Sep 16 2021
02:45 AM
- last edited on
Feb 01 2023
12:37 PM
by
TechCommunityAP
Good morning,
We have a distribution group set up for receiving messages from a monitoring service. Due to this service being outside of our organisation, the DL is currently set to allow senders from inside and outside of the organisation:
This distribution group is configured to:
- Allow all senders outside and inside the organisation
- There are no 'send on behalf' or 'send as' permissions set on the DL
Please could you shed some light on how this external phishing attempt was able to "Send on behalf of" a distribution list that doesn't have any send on behalf permissions set?
Thank you in advance.
J
Sep 16 2021 04:42 AM - edited Sep 16 2021 04:44 AM
Hi, notice it says send messages TO this group (not from), so you have allowed anyone to send email to this group - so I can use an SMTP tool to send an unauthenticated email to the group 'from any address I like' seeing as you have allowed it. If you know the sending IP (or range of IPs) of the monitoring system, the best option would be a Mail Flow rule using the following settings:
- when message is sent to: distributiongroup@yourplace.com
- drop the message without delivering
- except when it comes from these IPs: IP or range of IP of valid sending servers.
You could also do 'except when from this address', but on its own that could still be exploited.
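The mail flow rule the reply describes, expressed in Exchange Online PowerShell. This is an added example, not code from the thread or from Microsoft; the rule name, the DL address and the 203.0.113.0/24 range (a TEST-NET placeholder) are assumptions to replace with your own values. It assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session is already open.

```powershell
# Added example: implement "drop mail to the DL unless it comes from the monitoring
# service's IPs" as an Exchange Online transport rule. All values below are assumptions.

$dlAddress     = 'distributiongroup@yourplace.com'   # assumption: the monitoring DL
$monitoringIps = @('203.0.113.0/24')                  # assumption: placeholder range of the monitoring service
$ruleName      = 'Drop mail to monitoring DL unless from monitoring IPs'

# Condition: message is sent to the DL.
# Exception: the connecting SMTP client IP is in the monitoring service's range.
# Action: delete the message without delivering it.
New-TransportRule -Name $ruleName `
    -SentTo $dlAddress `
    -ExceptIfSenderIpRanges $monitoringIps `
    -DeleteMessage $true `
    -Comments 'Only the monitoring service may deliver to this DL; anything else is silently dropped.'

# Read the rule back to confirm the condition, exception and action landed as intended.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SentTo, ExceptIfSenderIpRanges, DeleteMessage
```

Because a transport rule evaluates internal mail too, this drops messages from your own users to the DL as well. If internal senders must still reach it, add `-ExceptIfFromScope InOrganization` alongside the IP exception; unauthenticated external submissions are not in scope of that exception, so the spoofed "on behalf of" mail described above is still dropped.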
Sep 16 2021 07:53 AM
Sep 16 2021 12:42 PM - edited Sep 16 2021 12:44 PM
A message truly sent on behalf would be considered authenticated and internal. Anything can be put in the From field. Are you able to post the header (remove any of your IPs)? Have you confirmed it came from external, not an internal machine? If the address list has been extracted at some point, an attacker could know to add the 'on behalf' to the From address. Cheers.
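The header check this reply asks for, as an added PowerShell triage helper (not code from the thread). It unfolds a raw header block, then reports the Exchange authentication verdict (X-MS-Exchange-Organization-AuthAs), the connecting IP from the earliest Received hop, the SPF/DKIM/DMARC results and whether a Sender header is present, which a genuine "send on behalf" message carries. The sample header is constructed for illustration; 203.0.113.45 is a TEST-NET placeholder and example.com / yourplace.com are assumed names.

```powershell
# Added example: summarise where a message really came from, using the headers that
# distinguish an anonymous SMTP submission from an authenticated internal "on behalf" send.

function Get-MailOriginSummary {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold continuation lines (RFC 5322: a line starting with whitespace continues the previous header).
    $unfolded = $RawHeaders -replace "`r?`n[ `t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    $header   = @{}
    $received = @()
    foreach ($line in $lines) {
        if ($line -match '^(?<name>[^:]+):\s*(?<value>.*)$') {
            $name = $Matches.name.Trim()
            if ($name -ieq 'Received') {
                $received += $Matches.value
            } elseif (-not $header.ContainsKey($name)) {
                $header[$name] = $Matches.value   # keep the first (topmost) occurrence of other headers
            }
        }
    }

    # AuthAs is stamped by Exchange: 'Anonymous' = unauthenticated submission,
    # 'Internal' = authenticated mailbox, which is what a real send-on-behalf shows.
    $authAs = $header['X-MS-Exchange-Organization-AuthAs']

    # Received headers are prepended at each hop, so the last one is the earliest hop.
    $firstHop = if ($received.Count -gt 0) { $received[-1] } else { '' }
    $senderIp = if ($firstHop -match '\[(?<ip>\d{1,3}(\.\d{1,3}){3})\]') { $Matches.ip } else { $null }

    $authResults = $header['Authentication-Results']
    $spf   = if ($authResults -match 'spf=(\w+)')   { $Matches[1] } else { 'none' }
    $dkim  = if ($authResults -match 'dkim=(\w+)')  { $Matches[1] } else { 'none' }
    $dmarc = if ($authResults -match 'dmarc=(\w+)') { $Matches[1] } else { 'none' }

    [pscustomobject]@{
        From             = $header['From']
        Sender           = $header['Sender']          # set on genuine "send on behalf" messages
        AuthAs           = $authAs
        FirstHopIp       = $senderIp
        SPF              = $spf
        DKIM             = $dkim
        DMARC            = $dmarc
        LikelyExternal   = ($authAs -ne 'Internal')   # anonymous/external submission, not an internal mailbox
    }
}

# Constructed sample: an anonymous SMTP submission whose display name imitates "on behalf of".
$sample = @"
Received: from mail.yourplace.com (10.0.0.5) by hub.yourplace.com with Microsoft SMTP Server id 15.1
Received: from unknown-host (unknown [203.0.113.45])
 by mail.yourplace.com with ESMTP id abc123
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=example.com; dkim=none; dmarc=fail action=oreject
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Monitoring on behalf of distributiongroup" <alerts@example.com>
To: distributiongroup@yourplace.com
Subject: Monitoring alert
"@

Get-MailOriginSummary -RawHeaders $sample | Format-List
```

On the constructed sample the summary shows AuthAs = Anonymous, no Sender header, FirstHopIp = 203.0.113.45 and SPF/DMARC failures, which is the pattern of an outside submission to a DL that accepts unauthenticated senders rather than a real send-on-behalf.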