Proofpoint has blamed poor customer configurations for a spam attack linked to its platform in August, with a senior company official suggesting that the responsibility lies with customers.
Speaking at a media roundtable at Proofpoint Protect London 2024, Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said in response to a question from ITPro that, within reason, any security product “can be configured in really bad ways”.
Referring specifically to the spam campaign earlier this year, which may have involved millions of emails, Kalember said customers had configured their settings so that their systems would “trust anything” from Microsoft tenants.
At the time, the company said the “root cause” was a modifiable configuration feature on Proofpoint servers that allowed outbound messages from Microsoft 365 tenants to be relayed without specifying which tenants should be allowed to do so.
“This is a complicated problem for us because, in this shared responsibility model, we are not going to force our customers to change configurations based on their trust in Microsoft,” Kalember said.
“So we have to push them progressively more aggressively over time to just say, 'Hey, we'd really love it if you didn't do this, because Microsoft is bouncing it around and going to other people,'” he added.
Although he considered Proofpoint to be an “intermediate step,” he added that the company felt “bad” about the issue and did not “want this to happen.” At the same time, however, he said, “we also cannot fully review our customers' configurations without consulting and working with them.”
“We're actually having an interesting discussion internally about how aggressive we should be in telling people that they've done something reckless with their product configurations,” he added.
He said the company has considered making such setups “very difficult to do,” following the example of AWS and its handling of S3 buckets. Where S3 buckets had been noticeably left open, Kalember said, Amazon now “makes it very difficult” to do so.
“We're trying to embrace more of those principles when it comes to ways our own products can be configured in risky ways,” Kalember said.
Spam sent through Proofpoint's anti-phishing platform
Nicknamed “EchoSpoofing” in a report from Guardio Labs, the original spam campaign involving Proofpoint saw spoofed emails, appearing to come from Proofpoint clients such as Disney and Coca-Cola, land in recipients' inboxes.
Because of the relay route used, the emails passed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks, and Guardio estimated that the threat actor could have sent up to three million emails a day.
The threat actor reportedly sent “rapid bursts” of thousands of emails through Microsoft 365, from where they were relayed to Proofpoint's servers.
In response to the issue, Proofpoint stated at the time that it had simplified its administrative interface so that customers could more easily specify which emails should be relayed, adding that no customer data was lost or exposed.
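To make the misconfiguration concrete, the following is an added example, written for this page and not Proofpoint's code or configuration syntax. It models the decision an outbound relay makes when a message arrives on its Microsoft 365 connector: the permissive policy relays (and would DKIM-sign) anything whose From: domain belongs to the customer, which is the “trust anything from Microsoft tenants” setting described above; the tenant-allowlist policy additionally requires the sending tenant to be one the customer has explicitly allowed for that domain. The sample messages, the customer configuration, and the use of the X-OriginatorOrg header (which Exchange Online adds to outbound mail) as the tenant identity are all assumptions for illustration; the article does not say which header or field Proofpoint's own check keys on.

```python
"""Relay-policy check modelled on the EchoSpoofing misconfiguration.

Added example, not Proofpoint's code. Assumptions (not from the article):
- The relay can read the sending tenant from the X-OriginatorOrg header
  that Exchange Online adds to outbound mail.
- The customer's protected domains and allowed tenants live in a dict.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. Both arrive on the relay's Microsoft 365
# connector; the only difference is which tenant actually sent them.
SPOOFED = """X-OriginatorOrg: attacker-tenant.onmicrosoft.com
From: Brand Alerts <alerts@example-brand.com>
To: victim@example.net
Subject: Your account needs attention

Please confirm your details.
"""

LEGITIMATE = """X-OriginatorOrg: example-brand.com
From: Brand Alerts <alerts@example-brand.com>
To: customer@example.net
Subject: Monthly statement

Your statement is attached.
"""

# Hypothetical customer configuration: the domains this relay signs for,
# and for each domain the Microsoft 365 tenant(s) allowed to originate mail.
PROTECTED_DOMAINS = {"example-brand.com"}
ALLOWED_TENANTS = {"example-brand.com": {"example-brand.com"}}


def sender_domain(raw: str) -> str:
    """Domain part of the From: header, lower-cased."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def originating_tenant(raw: str) -> str:
    """Tenant identity as reported by the X-OriginatorOrg header (assumed)."""
    return message_from_string(raw).get("X-OriginatorOrg", "").strip().lower()


def permissive_policy(raw: str) -> tuple[bool, str]:
    """Before: 'trust anything from Microsoft'. Any message reaching the
    Microsoft 365 connector with a protected From: domain is relayed and
    signed, regardless of which tenant sent it."""
    domain = sender_domain(raw)
    if domain in PROTECTED_DOMAINS:
        return True, f"relay: {domain} is a protected domain (tenant not checked)"
    return False, f"reject: {domain} is not a protected domain"


def tenant_allowlist_policy(raw: str) -> tuple[bool, str]:
    """After: relay and sign only when the sending tenant is explicitly
    allowed to originate mail for that From: domain."""
    domain = sender_domain(raw)
    if domain not in PROTECTED_DOMAINS:
        return False, f"reject: {domain} is not a protected domain"
    tenant = originating_tenant(raw)
    if tenant in ALLOWED_TENANTS.get(domain, set()):
        return True, f"relay: tenant {tenant} is allowed for {domain}"
    return False, f"reject: tenant {tenant!r} is not allowed for {domain}"


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        for name, policy in (("permissive", permissive_policy),
                             ("tenant allowlist", tenant_allowlist_policy)):
            ok, why = policy(raw)
            print(f"{label:10} / {name:16} -> {'RELAY ' if ok else 'REJECT'} ({why})")
```

Under the permissive policy the spoofed message is relayed, which is exactly why it would then carry valid SPF and DKIM for the impersonated domain; under the allowlist policy it is rejected while the customer's own tenant is unaffected. The tenant header is only meaningful for mail that genuinely arrived from Microsoft's infrastructure, so the connector's source restriction still matters; the tenant check is a second condition on top of it, not a replacement for it.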