Forum Discussion

a b
Copper Contributor
Sep 18, 2018

Spoofed email being given SCL -1 due to user's safe senders list

I have an issue where users are getting emails with a spoofed email address in the header part of the email, e.g.:

envelope from: <bad@bad.com>
from: Good Guy <goodguy@goodco.com> <bad@bad.com>

The email passes SPF checks and skips quarantine because the recipient has goodguy@goodco.com added to their safe senders list in Outlook.

Shouldn't 365 be checking the safe senders list for the bad@bad.com address, not the spoofed one?!

The only thing I think I can do to block these at the moment is clear all users' safe senders lists in PowerShell, but I'm not sure that is a good solution.

 

Any suggestions?

Thanks

    Personal
    Copper Contributor

    a b 

    I confirm this too.

    An attacker used a compromised domain to send out email to one of our internal users with the "From" as her manager.

    E.g. Susie@contoso.com received an email 'From' mary@contoso.com, but the email was sent from outside the organization. But since Susie had Mary's name in her safe senders list, the spam filter did no checks and just allowed the email through.

    This attack was even supported by the fact that the compromised domain was using a 3rd-party provider for mass emails (like Mailgun) and so were we. Owing to this we both had Mailgun IPs in our SPF records, so in fact the SPF did pass due to this.

    Microsoft support confirmed that the safe senders list supersedes any domain or spam filtering.

    Only an SPF hard fail would've helped here according to MS Support.

    As a mitigation technique, we now have a banner for all emails coming from outside the organisation and also a mail flow rule that if there are emails coming from outside that are using any of our verified domains, then send to administrator for approval.

    Clearing everyone's safe senders list would only be a temp solution. I want Microsoft to give us an option for users to not be allowed to add users from internal domains into the safe senders list.

     

    Vikas

    ProAA
    Copper Contributor

    Does anyone have a better solution for this?

    Just had a user add the CEO to her Safe Senders, and get a Phishing email in her inbox, even with ATP flagging it.

    Adam Ochs
    Steel Contributor

    Hey a b,

    It is surprising to me that the email would be able to pass an SPF check, as you say it is. SPF should be looking for the sending server. I would guess this is being sent from somewhere like Microsoft?

    1. I would report the behavior and bypass to Microsoft, especially if they are the sending server.

    2. I would be interested to see more details from the actual header. I have never had issues with the email being spoofed and that address getting through because of filters. Normally the actual filtering is done on the internal headers of the email, and it is good about catching stuff like spoofing as a result. As you said, yes, O365 should be checking for the actual sender, not a spoofed address, and in my experience that is what I have had happen.

    Can you perhaps share a bit more information about the header (obviously taking into account removing any personal information)? Without that it is hard to speculate what could be going on.


    Adam

      a b
      Copper Contributor

      Hi Adam,

      Thanks for the reply.

      No, they're not being sent from Microsoft. A header section from an example one is below:


      Authentication-Results: spf=pass (sender IP is 162.241.190.238)
      smtp.mailfrom=calzadoroy.com; mydomain.co.uk; dkim=pass (signature was
      verified) header.d=calzadoroy.com; mydomain.co.uk; dmarc=none action=none
      header.from=goodguys.co.uk;

      Received-SPF: Pass (protection.outlook.com: domain of calzadoroy.com
      designates 162.241.190.238 as permitted sender)


      Received: from [201.141.93.6] (port=33313 helo=10.12.1.108)
      by cal.calzadoroy.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
      (Exim 4.91)
      (envelope-from <irene.alonso@calzadoroy.com>)
      id 1g284j-0005If-DK
      for myuser@mydomain.co.uk; Mon, 17 Sep 2018 22:37:25 -0600
      Date: Mon, 17 Sep 2018 23:37:13 -0600
      From: Good Guy <goodguy@goodguys.co.uk> <irene.alonso@calzadoroy.com>

      --------------------------------------------------------------------------

      So in this example, calzadoroy.com is a domain we have never heard of and don't do business with.

      The IP address 201.141.93.6 is from Uruguay, which is one of the countries listed in our spam filter to filter emails from.

      goodguy@goodguys.co.uk is someone we do business with and this email address is listed in the recipient's safe senders list, so this is targeted spam.

      And Irene Alonso's name and email don't appear anywhere on the email the end user receives in Outlook 2016.

      For the emails we receive like this where the recipient doesn't have the spoofed email address in their safe senders list, the email will be correctly quarantined; however, we're receiving a lot of ones where they have been added.

      Thanks,

      Rich

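Added example, not code from the thread or from Microsoft: a small Python check for the pattern Rich's header shows (a From line carrying two addresses, an SPF pass on a domain that is not the visible From domain, and a safe-senders entry matching only the unauthenticated address). The sample headers, safe-senders set and finding texts are constructed for the demonstration; it only reads headers and is meant to be run over a mailbox export or a transport-rule log, not as a mail flow rule itself.

```python
"""Flag the signals in the headers quoted above: a From header carrying a
second address in the display-name slot, a From domain not aligned with the
SPF-checked MAIL FROM domain, and a safe-senders hit on the unauthenticated
address. Detection only: it reads headers and sends nothing."""
import re

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")

# Constructed sample modelled on the header quoted in the thread above.
SAMPLE_HEADERS = {
    "From": "Good Guy <goodguy@goodguys.co.uk> <irene.alonso@calzadoroy.com>",
    "Authentication-Results": (
        "spf=pass (sender IP is 162.241.190.238) smtp.mailfrom=calzadoroy.com; "
        "mydomain.co.uk; dkim=pass (signature was verified) header.d=calzadoroy.com; "
        "mydomain.co.uk; dmarc=none action=none header.from=goodguys.co.uk;"
    ),
}
SAMPLE_SAFE_SENDERS = {"goodguy@goodguys.co.uk"}  # constructed recipient list

def from_addresses(from_header):
    """Every address-looking token in From; one RFC 5322 mailbox has exactly one."""
    return [a.lower() for a in ADDR_RE.findall(from_header)]

def auth_results(header):
    """Map spf/dkim/dmarc verdicts and the domains each was evaluated on."""
    return {k: v.lower() for k, v in AUTH_RE.findall(header)}

def aligned(a, b):
    """Relaxed DMARC-style alignment: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def assess(headers, safe_senders):
    """Return a list of findings for one message; an empty list means nothing odd."""
    findings = []
    addrs = from_addresses(headers.get("From", ""))
    if len(addrs) > 1:
        findings.append(f"multiple addresses in From: {addrs}")
    ar = auth_results(headers.get("Authentication-Results", ""))
    hf, mf = ar.get("header.from"), ar.get("smtp.mailfrom")
    if hf and mf and not aligned(hf, mf):
        findings.append(f"spf={ar.get('spf')} covers {mf}, visible From is {hf}")
    # A safe-senders hit deserves trust only when it sits on an aligned domain.
    for a in addrs:
        if a in safe_senders and mf and not aligned(a.rsplit("@", 1)[1], mf):
            findings.append(f"safe-senders match on unauthenticated address {a}")
    return findings
```

Calling assess(SAMPLE_HEADERS, SAMPLE_SAFE_SENDERS) yields all three findings for the constructed sample, and an empty list for a message whose From, MAIL FROM and safe-senders entry all sit on one domain.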

        Adam Ochs
        Steel Contributor

        Thanks for the details, that helps to paint a more complete picture.

        So it looks like the IP that is being sent to you is 162.241.190.238, which is calzadoroy.com (which appears to be in Utah in the US: https://whatismyipaddress.com/ip/162.241.190.238).

        calzadoroy.com received the message from 201.141.93.6 (Uruguay, as you have said).

        So to me, calzadoroy is likely having issues: the Uruguay IP is sending mail to them, which is then being sent on to you. I would want to see the full hops (not just one of them) to confirm this, but that is what I can tell from what you have provided.

        It looks as if an account is set up with the user you know, with the intention of spamming out, but the SPF pass has nothing to do with that account. I would perhaps in this case get the IP associated with the domain you know, and whitelist the IP rather than the user; that would stop this problem as it is not coming from the mail system of the company you work with, just a user. Also blacklisting 162.241.190.238 if you do no business with them should help too.

        By just having goodguy@goodguys.co.uk whitelisted and not the sending IP, if that is the sending account (which it looks like someone set up a mail server to do), then you are not catching the spoof.

        Hope this helps!

        Adam
