A massive phishing campaign dubbed "EchoSpoofing" exploited a now-fixed permissions weakness in Proofpoint's email protection service to dispatch millions of spoofed emails impersonating big entities like Disney, Nike, IBM, and Coca-Cola, targeting Fortune 100 companies.
The campaign started in January 2024, disseminating an average of 3 million spoofed emails daily and reaching a peak of 14 million emails in early June.
The phishing emails were designed to steal sensitive personal information and incur unauthorized charges. They also carried valid Sender Policy Framework (SPF) results and DomainKeys Identified Mail (DKIM) signatures, making them appear authentic to the recipients.
Guardio Labs helped discover the phishing campaign and security gap in Proofpoint's email relay servers. In May 2024, they notified the firm and helped them fix it.
To conduct the campaign, threat actors set up their own SMTP servers to create spoofed emails with manipulated headers and then relayed them through Proofpoint's relay servers using compromised or rogue Microsoft Office 365 accounts.