Jul 25 2018 12:49 AM
Jul 25 2018 12:49 AM
Usually Exchange Online spam filter is quite good on filtering spam and emails with malicious links. But one user has received fake "Mail Validation" email with Office 365 logo and links going into some random site. I have checked the headers and it looks weird:
Received: from VE1EUR01FT041.eop-EUR01.prod.protection.outlook.com
(2a01:111:f400:7e01::204) by VI1PR0801CA0081.outlook.office365.com
(2603:10a6:800:7d::25) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.973.16 via Frontend
Transport; Tue, 24 Jul 2018 19:37:52 +0000
Authentication-Results: spf=pass (sender IP is 184.108.40.206)
smtp.mailfrom=bartimeus.nl; esf.lt; dkim=pass (signature was verified)
header.d=Bartimeus.onmicrosoft.com;esf.lt; dmarc=bestguesspass action=none
Received-SPF: Pass (protection.outlook.com: domain of bartimeus.nl designates
220.127.116.11 as permitted sender) receiver=protection.outlook.com;
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (18.104.22.168) by
VE1EUR01FT041.mail.protection.outlook.com (10.152.3.103) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.952.17 via Frontend Transport; Tue, 24 Jul 2018 19:37:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
esf.lt is our domain. It seems that this Bartimeus.nl is using Office 365 as well and these fake emails are sent through legitimate servers and maybe that's the reason for Exchange Online to accept them. Should i try to inform this company that their email is probably being used for malicious activity?
Jul 25 2018 10:35 AM
Lots of scammers/phishers are using cloud services nowadays, which are often times implicitly trusted by clients/providers. You can try reaching someone at the company and let them take action, and you can also report this as phishing so that the O365 team can take a deeper look why it failed detection.
Jul 25 2018 10:53 AM
I know. I had to fight spammers using AWS with dynamic IPs when still using hosted Exchange. And a few months back have reported same spammer to MailChimp 3 times i think. Anyway, is there some form to report phishing in Office 365 admin center, Security & Compliance center?
Jul 28 2018 05:19 AM
Same user received another similar email. This time from another server. It has same design. Office 365 logo, green message "This message is from trusted user". It is unsettling that such an obvious phishing practice is not blocked. It uses some gibberish links in the email, which alone should mark this email as useless junk. We don't have ATP. Will try to report this email from Outlook on Monday.
Jul 30 2018 04:12 AM
Headers of this last message:
Authentication-Results: spf=pass (sender IP is 22.214.171.124)
smtp.mailfrom=abconkenya.com; esf.lt; dkim=pass (signature was verified)
header.d=AbconKenya.onmicrosoft.com;esf.lt; dmarc=bestguesspass action=none
Received-SPF: Pass (protection.outlook.com: domain of abconkenya.com
designates 126.96.36.199 as permitted sender) receiver=protection.outlook.com;
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (188.8.131.52) by
DB5EUR01FT060.mail.protection.outlook.com (10.152.5.232) with Microsoft SMTP
We havfen't found a way to report phishing in Oultook (aside of regular Junk mail settings), so we have reported it via OWA (a few last messages).
Aug 01 2018 11:08 PMSolution
Every email had the same IP address of a sending device, some Windows box with default computer name (DESKTOP-blabla). I've been advised to create a mail flow rule to block emails from this IP and so far the user is not receiving them.