alot of users getting spam


a few of our users are getting spam emails that make it seem that the emails are from Microsoft.

some are received from their own email address.

upon checking the header, we found this.

dmarc failed.

what else can we do to block such spam email?


Authentication-Results: spf=none (sender IP is 92.38.163.78)
smtp.mailfrom=noreply.barracudanetworks.com; goldxxxxxx.com.sg; dkim=none
(message not signed) header.d=none;golxxxx.com.sg; dmarc=fail
action=none header.from=golxxxxxxx.com.sg;compauth=fail reason=601
Received-SPF: None (protection.outlook.com: noreply.barracudanetworks.com does
not designate permitted sender hosts)
Received: from noreply.barracudanetworks.com (92.38.163.78) by
PU1APC01FT028.mail.protection.outlook.com (10.152.252.229) with Microsoft


2 Replies

Well, compauth=fail is a very strong signal, although I'm not sure what reason 601 exactly is. In any case, the message should have been marked as phish or spam. Read more here: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofing-protection

I do it in a couple of steps. Allow through if the Authentication-Results header includes dkim=pass and \.d=microsoft.com. Then quarantine anything with (?i)microsoft in the header. You have to be specific and can't just look at spf or dkim=pass without looking at what it's passing.
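As an added example (not code from the post or either reply), the following Python parses an Authentication-Results header like the one quoted in the question and applies the two-step rule from the last reply. The sample messages, domains and IPs are constructed; scoping the "microsoft" match to From/Reply-To/Subject is my assumption about the intended rule, since the Exchange Online Received line quoted above itself ends "with Microsoft".

```python
import re

# Constructed sample messages, modelled on the header quoted in the post above.
# Domains and IPs are placeholders (RFC 5737 / .invalid), not real senders.
SPOOFED = """Received: from relay.example-relay.invalid (192.0.2.10) by
 mx.example.com.sg (192.0.2.1) with Microsoft SMTP Server
Authentication-Results: spf=none (sender IP is 192.0.2.10)
 smtp.mailfrom=relay.example-relay.invalid; example.com.sg; dkim=none
 (message not signed) header.d=none;example.com.sg; dmarc=fail
 action=none header.from=example.com.sg;compauth=fail reason=601
From: Microsoft Account Team <it@example.com.sg>
Subject: Your mailbox is full"""

LEGIT = """Authentication-Results: spf=pass (sender IP is 192.0.2.20)
 smtp.mailfrom=microsoft.com; example.com.sg; dkim=pass (signature was verified)
 header.d=microsoft.com;example.com.sg; dmarc=pass action=none
 header.from=microsoft.com;compauth=pass reason=100
From: Microsoft <noreply@microsoft.com>
Subject: Security alert"""

PLAIN = """Authentication-Results: spf=pass (sender IP is 192.0.2.30)
 smtp.mailfrom=partner.invalid; example.com.sg; dkim=pass
 header.d=partner.invalid;example.com.sg; dmarc=pass action=none
 header.from=partner.invalid;compauth=pass reason=100
From: Alice <alice@partner.invalid>
Subject: Invoice 42"""

def headers(raw):
    """Unfold RFC 5322 continuation lines and return {name.lower(): value}."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return {n.lower(): v for n, v in re.findall(r"^([\w-]+):\s*(.*)$", unfolded, re.M)}

def parse_auth_results(raw):
    """Map each method/property in Authentication-Results to its value, e.g.
    {'spf': 'none', 'dkim': 'none', 'header.d': 'none', 'compauth': 'fail', 'reason': '601'}.
    Parenthesised comments are stripped first so their text cannot pose as a result."""
    body = re.sub(r"\([^)]*\)", "", headers(raw).get("authentication-results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"([\w.]+)=([^;\s]+)", body)}

def classify(raw):
    """Two-step rule from the reply: allow mail whose DKIM passes for d=microsoft.com,
    then quarantine anything else that claims Microsoft in From/Reply-To/Subject.
    Scoped to those headers (assumption) because Exchange Online's own Received
    line says 'with Microsoft SMTP Server', so matching every header would hit all mail."""
    ar, h = parse_auth_results(raw), headers(raw)
    if ar.get("dkim") == "pass" and ar.get("header.d") == "microsoft.com":
        return "allow"
    claimed = " ".join(h.get(n, "") for n in ("from", "reply-to", "subject"))
    return "quarantine" if re.search(r"(?i)microsoft", claimed) else "deliver"
```

Run `classify()` over each sample: the spoofed message (dkim=none, compauth=fail) is quarantined, the DKIM-signed microsoft.com mail is allowed, and unrelated mail passes through untouched.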