Forum Discussion
Phishing email sent on behalf of one of our own distribution groups?
Hi, notice it says send messages TO this group (not from), so you have allowed anyone to send email to this group. That means I can use an SMTP tool to send an unauthenticated email to the group 'from any address I like', seeing as you have allowed it. If you know the sending IP (or range of IPs) of the monitoring system, the best option would be a Mail Flow rule using the following settings:
- when message is sent to: distributiongroup@yourplace.com
- drop the message without delivering
- except when it comes from these IPs: IP or range of IP of valid sending servers.
You could also do 'except when from this address', but on its own that could still be exploited.
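The rule described in the answer above, expressed in Exchange Online PowerShell as an added example (not code from the poster or from Microsoft's documentation). The group address, the sender address and the IP range are placeholders you would replace with your own values.

```powershell
# Added example: Exchange Online mail flow (transport) rule that drops mail sent to a
# distribution group unless it comes from the monitoring system's source IP range.
# Requires the ExchangeOnlineManagement module. All addresses/IPs below are placeholders.
Connect-ExchangeOnline

# Weak variant from the thread: excepting on the sender ADDRESS alone. The From address on
# unauthenticated SMTP is chosen by whoever connects, so this exception does not hold up.
# New-TransportRule -Name "Drop unauthorised mail to DG (weak)" `
#     -SentTo "distributiongroup@yourplace.com" `
#     -ExceptIfFrom "monitor@yourplace.com" `
#     -DeleteMessage $true

# Recommended variant: except only on the connecting IP range, which cannot be set by the
# sender. Start in Audit mode so matches are logged but nothing is dropped yet.
New-TransportRule -Name "Drop unauthorised mail to distribution group" `
    -SentTo "distributiongroup@yourplace.com" `
    -ExceptIfSenderIpRanges "203.0.113.10/32" `
    -DeleteMessage $true `
    -Mode Audit `
    -Comments "Only the monitoring system (matched by source IP) may mail this group"

# Confirm the rule and its predicates before enforcing.
Get-TransportRule -Identity "Drop unauthorised mail to distribution group" |
    Format-List Name, State, Mode, SentTo, ExceptIfSenderIpRanges, DeleteMessage

# After the audit period shows only unwanted mail being matched, switch to enforcement.
Set-TransportRule -Identity "Drop unauthorised mail to distribution group" -Mode Enforce
```

Note that Audit mode lets you check the rule against real traffic (via message trace or the rule report) before any legitimate monitoring alerts could be lost.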
That's a good suggestion, thank you.
However, do you have any idea what may have caused the message to appear as "on behalf of" when it was received by the members of the distribution group? This is what is confusing me the most.
- MikeNielsen, Sep 01, 2023, Copper Contributor
I received one of these yesterday. It does detect that it is an unverified sender and sent it to spam though.
- jga22, Sep 15, 2023, Copper Contributor
MikeNielsen JC1231530 I received one of these yesterday. Went to our junk but I can't understand how they used our distribution group as the Sender. The distribution group does not have a login and isn't a licensed account. We can't even send from the address if we wanted to.
- SimBur2365, Sep 16, 2021, Brass Contributor
A message truly sent on behalf would be considered authenticated and internal. Anything can be put in the From field. Are you able to post the header (remove any of your IPs)? Have you confirmed it came from external, not an internal machine? If the address list has been extracted at some point, an attacker could know to add the on behalf to the from address. Cheers.