Proofpoint discovered the campaign in March and immediately began implementing countermeasures including improved administrative interfaces to specify allowed Microsoft 365 tenants. Despite these efforts, the spammer adapted quickly by targeting different customers and accelerating their activities. Proofpoint emphasized that no customer data was exposed or lost and that they continuously worked with affected customers to rectify the misconfiguration and block the spam activity.

The EchoSpoofing campaign highlights the need for robust security practices and vigilant monitoring of third-party services. Proofpoint urged VPS providers to limit mass email capabilities and recommended email service providers restrict unverified tenants' ability to send bulk emails. Cybersecurity experts stressed the importance of maintaining control over cloud services and proactive threat anticipation by companies providing critical internet infrastructure. This incident underscores the significant responsibility held by these companies to protect the broader digital ecosystem.

Impact

• Security Bypass
• Sensitive Information Theft

Indicators of Compromise

Domain Name

• tonalimail.org
• amassou.org
• developmentsreaders.org
• towdirection.org
• fenugrek.info
• detawatch.com
• wheatrusks.town
• resultnosc.org
• vscali.org
• mirajcloud.org

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting only to allow approved software to run on systems, reducing the risk of executing unauthorized applications.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.