Global email security company hacked to send millions of phishing emails

A scammer has effectively hacked a globally renowned email security company to send millions of spoofed phishing emails in the name of Nike, IBM, Best Buy, and Walt Disney. Let us explore how.

How does the vulnerability work?

Proofpoint is a popular American company known for its email security products and its solutions for identity threats and data loss prevention.

An attacker exploited weak permissions in Proofpoint’s email security system to craft millions of phishing emails aimed at stealing sensitive information such as credit card details and personal details.

Proofpoint’s email security solution acts as a reliable first line of defense for email globally.

Experts have labeled this technique Echo Spoofing. Here is roughly how the phishing emails were sent:

  • The attacker set up his own SMTP server for creating spoofed emails.

  • He modified the headers of the emails and relayed the spoofed emails through Proofpoint’s relay servers, leveraging compromised Microsoft/Office 365 accounts.

  • He used multiple domains registered via Namecheap to send emails using a Virtual Private Server hosted by Centrilogic and OVH Cloud.

  • An attacker can easily relay mail by choosing the domain configuration option that the company offers and selecting the Proofpoint email gateway.

  • An overly permissive SPF record is created when the Office 365 option is selected, allowing the relayed mail to be sent through the Proofpoint email service.

  • All the spoofed emails pass the DKIM and SPF checks; therefore, they are not flagged as spam by free email services like GMX, Gmail, Yahoo, etc.
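
A defender-side check for the SPF weakness described above, as an added example that is not part of the original advisory: it audits an SPF record string for mechanisms that authorize more senders than intended. The shared-include set, the prefix threshold, and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: includes that point at shared, multi-tenant sending infrastructure.
# spf.protection.outlook.com is Microsoft 365's published include; extend the set
# with any shared relay your own record references.
SHARED_INCLUDES = {"spf.protection.outlook.com"}

def audit_spf(record, shared_includes=SHARED_INCLUDES, min_prefix=24):
    """Return a list of findings for one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings, saw_all = [], False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        mech = term.lstrip("+-~?").lower()
        name, _, value = mech.partition(":")
        if name == "all":
            saw_all = True
            if qualifier == "+":
                findings.append("'+all' lets any host pass SPF")
            elif qualifier in "?~":
                findings.append(f"'{qualifier}all' does not hard-fail unauthorized senders")
        elif name == "include" and value in shared_includes:
            findings.append(f"include:{value} authorizes sending IPs shared by every tenant of that service")
        elif name == "ip4":
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"{mech} is malformed")
                continue
            if net.prefixlen < min_prefix:
                findings.append(f"{mech} authorizes {net.num_addresses} addresses")
    if not saw_all and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' or redirect: unmatched senders get a neutral result")
    return findings

# Constructed sample records; the addresses are documentation ranges.
SAMPLES = {
    "broad": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/16 ~all",
    "tight": "v=spf1 ip4:203.0.113.10 -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, audit_spf(rec))
```

A finding on a shared include is a prompt to confirm that the relay restricts which tenants may send as your domain; it is not by itself a reason to remove the include.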

SharkStriker’s recommendations and actions

  • SharkStriker’s threat hunters have scanned the customer environment based on the Indicators of Compromise (IoC) available.

  • Customers and partners can view the status of their security posture in real time using STRIEGO’s security dashboards.


Stay updated with the latest tactics used by modern-day attackers

Explore periodical security advisories for a closer look at real-world threat actors, the different techniques and tactics deployed by them, the vulnerabilities exploited by them, and some tips to defend against them. Subscribe to The Journal for more from the world of cybersecurity!

