Skip to main content

Jul 31, 2024

Attackers Exploit Proofpoint to Target Customers with Brand Impersonation Attacks

Learn about the recent EchoSpoofing attack that exploited Proofpoint's relay servers and how Abnormal's AI-driven approach provides superior protection against brand impersonation and advanced phishing attacks.

Key Insights

EchoSpoofing exploits Proofpoint's mail relay architecture, allowing emails to pass SPF, DKIM, and DMARC checks despite being malicious.

Proofpoint's own fix requires quarterly health checks, dedicated staff tuning, and post-delivery remediation via TRAP—placing burden on customers.

Abnormal blocked 580,000+ EchoSpoof attacks by using behavioral context, NLP, and computer vision rather than authentication signals alone.

SEGs that sit in the mail path can become single points of failure, relaying spoofed emails directly to end users' inboxes.

580,000+ EchoSpoof Attacks Blocked for Abnormal Customers

Proofpoint’s architecture introduced a flaw that enabled an attack known as “EchoSpoofing”. When emails are relayed through Proofpoint (impacting all of their customers), email authentication checks (SPF, DKIM, and DMARC) are passed and the end user inherently trusts the emails delivered to their inbox. Let's look at an example attack that bypassed Proofpoint and was stopped by Abnormal.

Disney Spoof

How did it get by Proofpoint?

  • SEGs like Proofpoint rely upon mail relays, a misconfiguration passed all required email authentication (SPF, DKIM, and DMARC).

  • The email leveraged a known brand with a sense of urgency to engage in social engineering to prompt the user to take action and click on the link.

  • Proofpoint heavily relies upon outdated methods (e.g., authentication and IOCs) to stop attacks.

What is Proofpoint’s recommendation?

  • Proofpoint advises its customers to conduct “health checks” at least quarterly to ensure appropriate configuration.

  • Dedicate additional employees to actively manage and tune their configuration on a regular basis.

  • Rely upon their TRAP product to perform post-remediation on all of the attacks they miss.

The better way to solve the problem?

  • Use a modern API architecture as provided by Abnormal that avoids these types of problems (and avoids being a point of failure in delivering email).

  • Abnormal’s AI uses thousands of signals to understand behavioral context, identifying brands like Disney through NLP and computer vision for deeper analysis.

  • Abnormal's AI goes beyond traditional indicators to keep pace with ever-shifting attack techniques (keep pace with the attackers while letting legitimate emails through)

Future-Proof Your Email Security

Don’t take our word for it. Because of our modern approach, it’s easy to see the actual attacks that are getting past Proofpoint with a 30-second integration to your cloud email provider.

Interested in learning more about Abnormal’s AI-powered solution? Schedule a demo today!

Schedule a Demo

Protect Against Evolving Email Threats

See how behavioral AI detects attacks that legacy defenses miss.