On July 29, 2024, The Hacker News reported on an “email routing flaw” discovered by Guardio Labs that was exploited to send millions of spoofed email messages pretending to be from various popular companies and brands. Guardio Labs has named this exploit “EchoSpoofing.”
How the exploit works
Bad actors were able to exploit a common configuration setting in Proofpoint’s email relay service that allows the Proofpoint system to accept email messages originated by any Microsoft 365 account, add authentication to them (including adding a new, passing DKIM signature), and then send out those email messages. The result allows bad actors to successfully spoof a given domain name without the domain owner’s consent.
In this configuration, Guardio Labs reports, Proofpoint did not verify that the Microsoft 365 accounts in question were authorized to send mail on behalf of a given domain; it simply accepted the mail and treated it as legitimate because it had passed through Microsoft’s systems and Microsoft had been approved as a sender.
Microsoft 365, like many mail systems, allows users to send mail outbound using any From domain they want. Unless that domain has been properly configured, the mail will fail DMARC authentication, and it will be signed with the tenant’s own DKIM key. Guardio Labs shows that if a Proofpoint mail relay customer has Microsoft 365 as an approved sender, then anyone on Microsoft 365 infrastructure can send mail through that customer’s relay and get a legitimate DKIM signature added to their messages.
What this means
If your business email configuration uses Microsoft 365 to host email inboxes, with Proofpoint in front of them as your secure email gateway (SEG) service, and utilizes mail relay functionality, then any user of the Microsoft 365 platform could successfully impersonate your email domain, unless you have taken additional (manual) steps to better secure your Proofpoint configuration.
The spoofed messages fully passed all authentication checks, including SPF, DKIM, and DMARC. Because of a simplistic “one-click integration” setting, Proofpoint would accept, then re-mail (with authentication passing) any messages relayed that reference the spoofed domain.
Microsoft 365 is known to send traffic from new, trial, or suspicious-looking tenants from distinct “untrustworthy” IP pools because of their higher likelihood of fraudulent activity. Most security systems and mailbox providers that receive messages from Microsoft 365 take this strong signal into account before delivering or forwarding messages sent from this pool.
Why it works this way
Email authentication can be brittle; email forwarding with the rewriting of email headers, subject line changes, attachment removal, or rewriting links to protect against malware can invalidate an email message’s existing DKIM authentication signature. Some SEGs (including Proofpoint) work around this by re-authenticating messages themselves, applying their own, new, DKIM authentication signature before forwarding a given message on to its final destination.
This fixes the immediate problem of authentication failures due to the message rewriting needs of security scanning, but it opens additional risks in that the SEG system has to be absolutely sure that the message it is re-authenticating and relaying onward is valid, verified, and legitimate.
Beware of protection gaps
Many of our customers utilize Valimail and Proofpoint together effectively. Those customers find that Proofpoint’s expertise as a secure email gateway (SEG) platform is a starting point, enhanced by our industry-leading expertise in DMARC and email authentication. Limitations in how SEG platforms handle email authentication can lead to configuration options or default settings that leave gaps in security coverage, potentially enabling phishing and spoofing attacks, as demonstrated here.
Authentication and verification options can easily be set too broadly, allowing email messages to pass through from other, unrelated senders on the same mailbox provider or marketing automation platform, making it very important to review any platform’s settings to ensure that the principle of “least privilege” is properly applied.
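The relay decision described in “Why it works this way” and the least-privilege point above, modelled as an added example (this is illustrative code written for this article, not Proofpoint’s implementation or any Valimail product). It compares the permissive “approved upstream platform” rule with a rule that also requires the From domain to be one the customer owns and the message to come from the customer’s own tenant. The tenant identifier is assumed to be stamped by the upstream platform (Microsoft 365 carries one in its X-OriginatorOrg header, but this example does not parse real headers); all messages, domains and tenant IDs below are constructed.

```python
"""Toy model of a secure email gateway's relay re-signing decision.

Added example for this article; not code from Proofpoint or Valimail.
All identifiers and messages are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    from_domain: str   # domain of the RFC 5322 From header
    upstream: str      # platform the message arrived from, e.g. "m365"
    tenant: str        # tenant id stamped by the upstream platform (assumed input)


@dataclass
class RelayPolicy:
    approved_upstreams: set
    owned_domains: set = field(default_factory=set)
    approved_tenants: set = field(default_factory=set)
    require_ownership: bool = False   # False reproduces the overly broad setting


def decide(msg: Message, policy: RelayPolicy) -> tuple[bool, str]:
    """Return (re-sign and relay?, reason) for a message under a policy."""
    if msg.upstream not in policy.approved_upstreams:
        return False, "upstream platform not approved"
    if not policy.require_ownership:
        # The gap: any tenant on the approved platform can use any From domain.
        return True, "permissive: approved upstream, re-signing"
    if msg.from_domain.lower() not in policy.owned_domains:
        return False, "From domain is not owned by this customer"
    if msg.tenant not in policy.approved_tenants:
        return False, "upstream tenant is not this customer's tenant"
    return True, "verified: owned domain, sent from the customer's own tenant"


# Constructed policies: the broad "one-click" style setting and a least-privilege one.
PERMISSIVE = RelayPolicy(approved_upstreams={"m365"})
HARDENED = RelayPolicy(
    approved_upstreams={"m365"},
    owned_domains={"example.com"},
    approved_tenants={"customer-tenant-id"},
    require_ownership=True,
)

# Constructed traffic: one legitimate message and three that should not be re-signed.
SAMPLES = [
    Message("example.com", "m365", "customer-tenant-id"),     # the customer's own mail
    Message("example.com", "m365", "stranger-tenant-id"),     # another tenant spoofing the domain
    Message("example.com", "other-platform", "any"),          # not an approved upstream
    Message("notours.example", "m365", "customer-tenant-id"), # customer's tenant, unowned domain
]


def evaluate(policy: RelayPolicy, samples=SAMPLES) -> list[bool]:
    """Relay decisions for each sample message under the given policy."""
    return [decide(m, policy)[0] for m in samples]


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        for m in SAMPLES:
            ok, why = decide(m, policy)
            print(f"{name:10} {m.from_domain:18} {m.tenant:20} -> {ok!s:5} {why}")
```

Under the permissive policy the spoofed message from the stranger tenant is re-signed just like the customer’s own mail; the hardened policy relays only the first sample. The ownership and tenant checks are the “least privilege” the paragraph above asks for: approval is tied to a specific sender identity, not to a whole shared platform.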
Secure those domains
Reviewing the domains highlighted by the security researchers at Guardio Labs, we note that many of them had not adopted a DMARC policy aimed at enforcement. As they haven’t implemented DMARC at enforcement, many of these domains are not well protected against phishing and spoofing and could be abused even without this exploit. We applaud Proofpoint for working with customers to lock down this overly permissive setting.
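A small DMARC record audit, added here as an example (not a Valimail tool and not from the Guardio Labs research), showing what “at enforcement” means in practice: a published policy of quarantine or reject that applies to 100% of mail. The parser follows the tag syntax and the missing-`p` handling of RFC 7489. The records below are constructed samples rather than real DNS lookups, so the script runs offline; a real audit would fetch the `_dmarc.<domain>` TXT record instead.

```python
"""Classify DMARC TXT records by enforcement level.

Added example for this article; records below are constructed, not real DNS data.
"""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dictionary (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    # RFC 7489 6.6.3: a record with no valid p= but a rua= is treated as p=none.
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        if "rua" in tags:
            tags["p"] = "none"
        else:
            raise ValueError("DMARC record has no valid p= tag and no rua=")
    return tags


def enforcement_level(record: str) -> str:
    """Return 'enforcement', 'partial' (pct below 100) or 'monitoring' (p=none)."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))          # default is 100 when absent
    if policy == "none":
        return "monitoring"
    if pct < 100:
        return "partial"
    return "enforcement"


def subdomain_policy(record: str) -> str:
    """Effective policy for subdomains: sp= if present, otherwise p= (RFC 7489 default)."""
    tags = parse_dmarc(record)
    return tags.get("sp", tags["p"]).lower()


# Constructed sample records for illustrative domains.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
    "example.edu": "v=DMARC1; rua=mailto:dmarc@example.edu",          # p= missing
    "sub.example":  "v=DMARC1; p=reject; sp=none; rua=mailto:d@sub.example",
}


def audit(records: dict = SAMPLE_RECORDS) -> dict:
    """Map each domain to its enforcement level."""
    return {domain: enforcement_level(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, level in audit().items():
        print(f"{domain:14} {level:12} subdomains: {subdomain_policy(SAMPLE_RECORDS[domain])}")
```

Only `example.com` is fully protected; `example.org` enforces on a quarter of its mail, `example.net` and `example.edu` merely monitor, and `sub.example` rejects at the organizational domain while leaving every subdomain unprotected through `sp=none`. Any of the latter would look acceptable to a quick “has a DMARC record” check, which is why the audit has to read the policy tags rather than test for the record’s presence.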
Are you protected?
Regardless of what mailbox provider platform or email security gateway you use, it’s important to ensure that you’ve configured it to be as secure as possible. Always review settings to ensure that you authenticate, identify, and monitor all message streams to ensure that all mail is expected mail and that no gateway or mail relay configuration allows for unauthenticated inbound relay or broad post-relay email authentication.
Are you working with an expert who can help you navigate the complex environments of email authentication and security? Contact us today to speak to one of our DMARC experts to learn how Valimail Enforce can help you fully secure your email domains against phishing and spoofing today.