Microsoft Tech Community
SOLVED

Suspicious emails not blocked


Usually Exchange Online spam filter is quite good on filtering spam and emails with malicious links. But one user has received fake "Mail Validation" email with Office 365 logo and links going into some random site. I have checked the headers and it looks weird:

Received: from VE1EUR01FT041.eop-EUR01.prod.protection.outlook.com
 (2a01:111:f400:7e01::204) by VI1PR0801CA0081.outlook.office365.com
 (2603:10a6:800:7d::25) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.973.16 via Frontend
 Transport; Tue, 24 Jul 2018 19:37:52 +0000
Authentication-Results: spf=pass (sender IP is 40.107.4.77)
 smtp.mailfrom=bartimeus.nl; esf.lt; dkim=pass (signature was verified)
 header.d=Bartimeus.onmicrosoft.com;esf.lt; dmarc=bestguesspass action=none
 header.from=bartimeus.nl;
Received-SPF: Pass (protection.outlook.com: domain of bartimeus.nl designates
 40.107.4.77 as permitted sender) receiver=protection.outlook.com;
 client-ip=40.107.4.77; helo=EUR03-DB5-obe.outbound.protection.outlook.com;
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (40.107.4.77) by
 VE1EUR01FT041.mail.protection.outlook.com (10.152.3.103) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.952.17 via Frontend Transport; Tue, 24 Jul 2018 19:37:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=Bartimeus.onmicrosoft.com; s=selector1-bartimeus-nl;

esf.lt is our domain. It seems that this Bartimeus.nl is using Office 365 as well, and these fake emails are sent through legitimate servers; maybe that's the reason for Exchange Online to accept them. Should I try to inform this company that their email is probably being used for malicious activity?
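To see what those passes actually establish, here is an added Python example (not from the thread or from Microsoft) that parses the two Authentication-Results values quoted in this discussion and reports which identifier alignment holds; the reading of bestguesspass as "the From domain publishes no DMARC record, but the message would have passed if it did" follows Microsoft's documented meaning of that value.

```python
import re

# Constructed from the two Authentication-Results headers quoted in the thread,
# unfolded onto one line each (EOP wraps them across several header lines).
SAMPLE_HEADERS = [
    "spf=pass (sender IP is 40.107.4.77) smtp.mailfrom=bartimeus.nl; esf.lt; "
    "dkim=pass (signature was verified) header.d=Bartimeus.onmicrosoft.com;esf.lt; "
    "dmarc=bestguesspass action=none header.from=bartimeus.nl;",
    "spf=pass (sender IP is 40.107.2.103) smtp.mailfrom=abconkenya.com; esf.lt; "
    "dkim=pass (signature was verified) header.d=AbconKenya.onmicrosoft.com;esf.lt; "
    "dmarc=bestguesspass action=none header.from=abconkenya.com;",
]

# Method results (spf=pass ...) and the domain properties that accompany them.
FIELD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)|\b(smtp\.mailfrom|header\.d|header\.from)=([^;\s]+)")

def parse_auth_results(value):
    """Map each method result and domain property found in an Authentication-Results value."""
    parsed = {}
    for m in FIELD.finditer(value):
        if m.group(1):
            parsed[m.group(1)] = m.group(2).lower()
        else:
            parsed[m.group(3)] = m.group(4).lower()
    return parsed

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (adequate for .nl/.com here)."""
    return ".".join(domain.lower().split(".")[-2:])

def assess(value):
    """Report which DMARC alignments hold and what the pass results really mean."""
    r = parse_auth_results(value)
    from_dom = r.get("header.from", "")
    findings = []
    if r.get("spf") == "pass" and org_domain(r.get("smtp.mailfrom", "")) == org_domain(from_dom):
        findings.append("spf-aligned")
    if r.get("dkim") == "pass" and org_domain(r.get("header.d", "")) == org_domain(from_dom):
        findings.append("dkim-aligned")
    if r.get("dmarc") == "bestguesspass":
        # EOP's value for: no DMARC record for the From domain, but it would have passed.
        findings.append("no-dmarc-record")
    if r.get("header.d", "").endswith(".onmicrosoft.com"):
        # Signed only with the tenant's default domain, not the customer's own domain.
        findings.append("signed-with-tenant-default-domain")
    return {"from": from_dom, "findings": findings}

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(assess(header))
```

Both messages pass because they really were sent from those Microsoft 365 tenants, so SPF/DKIM/DMARC alone cannot catch them; the parsed results are still useful as a triage signal, for example sending external mail that is bestguesspass and signed only under onmicrosoft.com for closer inspection.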


Lots of scammers/phishers are using cloud services nowadays, which are oftentimes implicitly trusted by clients/providers. You can try reaching someone at the company and let them take action, and you can also report this as phishing so that the O365 team can take a deeper look at why it failed detection.

I know. I had to fight spammers using AWS with dynamic IPs when still using hosted Exchange. And a few months back I reported the same spammer to MailChimp 3 times, I think. Anyway, is there some form to report phishing in the Office 365 admin center or Security & Compliance center?

You can report it directly from within Outlook/OWA.

The same user received another similar email, this time from another server. It has the same design: Office 365 logo, green message "This message is from trusted user". It is unsettling that such an obvious phishing practice is not blocked. It uses some gibberish links in the email, which alone should mark this email as useless junk. We don't have ATP. Will try to report this email from Outlook on Monday.

An example of such an email: [image: office365validate-fake.png]

Headers of this last message:

Authentication-Results: spf=pass (sender IP is 40.107.2.103)
 smtp.mailfrom=abconkenya.com; esf.lt; dkim=pass (signature was verified)
 header.d=AbconKenya.onmicrosoft.com;esf.lt; dmarc=bestguesspass action=none
 header.from=abconkenya.com;
Received-SPF: Pass (protection.outlook.com: domain of abconkenya.com
 designates 40.107.2.103 as permitted sender) receiver=protection.outlook.com;
 client-ip=40.107.2.103; helo=EUR02-VE1-obe.outbound.protection.outlook.com;
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (40.107.2.103) by
 DB5EUR01FT060.mail.protection.outlook.com (10.152.5.232) with Microsoft SMTP

We haven't found a way to report phishing in Outlook (aside from the regular Junk mail settings), so we have reported it via OWA (the last few messages).

Solution (best response confirmed by wroot)

Every email had the same IP address of a sending device, some Windows box with default computer name (DESKTOP-blabla). I've been advised to create a mail flow rule to block emails from this IP and so far the user is not receiving them.

@wroot I was curious since these responses are dated back to 2018, have you been able to learn how to report such phishing? I’m the victim of cyberabuse with the abuser continuously and maliciously using any form to harass. With that being said, I received just the other day, Sept. 2022, the exact same phishing email message header BUT the email itself was from the individual due to having children together. The email body was of a normal message but knowing his history of hacking I analyzed the email and it came back exactly what this discussion was about to a ‘T.’ I know he’s a hacker, has hacked many of my accounts, he’s violated a restraining order on many occasions, how can I report this and is there any way anyone reading this knows how I can prove the hacking?? He’s escalating and that puts me at a high risk for my safety and our children’s. Please if someone can help me find ways to prove and use to hold him accountable, it would be much appreciated. 

I have tried to contact the news agency nieuwsuur.nl to inform them about organized slavery, racism and crimes committed against me and some other people in Europe (Benelux). I got a reply back from someone pretending to be nieuwsuur.nl:

from: Nieuwsuur Mail <email address removed for privacy reasons>
to: Vincent Rogiest <email address removed for privacy reasons>
date: Aug 19, 2023, 5:57 PM
subject: Automatisch antwoord: onderzoek
mailed-by: eur02-vi1-obe.outbound.protection.outlook.com
signed-by: nieuwsuur.nl
security: Standard encryption (TLS)
importance: Important according to Google magic.

Can anyone inform me what is going on here in the old Europe?