cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

New tenant and domain classed as phishing

malmesater
Copper Contributor

‎Dec 01 2021 02:10 PM - last edited on ‎Apr 04 2022 08:30 AM by

‎Dec 01 2021 02:10 PM - last edited on ‎Apr 04 2022 08:30 AM by

New tenant and domain classed as phishing

Hi everyone. 

I have searched and tried to find an answer on my questions but can't find anything. 

I configured a new tenant with a new custom domain with "Enabled Security Defaults".

When my friends now tries to send emails they get "Spam Confidence Level 5" on every email they send?

They have a Microsoft 365 Business Premium license.

 

Country/Region SE
Language en
Spam Confidence Level 5
Spam Filtering Verdict SPM
IP Filter Verdict NLI
HELO/EHLO String SWE01-MM0-obe.outbound.protection.outlook.com
PTR Record mail-mm0swe01on2112.outbound.protection.outlook.com
Connecting IP Address 40.107.120.112
Protection Policy Category SPM
Spam rules (4636009)(58800400005)(9686003)(7116003)(55016003)(564344004)(19627405001)(83310400002)(6916009)(7696005)(26005)(33656002)(83380400001)(83320400002)(83280400002)(83290400002)(83300400002)(5660300002)(8676002)(356005)(6506007)(7636003)(8636004)(22186003)(336012)(1096003)(52536014)(86362001)(76010400004)
Source header CIP:40.107.120.112;CTRY:SE;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:SWE01-MM0-obe.outbound.protection.outlook.com;PTR:mail-mm0swe01on2112.outbound.protection.outlook.com;CAT:SPM;SFS:(4636009)(58800400005)(9686003)(7116003)(55016003)(564344004)(19627405001)(83310400002)(6916009)(7696005)(26005)(33656002)(83380400001)(83320400002)(83280400002)(83290400002)(83300400002)(5660300002)(8676002)(356005)(6506007)(7636003)(8636004)(22186003)(336012)(1096003)(52536014)(86362001)(76010400004);DIR:INB;
Unknown fields DIR:INB;

 

I have tried to email my outlook.com, work email (M365) and my personal M365 tenant and same classification on the emails. 

Same problem if I try to send an email from .onmicrosoft.com address.

 

I can't find anything.

I have tried to change the outgoing policys, phishing policys, etc. and still the same problem. 

I'm out of idéas. 

 

When I try to configure DKIM i get "Error in retrieving encrypted key.".

On both custom domain and onmicrosoft.com.

attached two pictures of the error aswell. 

 

Please help and thanks in advance.

Best regards 

Thomas Malmesater

Sweden

Preview file
114 KB
Preview file
7 KB
3,761 Views
1 Like
12 Replies
Reply
12 Replies
malmesater

‎Dec 05 2021 10:27 PM

‎Dec 05 2021 10:27 PM

Re: New tenant and domain classed as phishing

I guess no one has an answer for this question?
0 Likes
Reply
stephy_rul

‎Dec 15 2021 01:25 PM

‎Dec 15 2021 01:25 PM

Re: New tenant and domain classed as phishing

@malmesater 
perhaps the cause is the spam from different IPs from 40.107.xxx.xxx
"from" is every time the same sender

Bildschirmfoto 2021-12-15 um 21.47.38.png


Bildschirmfoto 2021-12-15 um 21.45.38.png

0 Likes
Reply
stephy_rul

‎Dec 15 2021 01:30 PM

‎Dec 15 2021 01:30 PM

Re: New tenant and domain classed as phishing

i registered the first message at the 2021.12.09 (9th of dec.) in germany
0 Likes
Reply
malmesater

‎Dec 16 2021 01:30 AM

‎Dec 16 2021 01:30 AM

Re: New tenant and domain classed as phishing

Hi,
Thanks for the replay.
I'm not sure what you mean, how can I prevent this from happening?

BR
Thomas M
0 Likes
Reply
stephy_rul

‎Dec 16 2021 12:30 PM

‎Dec 16 2021 12:30 PM

Re: New tenant and domain classed as phishing

@malmesater 
hi
what i want to show,
that there is someone sending spam from, or try to send via relay, or faked IPs, or a combination of these, with the name of these servers.
perhaps it is possible to report it to microsoft and ask them.
i am to lazy to do it, as my mailserver is a very small one in germany and these kind of "spamfloods" will normally go away in view days or weeks. as you see my server blocks it already.

your problem is the other way around, you want to send.
perhaps you are able to contact microsoft and show them also my findings and ask about the cause of the "pishing error" with your settings (if they have questions, want some logs, i am able to help them).

short explanation
i found your thread by searching the IPs(beginning with 40.107. .....), at google, trying to find similar "victims" as me and what they do about it, but can't find any other message about it yet.
i do not know if your problem is connected with mine.

i wish you a lot of passion, if you get in contact microsoft.(by the way it is possible, but the information will not be easy to find)

wkr
stephy

1 Like
Reply
ShaikhRA

‎Dec 16 2021 09:45 PM

‎Dec 16 2021 09:45 PM

Re: New tenant and domain classed as phishing

It appears that you have already published the SPF record.
However, I was unable to find CNAMEs required for DKIM.
You can follow https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-out... to configure DKIM.
After that you can configure DMARC as well by following https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-em...
SPF, DKIM, and DMARC will help in deliverability of the emails.
0 Likes
Reply
malmesater

‎Dec 16 2021 10:52 PM

‎Dec 16 2021 10:52 PM

Re: New tenant and domain classed as phishing

Thank you so much for your answer.
I will try to get in contact with MS and se what they say.

BR
Thomas M
0 Likes
Reply
malmesater

‎Dec 16 2021 10:55 PM - edited ‎Dec 16 2021 10:55 PM

‎Dec 16 2021 10:55 PM - edited ‎Dec 16 2021 10:55 PM

Re: New tenant and domain classed as phishing

I deleted records because I thought they were the ones causing the problem.
But I will add them again and see if I can activate DKIM.

The problem with DKIM is that M365 can't "create" encryption key.

 

BR

Thomas M

0 Likes
Reply
ShaikhRA

‎Dec 17 2021 04:10 AM

‎Dec 17 2021 04:10 AM

Re: New tenant and domain classed as phishing

Based on my experience, yes, the DNS records are needed to successfully configure DKIM.
0 Likes
Reply
malmesater

‎Dec 20 2021 04:54 AM

‎Dec 20 2021 04:54 AM

Re: New tenant and domain classed as phishing

@ShaikhRA 

I was after long time waiting able to activate DKIM and Dmarc. 

So I hope this might resolve my problem, if not I will contact Microsoft about it. 

 

Thanks for the help and I wish you Marry Christmas and happy new year. 

 

BR 

Thomas M

0 Likes
Reply
ShaikhRA

‎Dec 20 2021 07:47 AM

‎Dec 20 2021 07:47 AM

Re: New tenant and domain classed as phishing

You too have a Merry Christmas and Happy New Year.
If the problem persists, check content and signature in the emails.
If the signature has hyperlinks, you may get a higher SCL score. Try removing the signature and see if it helps.
0 Likes
Reply
JohnJolly1715

‎Dec 22 2021 12:13 AM - edited ‎Dec 22 2021 12:15 AM

‎Dec 22 2021 12:13 AM - edited ‎Dec 22 2021 12:15 AM

Re: New tenant and domain classed as phishing

@malmesater 

greetings
what I need to show,
that there is somebody sending spam from, or attempt to send by means of transfer, or faked IPs, or a mix of these, with the name of these servers.
maybe it is feasible to report it to microsoft and ask them.
I'm to languid to do it, as my mailserver is a tiny one in germany and these sort of "spamfloods" will regularly disappear in view days or weeks. as you see my server blocks it as of now.

your concern is the reverse way around, you need to send.
maybe you can contact microsoft and show them likewise my discoveries and get some information about the reason for the "pishing mistake" with your settings (assuming they have questions, need a few logs, I'm ready to help them).

0 Likes
Reply