Overview

On April 14, 2025, at 15:54 UTC, a report surfaced that users were receiving spam originating from the sophos.com domain. Within the hour our Sophos Internal Detection and Response team was made aware and began investigating the report.

Our investigation found that trial accounts were being used to exploit a logic flaw in how Sophos Email validates whether senders are authorized to relay through our cloud email service.

Our team took immediate action, including blocking the accounts and IPs involved in the abuse, while investigating how the attackers were able to bypass that validation policy.

The investigation determined that the logic used to constrain a customer account to sending mail only from domains it controls was not strict enough. Permanent fixes were implemented to prevent this abuse in the future. Additionally, restrictions were imposed on trial accounts to prevent unverified accounts from probing for further flaws.

Impact

The attackers were able to send approximately 1.9 million non-malicious spam messages through Sophos gateways. The abuse primarily used the outbound email addresses info [AT] sophos [DOT] com and news [AT] sophos [DOT] com, but did include 30 messages impersonating the domains of 12 Sophos Email customers. All impacted customers have been notified by Sophos Support.

Timeline

Time                      Event
April 2, 2025             First trial account created by the threat actors (TA) to work out how to bypass the outbound filtering policy intended to prevent domain impersonation.
April 13, 2025 18:00 UTC  TA begins sending large quantities of email outbound through Sophos Email gateways.
April 14, 2025 15:54 UTC  Initial post to Reddit by /u/jegraves puzzling over spam originating from info [AT] sophos [DOT] com.
April 14, 2025 16:52 UTC  Sophos Internal Detection and Response team (IDR) is made aware of the Reddit post and triages the incident.
April 14, 2025 17:05 UTC  Sophos IDR begins investigation involving key stakeholders.
April 14, 2025 19:07 UTC  Sophos blocks the domain linked in the spam campaign.
April 15, 2025 06:00 UTC  Changes are pushed to production to prevent spoofing of sophos.com.
April 15, 2025 16:33 UTC  All IPs and email addresses related to the abuse are blocked in Sophos Email.
April 17, 2025 11:51 UTC  All trial accounts linked to the spam campaigns are deactivated.
April 19, 2025 04:59 UTC  Policy changed to prevent future trial accounts from sending outbound email unless managed by a partner or reseller.


Analysis

Because it relays mail on behalf of many customers, Sophos Email must carefully consider the origin of every message submitted for outbound relay in order to prevent abuse. When the service launched, the system would only relay mail if both the envelope sender (or, if the envelope sender was NULL, the From header) and the connecting IP address belonged to the customer associated with that domain. Forwarded messages such as calendar invites, whose From header names an external domain, could not meet this criterion and were rejected.

In 2019, a change was made to this logic to take into consideration the Sender header as well as envelope sender and From header. This would allow a user who receives an external calendar invite from example.org to then forward that to a friend at example.com, as long as the Sender header belonged to the customer, despite the From header being from a domain external to the customer.

This is the condition the criminals abused. A malicious sender could register a trial account and submit a message in which the envelope sender was NULL, the Sender header was an address in the trial account's domain, and the From header was an address actively managed by another Sophos Email customer, primarily sophos.com. Because the Sender header alone satisfied the ownership check, the From header was never compared against the domains the trial account actually controlled.

While the attackers first registered a trial account on April 2, 2025, they initially appear to have spent their time experimenting. They did not begin spamming in earnest until April 13, 2025 (see the timeline above), limiting the cumulative time of abuse to under two days.

Resolution

Immediate actions

Immediate actions were taken on April 14 and 15, 2025, to block the domains and IP addresses associated with the abusers and to disable 24 accounts associated with the spamming activity.

The primary logic changes to resolve this incident were implemented on April 16, 2025, and tighten the policy introduced in 2019. When the envelope sender is NULL and the From header names a domain managed by Sophos Email, that domain must now belong to the same customer as the Sender header domain; a Sender header can no longer vouch for a From header in another customer's domain. From headers in domains Sophos Email does not manage are still accepted on the strength of a customer-owned Sender header, which preserves the calendar-forwarding case while preventing customers from impersonating other Sophos Email-managed domains.
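To make the three generations of the relay check concrete, the following Python model is an added example written for this page; it is not Sophos code and does not claim to be how Sophos Email is implemented. The tenant table, the domain names trial-tenant.example and external-calendar.example, and the IP addresses are all constructed. policy_original models the launch-era rule, policy_2019 the relaxed rule that the trial accounts abused, and policy_2025 the tightened rule described above; the three constructed messages are a normal customer message, a forwarded external calendar invite, and the abuse pattern (NULL envelope sender, Sender in the trial domain, From in sophos.com).

```python
"""Toy model of three generations of an outbound-relay authorization check.

Constructed example for illustration only: the tenant table, addresses and
IP addresses below are made up and do not describe Sophos Email internals.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed tenant table (assumption): each customer owns some mail domains
# and some sending IP addresses. "trial-tenant" stands for the attacker's trial account.
CUSTOMERS: Dict[str, Dict[str, Set[str]]] = {
    "sophos":       {"domains": {"sophos.com"},           "ips": {"198.51.100.10"}},
    "example-corp": {"domains": {"example.com"},          "ips": {"203.0.113.5"}},
    "trial-tenant": {"domains": {"trial-tenant.example"}, "ips": {"192.0.2.77"}},
}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as 'Info@Sophos.com'."""
    return address.rsplit("@", 1)[-1].lower()


def owner_of_domain(domain: str) -> Optional[str]:
    """Customer that manages `domain`, or None if no tenant owns it."""
    for name, tenant in CUSTOMERS.items():
        if domain in tenant["domains"]:
            return name
    return None


def owner_of_ip(ip: str) -> Optional[str]:
    """Customer whose sending IP this is, or None for an unknown source."""
    for name, tenant in CUSTOMERS.items():
        if ip in tenant["ips"]:
            return name
    return None


@dataclass(frozen=True)
class OutboundMessage:
    source_ip: str
    envelope_from: Optional[str]         # None models the NULL reverse path, MAIL FROM:<>
    from_header: str                     # RFC 5322 From:
    sender_header: Optional[str] = None  # RFC 5322 Sender:, if present


def policy_original(msg: OutboundMessage) -> bool:
    """Launch-era rule: the envelope sender (or From: when the envelope is NULL)
    must belong to a customer, and the connecting IP must belong to that same
    customer. A forwarded external calendar invite fails this check."""
    owner = owner_of_domain(domain_of(msg.envelope_from or msg.from_header))
    return owner is not None and msg.source_ip in CUSTOMERS[owner]["ips"]


def policy_2019(msg: OutboundMessage) -> bool:
    """2019 relaxation: Sender: is also accepted as proof of ownership.
    The flaw: once Sender: vouches for the message, From: is never compared
    against the tenant table, so it may name another customer's domain."""
    tenant = owner_of_ip(msg.source_ip)
    if tenant is None:
        return False
    vouching = [msg.envelope_from or msg.from_header, msg.sender_header]
    return any(a is not None and owner_of_domain(domain_of(a)) == tenant for a in vouching)


def policy_2025(msg: OutboundMessage) -> bool:
    """Hardened rule: everything policy_2019 requires, plus: when the envelope
    sender is NULL and From: names a domain managed by any tenant, that tenant
    must be the one that owns the Sender: domain. An unmanaged From: domain
    (the calendar-forward case) is still accepted."""
    if not policy_2019(msg):
        return False
    if msg.envelope_from is None and msg.sender_header is not None:
        from_owner = owner_of_domain(domain_of(msg.from_header))
        sender_owner = owner_of_domain(domain_of(msg.sender_header))
        if from_owner is not None and from_owner != sender_owner:
            return False  # From: is another Sophos Email customer's domain
    return True


# Constructed test messages (not real traffic).
LEGIT = OutboundMessage("203.0.113.5", "alice@example.com", "alice@example.com")
CALENDAR_FORWARD = OutboundMessage("203.0.113.5", None,
                                   "organizer@external-calendar.example", "alice@example.com")
ABUSE = OutboundMessage("192.0.2.77", None, "info@sophos.com", "spam@trial-tenant.example")

POLICIES = {"original": policy_original, "2019": policy_2019, "2025": policy_2025}


def evaluate(msg: OutboundMessage) -> Dict[str, bool]:
    """Verdict of each policy generation for one message."""
    return {name: check(msg) for name, check in POLICIES.items()}


if __name__ == "__main__":
    for label, msg in [("legit", LEGIT), ("calendar forward", CALENDAR_FORWARD), ("abuse", ABUSE)]:
        print(f"{label:17}", evaluate(msg))
```

Running the block prints each policy's verdict for the three messages. The only message whose verdict changes between policy_2019 and policy_2025 is the abuse pattern; the calendar forward passes both, because its From domain is owned by no tenant and so is never compared against the Sender domain, which is exactly the behaviour the tightened rule is meant to keep.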

A third change was implemented on April 18, 2025, to mitigate future abuse by disallowing trial accounts from sending outbound emails. This applies to all trial accounts created going forward unless created by a Sophos partner.

Sophos would like to thank /u/jegraves for bringing this issue to our attention. We have granted them an award under our bug bounty program.

Longer term actions

Improve detection of suspicious activity originating from trial accounts in Sophos Email. Most malicious activity begins within a short time of account creation, which creates an opportunity to analyze early account behavior and take a more proactive approach to abuse mitigation.

Additional actions

Customers may wish to delete suspicious or spam emails originating from info [AT] sophos [DOT] com and news [AT] sophos [DOT] com arriving between April 13, 2025, and April 16, 2025.

If you have further questions or feel you require assistance related to this incident, please contact Sophos Support using any of the options below.

  • Submit a case: Log into the Support Portal and click Help -> Create Support Ticket
  • MDR customers: Please reach out via your MDR dashboard or directly to your assigned Sophos threat response contact.