cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SMTP via User

Tyler Miller
Contributor

‎Mar 07 2018 08:17 AM - edited ‎Mar 07 2018 08:55 AM

‎Mar 07 2018 08:17 AM - edited ‎Mar 07 2018 08:55 AM

SMTP via User

Our CFO has Multi-Factor authentication set up and working. Someone tried to send an email on his behalf to a non-existent email address, so he received the bounce back in his inbox. The original email was never in his Sent box, but how is it possible that someone (a hacker I presume) could send email on his behalf, through Office365, without authenticating as him?

 

Here are the message headers, I replaced the sender (our CFO) with YYYYY and the recipient (a non-existent mailbox) with XXXXX

Original Message Headers
Received: from BN3PR11CA0018.namprd11.prod.outlook.com
 (2a01:111:e400:51e4::28) by SN1PR11MB0574.namprd11.prod.outlook.com
 (2a01:111:e400:530f::21) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Wed, 7
 Mar 2018 15:43:47 +0000
Received: from DM3NAM05FT022.eop-nam05.prod.protection.outlook.com
 (2a01:111:f400:7e51::208) by BN3PR11CA0018.outlook.office365.com
 (2a01:111:e400:51e4::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.567.14 via Frontend
 Transport; Wed, 7 Mar 2018 15:43:47 +0000
Authentication-Results: spf=neutral (sender IP is 66.111.4.221)
 smtp.mailfrom=risebakingcompany.com; risebakingcompany.com; dkim=pass
 (signature was verified) header.d=messagingengine.com;risebakingcompany.com;
 dmarc=none action=none header.from=risebakingcompany.com;
Received-SPF: Neutral (protection.outlook.com: 66.111.4.221 is neither
 permitted nor denied by domain of risebakingcompany.com)
Received: from new1-smtp.messagingengine.com (66.111.4.221) by
 DM3NAM05FT022.mail.protection.outlook.com (10.152.98.132) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.548.7 via Frontend Transport; Wed, 7 Mar 2018 15:43:46 +0000
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
        by mailnew.nyi.internal (Postfix) with ESMTP id 573EE10F1
        for <XXXXX@risebakingcompany.com>; Wed,  7 Mar 2018 10:43:46 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
  by compute7.internal (MEProxy); Wed, 07 Mar 2018 10:43:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=content-transfer-encoding:content-type
        :date:from:message-id:mime-version:reply-to:subject:to
        :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=J5yc94p8OcoMielqo
        weJHr1/JS5dWOFLsW5ZI0n+giI=; b=Sros9ppkL1hz/XZGS/A7gcjWZy4Q1fdOB
        376jMEyio6zHl6jbNQdux/qAwsnrtTXqJr3IJqkjpOefkZ+hCO9buu7z+X5CEOZo
        FdwSzzmwQHgkZ6D+XMd/rUXXG0votMRAOUZErS1DdUTm64YZu6o+74Ti/I+DNPt/
        HCHaK5JxzYtIhk6Dydy0kXWL4IYx+zKoJJ+h90brysy6hk9l1L+FK4Lo1QjEgk4G
        t1w2MvwgjPaBRibLVwoZ5ic9DyYtXtoQdOEF4xNfvC7wSE4apAF2RqJZCc+I+YEQ
        lRVnPrD2Mt5s5WTgpIumqC2c14bJFNHz9PGzRn+sckLvLIroqZ9xA==
X-ME-Sender: <xms:sgigWt3l2Il5qJP0vi8x-g3P3mmsCsFjIkz3MPBYz2AwZZnY_PnjZA>
Received: from Ms-MacBook.local (unknown [23.108.31.122])
        by mail.messagingengine.com (Postfix) with ESMTPA id 9D2167E660
        for <XXXXX@risebakingcompany.com>; Wed,  7 Mar 2018 10:43:45 -0500 (EST)
Reply-To: YYYYY@mobiledevice.mobi
To: XXXXX@risebakingcompany.com
From: Chris YYYYY <YYYYY@risebakingcompany.com>
Subject: Kindly get back
Message-ID: <21c64a2b-f97e-09a7-c316-99d796c40de1@risebakingcompany.com>
Date: Wed, 7 Mar 2018 10:43:44 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0)
 Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Return-Path: YYYYY@risebakingcompany.com
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 9c9ca00d-d89b-441e-a989-1ae7f6387804:0
X-Forefront-Antispam-Report: CIP:66.111.4.221;IPV:NLI;CTRY:US;EFV:NLI;
X-Microsoft-Exchange-Diagnostics: 1;DM3NAM05FT022;1:22KTfsIJsrHtk/9hXI7qkXbLBstTxAbLpPufCoqKHWGJ4egiyN9wLIV2Evy2BOE4ZyF7IR3XeGyx94qwyUTSJ4yzyLM4x1stQhhuaziR6t+CkNW6DCOra22VCBBlc7/L
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: c30401f0-1aeb-4fd8-d598-08d58442372f
X-Microsoft-Antispam:
 UriScan:;BCL:0;PCL:0;RULEID:(7020095)(5600026)(4604075)(4605076)(1401096)(8001031)(1405069)(71702078);SRVR:SN1PR11MB0574;
X-Microsoft-Exchange-Diagnostics:
 1;SN1PR11MB0574;3:JnjkmfARjIFKfRcfYH04lGJThsNTuDO2UXaa3HxjtBYDGHgp2u8EIwEVE7vdskPBMjMNYbTuTsGpy+Gm/28pnLF5t2J9NubNlIao4u43MQ2Z3QvkUNX7/iXeXqZ/3iuDYibXCqyQgg+IqpUoXisn88d9eJY2ScT4OZ2N6QTgpMyiwE2/Mcx5GrDV66e94aIDc79i1zPw9+NA89HB0sntt8lxyC6ksaNFnNrFwuMyVF+fl+U/sqExp1wlZjrxUpNrEpmMbDPMjFQE8zqRLhGwz4XAiWOJwM+GyC5C6J0mpxt9cAbW83sRkGUFlbgSz3L2xQKMMGWLkMkD9ZFXd0WgcOnLHphjkWihyv5ZYZjM014=;25:t4rn8dm6J9zqIzoLygCSGsmXepkYJWl+eJTmJ57mzPdsJaBI5uVSYNRp88A5rH0OoCnKcK5iuclzKOVzyAJZ54mA8HUBHtQ+DQVRr5aXpHGy85COQ3XFWBkeVlqedreVIqpK6ubd83vzJUc/7axsFWityzAudHxnqL9QXe4jJxAy1okbCJpAFK65Quk+RQfB9eJbqlq5RIH921S8YjhxswZ65/sok4+gTFmJ31rI0Q3eQpzUjcB1TLExVCw2biqGvKXyAvYxfOuBl7vLYDorbRBUePkzbGJlPf7O89HBeO5C08pQ9Bln0fwqTklt7uC68Vlk0n4UYG42ZoSPEyacow==
X-MS-TrafficTypeDiagnostic: SN1PR11MB0574:

Thanks!!

Labels:
8,280 Views
0 Likes
6 Replies
Reply
6 Replies

‎Mar 07 2018 12:05 PM - edited ‎Mar 07 2018 12:07 PM

‎Mar 07 2018 12:05 PM - edited ‎Mar 07 2018 12:07 PM

Re: SMTP via User

Looks like a typical spoof attempt to me. Anyone can send anything as anyone on the internet when it comes to SMTP. I could pop out to my SMTP server and send an e-mail as YYYY@risebakingcompany.com if I wanted to to anyone I wanted. If they aren't using DKIM or SPF etc. it could very well get through, but in this case it was blocked and returned whom the message was set as the from address.

0 Likes
Reply
Tyler Miller

‎Mar 07 2018 12:08 PM

‎Mar 07 2018 12:08 PM

Re: SMTP via User

This is hard for me to believe, simply because I have devices on my network that I have set up to send alerts via SMTP, and if I do not authenticate as the same email as the sender it fails to send the email. SMTP via O365 seems to be very picky on what it accepts, simply because SMTP use to be so open and allow for anyone to send anything. I thought that was fixed now.

0 Likes
Reply

‎Mar 07 2018 12:20 PM

‎Mar 07 2018 12:20 PM

Re: SMTP via User

This email originated from some other IP outside of 365. You don’t have to use their servers to send as their domains.
0 Likes
Reply
Tyler Miller

‎Mar 07 2018 12:24 PM

‎Mar 07 2018 12:24 PM

Re: SMTP via User

So you are saying that their servers allowed them to send email from our O365 domain to us, using their SMTP servers, not ours? If so, wouldn't it show the email address they used to authenticate against their SMTP server, or they just sent it anonymously with no authentication? 

0 Likes
Reply

‎Mar 07 2018 12:27 PM

‎Mar 07 2018 12:27 PM

Re: SMTP via User

They didn’t send anything to your servers you said it got blocked and then you got the NDR. I can go right now to my smtp server and send as you to some random place and if it got blocked you would get the NDR.
0 Likes
Reply
Tyler Miller

‎Mar 07 2018 12:30 PM

‎Mar 07 2018 12:30 PM

Re: SMTP via User

oh, we got a bounce back because the TO email address does not exist, not because it was blocked as spam. The email address they were sending to was not valid. If it would have been, the email would have been delivered and we would have never known about it.

0 Likes
Reply