Massive Email Exploit: Hackers Bypass Security to Spoof Major Brands through Proofpoint Vulnerability
September 14, 2024
Proofpoint acknowledged that the root cause of the issue was a modifiable email routing configuration that failed to specify which Microsoft 365 tenants were authorized.
In March 2024, a vulnerability was discovered in Proofpoint’s email relay service, which allowed malicious actors to exploit a configuration setting.
Hackers exploited Microsoft 365's feature permitting emails to be sent from any domain, enabling them to route messages from their controlled Office 365 tenants through Proofpoint's service.
Spoofed emails sent through this system could bypass DMARC checks, landing directly in recipients' inboxes without being flagged as suspicious.
Microsoft 365 users utilizing Proofpoint's Secure Email Gateway (SEG) should exercise caution, as any Microsoft 365 tenant can spoof their domain, leading to potential phishing attacks.
The EchoSpoofing incident underscores the need for proactive email security and the importance of addressing misconfigurations in email systems.
PowerDMARC's services include helping domain owners enforce DMARC policies effectively to combat spoofing and enhance email security.
EchoSpoofing, coined by Guardio Labs, involves attackers utilizing SMTP servers on Virtual Private Servers to send messages that pass authentication checks.
This configuration flaw allowed attackers to send millions of spoofed messages using a phishing technique known as 'EchoSpoofing,' which involved spoofing any domain name.
The EchoSpoofing incident targeted well-known brands such as Nike, IBM, Walt Disney, and Best Buy, highlighting the widespread reach of this exploit.
Despite the incident, Proofpoint assured customers that their data was not compromised, although it highlighted vulnerabilities within their system.
In response to the vulnerability, Proofpoint implemented measures allowing customers to specify permitted Microsoft 365 tenants to enhance security.
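The tenant restriction described above can be sketched as a relay-side check. This is an added example, not Proofpoint's code or configuration: it assumes the relay reads the `X-MS-Exchange-CrossTenant-Id` header that Exchange Online stamps on outbound mail, that the header cannot be pre-set by the sender, and that the check runs only on the Microsoft 365 connector. The function name, tenant GUIDs and messages are constructed.

```python
import uuid
from email import message_from_string

# Assumption: Exchange Online adds this header with the sending tenant's GUID.
TENANT_HEADER = "X-MS-Exchange-CrossTenant-Id"

def relay_decision(raw_message, allowed_tenants):
    """Return (action, reason) for mail arriving on the Microsoft 365 connector."""
    allowed = {str(uuid.UUID(t)) for t in allowed_tenants}  # canonical lowercase form
    values = [v.strip() for v in message_from_string(raw_message).get_all(TENANT_HEADER, [])]
    if not values:
        return ("reject", "no tenant id header")
    if len({v.lower() for v in values}) != 1:
        return ("reject", "conflicting tenant id headers")
    try:
        tenant = str(uuid.UUID(values[0]))
    except ValueError:
        return ("reject", "malformed tenant id")
    if tenant not in allowed:
        return ("reject", "tenant %s is not authorized for this customer" % tenant)
    return ("relay", "tenant %s is authorized" % tenant)

# Constructed sample data: the customer's own tenant and an unrelated tenant.
ALLOWED = ["11111111-2222-3333-4444-555555555555"]

def sample(tenant_header_lines):
    # Both messages carry the same brand From: address, so the From domain
    # alone cannot tell them apart; only the originating tenant differs.
    return (
        "From: Brand Support <support@brand.example>\n"
        "To: user@recipient.example\n"
        "Subject: Your order\n"
        + tenant_header_lines
        + "\nbody\n"
    )

OWN_TENANT = sample("X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555\n")
OTHER_TENANT = sample("X-MS-Exchange-CrossTenant-Id: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE\n")
NO_HEADER = sample("")
MALFORMED = sample("X-MS-Exchange-CrossTenant-Id: not-a-guid\n")

if __name__ == "__main__":
    for name, raw in [("own", OWN_TENANT), ("other", OTHER_TENANT),
                      ("none", NO_HEADER), ("bad", MALFORMED)]:
        print(name, relay_decision(raw, ALLOWED))
```

Without an allowlist, every message in the sample set would be relayed, which is the "any Microsoft 365 tenant" condition the summary describes.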
Summary based on 1 source
Source
Security Boulevard • Sep 13, 2024
What is EchoSpoofing?: Proofpoint Email Routing Exploit