of Proofpoint customers.’
  • [T1583] Acquire Infrastructure – ‘Rotating series of leased virtual private servers (VPS) from several providers, using many different IP addresses to initiate quick bursts of thousands of messages at a time from their SMTP servers.’
  • [T1562] Impair Defenses – ‘Spammers exploited misconfigured email relay settings to bypass security measures.’
  • [T1566.001] Phishing – ‘Potentially collected credentials through phishing attempts in spam campaigns.’

Indicators of Compromise

  • [Domain] 0h1[.]onmicrosoft[.]com – example of abused Microsoft tenant domain used by the spammer
  • [Domain] 23gdfs56gsd[.]onmicrosoft[.]com – example of abused Microsoft tenant domain used by the spammer

Read more: https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver