In the first half of 2024, a simple toggle in Proofpoint’s email service allowed threat actors to send millions of hard-to-detect emails impersonating blue-chip companies. They exploited a misconfiguration in Proofpoint’s secure email gateway (SEG) to send fraudulent credit card emails. These emails bypassed security filters as they were signed and verified, looking like they were coming from legitimate business domains. The popular brands they mimicked included Disney, Nike, Best Buy, ESPN, IBM, Coca-Cola, Fox News, and many more.
The purpose of this blog is to explain how one misconfiguration led to a chain of exploitations and how you can avoid them.
What actually happened?
Here is the bulleted breakdown of the scenario that culminated in abuses of open relays.
- The cybercriminals used genuine Microsoft Office 365 accounts. It is unclear how they got access to genuine accounts; either they broke into them or used trial accounts.
- They made emails look like they were coming from legitimate businesses by branding them the same way using the official logos, signatures, etc. The branding could also involve setting the ‘From’ addresses to appear as if they were from the official domains (for example, nike.com, disney.com, ibm.com, etc.). This further faded the red flags that could have raised suspicions.
- Gmail is one of the most heavily used mailboxes, and hence, it is capable of handling a high volume of messages from trusted servers like Outlook, which is Microsoft’s email service. Since Gmail’s servers are designed to efficiently process the exchange of millions of emails per hour, it didn’t have to block them due to rate limits.
- The bad actors exploited the Sender Policy Framework (SPF) process. The emails were sent through Microsoft’s official relay server, protection.outlook.com. The impersonated brands’ SPF records included spf.protection.outlook.com, which meant emails sent through this relay server were authorized by the brands.
- Then, they altered or spoofed the email headers so that the messages appeared to be originating from different sources.
- Since the emails were sent via servers that included the impersonated brands’ SPF records, they passed the SPF checks and didn’t raise any suspicion among the recipients.
Proofpoint’s misconfigurations that were exploited
Proofpoint’s permissive IP-based authentication settings allowed threat actors to send millions of phishing emails. The issue arose from a generic configuration that Proofpoint often used, where it was set to accept emails from entire IP ranges associated with services like Office365 or Google Workspace without specifying particular accounts. This meant that once a service like Office365 was enabled, Proofpoint would accept emails from any IP within the Office365 range, regardless of the specific account sending the email.
Proofpoint’s other overly permissive configurations
- Admin setup: Proofpoint lets admins add hosted email services with no extra steps other than just a single click that relies on IP-based authentication.
- Generic acceptance: The Proofpoint’s setup doesn’t mention which accounts are authorized. Because of this, any account within the IP range is accepted.
- Blind relay: Because of its easy and wide acceptance, threat actors relay emails through Proofpoint, which ultimately processes and delivers even fraudulent emails as usual.
Warding off such attacks is possible
Don’t rely on permissive IP-based authentication; instead, configure Proofpoint to authenticate specific accounts or domains. It’s also a good practice to audit email security settings within Proofpoint and other email security gateways.
Most importantly, make sure you have all three email authentication protocols (SPF, DKIM, and DMARC) standing as the guards of your domain. These protocols help authenticate the sending domain and ensure that emails are not tampered with during transit. Regularly update these records to reflect legitimate IP addresses and services. Don’t hesitate to use the strict DMARC policies, p=quarantine or p=reject. This way, unauthorized emails will be blocked or isolated at the recipients’ ends.
Review email logs and authentication reports regularly to detect unusual patterns, such as emails sent from unexpected IP addresses or domains. This can help identify and mitigate attacks in real-time.
We at AutoSPF can help you have an SPF record that doesn’t exceed the DNS lookup limit of 10. So, if you need our help with this, contact us.
