Microsoft Stop the Spam


Am I the only one that sees this as an issue? I have several customers that I manage, none of which are currently on Office 365. They have in-house Exchange servers. But what we are seeing is the following, and it is becoming a huge issue.

My customers work with any number of clients, vendors, or partners (senders) that ARE using Office 365 as their legitimate email servers. My clients have increasingly been receiving emails from these senders that are actually SPAM, SCAM, PHISHING or otherwise non-legitimate email. But these are not just emails that are obvious spam that come from the sender's spoofed address that can be blacklisted, but instead these are emails that look EXACTLY like the legitimate email from the senders and coming from the servers from which the senders would be sending.

So it is as if the hackers have broken into the legitimate mail account on the Office365 servers, extracted the verbiage, signatures, greetings, manner of speaking, logos, etc., etc., and have crafted the email with some sort of payload or misdirect and then send it to my clients from the VERY SAME bank or farm of Office365 servers.

These are impossible to block on our Spam service because blocking the SCAM would also block the legitimate email.

We notify the client that they may have been hacked, and might need to change passwords. We forward these emails to junk@office365.microsoft.com and phish@office365.microsoft.com in hopes that Microsoft Support will find a way to begin closing down these hackers on their end.

Of course, I have no direct way to call Microsoft Support and explain this to them, as we are not an O365-subscribing business. I HAVE attempted to get the discussion going by opening a couple $500 support tickets as if it was a problem on our Exchange server, just so I could talk to someone at Microsoft. But they ultimately find that there is no issue with our servers, agree that the email is coming from MS servers, refund the money, but do NOT seem to want to take this back to Office365 Support to address it.

What else can I do?

1 Reply
You need to investigate your staff and your mailbox audit logs. I've had users get their accounts compromised via phishing and they will get into their Exchange Online accounts and set up rules to hide messages and spam internal people. MFA would all but kill this issue, but it happens. Are you sure that these legit-looking messages aren't actually being sent internally from compromised accounts?
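
The audit-log check the reply points to can be sketched as a small triage script. This is an added example, not part of the thread or any Microsoft tooling. It assumes audit records exported one JSON object per line with `Operation`, `UserId`, `ClientIP` and a `Parameters` name/value list; the folder watch list and all sample records are constructed.

```python
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders a mailbox owner rarely opens (assumed watch list; tune per tenant).
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                 "deleted items", "junk email", "archive"}

def hiding_reasons(record):
    """Return why a rule-change audit record looks like message hiding."""
    if record.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: str(p.get("Value", ""))
              for p in record.get("Parameters", [])}
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.strip().lower() in QUIET_FOLDERS:
        reasons.append("moves mail to " + folder)
    # Marking as read only matters alongside a hide action.
    if reasons and params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks it read")
    return reasons

def review(json_lines):
    """Return (user, client IP, reasons) for each suspicious record."""
    findings = []
    for line in json_lines:
        rec = json.loads(line)
        reasons = hiding_reasons(rec)
        if reasons:
            findings.append((rec.get("UserId"), rec.get("ClientIP"), reasons))
    return findings

def _rec(op, user, ip, **params):  # builds one constructed sample line
    return json.dumps({"Operation": op, "UserId": user, "ClientIP": ip,
        "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]})

# Constructed sample records (example domains, documentation IP ranges).
SAMPLE = [
    _rec("New-InboxRule", "alice@contoso.example", "203.0.113.50", Name=".",
         SubjectOrBodyContainsWords="invoice;payment", DeleteMessage="True"),
    _rec("New-InboxRule", "bob@contoso.example", "198.51.100.7",
         Name="Newsletters", MoveToFolder="Newsletters"),
    _rec("Set-InboxRule", "carol@contoso.example", "203.0.113.50",
         Identity="fwd", MoveToFolder="RSS Feeds", MarkAsRead="True"),
    _rec("Set-Mailbox", "admin@contoso.example", "198.51.100.9", Identity="bob"),
]

if __name__ == "__main__":
    for user, ip, reasons in review(SAMPLE):
        print(user, ip, "; ".join(reasons))
```

Two mailboxes flagged from the same client IP, as in the sample, is the kind of overlap worth correlating with sign-in records for those accounts.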