How to stop internal spam mail?

Hi,

In the past two days, we kept receiving spam mail from our internal (same-domain) user accounts, but they were from different users and sent to different distribution groups in our company. We checked the Internet headers; they are from our O365 mail server IP address. We first thought the sender's computer might be hacked, so we changed the sender's password, but today another user sent out the same spam. My question is how to stop it? I worry another spam will be sent out tomorrow. Is there an internal spam filter we should set up?

The spam email content is like below. There is a link for "UPDATE EMAIL".

"You may no longer have access to your office365 email account because your email account has exceeded it's mail quota on the database server. If you want to continue using your office365 account, please verify your account to continue using your email service. Update through the link below.

UPDATE EMAIL

Sincerely,
Information Technology."

Need help! Thanks in advance!

16 Replies
If they are hacked, changing their password won't help as it's probably too late and something is infected.
I would suggest taking the person's computer offline while you fix it (generally a format & re-install is the best way to deal with a virus).
The other thing you can do is create an Exchange Transport Rule that prevents that particular user from sending an email to anyone inside or outside the organisation if it has particular words like those found in the email.

Hi Loryan,

Thank you for your reply. It seems it is a phishing email. It lures users to click a link in the email and leads them to enter their email user name and password on the bad site.

I noticed that if the email is from an external mailbox, the mail will be blocked in the Junk Mail folder, but if the spam mail is from an internal mailbox, it won't be filtered. How to address the issue of internal users sending spam mail? Do people filter the emails exchanged internally?

Thanks,

You have a breached device - take it off the network and wipe it.
To restrict emails internally you can use Exchange Transport Rules as I mentioned in my previous response.

We had a scenario recently where a person's 365 account password was hacked. The hacker logged remotely onto their Outlook and was sending emails to all this person's contacts, phishing for others to enter their details.

They even responded when asked if this email was legit ...

We checked/wiped the person's machine and took it off the network; still emails were coming. It wasn't until we changed their password and made it more complex that it stopped.

Then someone else had the same issue ... changed password, it stopped. Force a change of password for everyone on the domain.

Had the machine reviewed by a security company ... nothing was discovered. So it wasn't the machine.

Azure AD logs indicated it was a person logging in from a small town in the USA.

We were really lucky it wasn't worse.

PS. They also added a rule into the user's Outlook to delete all new incoming emails. Only found that as a result of searching the Azure AD logs.
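The Outlook rule Stephen mentions is a common trick for hiding replies from a compromised user. The following PowerShell is an added example, not from the thread: it lists Inbox rules across every user mailbox that delete, forward or redirect mail so an admin can review them. It assumes the ExchangeOnlineManagement module, and the admin UPN is a placeholder.

```powershell
# Added example, not from the thread: find Inbox rules that delete, forward or
# redirect mail across every user mailbox in the tenant.
# Assumes the ExchangeOnlineManagement module; the admin UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # -IncludeHidden also returns rules created outside Outlook, e.g. via PowerShell or EWS
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $reasons = @()
        if ($rule.DeleteMessage) { $reasons += 'deletes incoming mail' }
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($rule.MoveToFolder -and $rule.MoveToFolder -match 'RSS|Deleted Items|Junk|Conversation History') {
            $reasons += "hides mail in '$($rule.MoveToFolder)'"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Why     = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize

# After confirming with the mailbox owner that a rule is not theirs, remove it and
# treat the account as compromised (password reset, revoke sessions, enable MFA):
#   Remove-InboxRule -Mailbox <upn> -Identity '<rule name>' -Confirm:$false
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an account with Exchange admin rights; on a large tenant it takes a while because it visits every mailbox.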

Hi Stephen,

We had exactly the same case. It started with one user who used his home PC. His user name and password got hacked and the hacker sent email to all the people in his contacts. We reset his password and he seems not to be sending phishing email anymore. However, the second user opened the email and entered user name and password in the link, then phishing email was sent out from the second user again.

We did the same thing. Had all users who opened the link change their password immediately. The situation seems to be under control right now.

I want to know how to prevent this from happening in the future. We did a virus scan and found nothing on the second user's PC. Since Office 365 can block the same phishing email from an outside sender, I wonder if there is a way for inside senders?

Thanks,

We are reviewing with our vendor; at the moment they are suggesting blocking non-domain IP addresses or non-domain-joined devices.

Potentially another option is to use multi-factor authentication for anything external to the domain.

Blocking non-domain IP addresses or non-domain-joined devices will not work because my users will use mail from home or their phones.

I don't understand why Microsoft doesn't check emails exchanged internally. Like I mentioned, I noticed the exact same phishing email was caught in the Junk Mail folder if it was from an external mailbox; however, it went through if it was from an internal mailbox.

Thanks,

In the Security & Compliance site for 365, Spam policy, you can filter by country or region or language ... could that work for you?

Also in here you can treat an email as Bulk and take an action like quarantine, or prepend the message with "Potential Malware" or some other text, or redirect it.

If you have access to the Security & Compliance site, have a look at the policies and see what's applicable.

We are also looking at passing our mail through the Sophos cloud solution to have an extra level of security.

Here are your actions:
1. Quarantine the user: format their work PC, disable their phone or home computer from connecting.
2. Create an Exchange Transport Rule to prevent them from sending emails to the entire staff (I've already said this twice before).

Microsoft *does* check emails internally, however they don't go through the same engines as external mail because they expect their clients to take a certain amount of responsibility for good Internet security practice.
Also they have a solution called Advanced Threat Protection that puts links into a "detonation" chamber so emails like phishing attacks don't get through.

Customers have the tools available - they need to use them.

Hi Loryan,

Thank you for your reply. We did the two actions you mentioned right away after the phishing emails were sent out; however, some users still opened the bad link and entered their login credentials because the page looks like the O365 web logon page. No matter how we send out the notice not to open the link, there are still some users who don't follow it.

We received the phishing email again this morning from another different user. The hacker changed the subject line, so the Transport Rule that we created to block the subject didn't work.

I will look into Advanced Threat Protection. It seems we need to pay for this feature.

Thanks,

Hi Stephen,

Thank you for your info. How will the email flow if you add the Sophos cloud solution? Will you put it in front of O365 or behind? If you put it in front of O365, before email reaches O365, it still won't filter the email internally.

Thanks,

All mail will flow through Sophos, both in and out of Exchange Online, using the connector. We will effectively point the MX record to the Sophos endpoint.

That doesn't help when an internal user is affected, as it never goes through the connector.
Looks like you need everyone to do some mandatory training on phishing and malware in general.
With the change in subject line - create another rule, and keep creating them. They don't cost you anything. You can also potentially look at trying to create a rule that prevents a single user from emailing every individual in the company.
And yes you do need to pay for ATP - but it's a small cost given the pain you're currently going through, and that's *before* you lose money from a data breach or dropping customers who have lost faith in your competency.
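Loryan's two suggestions, a rule keyed on the mail content rather than the subject line the attacker keeps changing, and a rule that stops one mailbox from mailing the whole company, written out as Exchange Online PowerShell. This is an added example, not code from the thread; it assumes the ExchangeOnlineManagement module, and every address and group name in it is a placeholder for your own tenant.

```powershell
# Added example, not from the thread: mail flow (transport) rules for the wave
# described above. Assumes the ExchangeOnlineManagement module; every address
# and group below is a placeholder for your own tenant.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Phrases from the lure quoted in the question, as regexes matched against the
# subject OR body, so a new subject line alone no longer slips past the rule.
$lurePatterns = @(
    'exceeded\s+it.?s\s+(mail|mailbox)\s+quota',
    'verify\s+your\s+account\s+to\s+continue\s+using',
    'no\s+longer\s+have\s+access\s+to\s+your\s+office\s*365'
)

# Rule 1: internal-to-internal mail matching the lure goes to quarantine (the
# recipient never sees the link) and an incident report goes to the security team.
New-TransportRule -Name 'Internal phishing lure - mailbox quota' `
    -Priority 0 -Mode Enforce `
    -FromScope InOrganization -SentToScope InOrganization `
    -SubjectOrBodyMatchesPatterns $lurePatterns `
    -Quarantine $true `
    -GenerateIncidentReport 'secops@contoso.example' `
    -IncidentReportContent Sender, Recipients, Subject, Severity `
    -Comments 'Catches the quota/verify lure sent from compromised internal accounts'

# Rule 2: one mailbox mailing the all-staff group is the other signal in this
# thread; hold such messages for approval unless the sender is an authorised announcer.
New-TransportRule -Name 'Internal mail to all-staff requires approval' `
    -Priority 1 -Mode Enforce `
    -FromScope InOrganization `
    -SentToMemberOf 'allstaff@contoso.example' `
    -ExceptIfFromMemberOf 'announcers@contoso.example' `
    -ModerateMessageByUser 'secops@contoso.example' `
    -Comments 'Compromised accounts blast the whole company; moderation breaks the loop'

# Start with -Mode Audit (or AuditAndNotify) for a day if false positives are a
# worry, then confirm both rules are enabled and enforcing.
Get-TransportRule |
    Where-Object { $_.Name -like 'Internal phishing*' -or $_.Name -like 'Internal mail to all-staff*' } |
    Format-Table Name, State, Mode, Priority -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Rule 1 still needs a new pattern when the attacker rewrites the whole body, so keep adding patterns to the array rather than creating a rule per subject.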

Thank you Loryan! Can you confirm if ATP protects email internally? I can recommend it to my manager if it does.

Thanks,

We had the same thing, I was chasing people and changing passwords until I said: "enough is enough!" I forced the entire company to change their passwords and encouraged people (forced IT and Execs) to enable Multi-Factor Authentication to stop the overseas hackers from getting into our email accounts.