Security Awareness – Exploitation of Proofpoint’s Email Protection Enables Widespread Impersonation of Well-Known Brands

Created: Tuesday, July 30, 2024 - 14:40
Categories:
Cybersecurity, Security Preparedness

A misconfiguration in Proofpoint’s email security system allows threat actors to send seemingly genuine emails without detection. This campaign, which has been active since January 2024, impersonates well-known companies by spoofing their emails and circumvents major security protections such as SPF and DKIM signatures. WaterISAC is sharing this for security awareness because the exploitation of Proofpoint’s email protections enables the widespread impersonation of well-known brands.

The scale of the operation is staggering, with an average of three million spoofed emails sent per day, reaching a peak of 14 million in June 2024. These phishing emails are able to impersonate legitimate company domains, making them nearly indistinguishable from authentic communications.

The underlying issue stems from what is being called a "super-permissive misconfiguration flaw" in Proofpoint's email servers, which allowed rogue Microsoft 365 tenants to relay fraudulent messages through the email infrastructures of Proofpoint's customers. This enables the attacker to send seemingly genuine emails without detection, making even the most security-aware user susceptible to this attack.

Proofpoint has acknowledged the ongoing campaign, noted that it does not align with any known threat actor, and implemented measures to mitigate the issue, such as restricting which Microsoft 365 tenants can relay emails. The incident underscores the necessity for organizations to maintain strict oversight of third-party email services and implement robust controls to safeguard against spoofing attacks. For more information on the ongoing phishing campaign, visit BleepingComputer or TheHackerNews.
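
The tenant restriction described above can also be checked during mail triage. The following is an added example, not code from Proofpoint or WaterISAC: it flags messages that pass SPF and DKIM yet were relayed from a Microsoft 365 tenant the organization has not approved. The allowlist, the sample messages and the use of the `X-MS-Exchange-CrossTenant-Id` header as the tenant identifier are assumptions made for illustration.

```python
from email import message_from_string

# Hypothetical allowlist: Microsoft 365 tenant IDs approved to relay for this org.
APPROVED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
# Assumption: the relaying tenant's ID is visible in this header at inspection time.
TENANT_HEADER = "X-MS-Exchange-CrossTenant-Id"

# Constructed sample: passes SPF and DKIM, but comes from an unapproved tenant.
SPOOFED = """\
From: Billing <billing@brand.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=brand.example; dkim=pass header.d=brand.example
X-MS-Exchange-CrossTenant-Id: 99999999-9999-9999-9999-999999999999
Subject: Your account needs attention

constructed body
"""
# Constructed variants: approved tenant, failed SPF, and no tenant header at all.
LEGIT = SPOOFED.replace("9" * 8 + "-9999-9999-9999-" + "9" * 12,
                        "11111111-1111-1111-1111-111111111111")
FAILED = SPOOFED.replace("spf=pass", "spf=fail")
NO_HEADER = "\n".join(l for l in SPOOFED.split("\n")
                      if not l.startswith(TENANT_HEADER))

def auth_passes(msg):
    """True when Authentication-Results reports both spf=pass and dkim=pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dkim=pass" in results

def triage(raw):
    """Classify one raw message by relaying tenant, then by SPF/DKIM outcome."""
    msg = message_from_string(raw)
    tenant = (msg.get(TENANT_HEADER) or "").strip().lower()
    if not tenant:
        return "no-tenant-header"
    if tenant in APPROVED_TENANTS:
        return "approved-tenant"
    # SPF/DKIM pass plus an unknown tenant is the pattern this advisory describes.
    if auth_passes(msg):
        return "unapproved-tenant-auth-pass"
    return "unapproved-tenant"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit", LEGIT),
                      ("failed", FAILED), ("no_header", NO_HEADER)]:
        print(name, triage(raw))
```

A message classified as `unapproved-tenant-auth-pass` is the case where SPF and DKIM results alone would not have raised suspicion.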