Aug 09 2023 02:22 PM
I checked our Defender for Cloud Apps portal this morning, just looking around at different activity logs and queries. I found something odd.
The activity shows usage on a mobile device, Apple iOS using MS Outlook: the creation of an email with attachments, both of which were in Kanji and Hanzi characters. This is not due to encoding, as some of it translated, for example "Please note that you should practice the customs of the process." as the email subject. Plus, there were many files attached as well, some of whose names translated:
"Hirojozhi Jie"
"Hirojozuke"
The file extensions do not translate, unfortunately.
The user has confirmed that he did not create or send out emails from the mobile device.
Investigation in Mail Explorer in Defender does not show the email as ever existing.
I am considering it a spoof email.
How do I verify it was a spoof?
How is it that a spoof is listed in the cloud portal as coming from a mobile device? That seems too specific.
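One check a practitioner would run next, added here as an example and not part of the original post: a single Microsoft Defender XDR Advanced Hunting query that lines up the Defender for Cloud Apps activity for the mailbox, any mail Exchange Online recorded as sent from that address, and the user's Entra ID sign-ins over the same window. The UPN `alice@contoso.com` and the two-day window are placeholders. Office 365 activities in Cloud Apps come from the tenant's audit log, so a row there was performed by a session authenticated as the user; a message forged externally with the user's address would not produce one. That makes the IP address, ISP and user agent on the CloudAppEvents row the values to compare against the user's known devices, and the EmailEvents rows show whether a message with that subject actually left the tenant.

```kql
// Added example (not from the original post). Placeholders: the UPN and the window.
let user  = "alice@contoso.com";
let start = datetime(2023-08-08);
let stop  = datetime(2023-08-10);
union
  // 1. What Defender for Cloud Apps logged for the mailbox (the activity in the post).
  (CloudAppEvents
   | where Timestamp between (start .. stop)
   | where AccountId =~ user or AccountDisplayName =~ user
   | where Application == "Microsoft Exchange Online"
   | extend Source = "CloudAppEvents",
            Detail = strcat(ActionType, " | ", OSPlatform, " | ", UserAgent)
   | project Timestamp, Source, Detail, IPAddress, CountryCode, ISP),
  // 2. Mail Exchange Online recorded with this address as sender, in either direction.
  //    An externally spoofed sender shows up here as Inbound with failing AuthenticationDetails;
  //    a message the mailbox really sent shows up as Outbound.
  (EmailEvents
   | where Timestamp between (start .. stop)
   | where SenderFromAddress =~ user or SenderMailFromAddress =~ user
   | extend Source = "EmailEvents",
            Detail = strcat(EmailDirection, " | ", Subject,
                            " | attachments=", AttachmentCount,
                            " | auth=", AuthenticationDetails)
   | project Timestamp, Source, Detail, IPAddress = SenderIPv4,
             CountryCode = "", ISP = ""),
  // 3. Sign-ins for the account, to see which client, IP and country obtained a token.
  (AADSignInEventsBeta
   | where Timestamp between (start .. stop)
   | where AccountUpn =~ user
   | extend Source = "SignIn",
            Detail = strcat(Application, " | ", ClientAppUsed,
                            " | ", OSPlatform, " | error=", tostring(ErrorCode))
   | project Timestamp, Source, Detail, IPAddress, CountryCode = Country, ISP = "")
| order by Timestamp asc
```

Read the three sources side by side: a CloudAppEvents row for a mobile Outlook client with no matching sign-in from a device the user recognises, and no Outbound EmailEvents row for the subject, points to the activity itself rather than to the mail headers, so the next step is to review the IP and ISP on that row and the user's current sessions, not to hunt for a forged message.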