In January 2024, an unknown threat actor launched a massive scam campaign known as EchoSpoofing, exploiting a misconfiguration in Proofpoint's email security defenses. This exploit allowed the attacker to send millions of spoofed emails from well-known companies like Best Buy, IBM, Nike, and Walt Disney to name a few. This led to significant security challenges for these companies and became an eye-opener for mailbox and email service providers alike.
Proofpoint, a renowned email security vendor, had a critical misconfiguration in its email routing setup. This flaw allowed malicious actors to relay emails through Proofpoint's infrastructure, making them appear as genuine emails from legitimate companies. The attacker leveraged this vulnerability to send emails with authenticated SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) signatures, which are typically used to prevent email spoofing.
The EchoSpoofing campaign began in January 2024 and rapidly scaled, sending up to three million emails per day, with a peak of 14 million in early June as Proofpoint started to implement countermeasures. These spoofed emails bypassed major security protections, deceiving recipients into believing they were from trusted sources, ultimately aiming to steal funds and credit card details. The most unique aspect of this attack was the spoofing method, which left almost no indication that the emails were not genuine.
Traditionally, email spoofing involves forging the "FROM" header to make an email appear as though it was sent from a trusted domain. Modern email authentication protocols like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) make simple spoofing more difficult: SPF requires the email to be sent from a server the domain owner has approved in DNS, and DKIM requires the email to be signed with the domain's private DKIM key.
Proofpoint provides email security services by acting as an intermediary relay server for its clients, managing both incoming and outgoing emails. Customers configure their SPF records to approve Proofpoint's servers and provide their DKIM keys to Proofpoint for email signing.
PowerMTA was the sending backend used by the scammers in the EchoSpoofing attack, highlighting the unfortunate reality that cracked versions of PowerMTA are widely distributed and abused. Like other software that is not kept up to date, these cracked builds are outdated and increasingly misused, making PowerMTA a prime example of how neglected software can be turned to malicious operations.
Vulnerability exploitation
Proofpoint’s default configuration allows any Office365 account to relay emails through its servers, without distinguishing between legitimate and malicious sources. This configuration is highly permissive and exploitable.
Attackers used publicly available DNS records to identify the specific Proofpoint relay servers used by a brand. They then configured their Exchange Online server to route outbound mail through those relay servers, completing the delivery chain for the spoofed emails.
» host -t mx disney.com
disney.com mail is handled by 10 mxa-00278502.gslb.pphosted.com.
disney.com mail is handled by 10 mxb-00278502.gslb.pphosted.com.
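The MX lookup above is the same one a domain owner can run against their own domain to see whether inbound mail is handled by a third-party relay. The following is an added example, not code from the article or from Proofpoint: it audits a domain's MX, SPF and DMARC records offline using constructed DNS answers (the hostnames, the `example.com` domain and the zeroed-out host identifiers are placeholders modelled on the output above) and flags the points an administrator should verify after EchoSpoofing, in particular that any authorised relay restricts who may send as the domain.

```python
# Added example: offline audit of a domain's mail-authentication records.
# DNS answers are constructed below; a real audit would query a resolver.
import re

# Constructed records, modelled on the article's `host -t mx` output.
CONSTRUCTED_DNS = {
    "example.com": {
        "MX": ["mxa-00000000.gslb.pphosted.com.", "mxb-00000000.gslb.pphosted.com."],
        "TXT": ["v=spf1 include:spf-00000000.pphosted.com ~all"],
    },
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]},
}

def parse_spf(txt_records):
    """Return (include targets, qualifier of the 'all' term) from the v=spf1 record."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            terms = rec.split()[1:]
            includes = [t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")]
            # A bare 'all' has the implicit '+' (pass) qualifier.
            all_q = next((t[0] if t[0] in "+-~?" else "+"
                          for t in terms if t.lstrip("+-~?").lower() == "all"), None)
            return includes, all_q
    return None

def dmarc_policy(txt_records):
    """Return the p= policy of the v=DMARC1 record, or None if absent."""
    for rec in txt_records:
        if rec.upper().startswith("V=DMARC1"):
            m = re.search(r"\bp=(\w+)", rec)
            return m.group(1).lower() if m else None
    return None

def audit_domain(domain, dns):
    """Return a list of human-readable findings for the domain's mail setup."""
    findings = []
    mx = dns.get(domain, {}).get("MX", [])
    relay_hosts = [h for h in mx if not h.rstrip(".").endswith(domain)]
    if relay_hosts:
        findings.append(f"inbound mail relayed via third party: {relay_hosts[0]}")
    spf = parse_spf(dns.get(domain, {}).get("TXT", []))
    if spf is None:
        findings.append("no SPF record published")
    else:
        includes, all_q = spf
        if all_q in ("+", "?"):
            findings.append(f"SPF '{all_q}all' lets any sending server pass")
        third_party = [i for i in includes if not i.endswith(domain)]
        if third_party:
            findings.append(f"SPF authorises relay {third_party[0]}; confirm the relay "
                            f"restricts which tenants may send as {domain}")
    pol = dmarc_policy(dns.get("_dmarc." + domain, {}).get("TXT", []))
    if pol != "reject":
        findings.append(f"DMARC policy is {pol or 'missing'}, not reject")
    return findings
```

Note that in EchoSpoofing SPF, DKIM and DMARC all passed, so the SPF include finding is the one that matters: the relay itself must limit who may send on the domain's behalf.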
As threats grow more sophisticated, the email ecosystem needs correspondingly stringent and advanced countermeasures. EchoSpoofing exposed vulnerabilities in some prominent email security products, but it is also an opportunity to thoroughly review email configurations and keep them secure.
Here's to building a safer and more resilient email ecosystem!