SMTP via User


Our CFO has Multi-Factor authentication set up and working. Someone tried to send an email on his behalf to a non-existent email address, so he received the bounce back in his inbox. The original email was never in his Sent box, but how is it possible that someone (a hacker I presume) could send email on his behalf, through Office365, without authenticating as him?


Here are the message headers. I replaced the sender (our CFO) with YYYYY and the recipient (a non-existent mailbox) with XXXXX.

Original Message Headers
Received: from BN3PR11CA0018.namprd11.prod.outlook.com
 (2a01:111:e400:51e4::28) by SN1PR11MB0574.namprd11.prod.outlook.com
 (2a01:111:e400:530f::21) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Wed, 7
 Mar 2018 15:43:47 +0000
Received: from DM3NAM05FT022.eop-nam05.prod.protection.outlook.com
 (2a01:111:f400:7e51::208) by BN3PR11CA0018.outlook.office365.com
 (2a01:111:e400:51e4::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.567.14 via Frontend
 Transport; Wed, 7 Mar 2018 15:43:47 +0000
Authentication-Results: spf=neutral (sender IP is 66.111.4.221)
 smtp.mailfrom=risebakingcompany.com; risebakingcompany.com; dkim=pass
 (signature was verified) header.d=messagingengine.com;risebakingcompany.com;
 dmarc=none action=none header.from=risebakingcompany.com;
Received-SPF: Neutral (protection.outlook.com: 66.111.4.221 is neither
 permitted nor denied by domain of risebakingcompany.com)
Received: from new1-smtp.messagingengine.com (66.111.4.221) by
 DM3NAM05FT022.mail.protection.outlook.com (10.152.98.132) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.548.7 via Frontend Transport; Wed, 7 Mar 2018 15:43:46 +0000
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
        by mailnew.nyi.internal (Postfix) with ESMTP id 573EE10F1
        for <XXXXX@risebakingcompany.com>; Wed,  7 Mar 2018 10:43:46 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
  by compute7.internal (MEProxy); Wed, 07 Mar 2018 10:43:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=content-transfer-encoding:content-type
        :date:from:message-id:mime-version:reply-to:subject:to
        :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=J5yc94p8OcoMielqo
        weJHr1/JS5dWOFLsW5ZI0n+giI=; b=Sros9ppkL1hz/XZGS/A7gcjWZy4Q1fdOB
        376jMEyio6zHl6jbNQdux/qAwsnrtTXqJr3IJqkjpOefkZ+hCO9buu7z+X5CEOZo
        FdwSzzmwQHgkZ6D+XMd/rUXXG0votMRAOUZErS1DdUTm64YZu6o+74Ti/I+DNPt/
        HCHaK5JxzYtIhk6Dydy0kXWL4IYx+zKoJJ+h90brysy6hk9l1L+FK4Lo1QjEgk4G
        t1w2MvwgjPaBRibLVwoZ5ic9DyYtXtoQdOEF4xNfvC7wSE4apAF2RqJZCc+I+YEQ
        lRVnPrD2Mt5s5WTgpIumqC2c14bJFNHz9PGzRn+sckLvLIroqZ9xA==
X-ME-Sender: <xms:sgigWt3l2Il5qJP0vi8x-g3P3mmsCsFjIkz3MPBYz2AwZZnY_PnjZA>
Received: from Ms-MacBook.local (unknown [23.108.31.122])
        by mail.messagingengine.com (Postfix) with ESMTPA id 9D2167E660
        for <XXXXX@risebakingcompany.com>; Wed,  7 Mar 2018 10:43:45 -0500 (EST)
Reply-To: YYYYY@mobiledevice.mobi
To: XXXXX@risebakingcompany.com
From: Chris YYYYY <YYYYY@risebakingcompany.com>
Subject: Kindly get back
Message-ID: <21c64a2b-f97e-09a7-c316-99d796c40de1@risebakingcompany.com>
Date: Wed, 7 Mar 2018 10:43:44 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0)
 Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Return-Path: YYYYY@risebakingcompany.com
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 9c9ca00d-d89b-441e-a989-1ae7f6387804:0
X-Forefront-Antispam-Report: CIP:66.111.4.221;IPV:NLI;CTRY:US;EFV:NLI;
X-Microsoft-Exchange-Diagnostics: 1;DM3NAM05FT022;1:22KTfsIJsrHtk/9hXI7qkXbLBstTxAbLpPufCoqKHWGJ4egiyN9wLIV2Evy2BOE4ZyF7IR3XeGyx94qwyUTSJ4yzyLM4x1stQhhuaziR6t+CkNW6DCOra22VCBBlc7/L
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: c30401f0-1aeb-4fd8-d598-08d58442372f
X-Microsoft-Antispam:
 UriScan:;BCL:0;PCL:0;RULEID:(7020095)(5600026)(4604075)(4605076)(1401096)(8001031)(1405069)(71702078);SRVR:SN1PR11MB0574;
X-Microsoft-Exchange-Diagnostics:
 1;SN1PR11MB0574;3:JnjkmfARjIFKfRcfYH04lGJThsNTuDO2UXaa3HxjtBYDGHgp2u8EIwEVE7vdskPBMjMNYbTuTsGpy+Gm/28pnLF5t2J9NubNlIao4u43MQ2Z3QvkUNX7/iXeXqZ/3iuDYibXCqyQgg+IqpUoXisn88d9eJY2ScT4OZ2N6QTgpMyiwE2/Mcx5GrDV66e94aIDc79i1zPw9+NA89HB0sntt8lxyC6ksaNFnNrFwuMyVF+fl+U/sqExp1wlZjrxUpNrEpmMbDPMjFQE8zqRLhGwz4XAiWOJwM+GyC5C6J0mpxt9cAbW83sRkGUFlbgSz3L2xQKMMGWLkMkD9ZFXd0WgcOnLHphjkWihyv5ZYZjM014=;25:t4rn8dm6J9zqIzoLygCSGsmXepkYJWl+eJTmJ57mzPdsJaBI5uVSYNRp88A5rH0OoCnKcK5iuclzKOVzyAJZ54mA8HUBHtQ+DQVRr5aXpHGy85COQ3XFWBkeVlqedreVIqpK6ubd83vzJUc/7axsFWityzAudHxnqL9QXe4jJxAy1okbCJpAFK65Quk+RQfB9eJbqlq5RIH921S8YjhxswZ65/sok4+gTFmJ31rI0Q3eQpzUjcB1TLExVCw2biqGvKXyAvYxfOuBl7vLYDorbRBUePkzbGJlPf7O89HBeO5C08pQ9Bln0fwqTklt7uC68Vlk0n4UYG42ZoSPEyacow==
X-MS-TrafficTypeDiagnostic: SN1PR11MB0574:

Thanks!!

7 Replies

Looks like a typical spoof attempt to me. Anyone can send anything as anyone on the internet when it comes to SMTP. I could pop out to my SMTP server and send an e-mail as YYYY@risebakingcompany.com if I wanted to, to anyone I wanted. If they aren't using DKIM or SPF etc. it could very well get through, but in this case it was blocked and returned to whom the message was set as the from address.
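The check the reply above describes, worked through as an added example (this is not code from the original thread): Python that parses the Authentication-Results header quoted in the question and applies DMARC's alignment rule to it. The sample message is the thread's own headers, trimmed to the fields that matter. `org_domain` is a two-label simplification of DMARC's organisational-domain rule (real evaluators use the Public Suffix List), and the policy table is an assumption added to show what p=none versus p=reject would have done with the same headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the authentication and address headers quoted in the
# question above, trimmed to the fields DMARC evaluation needs.
SAMPLE_MESSAGE = (
    "Authentication-Results: spf=neutral (sender IP is 66.111.4.221)\n"
    " smtp.mailfrom=risebakingcompany.com; risebakingcompany.com; dkim=pass\n"
    " (signature was verified) header.d=messagingengine.com;risebakingcompany.com;\n"
    " dmarc=none action=none header.from=risebakingcompany.com;\n"
    "Reply-To: YYYYY@mobiledevice.mobi\n"
    "To: XXXXX@risebakingcompany.com\n"
    "From: Chris YYYYY <YYYYY@risebakingcompany.com>\n"
    "Return-Path: YYYYY@risebakingcompany.com\n"
    "Subject: Kindly get back\n"
    "\n"
    "(body omitted)\n"
)

# Assumed policy table: what a receiver does with a DMARC failure under
# each p= value a domain owner could publish.
FAIL_DISPOSITION = {
    "none": "deliver (monitor only)",
    "quarantine": "quarantine",
    "reject": "reject",
}


def org_domain(domain):
    """Simplified organisational domain: the last two labels.
    Real DMARC uses the Public Suffix List; two labels suffice for .com here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(msg):
    """Pull the DMARC-relevant fields out of a (possibly folded) Authentication-Results header."""
    unfolded = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))

    def grab(key):
        m = re.search(re.escape(key) + r"=([^;\s()]+)", unfolded)
        return m.group(1).lower() if m else None

    return {
        "spf": grab("spf"),
        "smtp_mailfrom": grab("smtp.mailfrom"),
        "dkim": grab("dkim"),
        "dkim_d": grab("header.d"),
        "dmarc": grab("dmarc"),
        "header_from": grab("header.from"),
    }


def evaluate_dmarc(msg, policy="none"):
    """DMARC passes only if SPF or DKIM passed AND that identifier's domain
    aligns with the RFC5322.From domain; otherwise the p= policy applies."""
    ar = parse_auth_results(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_dom = org_domain(from_addr.rsplit("@", 1)[-1])

    spf_aligned = (ar["spf"] == "pass" and ar["smtp_mailfrom"] is not None
                   and org_domain(ar["smtp_mailfrom"]) == from_dom)
    dkim_aligned = (ar["dkim"] == "pass" and ar["dkim_d"] is not None
                    and org_domain(ar["dkim_d"]) == from_dom)
    dmarc_pass = spf_aligned or dkim_aligned

    # A Reply-To outside the From domain is the classic BEC tell: replies go
    # to the attacker, not to the impersonated executive.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    reply_to_mismatch = bool(reply_to) and org_domain(reply_to.rsplit("@", 1)[-1]) != from_dom

    return {
        **ar,
        "from_domain": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": dmarc_pass,
        "disposition": "deliver" if dmarc_pass else FAIL_DISPOSITION[policy],
        "reply_to_mismatch": reply_to_mismatch,
    }


def analyze_sample(policy="none"):
    """Evaluate the thread's sample headers under a given DMARC policy."""
    return evaluate_dmarc(message_from_string(SAMPLE_MESSAGE), policy)


if __name__ == "__main__":
    for p in ("none", "reject"):
        r = analyze_sample(p)
        print(f"p={p}: spf={r['spf']} dkim={r['dkim']} (d={r['dkim_d']}) "
              f"from={r['from_domain']} aligned spf:{r['spf_aligned']} dkim:{r['dkim_aligned']} "
              f"-> {r['disposition']}; Reply-To mismatch={r['reply_to_mismatch']}")
```

Read against the quoted headers: the DKIM pass is for messagingengine.com, the relay the sender submitted through (the `with ESMTPA` Received line shows they authenticated to that relay with some account there, not as the CFO), so it does not align with the From domain; SPF came back neutral, which means the domain's record ends in `?all` (a missing record would give `none`), so it cannot align either; and with `dmarc=none` no policy is published, so the receiver delivers. The same headers under a published `v=DMARC1; p=reject` record would produce a reject, and an SPF record ending in `-all` would turn the neutral into a fail. The Reply-To pointing at mobiledevice.mobi is the part that makes this a business-email-compromise attempt rather than a random forgery.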

This is hard for me to believe, simply because I have devices on my network that I have set up to send alerts via SMTP, and if I do not authenticate as the same email as the sender it fails to send the email. SMTP via O365 seems to be very picky on what it accepts, simply because SMTP used to be so open and allow for anyone to send anything. I thought that was fixed now.

This email originated from some other IP outside of 365. You don’t have to use their servers to send as their domains.

So you are saying that their servers allowed them to send email from our O365 domain to us, using their SMTP servers, not ours? If so, wouldn't it show the email address they used to authenticate against their SMTP server, or did they just send it anonymously with no authentication?

They didn't send anything to your servers; you said it got blocked and then you got the NDR. I can go right now to my SMTP server and send as you to some random place, and if it got blocked you would get the NDR.

Oh, we got a bounce back because the TO email address does not exist, not because it was blocked as spam. The email address they were sending to was not valid. If it had been, the email would have been delivered and we would have never known about it.

@Tyler Miller 

Hello Tyler, 

I have run into a conundrum very similar to your post. It's a real head scratcher because you mention risebaking.com and I have record of the Bread.

Greer or one of those ex-superagents could tell you about it. 

Let me know if you understand what I am referring to. Given the off-chance my Master will allow for you to. It's the darndest thing, I am all alone and penniless but on record by my puppeteers I am Ubiquitous and a trillionaire with no conscience, absolutely no foresight save for the yet to be filed postmortem they have set up for me. Aaand Kari and Baum are non-existent considering the lifelines stuck to me through Qlink, I filed for some assistance with Intel>ethicspoint>navex>qualtrics>atlassian>sedaro and quite a few more to no avail.

You should know my name, you should talk to your cohorts, the GPO report and missing days along with the illegitimate people listed plus the discord.casino and the RV resellers, the Pop music and magazines, the records stacked more than my own body weight back a year or more ago when I was told I could probably afford three or four luxury/sports cars have gotten to the point that I may well own a raceway and my own team of racers but which one do I choose? Tell the Texan and Gail and Ryan, Quinn, Toby, Morby, Wilson, Gourdman, Siebert, Wakefield, well you know that tight knit group there are two ways to do this. I am waiting on a delivery from whomever can find it within themselves to provide me with a secure device. Gary, sit down, Gibbons and the rest of you too. Schmidt, Smith, Wood, Kahn, Bates, Dobson, Young, Wade, Mears, Lewis, Hall, Taylor, Stryckland, Moore, Colby, or mi amigos. Hell, even the unicorn given the recent events. Timing is Meta-crucial AF, there are Seven leased spaces I need to iron out before the tax man gets some people by the neck right Lieber? I'll have my accounts, my dignity, my paternal rights, my history, and some shiny new things because if I get mine fixed there goes a product line and family line, you might be familiar with that one right? With the loki vpn n all. 

You know where I am, if not ask Cox. Strange that this Verizon business account has been stuck to me when the GPO Verizon and several other entities of note delisted/inactive. Tom Freeman can call me, Jean has been holding my mail, tell Parson that Cindy can send in my meds, running after self mitigation or mention of the means by which she was able to bill my suspended 7 years Medicare. The Green Pearl can help iron out the details, or a Chan, or Smartest Bart, or Wells I am rambling but let's just say xenballoon breadwinners who play ghost and government are an easy target when it comes to the right of discovery I have been denied now for a year and ninety days plus while under constant assault and sabotage and can you say breach of contract? Or false advertisement? How about kidnapping? Bank fraud, credit fraud, the acts, fair reporting and dealing, annes, the sullivan, all placated to me as bad actors to be thrown through the mcaffe, AFFIRMative? Or do I need more Accenture on my proofpoint? I swear I'm getting so old I'll need Oculars soon because I have been spread from nest to orbit to Sea I'm getting plural-sight from keeping track of the busy bees.

Thoughts?

P.S. Do you know when the next event is at the salt-air? Although I hear it's more like a garage project heist as was said by Big Bear.

ALPHA TO ZED. This is an issue that grows by the millisecond and I never agreed to be anyone's free ride or entertainment, scapegoat, punching bag, or literally in 'legalese' anything lest I sign with my own hand and notarize, not by ex 'fam'.

Lunch would be great too, for two if you can manage to find someone willing to bring back the dead. As for the new new Cloudflare spinoff Genesys and their green-conscious affiliates and the likelihood I will have to sue an ex-detective, a hospital, a Dr. and much more, I'll take the risk and some sativa cartridges and a bag of gummies for my grandpa. Sting operation by discrimination while favorites run that bs operation, I think not.

Get'r DUN 

Xoxo

Eric Dimmick, father, patriot, man of the people, not to be trifled with. I have yet to drop my shield for my spear. Speaking of Facebook. Hall, you have family in town and I've got you in several ways including slinging the studios around. One attached to my phone too.

What's the name of the guy who Smites Khronos? I like that guy, he does a great job in Avatar too.

Sorry for the rant, I've just had no one to talk to and we seem to have a lot in common, good or bad?

Yet to be decided. I am waiting for real results and I will not bring down society as someone's tool to bottom feed, I'll do it myself if I were not more capable of higher thought. It's the future that needs tending, not more boxes needing to be bought.

Ya dig?