What is EchoSpoofing?: Understanding Email Routing Exploits

Blog, Cybersecurity

The recent exploitation of an email routing flaw, known as EchoSpoofing, allowed attackers to send millions of spoofed emails across multiple organizations.

by Ahona Rudra

Reading Time: 4 min
What is EchoSpoofing?: Understanding Email Routing Exploits
Table Of Contents

It is not a secret that email authentication can be pretty vulnerable. This is especially true when emails are forwarded with modified headers, changed subject lines, or removed attachments. These minor changes can compromise an email’s DKIM signature.

Various Secure Email Gateways (SEGs), have been introduced to address this issue. These SEGs can tackle the authentication issues of altered emails by re-authenticating them. While this method is good enough to mitigate authentication failures, it raises new risks.

Unfortunately, a vulnerability was noticed in Proofpoint’s email relay service, in March 2024. It has allowed various malicious actors to exploit a configuration setting. This email routing flaw enabled attackers to send millions of spoofed messages.

In this article, you will learn everything about EchoSpoofing and the recent email routing exploit. 

Key Takeaways

  1. Email authentication vulnerabilities can be exacerbated by configuration flaws in email relay services.
  2. The EchoSpoofing technique allows attackers to exploit trusted email services to send spoofed emails.
  3. A recent configuration issue with email relay systems enabled malicious actors to impersonate legitimate domains without proper filters.
  4. Even with security measures in place, organizations must remain vigilant against evolving email-based threats.
  5. Implementing strict DMARC policies can help prevent domain impersonation and enhance email security.

Understanding the Email Routing Exploit

Malicious actors found a way to exploit a vulnerability in email relay services, a configuration setting that accepts emails from any Microsoft 365 tenant. After receiving these emails, they are re-authenticated by adding a new and valid DKIM signature.

The flaw in the configuration settings allows the perpetrators to spoof any domain name. This lets them send emails that appear to come from legitimate sources, in a series of phishing campaigns called “EchoSpoofing”.

 

Protect Against EchoSpoofing with PowerDMARC!

Start 15-day trial Book a demo

What is EchoSpoofing?

The exploit has been named “EchoSpoofing” by Gaurdio Labs. It is a technique by which attackers send emails from SMTP servers. These SMTP servers are hosted on Virtual Private Servers (VPS), and the sent messages easily pass to email authentication checks, including SPF and DKIM. These EchoSpoofing emails mimic legitimate emails from trusted senders.

Microsoft 365 allows emails to be sent from any domain of the user’s choice. While notorious for enabling emails to be sent from even suspicious-looking tenants, the hackers in the EchoSpoofing exploit utilized this flaw to route messages from attacker-controlled Office 365 tenants. For example, Proofpoint customers authorizing Microsoft 365 as a legitimate sender, inadvertently landed themselves in trouble. These attacker-controlled Office 365 tenants got a free pass to relay the EchoSpoofing emails through their relay service with a tag of authentication and valid DKIM signatures. 

Consequences of EchoSpoofing

If you are a Microsoft 365 user, using Secure Email Gateways to block malicious emails through a relay system, you need to exercise caution as any other Microsoft 365 tenants can potentially spoof your domain. As most of these SEGs cannot explicitly filter out specific Office 365 tenants and authorizes all of them, if you have defined Microsoft as a legitimate sender – malicious actors can easily impersonate your domain to send phishing emails

The spoofed emails sent through this system are not then flagged as suspicious, even passing the  DMARC check, and landing directly into your receiver’s inbox.

The Scale of the Exploitation

The attacks had a significantly widespread reach.

Targeted Companies

The new “Ecospoofing” method targeted various well-known brands. These companies include Nike, IBM, Walt Disney, Best Buy, and others. 

Response and Mitigation Strategies

After the issue was noticed, various measures to counter this vulnerability was promptly released. These included enabling customers to now specify permitted Microsoft 365 tenants. Customers were also reassured that while every email routing system is vulnerable to a certain extent – customer data was not exposed or compromised during the attacks. 

Opting for Well-Rounded Email Security with PowerDMARC

PowerDMARC’s advanced AI-powered email authentication platform offers both security and visibility when it comes to most email-based exploits and threats. Our Threat Intelligence technology is adept at making data-driven predictions on threat patterns and trends, with a team of experts guiding you through tightening your email authentication posture. 

PowerDMARC’s detailed APIs allow customers to seamlessly integrate our platform with their existing security systems – providing enhanced security! 

Furthermore, we help domain owners shift to enforced DMARC policies like “reject”, empowering them to combat spoofing attacks effectively. 

Final Words

The EchoSpoofing exploit highlights a significant vulnerability in email routing systems, proving that even trusted security solutions can have blind spots. 

Attackers are not new to leveraging misconfigurations in email systems to bypass authentication checks, launching widespread phishing campaigns. While corrective measures have been taken, this incident underscores the importance of proactive email security powered by a team of experts. 

To explore protective strategies for your domain name and enforce your email authentication correctly – contact us today to speak to one of our seasoned professionals.

Latest posts by Ahona Rudra (see all)
Top 5 Cybersecurity Tips for E-commerce Brandscybersecurity-tipsRed-Team-VS-Blue-TeamRed Team VS Blue Team