User Profile
vand3rlinden
Brass Contributor
Joined 7 years ago
Recent Discussions
self-to-self spoofing attack with honor DMARC policy turned on
Dear Community, I have a concern. I am an absolute fan of the ‘Honor DMARC record policy when the message is detected as spoof’ setting in the Anti-phishing policy, especially the action ‘If the message is detected as spoof and DMARC Policy is set as p=reject’ set to reject the message. However, from the field I have seen that when a user is attacked by self-to-self spoofing, they will receive an NDR from Exchange Online with the original email attached in .eml format, which is expected but unwanted. This .eml file contains all the links that could be exploited by an attacker. I have reproduced the problem from my own mail server and my demo tenant with a DMARC-compliant domain on p=reject. Here is an example:
- The user received a Non-Delivery Report (NDR) from Exchange Online indicating that their message was rejected by DMARC because the sending domain has a DMARC policy set to reject.
- As you can see in the screenshot above, the original email is attached as an .eml, which may contain suspicious content and links to AitM phishing sites. This is expected, but unwanted in self-to-self spoofing attacks.
I found two solutions:
Solution 1: Set the detection ‘If the message is detected as spoof and DMARC Policy is set as p=reject’ to “Quarantine the message” instead of “Reject the message”. But that is not exactly what you want when you want to honor the DMARC policy, and the Configuration Analyzer also recommends setting it to “Reject the message”.
Solution 2: Creating a mail flow rule with the following content
I'm curious if there are other smarter solutions, or if Microsoft needs to investigate this issue within the Defender for Office 365 product team. What are your thoughts? Have a nice Sunday! 🙂 Ricardo
Windows Sandbox No Internet Connection after KB5028185
Hi all, I have been using Windows Sandbox for a while now, but since KB5028185 was installed on my device, my Windows Sandbox keeps saying 'No Internet Connection'. When looking around, I have tried plenty of possible solutions:
- Reinstalled Windows Sandbox
- Verified that the following features are enabled: Containers, Hyper-V, Virtual Machine Platform, Windows Hypervisor Platform
- Flushed my DNS
- Ran the Internet Connection Troubleshooter, but I don't have any network issues on my host device
I'm also not using a VPN; it just stopped working since KB5028185. Can someone confirm whether this KB stops Windows Sandbox from working, or does someone know the golden fix? Thanks in advance. Kr, Ricardo
Azure AD SSPR Password write back issue
Hi all, a company I work for has issues with the reset password function with AD Connect. In the SSPR audit logs in Azure AD, we see on 'Reset password (self-service)' the status reason 'OnPremisesAdminActionRequired', with a follow-up event log on the AD Connect server: event ID 33004 with error "hr=80230626, message=The password could not be updated because the management agent credentials were denied access". I have faced this issue before, and that time it was caused by the AD DS connector account not having the right permissions. In this case that is not it. What I have done so far:
- Updated AD Connect from 2.0.89.0 to 2.0.91.0
- Enforced TLS 1.2: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement
- Checked the AD DS connector account 'MSOL_xxxxxxxx' permissions: https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#verify-that-azure-ad-connect-has-the-required-permissions
- The user does not have the options 'password never expires' or 'user cannot change password' configured
- Let AD Connect talk to another DC (dc02 instead of dc01)
- Checked the connection to the SSPR service from the DCs: Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443
- The action 'Change password (self-service)' is successful (via the My Account portal); only the action 'Reset password (self-service)' faces this issue (via passwordreset.microsoftonline.com). Both use the same OnPremisesAgent -> AADConnect
Has anyone an idea what else I can try? Regards, Ricardo
Re: Exchange Online: Connector creation failed
Rana_Banerjee, I completely agree with you; a dev tenant should contain all possibilities. Unfortunately, Microsoft will not change this. They mentioned this in their FAQ, https://learn.microsoft.com/en-us/office/developer-program/microsoft-365-developer-program-faq#does-the-instant-sandbox-have-different-capabilities-than-a-standard-microsoft-365-e5-subscription-: In Exchange Online, inbound connectors for mail flow are not supported. If you try to create an inbound connector, you will get the following error: "Error executing request. For this service offering, you can't create or update inbound connectors in your organization."
Re: Exchange Online: Connector creation failed
Hi Dennis, I found our answer: https://learn.microsoft.com/en-us/office/developer-program/microsoft-365-developer-program-faq#does-the-instant-sandbox-have-different-capabilities-than-a-standard-microsoft-365-e5-subscription- But this brings me some questions; I asked the support team the following there:
1: Why has this changed? I was always able to do this.
2: As Microsoft 365 developers and engineers, we need to test anything for our customers without limits. Could it be clarified why this isn't functioning?
3: Could you contact the developer program leads and ask them about this situation?
Re: Exchange Online: Connector creation failed
Hi Dennis, thanks, great to hear that I'm not the only one. I do not understand why; like you and, I guess, all others, we test all things in our DEV tenants before making changes in PROD. This causes delays in our work if we can no longer test everything properly. Microsoft tells me now to create a ticket in their ServiceNow; I will update this post when I have new information.
Re: Exchange Online: Connector creation failed
I found this was a global issue with Microsoft, reference EX417250, and it was resolved on 06/09/2022. Unfortunately not for my tenant. This tenant was created on developer.microsoft.com. Does someone have advice on how to contact Microsoft? Office 365 support doesn't bring any luck.
Exchange Online: Connector creation failed
Hi all, I have a dev tenant running to do some POCs for customers. I need to do a POC, and for this POC I need to create a connector in Exchange Online. I was always able to do so, but now I get the error:
###################################
Connector creation failed
Error: Error executing request. For this service offering, you can’t create or update inbound connectors in your organization ‘TENANT ID’.
###################################
I'm trying to search online, but it does not bring any luck. I created a case at Microsoft, also no luck (yet). I was (2 months ago) always able to create or edit connectors (in the GUI or PS) and now suddenly not. Does someone know how to fix this? Regards, Ricardo
Re: Recover calendar items from a Microsoft 365 group
VasilMichev, thanks, this was the trick. For future readers, here is the full fix.
<#
Get-RecoverableItems and Restore-RecoverableItems
The cmdlets are available only in the Mailbox Import Export role, and by default, the role isn't assigned to any role groups. To use this cmdlet, you need to add the Mailbox Import Export role to a role group (for example, to the Organization Management role group).
#>
#### 1: Add the role if it does not exist
New-ManagementRoleAssignment -SecurityGroup "Organization Management" -Role "Mailbox Import Export"
#### 2: Search on FilterItemType IPM.Appointment (meetings and appointments)
# Search all
Get-RecoverableItems -Identity "primarysmtp" -FilterItemType IPM.Appointment
# Search in a range
Get-RecoverableItems -Identity "primarysmtp" -FilterItemType IPM.Appointment -FilterStartTime "3/17/2022 12:00:00 AM" -FilterEndTime "6/15/2022 11:59:59 PM"
#### 3: After you check the results, you can go over to the restore
# Restore all
Restore-RecoverableItems -Identity "primarysmtp" -FilterItemType IPM.Appointment
# Restore in a range
Restore-RecoverableItems -Identity "primarysmtp" -FilterItemType IPM.Appointment -FilterStartTime "3/17/2022 12:00:00 AM" -FilterEndTime "6/15/2022 11:59:59 PM"
# All item types and message classes: https://docs.microsoft.com/en-us/office/vba/outlook/concepts/forms/item-types-and-message-classes
Recover calendar items from a Microsoft 365 group
Hi! Someone at an organization I work for has accidentally deleted all the calendar items of a Microsoft 365 Group. I am trying to restore those items. I added the Microsoft 365 Group as a shared folder in OWA. From there the Deleted Items folder is visible, with all the deleted items, but it gives no restore option. Normally you see something like this: At this moment, I do not have any option to restore the calendar items in the Deleted Items folder of the Microsoft 365 Group. I'm trying to search online on how to restore this, but didn't find any answers. Hope someone knows the trick 🙂 Regards, Ricardo
User get onmicrosoft.com instead of default domain
Hi, I have an environment with a local AD, synced with AAD. If I create a user in the local AD with User.LogonName@mydomain.com and sync this with AAD, the user gets the right UPN in AAD, also in admin.microsoft.com -> Users. Mydomain.com is the default. But only in Exchange Online does the user get User.LogonName@mydomain.onmicrosoft.com. I can quick-fix that by filling the Mail attribute in the local AD and syncing again. But I want to fix it so that if I create a user, he gets the right email domain in Exchange Online. Also under EXO -> Accepted domains, mydomain.com is the default. Please guys, help me out. Thanks in advance, Ricardo
Cannot Delete a Mailbox with Retention Policies Enabled
Dear, In my environment I have a retention policy in the Security & Compliance Center for Exchange Online mail. Now I have a service account that had a mailbox in the past, which is not needed anymore, but the service account still needs to exist in the environment for some reason. If I open the user in the admin portal a message appears: "Exchange: An unknown error has occurred. Refer to correlation ID: xxx-xx-xxx". Now I got the error message with the commands:
(Get-MsolUser -UserPrincipalName domain@domain.com).errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription
Get-MsolUser -HasErrorsOnly | Format-Table DisplayName,UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}} -AutoSize
"Exchange can't disable the mailbox, because it is on In-Place Hold."
What I've done for troubleshooting:
1. Gave the service account back the license, excluded him from the retention policy, waited till the policy succeeded and removed the license. No luck.
2. Re-provisioned the mailbox with "Redo-MsolProvisionUser -ObjectID". No luck.
3. Followed this great guide: https://masterandcmdr.com/2020/04/24/cannot-delete-a-mailbox-with-retention-policies-enabled/ No luck.
In the guide at step 3, they are speaking about an inactive mailbox. My service account is not inactive; it still exists. I just want to delete the mailbox for this service account. I hope anyone can help me out. Regards, Ricardo
Re: Azure AD SSPR Password write back issue
Thank you for sharing, Jan, and great that you have fixed event ID 33001; I will save your solution! For ID 33008, I updated my blog post as well. 33008 can have multiple solutions: https://vand3rlinden.nl/index.php/2020/07/03/fix-sspr-failure-reason-onpremisesadminactionrequired/
Re: Azure AD SSPR Password write back issue
Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was set up in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account to that GPO on both domains. For future readers:
1: Open Local Security Policy: click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-click and select Properties
4: On the Template Security Policy Setting, click Edit Security
5: Under Group or user names, click Add and add the AD DS connector account
7: Leave everything default and click OK
Thank you again for your knowledge and time.
Re: Azure AD SSPR Password write back issue
Hi Bilal, I had a call yesterday with Microsoft regarding the issue. Microsoft told me to check the “Network access: Restrict clients allowed to make remote calls to SAM” GPO. However, this GPO is not defined in either the Domain or the Domain Controller GPO policies. But the reg key ‘RestrictRemoteSam’ that is tied to that GPO setting is listed on the DCs that talk with AD Connect; this is interesting. I propose a change to delete the reg key on one domain controller first and let AD Connect talk only with that DC, which then does not have the reg key ‘RestrictRemoteSam’. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls But it remains strange that the SSPR reset function suddenly stopped working since Monday 7/2/22; still, this is an interesting progression. Will update this post ASAP.