Feb 19 2019 02:31 AM - edited Feb 19 2019 03:44 AM
I think I found a security flaw. But maybe not.
I have reported it to Microsoft, but I wanted to raise this here and get some thoughts from real experts.
So one of my customers got in touch with me and had concerns that one of his "SHARED email accounts" had been hacked, because he got an email "FROM" that shared email account saying "You have been hacked, please deposit bitcoin... etc etc etc... blablabla..."
To understand this post better, let's call the shared email address "shared[at]example.com"
And his main account "main[at]example.com"
The hacker is sending from "hacking[at]hackerexample.com"
My first thought was "His account has been hacked"... If the sender is not in the "designated permitted sender hosts", the email should hit the "Junk mail folder" in his main account, but it didn't in this case, it went straight into his Inbox... That's why I thought this is a real threat...
So I started my research inside the Exchange and also inside the "Shared mailbox" and found that his account was "NOT" hacked...
"That's strange" I thought... If the shared email account was not hacked, then why did the email not hit his main account junk mail folder?
I think it's because he has a forwarding rule "FROM" his shared email account "INTO" his main email account.
Looking like it's the real deal!! No junk folder this time...
What ??? I felt like this is a security flaw... but..
A nice lady from Microsoft just called me and we had this discussion... I said I think this is a security flaw and should be addressed, maybe an option to "only forward verified messages"... But she said "No, it's not a security flaw... The email should not go through the SPF again once it is internal... The forwarding rule is doing its job, and is forwarding all emails to his main account, and that's why it is not flagged as spam."
I'd like to get some thoughts on this...
Thanks.
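A defender-side check for the pattern described in the post, written as an added example (not code from the original post or from Microsoft): it reads the Authentication-Results verdict that the edge server recorded for the external hop and flags a message whose From domain is internal but that never passed SPF or DMARC, so a later forwarding hop cannot make it look clean. The header samples, the host names and the sender IP 203.0.113.5 are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the post): the spoof arrives from an external host and
# fails SPF/DMARC at the edge; a forwarding rule then re-delivers it over an internal hop.
SPOOFED = """\
Received: from mail.example.com by mailbox.example.com; Tue, 19 Feb 2019 02:00:00 +0000
Received: from hackerexample.com (203.0.113.5) by mail.example.com; Tue, 19 Feb 2019 01:59:50 +0000
Authentication-Results: mail.example.com; spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=hackerexample.com; dkim=none; dmarc=fail action=none header.from=example.com
From: shared@example.com
To: main@example.com
Subject: You have been hacked

Please deposit bitcoin.
"""

# Constructed legitimate message from the same shared mailbox, authenticated at the edge.
LEGIT = """\
Received: from mail.example.com by mailbox.example.com; Tue, 19 Feb 2019 02:05:00 +0000
Authentication-Results: mail.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass header.from=example.com
From: shared@example.com
To: main@example.com
Subject: Weekly report

All good.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")

def verdicts_for(raw):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        verdicts.update(AUTH_RE.findall(str(hdr)))
    return verdicts

def is_forwarded_spoof(raw, internal_domains):
    """True when the From domain is ours but the message never passed SPF or DMARC.
    A missing Authentication-Results header counts as not passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if from_domain not in internal_domains:
        return False  # external From domains are out of scope for this check
    v = verdicts_for(raw)
    return v.get("spf") != "pass" and v.get("dmarc") != "pass"
```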