What is SPF Permerror?

SPF=Permerror indicates that there is a fundamental problem with the SPF record, making it impossible to determine if the sending server is authorized or not.

What is the 10 DNS lookup limit?

During SPF check, every time an email is sent from your domain, your recipient’s email server performs DNS query requests, also known as DNS lookups to check the presence of authorized IP addresses in your DNS and match them to the ones in the received email’s return-path header. However, RFC limits the number of DNS lookups to 10. This is known as the 10 DNS lookup limit.

Am I exceeding SPF Too Many DNS Lookups limit?

If you are worried about exceeding the lookup limit for SPF, you can check your record instantly using our SPF record checker tool.

How to fix SPF Permerror?

A more effective way to avoid SPF errors is to deploy an SPF flattening tool that is automatic and hassle-free – like PowerSPF!

EchoSpoofing: Proofpoint Email Routing Exploit Explained

It is not a secret that email authentication can be pretty vulnerable. This is especially true when emails are forwarded with modified headers, changed subject lines, or removed attachments. These minor changes can compromise an email’s DKIM signature.

Various Secure Email Gateways (SEGs), such as Proofpoint, have been introduced to address this issue. These SEGs can tackle the authentication issues of altered emails by re-authenticating them. While this method is good enough to mitigate authentication failures, it raises new risks.

Unfortunately, a vulnerability was noticed in Proofpoint’s email relay service, in March 2024. It has allowed various malicious actors to exploit a configuration setting. This proofpoint email routing flaw enabled attackers to send millions of spoofed messages.

In this article, you will learn everything about EchoSpoofing and Proofpoint’s recent email routing exploit.

Understanding Proofpoint’s Email Routing Exploit

Malicious actors found a way to exploit a vulnerability in Proofpoint’s email relay service, a configuration setting that accepts emails from any Microsoft 365 tenant. After receiving these emails, Proofpoint re-authenticates them by adding a new and valid DKIM signature.

The flaw in the configuration settings allows the perpetrators to spoof any domain name. This lets them send emails that appear to come from legitimate sources, in a series of phishing campaigns called “EchoSpoofing”.

What is EchoSpoofing?

The exploit has been named “EchoSpoofing” by Gaurdio Labs. It is a technique by which attackers send emails from SMTP servers. These SMTP servers are hosted on Virtual Private Servers (VPS), and the sent messages easily pass to email authentication checks, including SPF and DKIM. These EchoSpoofing emails mimic legitimate emails from trusted senders.

Microsoft 365 allows emails to be sent from any domain of the user’s choice. While notorious for enabling emails to be sent from even suspicious-looking tenants, the hackers in the EchoSpoofing exploit utilized this flaw to route messages from attacker-controlled Office 365 tenants. Proofpoint customers authorizing Microsoft 365 as a legitimate sender, inadvertently landed themselves in trouble. These attacker-controlled Office 365 tenants got a free pass to relay the EchoSpoofing emails through Proofpoint’s relay service with a tag of authentication and valid DKIM signatures.

Proofpoint, in their article explaining the attack, disclosed that “The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow.”

Consequences of EchoSpoofing

If you are a Microsoft 365 user, using Proofpoint’s Secure Email Gateway to block malicious emails through a relay system, you need to exercise caution as any other Microsoft 365 tenants can potentially spoof your domain. As Proofpoint cannot explicitly filter out specific Office 365 tenants and authorizes all of them, if you have defined Microsoft as a legitimate sender – malicious actors can easily impersonate your domain to send phishing emails.

The spoofed emails sent through this system are not then flagged as suspicious, even passing the DMARC check, and landing directly into your receiver’s inbox.

The Scale of the Exploitation

The attacks had a significantly widespread reach.

Targeted Companies

The new “Ecospoofing” method targeted various well-known brands. These companies include Nike, IBM, Walt Disney, Best Buy, and others.

Proofpoint’s Response and Mitigation Strategies

After the issue was noticed, Proofpoint released various measures to counter this vulnerability promptly. These included enabling customers to now specify permitted Microsoft 365 tenants. Proofpoint reassured customers that while every email routing system is vulnerable to a certain extent – customer data was not exposed or compromised during the attacks.

Opting for Well-Rounded Email Security with PowerDMARC

PowerDMARC’s advanced AI-powered email authentication platform offers both security and visibility when it comes to most email-based exploits and threats. Our Threat Intelligence technology is adept at making data-driven predictions on threat patterns and trends, with a team of experts guiding you through tightening your email authentication posture.

PowerDMARC’s detailed APIs allow customers to seamlessly integrate our platform with their existing security systems including SEGs like Proofpoint – providing enhanced security!

Furthermore, we help domain owners shift to enforced DMARC policies like “reject”, empowering them to combat spoofing attacks effectively.

Final Words

The EchoSpoofing exploit highlights a significant vulnerability in Proofpoint’s email routing system, proving that even trusted security solutions can have blind spots.

Attackers are not new to leveraging misconfigurations in email systems to bypass authentication checks, launching widespread phishing campaigns. While Proofpoint has responded with corrective measures, this incident underscores the importance of proactive email security powered by a team of experts.

To explore protective strategies for your domain name and enforce your email authentication correctly – contact us today to speak to one of our seasoned professionals.

About
Latest Posts

Ahona Rudra

Domain & Email Security Expert at PowerDMARC

Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.

What is EchoSpoofing?: Proofpoint Email Routing Exploit