Purported Proofpoint Flaw: Is it a Microsoft Flaw?

The purported Proofpoint flaw, as reported on some cybersecurity news sites, is in my opinion a great overstatement and, at least in part, points the finger at the wrong party. First, what is being reported? Here’s a link to one of the stories: https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html

The headlines say that Proofpoint has been breached, allowing malicious actors to send phishing emails out of Microsoft 365 environments outbound through Proofpoint servers due to misconfiguration by Proofpoint.

The way Proofpoint allows outbound email to be sent from M365 out to the Internet is to allow emails to relay from all M365 email hosts. There wasn’t a single hostname, IP address or IP range you could specify for emails sent out from Exchange Online.

I know when I first started working with M365, I raised the question of how we could prevent malicious actors from sending email out of M365 posing as my company. I was told that this was part of cloud computing and what we pay Microsoft to prevent. We have done all we can to prevent emails from being sent outbound directly from M365 to the Internet, and I looked into validating that all emails sent from M365 through our Proofpoint environment were actually sent by our employees. In the end, there wasn’t much demand for this validation, so it dropped by the wayside. We relied on Microsoft to keep M365 secure.

A few months ago, Proofpoint made us aware that malicious actors were actively sending email out from M365 through Proofpoint servers and provided a way to prevent this. It was an easier configuration than the one I was looking at a few years back and we got it implemented. On top of this, we have Exchange Online configured to only allow email outbound from M365 to our Proofpoint host IPs and our email authentication records (SPF, DKIM and DMARC) are very tight. So malicious emails posing as our company are unlikely to be allowed by any organization that enforces DMARC.

What about other companies? If other companies follow Proofpoint’s recommendations in their Proofpoint environment, they should be good, but I wonder how many of them restrict the sending of outbound email from Exchange Online? What about companies that don’t use Proofpoint? They should be safe, right?

I don’t believe this is the case. The reason this “Proofpoint flaw” has been making the news is because a malicious actor could connect to any M365 environment and send emails using any sending domain outbound through Proofpoint servers. Because the Proofpoint servers would be in the spoofed domain’s email authentication records, they would pass DMARC. But what if the company being spoofed doesn’t use Proofpoint? What if their email authentication records specify M365 servers? This means the malicious actors can skip a step. They no longer have to send the emails outbound through the spoofed domain’s Proofpoint environment. They can just send them directly to their intended targets. M365 servers would be in the spoofed domain’s authentication records so they’ll be accepted by targeted recipient servers just as readily as those fraudulently sent through Proofpoint.
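To make the reasoning above concrete, here is an added example (not part of the original post) that evaluates SPF and DMARC alignment against two constructed domains: one that authorizes only its Proofpoint relay hosts and one that authorizes Exchange Online directly. All domain names and IP addresses are constructed stand-ins, not Microsoft’s or Proofpoint’s published ranges.

```python
import ipaddress

# Constructed SPF records for two hypothetical domains (not real DNS data).
# proofpoint-user.example authorizes only its Proofpoint relay hosts;
# direct-m365.example authorizes Exchange Online egress directly.
SPF = {
    "proofpoint-user.example": "v=spf1 include:_relay.proofpoint-user.example -all",
    "_relay.proofpoint-user.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    "direct-m365.example": "v=spf1 include:_m365.example -all",
    "_m365.example": "v=spf1 ip4:198.51.100.0/24 -all",  # stand-in for Microsoft's ranges
}

def spf_check(domain, ip, depth=0):
    """Simplified RFC 7208 evaluation: ip4, include and the 'all' mechanism only."""
    if depth > 10:                       # RFC 7208 lookup limit
        return "permerror"
    record = SPF.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                     # mechanisms not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def dmarc_spf_pass(header_from_domain, mail_from_domain, ip):
    """DMARC's SPF leg: SPF must pass AND MAIL FROM must align with the From: header.
    Strict alignment (exact match) is used for simplicity."""
    aligned = header_from_domain == mail_from_domain
    return aligned and spf_check(mail_from_domain, ip) == "pass"
```

The evaluator has no way to tell which M365 tenant a message left from: anything sent from an authorized Exchange Online address passes for the directly-authorized domain, whereas for the Proofpoint-only domain the relay hop is the single place a tenant check can be enforced.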

In short, yes, companies that use Proofpoint should secure their environments to ensure malicious actors can’t send emails outbound through their Proofpoint from M365. The problem is that anyone that sends directly out from Exchange Online does not have this extra SMTP hop available to prevent these emails from being sent. Proofpoint has addressed their portion of this problem. It’s time for Microsoft to step up and either secure their environment from having these emails sent or, if they believe it’s secure, please prove it to us.

–Matt
