Phishing email sent on behalf of one of our own distribution groups?
Good morning,
We have a distribution group set up for receiving messages from a monitoring service. Due to this service being outside of our organisation, the DL is currently set to allow senders from inside and outside of the organisation:
This distribution group is configured to:
- Allow all senders outside and inside the organisation
- There are no 'send on behalf' or 'send as' permissions set on the DL
Please could you shed some light on how this external phishing attempt was able to "Send on behalf of" a distribution list that doesn't have any send on behalf permissions set?
Thank you in advance.
J
6 Replies
- SimBur2365 Copper Contributor
Hi, notice it says send messages TO this group (not from), so you have allowed anyone to send email to this group - so I can use an SMTP tool to send an unauthenticated email to the group 'from any address I like' seeing as you have allowed it. If you know the sending IP (or range of IPs) of the monitoring system, the best option would be a Mail Flow rule using the following settings:
- when message is sent to: distributiongroup@yourplace.com
- drop the message without delivering
- except when it comes from these IPs: IP or range of IP of valid sending servers.
You could also do 'except when from this address', but on its own that could still be exploited.
- JC1231530 Copper Contributor
Thank you for your response SimBur.
That's a good suggestion, thank you.
However, do you have any idea what may have caused the message to appear as "on behalf of" when it was received by the members of the distribution group? This is what is confusing me the most.
- MikeNielsen Copper Contributor
I received one of these yesterday. It does detect that it is an unverified sender and sent it to spam though.
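The mail flow rule suggested in the first reply, modelled as an added example (not code from any poster, and not Exchange configuration): it evaluates constructed messages against the IP-based exception and against an exception keyed only on the From address. The IP range, sender address and sample messages are assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# All values below are constructed for illustration (documentation IP ranges,
# placeholder addresses); none of them come from the thread's environment.
GROUP = "distributiongroup@yourplace.com"
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # assumed monitoring service range
ALLOWED_FROM = {"alerts@monitoring.example"}             # assumed monitoring sender address

@dataclass
class Message:
    connecting_ip: str   # IP of the server that handed the message to the mail edge
    header_from: str     # From: header, chosen freely by whoever sends the message
    recipients: tuple

def sent_to_group(msg):
    return GROUP in (r.lower() for r in msg.recipients)

def ip_allowed(msg):
    ip = ipaddress.ip_address(msg.connecting_ip)
    return any(ip in net for net in ALLOWED_NETS)

def rule_by_ip(msg):
    """Drop mail to the group unless the connecting IP is in the allowed range."""
    if not sent_to_group(msg):
        return "deliver"  # rule does not apply to other recipients
    return "deliver" if ip_allowed(msg) else "drop"

def rule_by_address(msg):
    """Weaker variant: the exception is keyed only on the From: address."""
    if not sent_to_group(msg):
        return "deliver"
    return "deliver" if msg.header_from.lower() in ALLOWED_FROM else "drop"

SAMPLES = {
    "genuine alert": Message("203.0.113.5", "alerts@monitoring.example", (GROUP,)),
    "spoofed From, unknown IP": Message("198.51.100.77", "alerts@monitoring.example", (GROUP,)),
    "random sender, unknown IP": Message("198.51.100.77", "someone@elsewhere.example", (GROUP,)),
    "mail to another recipient": Message("198.51.100.77", "someone@elsewhere.example", ("user@yourplace.com",)),
}

def evaluate():
    # Returns {sample name: (verdict of IP rule, verdict of address-only rule)}
    return {name: (rule_by_ip(m), rule_by_address(m)) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, (by_ip, by_addr) in evaluate().items():
        print(f"{name:28} ip-rule={by_ip:8} address-rule={by_addr}")
```

The second sample is the case the reply warns about: the address-only exception delivers it because the From header matches, while the IP-based exception drops it.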