Office365 groups spam emails


Hi,

My company recently experienced a spear phishing attack. Luckily, we discovered it before anything happened.

The email was sent to one of our Office365 groups and was freely distributed to all users in the group, however, it was located in the Junk folder for all users. The group's settings are set to allow external users to email this group, as it is necessary, and to send copies of conversations and events to group members. My question is if groups do not have the default spam filter? If they do, do they simply just send copies of the emails recognized as spam nonetheless?

In general, I would just like to know if there is a way to prevent copies of spam emails sent to the group from being distributed to its users?

Best regards,

Rasmus

3 Replies

They do, and they also have their own Junk E-mail folder where such messages should be placed. Since that didn't happen in your case, I'm guessing the message wasn't detected as spam at that point. There can be numerous reasons for that, but instead of guessing, go ahead and run a message trace - it will give you all the necessary details.

@Vasil Michev

Hi Vasil,

Thank you for your answer. You are right, the message did pass the group mail spam filter (the one saying delivered) but not for the users, as you can see from the image. Do you know if there is anything to do, so this won't happen in the future?

Best regards,

Rasmus

I can only guess - all the details you need are in the message trace/detailed message trace and the message headers. It might be that it failed the DKIM check because of the "forward" to the individual users, or the few seconds it took to do that were sufficient for the EOP filters to start recognizing it as actual spam, etc.
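
The header comparison suggested in the last reply can be scripted. This is an added example, not part of the original thread: it reads the `Authentication-Results` and `X-Forefront-Antispam-Report` headers that Exchange Online Protection stamps on a message and compares the group mailbox copy with a member's copy. The sample headers are constructed and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample headers (not from the thread): the copy kept in the
# group mailbox and the copy that was fanned out to a group member.
GROUP_COPY = (
    "Authentication-Results: spf=pass smtp.mailfrom=example.net;"
    " dkim=pass header.d=example.net; dmarc=pass header.from=example.net\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;SCL:1;SFV:NSPM;CAT:NONE;\n"
    "Subject: Invoice\n\nbody\n")
MEMBER_COPY = (
    "Authentication-Results: spf=fail smtp.mailfrom=example.net;"
    " dkim=fail header.d=example.net; dmarc=fail header.from=example.net\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;SCL:5;SFV:SPM;CAT:SPM;\n"
    "Subject: Invoice\n\nbody\n")

def verdict(raw):
    """Extract SPF/DKIM/DMARC results plus SCL and SFV from one raw message."""
    msg = message_from_string(raw)
    auth = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    checks = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    report = "".join((msg.get("X-Forefront-Antispam-Report") or "").split())
    fields = dict(p.split(":", 1) for p in report.split(";") if ":" in p)
    return {
        "spf": checks.get("spf"),
        "dkim": checks.get("dkim"),
        "dmarc": checks.get("dmarc"),
        "scl": int(fields["SCL"]) if "SCL" in fields else None,
        "sfv": fields.get("SFV"),
    }

def compare(group_raw, member_raw):
    """Return {field: (group_value, member_value)} for fields that differ."""
    g, m = verdict(group_raw), verdict(member_raw)
    return {k: (g[k], m[k]) for k in g if g[k] != m[k]}

def likely_cause(diff):
    """Map the difference onto the two explanations offered in the reply."""
    dkim = diff.get("dkim")
    if dkim and dkim[0] == "pass" and dkim[1] != "pass":
        return "authentication broke on fan-out"
    if "scl" in diff or "sfv" in diff:
        return "filter verdict changed between deliveries"
    return "no header difference"

if __name__ == "__main__":
    diff = compare(GROUP_COPY, MEMBER_COPY)
    print(diff, "->", likely_cause(diff))
```

Feed it the raw headers of both copies as saved from the mail client; the message trace still gives the authoritative delivery timeline.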