Forum Discussion

Grace Yin's avatar
Grace Yin
Iron Contributor
Jan 24, 2018

How to stop internal spam mail?

Hi,   In the past two days, we kept receiving spam mail from our internal (same domain) user account, but they were from different users and sent to different distribute groups in our company. W...
office 365
Grace Yin's avatar
Grace Yin
Iron Contributor
Jan 24, 2018

Hi Loryan,

 

Thank you for your reply. It seems it is a phishing email. It lures user to click a link in the email and lead user to put email user name and password on the bad site.

 

I noticed if the email from the external mailbox, the mail will be blocked in Junk Mail folder, but if the spam mail from internal mailbox, it won't be filtered. How to address the internal user send spam mail issue? Does people filter the internal exchanged emails?

 

Thanks,

 

Loryan Strant's avatar
Loryan Strant
MVP
Jan 24, 2018
You have a breached device - take it off the network and wipe it.
To restrict emails internally you can use Exchange Transport Rules as I mentioned in my previous response.
  • Anonymous's avatar
    Anonymous
    Jan 24, 2018

    We had a scenario recently that a persons 365 account password was hacked. The hacker logged remotely onto their Outlook and were sending emails to all this persons contacts. Phishing for others to enter their details. 

     

    They even responded when asked is this email legit ... 

     

    We checked/wiped the persons machine/Took it off the network, still emails were coming. But wasn't until we changed their password and made it more complex did it stop. 

     

    Then someone else had the same issue ... changed password, it stopped. Force a change of password for everyone on the Domain.

     

    Have had the machine review via Security Company ... nothing was discovered. So wasn't the machine.

     

    AD Azure logs indicated it was a person logging in from small town in USA. 

     

    We were really lucky it wasn't worse.

     

    PS. They also added a rule into the users Outlook to send to delete all new incoming emails. Only found that as a result of searching the AD Azure logs.

    • Tyler Miller's avatar
      Tyler Miller
      Brass Contributor
      Jan 26, 2018

      We had the same thing, I was chasing people and changing passwords until I said: "enough is enough!" I forced the entire company to change their passwords and encouraged people (forced IT and Execs) to enable Multi-Factor Authentication to stop the overseas hackers from getting into our email accounts.

    • Grace Yin's avatar
      Grace Yin
      Iron Contributor
      Jan 24, 2018

      Hi Stephen,

       

      We had exact the same case. It started with one user who used his home PC. His user name and password got hacked and the hacker sent email to all people in his contact. We reset his password and he seems not sending phishing email anymore. However the second user opened the email and entered user name password in the link, then phishing email was sent out from the second user again.

       

      We did the same thing. Had all users who opened the link to change password immediately. The situation seems being controlled right now. 

       

      I want to know how to prevent this from happening in the future. We did virus scan and found nothing on the second user's PC.  Since Office 365 can block the same phishing email from outside sender, I wonder if there is a way for inside sender?

       

      Thanks,

      • Anonymous's avatar
        Anonymous
        Jan 24, 2018

        We are reviewing with our vendor, at the moment they are suggesting to block non domain IP addresses or non-domain joined devices.

         

        Potentially another option is to use multi-factor authentication for anything external to the domain.