
Spoofing emails from external accounts


Hi,

We get a lot of spoofing emails from external accounts. I know how to limit them, but today I was surprised by something new to me. Just a few days ago I created a new user and email account. And today this user account got a spoofing email from an external domain. How is it possible so fast?

I am not a master of Exchange, but from my point of view one user account or computer has been compromised. Is there any other way that someone could get access to such information as our email addresses?

We run Office 365 Business Premium, and we started implementation of EMS P1.

Unfortunately we don't have Windows 10 enterprise.

Can you suggest how to increase security of our Exchange and mailboxes?

Thank you

 

4 Replies

@Tomasz Szulczewski Correct, it looks like a compromised mailbox being used to download your GAL outside the network.

 

1. Check suspicious logins/audit from Azure AD. Look for IP addresses, geographic location, time of access, workstation. This should give you an idea of which account(s) are compromised.

2. Once you have identified which account it is, follow the remediation path in order.

Reset password.

Revoke all refresh tokens with Revoke-AzureADUserAllRefreshToken (from Azure AD PowerShell).

Check for any forwarding activated on the mailbox.

As a security measure, ask all users to change passwords (there may be more than one who is compromised).

 

Enable multi-factor authentication for the future.

 

https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account

 

https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/

 

https://blogs.technet.microsoft.com/cloudyhappypeople/2017/10/05/killing-sessions-to-a-compromised-office-365-account/

 

All the Best 

Ankit Shukla
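The remediation path in the reply above, carried out as one script. This is an added example, not code from the original thread or from Microsoft; it assumes the AzureAD and ExchangeOnlineManagement PowerShell modules are installed, that the operator holds the Exchange and user administrator roles, and that $Upn is a placeholder for the suspected mailbox. It pulls the user's sign-in records from the unified audit log (IP, time, user agent) for the triage step, then resets the password, revokes every refresh token, strips mailbox-level forwarding and forwarding/redirect inbox rules, and finally lists every other mailbox in the tenant that forwards externally, since the reply warns that more than one account may be compromised. Enabling MFA is left to the admin portal or Conditional Access and is not scripted here.

```powershell
# Added example (not from the original post): triage and remediate one
# suspected-compromised Office 365 mailbox, then sweep the tenant for forwarding.
# Assumptions: AzureAD + ExchangeOnlineManagement modules; admin roles; $Upn is a placeholder.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. user@contoso.com (placeholder)
    [int] $LookbackDays = 14
)

Connect-AzureAD | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Triage: sign-in evidence for this user (source IP, time, client, success/failure).
$start  = (Get-Date).AddDays(-$LookbackDays)
$logins = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
            -UserIds $Upn -Operations UserLoggedIn -ResultSize 5000
$logins |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, ClientIP, UserAgent, ResultStatus |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# 2a. Reset the password to a random value and force a change at next sign-in.
$user  = Get-AzureADUser -ObjectId $Upn
$newPw = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $newPw -ForceChangePasswordNextLogin $true

# 2b. Invalidate every refresh token; a password reset alone leaves existing sessions alive.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 2c. Forwarding set on the mailbox object itself.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox forwarding found: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
                -DeliverToMailboxAndForward $false
}

# 2d. Inbox rules that forward or redirect mail (common attacker persistence); disable them.
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object {
        Write-Warning "Disabling forwarding inbox rule '$($_.Name)' in $Upn"
        Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false
    }

# 3. Tenant sweep: any other mailbox with forwarding configured deserves the same treatment.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Remediate-Mailbox.ps1 -Upn user@contoso.com` (the file name is an assumption). The order matters: revoking refresh tokens after the password reset ensures that any session the attacker already holds cannot silently renew, and the forwarding checks come last because they are the artefact most likely to survive a password change unnoticed.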

 


@Tomasz Szulczewski Were you able to figure this out? Do let me know if you need additional help in identifying the logs!

 

Cheers

Ankit Shukla

 


@ankit shukla Thank you. Yes, I know how to proceed now.


@Tomasz Szulczewski Perfect. Please save the rapid response in your notes for handling any similar issues that may arise in the future :) I'm glad I was able to assist.

 

Cheers !

Ankit Shukla

 
