cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Malware Detections Report

Scott Preston
Iron Contributor

‎Oct 20 2017 06:31 AM

‎Oct 20 2017 06:31 AM

Malware Detections Report

I have been looking at the Malware Detections report for our tenant. I have noticed a lot of malware detections showing as outbound and the sender and recipient address is spo_arbitration_GUID@MyDomain.onmicrosoft.com (Changed MyDomain for privacy).

 

Any idea what these are and should I be worried that it is showing as Outbound. I was thinking it was a Sharepoint or OneDrive thing.

 

Any help appreciated.

3,011 Views
0 Likes
3 Replies
Reply
3 Replies
Vasil Michev

‎Oct 23 2017 10:25 AM

‎Oct 23 2017 10:25 AM

Re: Malware Detections Report

Probably is, but it's hard to guess without at least seeing the Message trace logs. Open a support case, just to be on the safe side.

0 Likes
Reply
Scott Preston

‎Oct 26 2017 07:44 AM

‎Oct 26 2017 07:44 AM

Re: Malware Detections Report

Thanks for the response. I opened up a support case shortly after posting on here. Response from them was it was probably nothing to worry about but on pressing them I asked them to provide some advice to understand what it may be. Up until now the steps they have asked have been unfruitful in tracking down any information. 

 

During my own investigation I found that the SPO_Arbitration thing may have come about from a rule we have setup to send specific emails  (Mainly zip attachments) to an exchange approval assistant mailbox. When these mails are not responded to within 2 days the message is automatically expired and a message is sent to the sender. This often means if an email contains a zip file with a malicious file and is expired then the mail flow shows the email going outbound from our domains with the SPO_Arbitration prefix. 

 

This is my theory and I have an email sitting in the Exchange approval mailbox awaiting to be expired so I can follow it.

0 Likes
Reply
Christopher Borders

‎Jun 06 2018 09:01 AM

‎Jun 06 2018 09:01 AM

Re: Malware Detections Report

I have noticed that we have messages flagged as outbound malware on the Malware Detections Report as well. When I dig deeper, the sender is xxxx@notmydomain.com, and there are always two rows with two different recipient addresses (but the same user) listed: yyyy@mydomain.onmicrosoft.com and yyyy@mydomain.com

 

Any idea why this may be?

0 Likes
Reply