Phishing email sent on behalf of one of our own distribution groups?

Copper Contributor

Good morning,


We have a distribution group set up for receiving messages from a monitoring service. Due to this service being outside of our organisation, the DL is currently set to allow senders from inside and outside of the organisation:






This distribution group is configured to:


- Allow all senders outside and inside the organisation

- There are no 'send on behalf' or 'send as' permissions set on the DL








Please could you shed some light on how this external phishing attempt was able to "Send on behalf of" a distribution list that doesn't have any send on behalf permissions set?


Thank you in advance.


6 Replies

Hi, notice it says send messages TO this group (not from), so you have allowed anyone to send email to this group - so I can use an SMTP tool to send an unauthenticated email to the group 'from any address I like' seeing as you have allowed it.  If you know the sending IP (or range of IPs) of the monitoring system, the best option would be a Mail Flow rule using the following settings:
- when message is sent to:
- drop the message without delivering
- except when it comes from these IPs: IP or range of IP of valid sending servers.
You could also do 'except when from this address' , but on it's own that could still be exploited.

Thank you for your response SimBur.

That's a good suggestion, thank you.

However, do you have any idea what may have caused the message to appear as "on behalf of" when it was received by the members of the distribution group? This is what is confusing me the most.

A message truly sent on behalf would be considered authenticated and internal.  Anything can be put in the From field - are you able to post the header (remove any of your IPs) have you confirmed it came from external, not an internal machine? If the address list has been extracted at some point an attacker could know to add the on behalf to the from address. Cheers.



I received one of these yesterday, It does detect that it is an unverified sender and sent it to spam though.

@MikeNielsen @JC1231530 I received one of these yesterday. Went to our junk but I can't understand how they used our distribution group as the Sender. The distribution group does not have a login and isn't a licensed account. We can't even send from the address if we wanted to. 



Where is your SMTP for sending out those Email?