“This is a complicated problem for us”: Proofpoint points finger at user configurations for spam attacks earlier this year


Proofpoint has blamed poor user configurations for a spam attack linked to its platform in August, with a senior company figure suggesting responsibility lies with customers.

Speaking at a media roundtable for Proofpoint Protect London 2024, in response to a question from ITPro, Ryan Kalember, EVP of cybersecurity strategy at Proofpoint, noted that, within reason, any security product “can be configured in really bad ways”.

Referring specifically to the spam campaign earlier this year - which may have sent emails numbering in the millions - Kalember said that users had configured settings such that their systems would “trust anything” from Microsoft tenants.

At the time, the security firm said the “root cause” was a modifiable configuration feature on Proofpoint servers which allowed the relay of outbound messages from Microsoft 365 tenants without specifying which tenants to allow.

“This is a complicated problem for us because, in this shared responsibility model, we're not going to force our customers to change configurations around their trust of Microsoft,” Kalember said.

“So we have to nudge them progressively more aggressively over time to just say, ‘Hey, we would really love you to not be doing this, because this is being bounced off of you from Microsoft and going to other people,’” he added.

Though he felt Proofpoint was an “intermediary step,” he added that the firm felt “bad” about the issue and that it doesn’t “want this to happen.” At the same time, though, “we also can't totally overhaul our customers' configurations without consulting them and working with them.”

“We're actually having an interesting discussion internally on how aggressive we should be in telling people they have done something unwise with their product configurations,” he added.

He said the firm has considered making these configurations “very hard to do” in the manner of AWS and its treatment of S3 buckets. Kalember said that, where S3 buckets have been notoriously left open, Amazon now “makes it really hard” to do this.

“We're trying to adopt more of those principles when it comes to ways that our own products can be configured in a risky way,” Kalember said.

Spam sent via Proofpoint’s anti-phishing platform

Dubbed “EchoSpoofing” by a report from Guardio Labs, the original spam campaign involving Proofpoint saw fake emails appear in the inboxes of Proofpoint clients such as Disney and Coca-Cola.

The emails were authenticated with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) as a result of the campaign method, and Guardio estimated that as many as three million emails a day could have been sent by the threat actor.

The threat actor reportedly sent “quick bursts” of thousands of emails to Microsoft 365 which were then relayed to Proofpoint servers.

In response to the issue, Proofpoint stated at the time that it had streamlined its administrative surface so that customers could more effectively specify which emails should be relayed, adding that no customer data was lost or exposed.
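To make the configuration weakness described above concrete, the following is an added illustration written for this page; it is not Proofpoint's, Microsoft's or Guardio's code. It models a simplified outbound relay that receives mail from Microsoft 365 and assumes (hypothetically, for the example) that the originating tenant is visible to the relay through the X-OriginatorOrg header that Microsoft 365 stamps on outbound mail. It contrasts the “trust anything” setting with a tenant allowlist, and adds a sliding-window counter of the kind a defender would use to notice the “quick bursts” of thousands of messages from a single tenant. All messages and tenant names are constructed.

```python
"""Relay policy and burst detection for a Microsoft 365 -> relay hop.

Example code for this article, not vendor code. Assumes the relay can read the
originating tenant from the X-OriginatorOrg header (assumption). All sample
messages below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Set


@dataclass
class RelayPolicy:
    # None models the risky setting: relay anything that arrives from Microsoft 365.
    # A set of tenant domains models the corrected setting: relay only those tenants.
    allowed_tenants: Optional[Set[str]] = None


@dataclass
class Message:
    sender: str          # header From, constructed
    originator_org: str  # value the relay reads from X-OriginatorOrg (assumption)
    received_at: float   # epoch seconds, constructed


def relay_decision(msg: Message, policy: RelayPolicy) -> str:
    """Return "relay" or "reject" for one message under the given policy."""
    if policy.allowed_tenants is None:
        # Permissive: any tenant that reaches us is relayed and leaves with our
        # SPF/DKIM-aligned infrastructure behind it. This is the weakness.
        return "relay"
    if msg.originator_org in policy.allowed_tenants:
        return "relay"
    return "reject"


class BurstDetector:
    """Sliding-window count of messages per originating tenant."""

    def __init__(self, window_seconds: float, threshold: int) -> None:
        self.window = window_seconds
        self.threshold = threshold
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, msg: Message) -> bool:
        """Record the message; return True when the tenant exceeds the threshold."""
        q = self._events[msg.originator_org]
        q.append(msg.received_at)
        while q and msg.received_at - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


# Constructed tenants: the customer's own tenant and an unrelated one.
CUSTOMER_TENANT = "customer.onmicrosoft.com"
OTHER_TENANT = "unrelated-tenant.onmicrosoft.com"

PERMISSIVE_POLICY = RelayPolicy(allowed_tenants=None)
RESTRICTED_POLICY = RelayPolicy(allowed_tenants={CUSTOMER_TENANT})


def build_sample() -> list:
    """Three normal messages, then a burst of 50 from the unrelated tenant."""
    legit = [Message("billing@customer.example", CUSTOMER_TENANT, float(t)) for t in range(3)]
    burst = [Message("billing@customer.example", OTHER_TENANT, 5.0 + i * 0.01) for i in range(50)]
    return legit + burst


def run(policy: RelayPolicy) -> Dict[str, int]:
    """Apply the policy to the sample and count outcomes and burst alerts."""
    detector = BurstDetector(window_seconds=10.0, threshold=20)
    result = {"relayed": 0, "rejected": 0, "burst_alerts": 0}
    for msg in build_sample():
        if detector.observe(msg):
            result["burst_alerts"] += 1
        if relay_decision(msg, policy) == "relay":
            result["relayed"] += 1
        else:
            result["rejected"] += 1
    return result


if __name__ == "__main__":
    print("permissive:", run(PERMISSIVE_POLICY))
    print("restricted:", run(RESTRICTED_POLICY))
```

Under the permissive policy every one of the 53 constructed messages is relayed, including the 50 from a tenant the customer has no relationship with; the allowlisted policy relays only the customer's three and rejects the rest. The burst counter fires on the same traffic in both runs, which is the point: tenant scoping is the fix, and rate monitoring is how an operator notices that the scoping was missing.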

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.
