Phishing email sent on behalf of one of our own distribution groups?

%3CLINGO-SUB%20id%3D%22lingo-sub-2755549%22%20slang%3D%22en-US%22%3EPhishing%20email%20sent%20on%20behalf%20of%20on%20of%20our%20own%20distribution%20groups%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2755549%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20morning%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%20distribution%20group%20set%20up%20for%20receiving%20messages%20from%20a%20monitoring%20service.%20Due%20to%20this%20service%20being%20outside%20of%20our%20organisation%2C%20the%20DL%20is%20currently%20set%20to%20allow%20senders%20from%20inside%20and%20outside%20of%20the%20organisation%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22JC1231530_0-1631786080787.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F310775i210D384E95BEB087%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22JC1231530_0-1631786080787.png%22%20alt%3D%22JC1231530_0-1631786080787.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20distribution%20group%20is%20configured%20to%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Allow%20all%20senders%20outside%20and%20inside%20the%20organisation%3C%2FP%3E%3CP%3E-%20There%20are%20no%20'send%20on%20behalf'%20or%20'send%20as'%20permissions%20set%20on%20the%20DL%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22JC1231530_0-1631785691222.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F310771i7E97EDB01E9FF344%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22JC1231530_0-1631785691222.png%22%20alt%3D%22JC1231530_0-1631785691222.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22JC1231530_1-1631785705998.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F310772i7A98A81430E82A6B%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22JC1231530_1-1631785705998.png%22%20alt%3D%22JC1231530_1-1631785705998.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20could%20you%20shed%20some%20light%20on%20how%20this%20external%20phishing%20attempt%20was%20able%20to%20%22Send%20on%20behalf%20of%22%20a%20distribution%20list%20that%20doesn't%20have%20any%20send%20on%20behalf%20permissions%20set%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20in%20advance.%3C%2FP%3E%3CP%3EJ%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2755549%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%20Groups%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20Apps%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2755866%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20email%20sent%20on%20behalf%20of%20on%20of%20our%20own%20distribution%20groups%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2755866%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20notice%20it%20says%20send%20messages%20TO%20this%20group%20(not%20from)%2C%20so%20you%20have%20allowed%20anyone%20to%20send%20email%20to%20this%20group%20-%20so%20I%20can%20use%20an%20SMTP%20tool%20to%20send%20an%20unauthenticated%20email%20to%20the%20group%20'from%20any%20address%20I%20like'%20seeing%20as%20you%20have%20allowed%20it.%26nbsp%3B%20If%20you%20know%20the%20sending%20IP%20(or%20range%20of%20IPs)%20of%20the%20monitoring%20system%2C%20the%20best%20option%20would%20be%20a%20Mail%20Flow%20rule%20using%20the%20following%20settings%3A%3CBR%20%2F%3E-%20when%20message%20is%20sent%20to%3A%20distrbutiongroup%40yourplace.com%3CBR%20%2F%3E-%20drop%20the%20message%20without%20delivering%3CBR%20%2F%3E-%20except%20when%20it%20comes%20from%20these%20IPs%3A%20IP%20or%20range%20of%20IP%20of%20valid%20sending%20servers.%3CBR%20%2F%3EYou%20could%20also%20do%20'except%20when%20from%20this%20address'%20%2C%20but%20on%20it's%20own%20that%20could%20still%20be%20exploited.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2756511%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20email%20sent%20on%20behalf%20of%20on%20of%20our%20own%20distribution%20groups%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2756511%22%20slang%3D%22en-US%22%3EThank%20you%20for%20your%20response%20SimBur.%3CBR%20%2F%3E%3CBR%20%2F%3EThat's%20a%20good%20suggestion%2C%20thank%20you.%3CBR%20%2F%3E%3CBR%20%2F%3EHowever%2C%20do%20you%20have%20any%20idea%20what%20may%20have%20caused%20the%20message%20to%20appear%20as%20%22on%20behalf%20of%22%20when%20it%20was%20received%20by%20the%20members%20of%20the%20distribution%20group%3F%20This%20is%20what%20is%20confusing%20me%20the%20most.%3C%2FLINGO-BODY%3E
Occasional Contributor

Good morning,

 

We have a distribution group set up for receiving messages from a monitoring service. Due to this service being outside of our organisation, the DL is currently set to allow senders from inside and outside of the organisation:

 

JC1231530_0-1631786080787.png

 

 

 

This distribution group is configured to:

 

- Allow all senders outside and inside the organisation

- There are no 'send on behalf' or 'send as' permissions set on the DL

 

JC1231530_0-1631785691222.png

 

JC1231530_1-1631785705998.png

 

 

 

Please could you shed some light on how this external phishing attempt was able to "Send on behalf of" a distribution list that doesn't have any send on behalf permissions set?

 

Thank you in advance.

J

3 Replies

Hi, notice it says send messages TO this group (not from), so you have allowed anyone to send email to this group - so I can use an SMTP tool to send an unauthenticated email to the group 'from any address I like' seeing as you have allowed it.  If you know the sending IP (or range of IPs) of the monitoring system, the best option would be a Mail Flow rule using the following settings:
- when message is sent to: distrbutiongroup@yourplace.com
- drop the message without delivering
- except when it comes from these IPs: IP or range of IP of valid sending servers.
You could also do 'except when from this address' , but on it's own that could still be exploited.

Thank you for your response SimBur.

That's a good suggestion, thank you.

However, do you have any idea what may have caused the message to appear as "on behalf of" when it was received by the members of the distribution group? This is what is confusing me the most.

A message truly sent on behalf would be considered authenticated and internal.  Anything can be put in the From field - are you able to post the header (remove any of your IPs) have you confirmed it came from external, not an internal machine? If the address list has been extracted at some point an attacker could know to add the on behalf to the from address. Cheers.