a b
Sep 18, 2018 · Copper Contributor
Spoofed email being given SCL -1 due to user's safe senders list
I have an issue where users are getting email where there is a spoofed email address in the header part of an email, e.g.: envelope from: <bad@bad.com> from: Good Guy <goodguy@goodco.com> <bad@b...
Personal
Feb 07, 2020 · Copper Contributor
I confirm this too.
An attacker used a compromised domain to send out email to one of our internal users with the "From" as her manager.
E.g. Susie@contoso.com received email 'From' mary@contoso.com but the email was sent from outside the organization. But since Susie had Mary's name in her safe senders list, the spam filter did no checks and just allowed the email through.
This attack was even supported by the fact that the compromised domain was using a 3rd party provider for mass emails (like Mailgun) and so were we. Owing to this we both had Mailgun IPs in our SPF records, so in fact the SPF did pass due to this.
Microsoft support confirmed that the safe senders list supersedes any domain or spam filtering.
Only an SPF hard fail would've helped here according to MS Support.
As a mitigation technique, we now have a banner for all emails coming from outside the organisation and also a mail flow rule that if there are emails coming from outside that are using any of our verified domains, then send to administrator for approval.
Clearing everyone's safe senders list would only be a temp solution. I want Microsoft to give us an option for users to not be allowed to add users from an internal domain into the safe senders list.
Vikas
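
The check below is an added example, not code from either poster or from Microsoft: it flags exported messages that match the pattern described in this thread, where the header From uses an internal domain, the envelope sender is external, and filtering was skipped by a safe senders entry (SFV:SFE with SCL -1 in `X-Forefront-Antispam-Report`). It assumes the messages still carry the `Return-Path`, `X-MS-Exchange-Organization-AuthAs` and `X-Forefront-Antispam-Report` headers; `INTERNAL_DOMAINS`, the helper names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the organisation's verified domains

def domain(addr):
    """Lower-cased domain part of an address header such as 'Mary <mary@contoso.com>'."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def antispam_fields(msg):
    """Parse the 'KEY:value;KEY:value' pairs of X-Forefront-Antispam-Report."""
    fields = {}
    for part in msg.get("X-Forefront-Antispam-Report", "").split(";"):
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.upper()] = value.strip()
    return fields

def safe_sender_spoof(raw):
    """True when an external message with an internal header From bypassed
    filtering because of a safe senders entry (SFV:SFE, SCL:-1)."""
    msg = message_from_string(raw)
    fields = antispam_fields(msg)
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower()
    return (domain(msg.get("From")) in INTERNAL_DOMAINS
            and domain(msg.get("Return-Path")) not in INTERNAL_DOMAINS
            and auth_as != "internal"
            and fields.get("SFV") == "SFE"
            and fields.get("SCL") == "-1")

def sample(return_path, auth_as, report):
    """Build a constructed test message; only the varying headers are parameters."""
    return (f"Return-Path: <{return_path}>\n"
            "From: Mary <mary@contoso.com>\n"
            "To: susie@contoso.com\n"
            "Subject: constructed sample\n"
            f"X-MS-Exchange-Organization-AuthAs: {auth_as}\n"
            f"X-Forefront-Antispam-Report: {report}\n\nbody\n")

# Constructed samples: the spoof from the thread, a genuine internal mail,
# and the same spoof when the filter scored it instead of skipping it.
SPOOFED = sample("bad@bad.com", "Anonymous", "CIP:192.0.2.10;CTRY:;SFV:SFE;SCL:-1;")
GENUINE = sample("mary@contoso.com", "Internal", "CIP:255.255.255.255;SFV:SKI;SCL:-1;")
FILTERED = sample("bad@bad.com", "Anonymous", "CIP:192.0.2.10;SFV:SPM;SCL:5;")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine", GENUINE), ("filtered", FILTERED)]:
        print(name, safe_sender_spoof(raw))
```
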