Mystified as to how this was possible, Guardio noticed that the phishing emails all originated on an SMTP virtual server routed via Office365 Online Exchange before entering a domain-specific relay server operated by Proofpoint.
Importantly, that final Proofpoint server was where the DKIM and SPF authenticity would be passed as legitimate, essentially allowing it to route emails on behalf of its customers.
“EchoSpoofing”
The bypass turned out to have two parts to it. The first was to beat the SPF IP-to-domain check, which was achieved by sending their spoofed emails from an SMTP server in their control through an Office365 account. This stops spoofing when email originates on those accounts but not, crucially, when relaying emails from external SMTP servers.
