Cybercriminals found a way to send millions of “perfectly spoofed” phishing emails thanks to a vulnerability in Proofpoint’s email relay servers.
Guardio Labs experts revealed that the phishing campaign started in January 2024 and was sending an average of three million emails per day. In early June, it peaked with 14 million emails being distributed.
Researchers dubbed the campaign “EchoSpoofing” and noted that the criminals managed to get their phishing emails properly signed with DKIM and passing SPF checks. What tipped off researchers, however, was that all the emails were being sent from a specific family of relay servers (pphosted.com), which is owned and operated by email security vendor Proofpoint.
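As an added illustration (not code from Guardio Labs or Proofpoint), the sketch below reads a message's Authentication-Results and Received headers and reports the SPF/DKIM verdicts next to the relay path, the same combination the researchers describe: valid authentication plus a pphosted.com hop. The sample message, its hosts and domains, and the function names are constructed for this example; the output is a triage summary for an analyst, not a verdict, since legitimate customer mail uses the same relays.

```python
import email
import re
from email import policy

RELAY_FAMILY = "pphosted.com"  # relay domain named in the article

# Constructed sample message: every host, address and domain is a placeholder.
SAMPLE = """\
Received: from mx0a-00000000.pphosted.com (mx0a-00000000.pphosted.com [192.0.2.10])
\tby mx.recipient.example with ESMTPS id abc123; Mon, 03 Jun 2024 10:00:00 +0000
Received: from unknown-origin.example (unknown-origin.example [198.51.100.7])
\tby mx0a-00000000.pphosted.com with ESMTPS id def456; Mon, 03 Jun 2024 09:59:58 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=brand.example;
\tdkim=pass header.d=brand.example
From: "Brand Billing" <billing@brand.example>
Subject: Your account is about to expire

Constructed body.
"""

def auth_results(msg):
    """Return the first spf= and dkim= verdicts found in Authentication-Results."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim)=(\w+)", str(value), re.I):
            out.setdefault(method.lower(), result.lower())
    return out

def in_family(host, family=RELAY_FAMILY):
    """True only for the relay domain itself or a real subdomain of it."""
    return bool(host) and (host == family or host.endswith("." + family))

def relay_hops(msg):
    """Return (from_host, by_host) for each Received header, newest hop first."""
    # Hops below the first header stamped by your own MTA are sender-supplied data.
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # collapse folded whitespace
        pair = [re.search(rf"\b{kw}\s+([\w.-]+)", text) for kw in ("from", "by")]
        hops.append(tuple(m.group(1).lower() if m else None for m in pair))
    return hops

def triage(raw):
    """Summarise authentication verdicts and the relay path for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth, hops = auth_results(msg), relay_hops(msg)
    # Hosts that handed the message to the relay family from outside it.
    upstream = [f for f, b in hops if in_family(b) and not in_family(f)]
    return {"spf": auth.get("spf"), "dkim": auth.get("dkim"),
            "via_relay_family": any(in_family(f) or in_family(b) for f, b in hops),
            "upstream_of_relay": upstream}
```

Calling triage(SAMPLE) shows a message that passes both checks yet entered the relay from a host unrelated to the brand in the From header, which is the part worth reviewing.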
How to bypass spam filters
To the recipient, the email appears to be from a legitimate company. The companies being impersonated here all appear to be Proofpoint clients, mostly Fortune 100 companies. These include Disney, IBM, Nike, Best Buy, and Coca-Cola, to name a few.
“These emails mimicked official Proofpoint email relays with authenticated SPF and DKIM signatures, thereby bypassing key security protections, all to trick recipients into stealing funds and credit card details,” the researchers concluded.
Guardio Labs claimed that none of the major email platforms, including Gmail, flagged these emails as spam; instead, they were delivered directly to users’ inboxes. The emails frightened victims with fake account expirations, requests for payment and renewal, and the like, all with the goal of collecting payment and personal identification information.
Proofpoint said it has been closely monitoring the EchoSpoofing campaign since March 2024 and has provided new settings and advice on how to prevent such attacks in the future. The company provided detailed guidance on how users can add anti-spoofing controls and more.
Via BleepingComputer