Puzzled as to how this could happen, Guardio noticed that the phishing emails all originated from a virtual SMTP server routed through Office365 Online Exchange before installing the domain-specific relay server used by Proofpoint.
Essentially, that final Proofpoint server is where the DKIM and SPF authentication will be passed as legitimate, essentially allowing it to route emails on behalf of its clients.
“EchoSpoofing”
The bypass had two parts to it. The first was to run an SPF IP-to-domain check, obtained by sending their spoofed emails from an SMTP server in their control Office365 account. This stops fraud when email originates from those accounts but not, in particular, when sending emails from external SMTP servers.
Source link