Phishing campaigns that spoof well-known global brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola to trick recipients into clicking on malicious emails should be a thing of the past.
We trust this assumption thanks to a suite of mature email authentication technologies dating back over a decade: if the sender’s address is on the disney.com domain, the probability that it has somehow been spoofed is extremely low.
And yet as a small Israeli security company called Guardio discovered earlier this year, cracks can appear that allow criminals to bypass this system when nobody is paying attention.
This week the company published a note describing how a phishing campaign dubbed “EchoSpoofing” was able to send millions of spoofed emails impersonating the major brands mentioned above by exploiting a weakness in the Proofpoint email protection service.
The result: between January and June, the criminals were able to send an average of three million spoofed emails per day and up to 14 million on some days, Guardio said.
It sounds like a lot but is in fact fairly modest by spam standards. However, all the phishing attackers would need was for a fraction of a percent of people to be fooled for the campaign to be a success.
Email firewall
The background is that Proofpoint is a market-leading provider of email security services. Big companies (including 87 of the Fortune 100) run email to and from their servers through Proofpoint’s platform to ensure that malicious emails are filtered out.
And yet somehow, this campaign showed they were getting through. At first, Guardio couldn’t find anything wrong with the spoofed emails, which had the ultimate purpose of stealing credit card data from anyone fooled by them.
The DomainKeys Identified Mail (DKIM) settings, which use public-key signatures to authenticate a sender’s domain, checked out, as did the Sender Policy Framework (SPF), which verifies that the sending server’s IP is authorized for the domain.
Mystified as to how this was possible, Guardio noticed that the phishing emails all originated on an SMTP virtual server, were routed via Office365 Exchange Online, and then entered a domain-specific relay server operated by Proofpoint.
Importantly, that final Proofpoint server was where the messages acquired DKIM signatures and SPF authorization that made them look legitimate, because Proofpoint routes email on behalf of its customers.
“EchoSpoofing”
The bypass had two parts. The first was to beat the SPF IP-to-domain check, which the attackers achieved by sending their spoofed emails from an SMTP server under their control through an Office365 account. Office365 blocks spoofing when email originates in its own accounts but not, crucially, when it relays email from external SMTP servers.
Beating DKIM should have been the hard part but turned out to be trivial thanks to the way the Proofpoint server was configured to accept email from servers with an approved IP range.
That, it transpired, included Office365 servers, which the criminals had already used to relay their phishing emails. As Guardio Labs head Nati Tal wrote in the company’s blog on the attack:
“If no other special rules or enforcement are manually added later on, will any Office365 account be able to interact with the Proofpoint relay server? Well, the answer is — YES!”
All the attackers had to do was route the emails for a specific company to the correct Proofpoint host used to process email for its domain. They got that by querying the domain’s public DNS for its MX record.
Call it email laundering: emails sent directly from the rogue server would always be filtered, so instead the attackers found a way to route their malicious emails through a server that makes them look clean.
The Proofpoint server believed the emails to have originated from legitimate domains such as Disney so it forwarded them as if they were.
Beating filtering
The whole attack shows how seemingly watertight technology still depends on being configured carefully.
DKIM, SPF, and the more recent policy-based standard DMARC (Domain-based Message Authentication, Reporting, and Conformance) were supposed to stop the spoofing problem.
They are the result of nearly two decades of effort to clean up email, which from the early 2000s onwards started being overwhelmed by a surge in spam.
Slowly, as more companies adopted them, these technologies worked. Commercial and criminal spam/phishing is still a problem but the ability to spoof domains has receded.
But cybersecurity is never that simple. The spoofers prey on weaknesses in the application of anti-spoofing and anti-spam technologies which can be complex to configure. Oversights are common and perhaps inevitable.
“This technique can be leveraged by a threat actor to spoof both high-value and reputable brands and, even more importantly, to do so on a mass scale,” wrote Tal.
Guardio told Proofpoint about the flaw in May, to which the latter “responded within hours, setting the stage for our joint efforts.”
In fact, customers had apparently noticed the issue and started blocking the emails. Proofpoint informed customers and has since added a header to authenticate Office365 accounts:
“By using this header, customers can ensure that only emails from their own authorized Office365 tenants are accepted, effectively blocking any malicious actors from further exploiting this flow.”
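To make the relay logic concrete, here is an added illustration (not Guardio’s or Proofpoint’s code) of the weak accept rule described above beside a hardened one that also checks which tenant a message originated from. The IP range, domains and tenant names are constructed, and using Exchange Online’s X-OriginatorOrg header as the tenant identifier is an assumption, since the page does not name the header Proofpoint added.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed policy data for a relay that forwards mail for one customer domain.
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # stands in for the Office365 range
CUSTOMER_DOMAINS = {"example-brand.com"}
TENANT_HEADER = "X-OriginatorOrg"  # assumption: Exchange Online's tenant header is used as the identifier
ALLOWED_TENANTS = {"example-brand.com": {"example-brand.onmicrosoft.com"}}

# Constructed sample messages: one from the customer's own tenant, one relayed by an attacker's tenant.
LEGIT = """From: Example Brand <news@example-brand.com>
To: customer@example.net
X-OriginatorOrg: example-brand.onmicrosoft.com
Subject: Your monthly statement

Thanks for being a customer.
"""
SPOOF = """From: Example Brand <billing@example-brand.com>
To: customer@example.net
X-OriginatorOrg: attacker-tenant.onmicrosoft.com
Subject: Payment problem, update your card

Please update your card details.
"""

def parse_message(raw):
    """Extract the header From domain and the originating tenant from a raw message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return {
        "from_domain": addr.rpartition("@")[2].lower(),
        "tenant": (msg.get(TENANT_HEADER) or "").strip().lower(),
    }

def relay_decision(source_ip, raw, enforce_tenant):
    """Decide whether the outbound relay accepts a message offered from source_ip."""
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in APPROVED_RANGES):
        return "reject: source not in approved range"
    info = parse_message(raw)
    if info["from_domain"] not in CUSTOMER_DOMAINS:
        return "reject: not a customer domain"
    if not enforce_tenant:
        return "accept"  # weak rule: any tenant in the approved range can relay as the customer
    if info["tenant"] in ALLOWED_TENANTS[info["from_domain"]]:
        return "accept"
    return "reject: tenant not authorized for this domain"
```

With the weak rule both messages are accepted and signed; with tenant enforcement only the customer’s own tenant gets through.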
Curiously, outreach to Microsoft about compromised Office365 accounts was less successful.
“These accounts remained active for over seven months and counting,” wrote Tal.