SOLVED

Phising e-mail from microsoft domain?!

%3CLINGO-SUB%20id%3D%22lingo-sub-3300068%22%20slang%3D%22en-US%22%3EPhising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300068%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20got%20this%20e-mail%20today%20and%20it%20was%20in%20my%20Junk%20folder%20so%20I%20thought%20it%20was%20phishing%20email.%20But%20once%20I%20opened%20it%20sender%20had%20microsoft.com%20in%20email%20as%20domain.%20After%20inspecting%20similar%20e-mails%20I%20noticed%20that%20the%20structure%20of%20this%20e-mail%20is%20nothing%20like%20when%20Outlook%20sends%20this%20e-mail.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EMy%20question%20is%20how%20the%20hell%20did%20the%20sender%20use%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41501%22%20target%3D%22_blank%22%3E%40microsoft%3C%2FA%3E.com%20domain%20for%20his%2Fhers%20email%3F%3CBR%20%2F%3E%3CBR%20%2F%3EHere%20is%20the%20e-mail%3A%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22usanzadunje_0-1651476186503.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368366i69AFFCBFD473542E%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22usanzadunje_0-1651476186503.png%22%20alt%3D%22usanzadunje_0-1651476186503.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3301298%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3301298%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1378548%22%20target%3D%22_blank%22%3E%40usanzadunje%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESince%20you%20are%20not%20an%20enterprise%20administrator%2C%20this%20is%20unlikely%2C%20but%20such%20sharing%20in%20the%20enterprise%20is%20dangerous!may%20lead%20to%20data%20encryption.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3301236%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3301236%22%20slang%3D%22en-US%22%3ECould%20this%20log%20file%20lead%20to%20my%20account%20being%20compromised%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3301221%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3301221%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1378548%22%20target%3D%22_blank%22%3E%40usanzadunje%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20you%20should%20remove%20the%20log%20dumps%20-%26gt%3B%20there%20is%20information%20that%20should%20not%20be%20shared%20in%20a%20public%20forum.%3CBR%20%2F%3EAnd%20other%20MTC%20Members%20should%20not%20ask%20for%20this%20-%20for%20safety.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3301124%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3301124%22%20slang%3D%22en-US%22%3EOhh%2C%20good%20to%20know%20this.%20Thanks%20for%20that.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20guess%20these%20malicious%20users%20have%20become%20very%20crafty%20these%20days%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300810%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300810%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1378548%22%20target%3D%22_blank%22%3E%40usanzadunje%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20a%20good%20catch%20from%20your%20end%2C%20as%20this%20is%20definitely%20a%20phishing%20email.%20See%20below.%3C%2FP%3E%3CP%3EDkim%2C%20dmarc%2C%20spf%20failed...%20There%20is%20no%20doubt%20that%20message%20was%20tagged%20to%20go%20to%20junk%2C%20but%20I%20also%20see%20that%20action%3Doreject%20might%20have%20been%20the%20reason%20it%20went%20to%20Inbox.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHopefully%20you%20won't%20have%20these%20issues%20in%20the%20future%2C%20but%20if%20you%20suspect%20to%20anything%20you%20can%20analyze%20the%20heard%2C%20go%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmha.azurewebsites.net%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMessage%20Header%20Analyzer%20(mha.azurewebsites.net)%3C%2FA%3E%26nbsp%3Band%20paste%20the%20header.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Adin_Calkic_0-1651523225109.png%22%20style%3D%22width%3A%20731px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368649i9889C21C35DB4BCD%2Fimage-dimensions%2F731x68%3Fv%3Dv2%22%20width%3D%22731%22%20height%3D%2268%22%20role%3D%22button%22%20title%3D%22Adin_Calkic_0-1651523225109.png%22%20alt%3D%22Adin_Calkic_0-1651523225109.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Adin_Calkic_1-1651523575116.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368652i7E6DA7BAAA552FB1%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Adin_Calkic_1-1651523575116.png%22%20alt%3D%22Adin_Calkic_1-1651523575116.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300209%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300209%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1370919%22%20target%3D%22_blank%22%3E%40Adin_Calkic%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESure%2C%20here%20is%20the%20log.%20It%20wont%20let%20me%20upload%20.txt%20file%20so%20I%20dumped%20whole%20log%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300205%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300205%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1378548%22%20target%3D%22_blank%22%3E%40usanzadunje%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%20for%20your%20reply.%20It%20is%20challenging%20to%20understand%20what%20is%20happening%20because%20we%20don't%20have%20access%20to%20the%20mailbox%2C%20but%20would%20you%20be%20able%20to%20View%20message%20source%20and%20upload%20the%20logs%3F%20Thanks!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Adin_Calkic_0-1651490103670.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368400i0D63BF9D7FFBBD6E%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Adin_Calkic_0-1651490103670.png%22%20alt%3D%22Adin_Calkic_0-1651490103670.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300177%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300177%22%20slang%3D%22en-US%22%3E%3CP%3EYeah%20I%20checked.%20There%20is%20nothing%20similar%20to%20information%20I%20got%20in%20that%20e-mail.%3CBR%20%2F%3ESo%20now%20I%20am%20convinced%20that%20it%20is%20100%25%20phishing%20e-mail.%3CBR%20%2F%3E%3CBR%20%2F%3ECould%20you%20maybe%20explain%20how%20did%20that%20e-mail%20used%20microsoft.com%20domain%20as%20sender%3F%3C%2FP%3E%3CP%3EThis%20is%20really%20%22scary%22%20since%20it%20comes%20from%20Microsoft%20and%20you%20said%20that%20you%20have%20seen%20legit%20Microsoft%20e-mails%20go%20in%20Junk%2C%20there%20is%20no%20way%20to%20know%20if%20this%20is%20phishing%20or%20not.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EMany%20will%20click%20links%20right%20away%2C%20others%20might%20check%20domain%20if%20they%20were%20burnt%20before%20but%20even%20those%20who%20do%20check%20it%20are%20going%20to%20get%20tricked.%20Luckily%20I%20do%20not%20trust%20anyone%20when%20it%20comes%20to%20these%20kind%20of%20things.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300169%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300169%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1378548%22%20target%3D%22_blank%22%3E%40usanzadunje%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIn%20order%20to%20be%20100%25%20certain%20that%20your%20account%20is%20safe%2C%20please%20visit%3A%3C%2FSPAN%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faccount.microsoft.com%2Fsecurity%3Flang%3Den-US%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faccount.microsoft.com%2Fsecurity%3Flang%3Den-US%3C%2FA%3E%26nbsp%3Band%20check%20Sign-in%20activity.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20have%20seen%20legitimate%20emails%20from%20Microsoft%20in%20the%20junk%20folder%20in%20the%20past.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Adin_Calkic_0-1651487460605.png%22%20style%3D%22width%3A%20329px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368391iC93BE4B2EC38D8D0%2Fimage-dimensions%2F329x472%3Fv%3Dv2%22%20width%3D%22329%22%20height%3D%22472%22%20role%3D%22button%22%20title%3D%22Adin_Calkic_0-1651487460605.png%22%20alt%3D%22Adin_Calkic_0-1651487460605.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300140%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300140%22%20slang%3D%22en-US%22%3EDo%20not%20expect%20confirmation%20in%20a%20public%20forum%20-%20this%20is%20not%20possible.%3CBR%20%2F%3EEmails%20can%20always%20be%20crafted%2C%20so%20it's%20best%20to%20enter%20your%20account%20directly%20without%20using%20the%20shared%20link%3CBR%20%2F%3EBest%20regards%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300127%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300127%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F968545%22%20target%3D%22_blank%22%3E%40Andrzej1%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20confirm%20this%20is%20phishing%20e-mail%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20for%20this%20particular%20e-mail%20there%20are%20flags%20(%20'!'%20and%20'flag%20icon')%20and%20I%20think%20Microsoft%20never%20sends%20those%2C%20at%20least%20it%20did%20not%20in%20e-mails%20I%20received%20before.%20Can%20you%20also%20confirm%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22usanzadunje_0-1651483015254.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F368381i921924E98FCA149F%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22usanzadunje_0-1651483015254.png%22%20alt%3D%22usanzadunje_0-1651483015254.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20mean%20I'm%2099%25%20sure%20it%20was%20phishing%2C%20why%20the%20heck%20would%20Outlook%20send%20its%20own%20e-mail%20to%20Junk%20xd.%20But%20domain%20part%20is%20confusing%20to%20me%20and%20if%20it%20happened%20to%20me%20it%20may%20happen%20to%20others%20which%20could%20easily%20click%20on%20link%20sent%20in%20that%20e-mail..%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300119%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300119%22%20slang%3D%22en-US%22%3EYou%20can%20do%202%20things%20to%20check%3A%3CBR%20%2F%3ESet%20Edge%20by%20default%20-%20of%20course%2C%20then%20you%20can%20change%20it.%3CBR%20%2F%3EAnd%20I%20suggest%20you%20add%20an%20Outlook%20account%20-%20to%20the%20mail%20app%20for%20Windows10%20-%26gt%3B%20is%20the%20most%20secure%20configuration!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300103%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300103%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F968545%22%20target%3D%22_blank%22%3E%40Andrzej1%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3ENope%2C%20I%20am%20using%20Brave%2C%20not%203rd%20party%20extension.%20I%20just%20went%20on%20live.com%20website%20as%20I%20always%20do%20to%20check%20my%20e-mail.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3300099%22%20slang%3D%22en-US%22%3ERe%3A%20Phising%20e-mail%20from%20microsoft%20domain%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3300099%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1378548%22%20target%3D%22_blank%22%3E%40usanzadunje%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20is%20your%20guess%20browser%20Edge%3F%3CBR%20%2F%3EAre%20you%20using%20a%20third-party%20Outlook%20extension%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello,

 

I got this e-mail today and it was in my Junk folder so I thought it was phishing email. But once I opened it sender had microsoft.com in email as domain. After inspecting similar e-mails I noticed that the structure of this e-mail is nothing like when Outlook sends this e-mail.


My question is how the hell did the sender use @microsoft.com domain for his/hers email?

Here is the e-mail: 

usanzadunje_0-1651476186503.png

 

14 Replies

@usanzadunje 

Hi, is your guess browser Edge?
Are you using a third-party Outlook extension?

@Andrzej1 
Nope, I am using Brave, not 3rd party extension. I just went on live.com website as I always do to check my e-mail.

You can do 2 things to check:
Set Edge by default - of course, then you can change it.
And I suggest you add an Outlook account - to the mail app for Windows10 -> is the most secure configuration!

@Andrzej1 

 

Can you confirm this is phishing e-mail?

 

Also for this particular e-mail there are flags ( '!' and 'flag icon') and I think Microsoft never sends those, at least it did not in e-mails I received before. Can you also confirm this?

 

usanzadunje_0-1651483015254.png

 

I mean I'm 99% sure it was phishing, why the heck would Outlook send its own e-mail to Junk xd. But domain part is confusing to me and if it happened to me it may happen to others which could easily click on link sent in that e-mail..

 

Do not expect confirmation in a public forum - this is not possible.
Emails can always be crafted, so it's best to enter your account directly without using the shared link
Best regards

Hi @usanzadunje ,

 

In order to be 100% certain that your account is safe, please visit: https://account.microsoft.com/security?lang=en-US and check Sign-in activity. 

 

I have seen legitimate emails from Microsoft in the junk folder in the past.

 

Adin_Calkic_0-1651487460605.png

 

Yeah I checked. There is nothing similar to information I got in that e-mail.
So now I am convinced that it is 100% phishing e-mail.

Could you maybe explain how did that e-mail used microsoft.com domain as sender?

This is really "scary" since it comes from Microsoft and you said that you have seen legit Microsoft e-mails go in Junk, there is no way to know if this is phishing or not. 

Many will click links right away, others might check domain if they were burnt before but even those who do check it are going to get tricked. Luckily I do not trust anyone when it comes to these kind of things.

Hi @usanzadunje ,

 

Thanks for your reply. It is challenging to understand what is happening because we don't have access to the mailbox, but would you be able to View message source and upload the logs? Thanks!

 

Adin_Calkic_0-1651490103670.png

 

@Adin_Calkic 

 

Sure, here is the log. It wont let me upload .txt file so I dumped whole log here.

best response confirmed by usanzadunje (Occasional Contributor)
Solution

Hi @usanzadunje ,

 

It's a good catch from your end, as this is definitely a phishing email. See below.

Dkim, dmarc, spf failed... There is no doubt that message was tagged to go to junk, but I also see that action=oreject might have been the reason it went to Inbox.

 

Hopefully you won't have these issues in the future, but if you suspect to anything you can analyze the heard, go to Message Header Analyzer (mha.azurewebsites.net) and paste the header.

 

Adin_Calkic_0-1651523225109.png

 

Adin_Calkic_1-1651523575116.png

 

Ohh, good to know this. Thanks for that.

I guess these malicious users have become very crafty these days :)

@usanzadunje 

I think you should remove the log dumps -> there is information that should not be shared in a public forum.
And other MTC Members should not ask for this - for safety.

Could this log file lead to my account being compromised?

@usanzadunje 

Since you are not an enterprise administrator, this is unlikely, but such sharing in the enterprise is dangerous!may lead to data encryption.