
Spoofing emails from external accounts

Tomasz Szulczewski

Hi,

We get a lot of spoofing emails from external accounts. I know how to limit them, but today I was surprised by something new to me. Just a few days ago I created a new user and email account. And today this user account got a spoofing email from an external domain. How is it possible so fast?

I am not a master of Exchange, but from my point of view one user account or computer has been compromised. Is there any other way that someone could get access to information like our email addresses?

We run Office 365 Business Premium, and we started implementation of EMS P1.

Unfortunately we don't have Windows 10 Enterprise.

Can you suggest how to increase the security of our Exchange and mailboxes?

Thank you

 

4 Replies

@Tomasz Szulczewski Correct, it looks like a compromised mailbox being used to download your GAL outside the network.

 

1. Check suspicious logins/audit logs in Azure AD. Look for IP addresses, geographic location, time of access, workstation. This should give you an idea of which account/s are compromised.

2. Once you have identified which account it is, follow the remediation path in order.

Reset Password. 

Revoke all Azure AD user refresh tokens (from Azure AD PowerShell).

Check for any forwarding activated on a mailbox.

As a security measure, ask all users to change passwords (there may be more than one who is compromised).

 

Enable multi-factor authentication for the future.

 

https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account

 

https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/

 

https://blogs.technet.microsoft.com/cloudyhappypeople/2017/10/05/killing-sessions-to-a-compromised-office-365-account/

 

All the Best 

Ankit Shukla
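The remediation path in the reply above (review sign-ins, reset the password, revoke refresh tokens, check mailbox forwarding, require MFA) can be run end to end from PowerShell. The script below is an added example and is not code from the thread or from Microsoft; it assumes the AzureAD, ExchangeOnlineManagement and MSOnline modules are installed, that the operator has the necessary admin roles, and that `$Upn` is the account identified in step 1 (the value shown is a placeholder). Review the sign-in and forwarding output before letting the destructive steps run.

```powershell
# Added example (not from the thread): one pass over the remediation steps
# for a single suspected account. All identifiers below are placeholders.
param(
    [Parameter(Mandatory)][string]$Upn,   # e.g. user@contoso.example (placeholder)
    [int]$LookbackDays = 14                # how far back to pull sign-in events
)

Import-Module AzureAD
Import-Module ExchangeOnlineManagement
Import-Module MSOnline

Connect-AzureAD | Out-Null
Connect-ExchangeOnline -ShowBanner:$false
Connect-MsolService

# --- Step 1: review sign-in activity for the suspected account -----------------
# UserLoggedIn events from the unified audit log; AuditData is a JSON blob that
# carries the client IP and user agent. Compare against the Azure AD sign-in
# blade for geographic location and device details on the same events.
$start = (Get-Date).AddDays(-$LookbackDays)
$logons = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -Operations UserLoggedIn -UserIds $Upn -ResultSize 5000
$logons |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, ClientIP, UserAgent, ResultStatus |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# Resolve the user once; later cmdlets take the object ID.
$user = Get-AzureADUser -ObjectId $Upn

# --- Step 2a: reset the password and force a change at next sign-in -----------
$newPassword = Read-Host -AsSecureString -Prompt "New temporary password for $Upn"
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $newPassword `
    -ForceChangePasswordNextLogin $true

# --- Step 2b: revoke refresh tokens so existing sessions cannot renew ---------
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# --- Step 2c: look for forwarding on the mailbox and in inbox rules -----------
$mbx = Get-Mailbox -Identity $Upn
$mbx | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

$fwdRules = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
}
$fwdRules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo

# Clear mailbox-level forwarding and disable any rule that forwards or redirects.
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
        -DeliverToMailboxAndForward $false
}
foreach ($rule in $fwdRules) {
    Disable-InboxRule -Identity $rule.Identity -Mailbox $Upn -Confirm:$false
}

# --- Step 3: require MFA for the account (per-user MFA via MSOnline) ----------
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($req)
```

Run it as `.\Remediate-Account.ps1 -Upn user@contoso.example` (file name and UPN are placeholders). The forwarding check covers both the mailbox properties and inbox rules because a compromised account is often left with a quiet rule that forwards or redirects mail, which survives a password reset; revoking refresh tokens is what actually ends sessions that are already signed in. Per-user MFA is shown here because it needs no extra licensing; if Conditional Access is available, a tenant-wide MFA policy is the better long-term control.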

 


@Tomasz Szulczewski Were you able to figure this out? Do let me know if you need additional help in identifying the logs!

 

Cheers

Ankit Shukla

 


@ankit shukla Thank you. Yes, I know how to proceed now.


@Tomasz Szulczewski Perfect. Please save the rapid response in your notes for handling any similar issues that may arise in the future :) I'm glad I was able to assist.

 

Cheers !

Ankit Shukla

 
