Forum Discussion
vand3rlinden
Feb 11, 2024 (Brass Contributor)
self-to-self spoofing attack with honor DMARC policy turned on
Dear Community,
I have a concern. I am an absolute fan of the ‘Honor DMARC record policy when the message is detected as spoof’ setting in the Anti-phishing policy, especially setting the action ‘If the message is detected as spoof and DMARC Policy is set as p=reject’ to reject the message.
However, from the field I have seen that when a user is attacked by self-to-self spoofing, they will receive an NDR from Exchange Online with the original email attached in .eml format, which is expected but unwanted. This .eml file contains all the links that could be exploited by an attacker. I have reproduced the problem from my own mail server and my demo tenant with a DMARC-compliant domain on p=reject. Here is an example:
- The user received a Non-Delivery Report (NDR) from Exchange Online indicating that their message was rejected by DMARC because the sending domain has a DMARC policy set to reject.
- As you can see in the screenshot above, the original email is attached as an .eml, which may contain suspicious content and links to AitM phishing sites.
This is expected, but unwanted in self-to-self spoofing attacks. I found two solutions:
Solution 1: Set the detection ‘If the message is detected as spoof and DMARC Policy is set as p=reject’ to “Quarantine the message” instead of “Reject the message”. But that is not exactly what you want when you want to honor the DMARC policy, and the Configuration Analyzer also recommends setting it to “Reject the message”.
Solution 2: Create a mail flow rule with the following content:
I'm curious if there are other smarter solutions, or if Microsoft needs to investigate this issue within the Defender for Office 365 product team. What are your thoughts?
Have a nice Sunday! 🙂
Ricardo
2 Replies
- Joe Stocker (Bronze Contributor)
vand3rlinden the other method is to disable non-deliverable reports in Exchange Admin Center > Mail Flow > Remote Domains
https://admin.exchange.microsoft.com/#/remotedomains
- vand3rlinden (Brass Contributor)
Thanks, that should work. However, this will block all the NDRs. I have opened a support case regarding this issue. Will come back to this post if there is a solution.
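As an added example (not code from either poster), here is how the two settings discussed in this thread look in Exchange Online PowerShell: Solution 1 from the original post (honor DMARC but quarantine on p=reject so no NDR with the original .eml goes back to the spoofed sender) and Joe Stocker's remote-domain approach (turn off NDRs for the Default remote domain). Cmdlet and parameter names are those of the ExchangeOnlineManagement module; the policy name 'Office365 AntiPhish Default' is assumed to be the tenant's default anti-phishing policy and should be changed if a custom policy applies.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module.
# Assumption: the anti-phishing policy to change is the tenant default,
# named 'Office365 AntiPhish Default'. Adjust $policy for a custom policy.
Connect-ExchangeOnline

$policy = 'Office365 AntiPhish Default'

# Show the current "honor DMARC" settings before changing anything.
Get-AntiPhishPolicy -Identity $policy |
    Select-Object Name, HonorDmarcPolicy, DmarcRejectAction, DmarcQuarantineAction

# Solution 1 from the original post: keep honoring the sender's DMARC policy,
# but quarantine on p=reject instead of rejecting. No rejection means no NDR,
# so the spoofed internal user never receives the .eml with the phishing links.
# Trade-off noted in the thread: the Configuration Analyzer recommends 'Reject'.
Set-AntiPhishPolicy -Identity $policy `
    -HonorDmarcPolicy $true `
    -DmarcRejectAction Quarantine `
    -DmarcQuarantineAction Quarantine

# Joe Stocker's alternative: suppress NDRs through the remote domain settings.
# Caveat from the thread: the 'Default' remote domain (DomainName '*') covers all
# external domains, so legitimate external senders also stop getting NDRs.
Set-RemoteDomain -Identity Default -NDREnabled $false

# Verify both changes.
Get-AntiPhishPolicy -Identity $policy |
    Select-Object Name, HonorDmarcPolicy, DmarcRejectAction, DmarcQuarantineAction
Get-RemoteDomain -Identity Default |
    Select-Object Name, DomainName, NDREnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Pick one of the two: the first keeps NDRs working for everything else but downgrades the DMARC reject action, the second keeps the recommended reject action but silences NDRs tenant-wide for the Default remote domain, which is exactly the side effect the original poster objected to.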