I received an inquiry today from a user who reports that several of the industry newsletters she subscribes to are now going into her quarantine. I tracked down the dozen emails she noted from the last two days and found they were all sent from the domain in.constantcontact.com.
I started down a rabbit hole in the Threat Protection Status Reports, view data by Email > Phish, break down by Detection Technology. I found a spike of Phishing Campaigns on June 1 caught by Advanced Filter and a few by Spoof External.
Also, the emails caught by Advanced Filter have the Anti-spam policy applied, whereas those caught by Spoof External have the Anti-phish policy. Both of these policies are set to direct messages to junk; only the malware policy is set to quarantine messages. Yet all the messages in question are going straight to quarantine.
I suspect it's somehow related to the NOBELIUM response, due to our industry, Constant Contact being the only domain involved, and the timing. We are a US-based nonprofit working with the federal and state government, but our work is completely domestic, and this seems to have started June 1, the third business day after the NOBELIUM announcement and the first business day after Memorial Day.
Here's a sample of the report, with confidential information removed.
[Report chart: Source of Compromise]
So I'm considering my options. Do I create a mail flow rule to allow anything from the Constant Contact domain or IP through? That will let too much junk through. Do I try to create a list of our safe senders that use Constant Contact and create mail flow rules based on sender email address? That seems like too much ongoing work and still a bit risky.
Any advice or relevant links would be appreciated. Many thanks in advance!
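An added example, not code from the original post, of how such a rule could be scoped and trialled in Exchange Online PowerShell: it matches the envelope sender domain in.constantcontact.com, additionally requires a DKIM pass in the Authentication-Results header, and starts in Audit mode so message trace shows what it would have affected before anything changes. The rule name, comment text, custom header name and the seven-day window are assumptions.

```powershell
# Added example, not code from the original post. Assumes the ExchangeOnlineManagement
# module and an account with Exchange admin rights; rule name and dates are placeholders.
Connect-ExchangeOnline

$ruleName = 'Constant Contact newsletters - audit'

# Match on the envelope (MAIL FROM) domain: the visible From: address on Constant
# Contact mail is the newsletter publisher's, not in.constantcontact.com.
# Also require a DKIM pass so a forged envelope domain alone does not satisfy the rule.
New-TransportRule -Name $ruleName `
    -Comments 'Trial: bypass spam filtering for authenticated Constant Contact mail' `
    -Mode Audit `
    -SenderDomainIs 'in.constantcontact.com' `
    -SenderAddressLocation Envelope `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'dkim=pass' `
    -SetSCL -1 `
    -SetHeaderName 'X-Org-Allowed-Newsletter' `
    -SetHeaderValue 'constantcontact-audit' `
    -StopRuleProcessing $true

# After a few days, list the Constant Contact mail seen in that window. The Status
# column shows whether it was delivered, quarantined or filtered before deciding
# whether to enforce the rule.
$since = (Get-Date).AddDays(-7)
Get-MessageTrace -StartDate $since -EndDate (Get-Date) -PageSize 1000 |
    Where-Object { $_.SenderAddress -like '*@in.constantcontact.com' } |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status |
    Sort-Object Received -Descending

# Once the audit results look right, switch the rule on:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Exchange Online still quarantines mail it classifies as malware or high-confidence phishing regardless of an SCL -1 rule, so if the Detection Technology column in the report shows those verdicts, a rule like this will not release them and the remaining route is a report to Microsoft or a quarantine release.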