My Tenant is the Victim of a Persistent Email Spoofer

Copper Contributor

Hi all, for 5 days now a specific user in my tenant has been the target of a mass email spoofing attack. This users email address has been spoofed, and now we're absolutely flooded with "Undelivered Mail Returned to Sender" bounce back emails. The attacker is impersonating this user by editing their headers to make the email appear to be coming from us.  The attacker is sending a purchase order number out trying to collect payment.


I have confirmed that the affected user's email is not sending out anything, and that the tenant as a whole is not sending out malicious emails.


Most of these emails are being originated from the same domain: "". I have already reported this domain to the FBI, but obviously there is nothing they can really do.


On my end, being the only admin for a small 8 person company, I have added a rule to simply drop these emails from ever being delivered from this domain. Unfortunately, not every email the attacker is sending is from this domain, and some items get through and get quarantined, have to be deleted form the users inbox, or worse and they make it through and annoy the living hell out of the user. 


I was hoping that this attacker would move on, but they have been at this for a week and are sending upwards of 4 thousand emails a day.



What is there that I can actually do about this? Further, why is email so easy to impersonate and commit crime with, and why isn't a solution being developed from big tech?

2 Replies



Would suggest to setup SPF, DKIM and DMARC to protect your Email Domain

Our email domain is fully powered by M365 and Exchange. As far as I'm aware, all of those features are enabled by default. I know at least DMARC is because in the past, a client of ours was not flagging their emails correctly and they would be dropped on our end.