Someone spoofed my company's domain


Good afternoon,

Someone has spoofed my company's domain and is sending hundreds of emails to random organizations worldwide. He is using one of the valid email accounts to impersonate, and as a result one of our users was receiving 20-30 replies from unknown people. We have enabled a DMARC reject policy and it had an effect. I can see that multiple attempts are now being rejected due to SPF check failure. However, DMARC doesn't protect in 100% of cases and some of the emails are still being delivered. I believe these are those cases where the receiving side is not validating SPF/DKIM. I'm getting multiple DMARC reports and can see source IP addresses for the spoofing emails. All of them are from the GoDaddy IP range, but GoDaddy is not replying to abuse reports. My question: is there any other way to complain and stop this?

3 Replies
Sadly it's not that easy, best thing to do is harden things on your end and keep on reporting them.
Make sure to instruct users about this spam and, when they receive it, to mark it as Junk (instead of deleting); this way your Anti-Spam filter will get smarter.
I suggest you please check with your internal security team; there are various ways!
Please deploy Azure Defender to protect your public DNS as well as all IaaS and PaaS workloads, start adopting the "Zero Trust security model" and Defender for Endpoint, Azure ATP, MCAS and AIP, and for that you need an M365 E5 license, which is more effective.