Attackers Exploit Proofpoint to Target Customers with Brand Impersonation Attacks

Proofpoint’s architecture introduced a flaw that enabled an attack known as “EchoSpoofing”. When emails are relayed through Proofpoint (impacting all of their customers), email authentication checks (SPF, DKIM, and DMARC) are passed and the end user inherently trusts the emails delivered to their inbox. Let's look at an example attack that bypassed Proofpoint and was stopped by Abnormal.

How did it get by Proofpoint?

• SEGs like Proofpoint rely upon mail relays, a misconfiguration passed all required email authentication (SPF, DKIM, and DMARC).

• The email leveraged a known brand with a sense of urgency to engage in social engineering to prompt the user to take action and click on the link.

• Proofpoint heavily relies upon outdated methods (e.g., authentication and IOCs) to stop attacks.

What is Proofpoint’s recommendation?

• Proofpoint advises its customers to conduct “health checks” at least quarterly to ensure appropriate configuration.

• Dedicate additional employees to actively manage and tune their configuration on a regular basis.

• Rely upon their TRAP product to perform post-remediation on all of the attacks they miss.

The better way to solve the problem?

• Use a modern API architecture as provided by Abnormal that avoids these types of problems (and avoids being a point of failure in delivering email).

• Abnormal’s AI uses thousands of signals to understand behavioral context, identifying brands like Disney through NLP and computer vision for deeper analysis.

• Abnormal's AI goes beyond traditional indicators to keep pace with ever-shifting attack techniques (keep pace with the attackers while letting legitimate emails through)

Don’t take our word for it. Because of our modern approach, it’s easy to see the actual attacks that are getting past Proofpoint with a 30-second integration to your cloud email provider.

Interested in learning more about Abnormal’s AI-powered solution? Schedule a demo today!