---
title: "How threat actors managed to send millions of phishing emails from trusted domains- explaining echo-spoofing | AutoSPF"
description: "In the first half of 2024, a simple toggle in Proofpoint’s email service allowed threat actors to send millions of hard-to-detect emails impersonating."
image: "https://autospf.com/og/blog/how-threat-actors-sent-phishing-emails-from-trusted-domains-using-echo-spoofing.png"
canonical: "https://autospf.com/blog/how-threat-actors-sent-phishing-emails-from-trusted-domains-using-echo-spoofing/"
---


![millions of phishing emails](https://media.mailhop.org/autospf/images/2024/08/spf-record-tester-4830.jpg) 

In the first half of 2024, a simple toggle in Proofpoint’s email service allowed threat actors to [send millions of hard-to-detect emails impersonating](https://www.darkreading.com/cloud-security/disney-nike-ibm-signatures-3m-fake-emails) blue-chip companies. They exploited a misconfiguration in Proofpoint’s [secure email gateway](https://www.techtarget.com/searchsecurity/feature/Browse-the-best-email-security-gateways-for-your-enterprise) (SEG) to send fraudulent credit card emails. These emails bypassed security filters as they were signed and verified, looking like they were coming from legitimate business domains. _The popular brands they mimicked included Disney, Nike, Best Buy, ESPN, IBM, Coca-Cola, Fox News, and many more_. 

_According to the [FBI’s 2022 Internet Crime Report (IC3)](https://www.ic3.gov/Media/PDF/AnnualReport/2022%5FIC3Report.pdf), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) - a domain-spoofing attack that SPF, DKIM, and DMARC are specifically designed to prevent - caused more than $2.7 billion in direct losses._

This post explains how one misconfiguration led to a chain of exploitation and how you can avoid it.

![cybercriminals](https://media.mailhop.org/autospf/images/2024/08/spf-validator-8053.jpg) 

## What actually happened?

Here is a breakdown of the steps that culminated in the abuse of open relays.

- The [cybercriminals](https://thehackernews.com/2024/04/cybercriminals-targeting-latin-america.html) used genuine Microsoft Office 365 accounts. It is unclear how they got access to genuine accounts; either they broke into them or used trial accounts.
- They made emails look like they were coming from legitimate businesses by copying their branding, using the official logos, signatures, etc. The branding could also involve setting the ‘From’ addresses to appear as if they were from the official domains (for example, nike.com, disney.com, ibm.com, etc.). This further reduced the red flags that could have raised suspicions.
- Gmail is one of the most heavily used mailbox providers, and it is built to handle a high volume of messages from trusted servers like Outlook, which is Microsoft’s email service. Since Gmail’s servers are designed to efficiently process millions of emails per hour, the messages were not blocked by rate limits.
- The bad actors exploited the [Sender Policy Framework (SPF)](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/) process. _The emails were sent through Microsoft’s official relay server, protection.outlook.com_. The impersonated brands’ SPF records included spf.protection.outlook.com, which meant emails sent through this relay server were authorized by the brands.
- Then, they altered or spoofed the [email headers](https://proton.me/blog/what-are-email-headers) so that the messages appeared to be originating from different sources.
- Since the emails were sent via servers that included the impersonated brands’ [SPF records](/spf-record-checker/create-spf-record/), they passed the SPF checks and didn’t raise any suspicion among the recipients.

## Proofpoint’s misconfigurations that were exploited

Proofpoint’s permissive IP-based authentication settings allowed threat actors to send millions of [phishing emails](https://www.bleepingcomputer.com/news/security/proofpoint-settings-exploited-to-send-millions-of-phishing-emails-daily/). The issue arose from a generic configuration that Proofpoint often used, where it was set to accept emails from entire IP ranges associated with services like Office365 or [Google Workspace](https://en.wikipedia.org/wiki/Google%5FWorkspace) without specifying particular accounts. This meant that once a service like Office365 was enabled, Proofpoint would accept emails from any IP within the Office365 range, regardless of the specific account sending the email.

## Proofpoint’s other overly permissive configurations

- Admin setup: Proofpoint lets admins add a hosted email service with a single click and no extra steps, and that setup relies on IP-based authentication.
- Generic acceptance: Proofpoint’s setup doesn’t specify which accounts are authorized. Because of this, any account within the IP range is accepted.
- Blind relay: Because of this easy and wide acceptance, [threat actors](https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-ramp-up-use-of-encoded-urls-to-bypass-secure-email) relay emails through Proofpoint, which ultimately processes and delivers even [fraudulent emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) as usual.

![fraudulent emails](https://media.mailhop.org/autospf/images/2024/08/spf-flattening-3972.jpg)

## Warding off such attacks is possible

Don’t rely on permissive IP-based authentication; instead, configure Proofpoint to authenticate specific accounts or domains. It’s also a good practice to audit [email security](/) settings within Proofpoint and other email security gateways. 
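The difference between IP-range acceptance and account-level acceptance, modelled as an added example (not Proofpoint's code or configuration). The IP range, tenant ids and domains are constructed, and it is assumed the gateway can see which provider tenant submitted each message.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: a documentation range stands in for the hosted
# provider's shared outbound range; tenant ids and domains are made up.
PROVIDER_RANGE = ipaddress.ip_network("203.0.113.0/24")
# Hardened policy data: which provider tenant may relay for which domain.
TENANT_DOMAINS = {"tenant-brand": {"brand.example"}}

@dataclass
class Inbound:
    client_ip: str    # IP of the connecting server
    tenant: str       # tenant id attached by the provider (assumed visible)
    from_domain: str  # domain in the From header

def permissive_accept(msg: Inbound) -> bool:
    """IP-only check: any account behind the shared range is relayed."""
    return ipaddress.ip_address(msg.client_ip) in PROVIDER_RANGE

def strict_accept(msg: Inbound) -> bool:
    """Require the shared range AND a tenant bound to the From domain."""
    if ipaddress.ip_address(msg.client_ip) not in PROVIDER_RANGE:
        return False
    allowed = TENANT_DOMAINS.get(msg.tenant, set())
    return msg.from_domain.lower() in allowed

def compare(messages):
    """Return (label, permissive decision, strict decision) per message."""
    return [(label, permissive_accept(m), strict_accept(m))
            for label, m in messages]

SAMPLES = [
    ("customer tenant",
     Inbound("203.0.113.10", "tenant-brand", "brand.example")),
    ("unrelated tenant, same range",
     Inbound("203.0.113.77", "tenant-other", "brand.example")),
    ("outside range",
     Inbound("198.51.100.5", "tenant-brand", "brand.example")),
]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The second sample is the case this article describes: the connecting IP is inside the trusted range, so only the account-level binding separates it from the customer's own mail.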

Most importantly, make sure you have all three [email authentication](/spf-too-many-dns-lookups/spf-lookup/) protocols (SPF, [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/), and [DMARC](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dmarc-record-check/)) standing as the guards of your domain. _These protocols help authenticate the sending domain and ensure that emails are not tampered with during transit_. Regularly update these records to reflect legitimate IP addresses and services. Don’t hesitate to use the strict DMARC policies, p=quarantine or p=reject. This way, unauthorized emails will be blocked or isolated at the recipients’ ends. 

[Review email logs](https://www.inmotionhosting.com/support/email/review-mail-logs/) and authentication reports regularly to detect unusual patterns, such as emails sent from unexpected IP addresses or domains. This can help identify and mitigate attacks in real-time.
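One way to review authentication reports for unexpected sources, as an added example (not AutoSPF's tooling). It sums a DMARC aggregate report per source IP and ranks first the sources that pass authentication but are not on your known-sender list; the report content and the `EXPECTED` ranges are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed allow-list: ranges this domain is known to send from.
EXPECTED = [ipaddress.ip_network("192.0.2.0/28")]

def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf>"
            f"</policy_evaluated></row></record>")

# Constructed DMARC aggregate report (RFC 7489 element names), not real data.
REPORT = "<feedback>" + "".join([
    _rec("192.0.2.5", 1200, "pass", "pass"),
    _rec("203.0.113.77", 90000, "pass", "pass"),
    _rec("198.51.100.9", 40, "fail", "fail"),
    _rec("203.0.113.77", 10000, "pass", "fail"),
]) + "</feedback>"

def triage(report_xml, expected=EXPECTED):
    """Sum message counts per unexpected source IP and label each one."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    # Real reports come from third parties: parse those with a hardened
    # XML parser (for example defusedxml) rather than plain ElementTree.
    for row in ET.fromstring(report_xml).iter("row"):
        ip = ipaddress.ip_address(row.findtext("source_ip").strip())
        if any(ip in net for net in expected):
            continue  # known sender, nothing to review
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[str(ip)]["pass" if ok else "fail"] += count
    findings = []
    for ip, t in totals.items():
        # Passing mail from an unknown source means an authorized path is
        # in use by a sender you did not expect; p=reject does not stop it.
        label = "authenticated-unexpected" if t["pass"] else "unauthenticated"
        findings.append((ip, t["pass"] + t["fail"], label))
    return sorted(findings,
                  key=lambda f: (f[2] != "authenticated-unexpected", -f[1]))

if __name__ == "__main__":
    for finding in triage(REPORT):
        print(finding)
```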

We at AutoSPF can help you have an SPF record that doesn’t [exceed the DNS lookup limit of 10](/blog/fixing-spf-dns-lookups-quick-tips/). So, if you need our help with this, [contact us](/contact-us/).


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

