Malware Detections Report


I have been looking at the Malware Detections report for our tenant. I have noticed a lot of malware detections showing as outbound, and the sender and recipient addresses are spo_arbitration_GUID@MyDomain.onmicrosoft.com (changed MyDomain for privacy).

Any idea what these are, and should I be worried that it is showing as Outbound? I was thinking it was a SharePoint or OneDrive thing.
Any help appreciated.

3 Replies

Probably is, but it's hard to guess without at least seeing the Message trace logs. Open a support case, just to be on the safe side.

Thanks for the response. I opened up a support case shortly after posting on here. Their response was that it was probably nothing to worry about, but on pressing them I asked them to provide some advice to understand what it may be. Up until now the steps they have asked for have been unfruitful in tracking down any information.

During my own investigation I found that the SPO_Arbitration thing may have come about from a rule we have set up to send specific emails (mainly zip attachments) to an Exchange approval assistant mailbox. When these mails are not responded to within 2 days, the message is automatically expired and a message is sent to the sender. This often means that if an email contains a zip file with a malicious file and is expired, then the mail flow shows the email going outbound from our domains with the SPO_Arbitration prefix.

This is my theory, and I have an email sitting in the Exchange approval mailbox waiting to be expired so I can follow it.

I have noticed that we have messages flagged as outbound malware on the Malware Detections Report as well. When I dig deeper, the sender is xxxx@notmydomain.com, and there are always two rows with two different recipient addresses (but the same user) listed: yyyy@mydomain.onmicrosoft.com and yyyy@mydomain.com.

Any idea why this may be?
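An added triage sketch, not code from the thread or from Microsoft, that sorts exported report rows into the two patterns the posters describe (the spo_arbitration_GUID sender from the expired-approval theory, and one user appearing twice under the tenant's onmicrosoft.com and vanity domains) so that the genuinely outbound rows are what is left to review. The domain names, the row shape (Direction, Sender, Recipient) and the sender regex are assumptions; the rows are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rows, not real tenant data (assumed export shape).
SAMPLE_ROWS = [
    ("Outbound", "spo_arbitration_0f1e2d3c-aaaa@mydomain.onmicrosoft.com",
                 "spo_arbitration_0f1e2d3c-aaaa@mydomain.onmicrosoft.com"),
    ("Outbound", "xxxx@notmydomain.com", "yyyy@mydomain.onmicrosoft.com"),
    ("Outbound", "xxxx@notmydomain.com", "yyyy@mydomain.com"),
    ("Outbound", "alice@mydomain.com", "bob@partner.example"),
]

# Assumed: the tenant's vanity domain and its initial onmicrosoft.com domain.
TENANT_DOMAINS = {"mydomain.com", "mydomain.onmicrosoft.com"}
PRIMARY_DOMAIN = "mydomain.com"
# Assumed sender shape based on the thread's "spo_arbitration_GUID@..." example.
ARBITRATION_RE = re.compile(r"^spo_arbitration_[^@]+@", re.IGNORECASE)


def normalise(addr: str) -> str:
    """Fold yyyy@mydomain.onmicrosoft.com and yyyy@mydomain.com onto one user."""
    local, _, domain = addr.lower().partition("@")
    return f"{local}@{PRIMARY_DOMAIN}" if domain in TENANT_DOMAINS else f"{local}@{domain}"


def triage(rows):
    """Bucket report rows: arbitration expiry, alias duplicates, external sender, review."""
    buckets = defaultdict(list)
    seen = set()
    for direction, sender, recipient in rows:
        if ARBITRATION_RE.match(sender):
            # Matches the poster's theory: expiry notice from the approval mailbox.
            buckets["arbitration_expiry"].append((sender, recipient))
            continue
        key = (direction, normalise(sender), normalise(recipient))
        if key in seen:
            # Same user reported once per tenant domain; keep only the first row.
            buckets["duplicate_alias_row"].append((sender, recipient))
            continue
        seen.add(key)
        if direction == "Outbound" and sender.lower().split("@")[1] not in TENANT_DOMAINS:
            buckets["external_sender_marked_outbound"].append((sender, recipient))
        else:
            buckets["review"].append((sender, recipient))
    return dict(buckets)
```

Rows left in the "review" bucket are the ones worth pulling a message trace for; the other buckets explain themselves from the thread's observations.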