Forum Discussion

Grace Yin's avatar
Grace Yin
Iron Contributor
Jan 24, 2018

How to stop internal spam mail?

Hi,   In the past two days, we kept receiving spam mail from our internal (same domain) user account, but they were from different users and sent to different distribute groups in our company. W...
office 365
Loryan Strant's avatar
Loryan Strant
MVP
Jan 24, 2018
If they are hacked, changing their password won't help as it's probably too late and something is infected.
I would suggest taking the persons computer offline while you fix it (generally a format & re-install is the best way to deal with a virus).
The other thing you can do is create an Exchange Transport Rule that prevents that particular user from sending an email to anyone inside or outside the organisation if it has particular words like those found in the email.
  • Grace Yin's avatar
    Grace Yin
    Iron Contributor
    Jan 24, 2018

    Hi Loryan,

     

    Thank you for your reply. It seems it is a phishing email. It lures user to click a link in the email and lead user to put email user name and password on the bad site.

     

    I noticed if the email from the external mailbox, the mail will be blocked in Junk Mail folder, but if the spam mail from internal mailbox, it won't be filtered. How to address the internal user send spam mail issue? Does people filter the internal exchanged emails?

     

    Thanks,

     

    • Loryan Strant's avatar
      Loryan Strant
      MVP
      Jan 24, 2018
      You have a breached device - take it off the network and wipe it.
      To restrict emails internally you can use Exchange Transport Rules as I mentioned in my previous response.
      • Anonymous's avatar
        Anonymous
        Jan 24, 2018

        We had a scenario recently that a persons 365 account password was hacked. The hacker logged remotely onto their Outlook and were sending emails to all this persons contacts. Phishing for others to enter their details. 

         

        They even responded when asked is this email legit ... 

         

        We checked/wiped the persons machine/Took it off the network, still emails were coming. But wasn't until we changed their password and made it more complex did it stop. 

         

        Then someone else had the same issue ... changed password, it stopped. Force a change of password for everyone on the Domain.

         

        Have had the machine review via Security Company ... nothing was discovered. So wasn't the machine.

         

        AD Azure logs indicated it was a person logging in from small town in USA. 

         

        We were really lucky it wasn't worse.

         

        PS. They also added a rule into the users Outlook to send to delete all new incoming emails. Only found that as a result of searching the AD Azure logs.