Guardio Labs recently identified “EchoSpoofing,” a critical vulnerability in Proofpoint’s email protection service used by 87% of Fortune 100 companies.
This flaw allows hackers to exploit phishing emails, tricking recipients into disclosing personal information like usernames and credit card numbers, thereby enabling identity theft or malware distribution with minimal technical effort.
How Phishing Campaign Exploited Proofpoint
In this phishing campaign, attackers bypassed modern email security by:
- Spoofing emails via their SMTP servers
- Relaying them through misconfigured Office 365 accounts
- Exploiting Proofpoint’s lenient email flow settings
This allowed them to send millions of authenticated phishing emails, impersonating brands like Disney and IBM. The emails passed SPF and DKIM checks, aiming to steal credit card and other sensitive information through fake landing pages and offers.
This exploit reveals flaws in default email security settings, stressing the need for stricter rules and better configuration awareness. Attackers used misconfigured Office 365 accounts and Proofpoint settings to send up to 14 million spoofed emails daily over two weeks.
Eleven OVH VPS clusters with PowerMTA software sent up to 2.88 million emails at once, using spoofed domains and hacked Office 365 accounts.
Brands like Disney, IBM, Best Buy, and Nike were impersonated. Proofpoint knew since March, but Guardio’s May alert led to customer notifications, compromised account reports, and new security measures using the X-OriginatorOrg header.
Following this incident, Proofpoint improved its admin panel with clearer risk descriptions and approval processes, emphasizing the need for stronger default security settings.
The complexity and scope of the campaign highlight the evolution of cybersecurity and the importance of proactive measures against large-scale phishing attacks.
Security upgrades, especially for outdated systems like SMTP and Microsoft Exchange, require careful planning and client engagement. Proofpoint’s handling of the EchoSpoofing issue shows its risk management maturity and commitment to effective, non-disruptive solutions through collaboration with partners like Guardio.
Impact and Prevention
Proofpoint has updated its system to add unique vendor-specific headers to outgoing emails containing Office365 account names. They’ve also advised customers to monitor for misuse and be cautious of configurations with unnecessary permissions.
This incident highlights how even robust security services can have vulnerabilities, stressing the need for multi-layered security approaches.
IOCs
# Office365 Tenants
novamixnf.onmicrosoft.com
skypesksm.onmicrosoft.com
munimariquina.onmicrosoft.com
edc2015.onmicrosoft.com
farocapital365.onmicrosoft.com
gmdk.onmicrosoft.com
x8674lj.onmicrosoft.com
ramirocaroguamuchil.onmicrosoft.com
bandalignano.onmicrosoft.com
skyvictory.onmicrosoft.com
redesmedicasips.onmicrosoft.com
t1chile.onmicrosoft.com
cfcnglns65p07a512l.onmicrosoft.com
dsumed.onmicrosoft.com
meleamita.onmicrosoft.com
blancom.onmicrosoft.com
idorganization.onmicrosoft.com
opam.onmicrosoft.com
saiani.onmicrosoft.com
stacey025.onmicrosoft.com
bolmendo.onmicrosoft.com
emailcontact132.onmicrosoft.com
jerem236.onmicrosoft.com
frantisekvesely.onmicrosoft.com
mitwarehouse.onmicrosoft.com
gourmoud.onmicrosoft.com
grupmacrolim.onmicrosoft.com
veroty.onmicrosoft.com
teclive.onmicrosoft.com
sdht.onmicrosoft.com
nahjaltaj.onmicrosoft.com
fas83.onmicrosoft.com
snnssmartact.onmicrosoft.com
jordi619.onmicrosoft.com
antonya777.onmicrosoft.com
bernadno.onmicrosoft.com
reonenergy.onmicrosoft.com
furgeson862.onmicrosoft.com
frend265.onmicrosoft.com
domnef.onmicrosoft.com
berga015.onmicrosoft.com
lukk989.onmicrosoft.com
6zc8sx.onmicrosoft.com
angelicoo.onmicrosoft.com
molebeek.onmicrosoft.com
zbmxs.onmicrosoft.com
clementy618.onmicrosoft.com
nordany390.onmicrosoft.com
sofrane.onmicrosoft.com
fgbgfbtsbg.onmicrosoft.com
molanbeek.onmicrosoft.com
volman683.onmicrosoft.com
gafaacat.onmicrosoft.com
kleop.onmicrosoft.com
omran035.onmicrosoft.com
antlisa.onmicrosoft.com
gregorioa.onmicrosoft.com
hollman250.onmicrosoft.com
mailv077.onmicrosoft.com
felnder.onmicrosoft.com
lukana108.onmicrosoft.com
lkstubc.onmicrosoft.com
lisalfr.onmicrosoft.com
clemon108.onmicrosoft.com
amana770.onmicrosoft.com
nertvoxss.onmicrosoft.com
# SMTP Servers
103.114.217.36
51.81.235.59
51.81.214.179
51.81.210.13
51.81.206.120
51.81.206.119
51.81.206.118
51.81.204.120
51.81.195.94
51.81.150.17
51.81.150.15
51.81.150.14
51.81.150.13
51.81.150.12
51.81.150.11
51.81.150.10
51.81.149.245
51.81.149.211
51.81.149.175
51.81.148.234
51.81.142.68
51.81.142.64
51.81.142.62
51.81.140.123
15.204.50.179
15.204.50.178
15.204.50.177
15.204.50.176
15.204.50.175
15.204.41.218
15.204.41.213
15.204.40.128
15.204.226.108
15.204.20.226
15.204.12.95
15.204.12.122
15.204.12.120
15.204.12.119
15.204.12.117
147.135.40.42
147.135.40.11
# Spoofed Domains
ibm.com
disney.com
ibm.com
bestbuy.com
coca-cola.com
foxnews.com
hoka.com
converse.com
espn.com
reebok.com
danone.com
sodexo.com
nike.com
novartis.com
acehardware.com
agc.com
bjs.com
chsinc.com
cmsenergy.com
columbiagasohio.com
edenred.com
labcorp.com
mckesson.com
nexteraenergy.com
nutrien.com
suez.com
sunnova.com
sysco.com
unfi.com
wesco.com
wmf.com
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment