Hi everyone,
below is a notification recently sent by Microsoft to O365 tenant admins.
As far as I understand this new subnet (40.95.0.0/16) is expected to deliver 
mostly traffic from compromised O365 tenants.
I’d like to check whether my understanding is correct or not; any feedback is 
welcome.

We are apparently talking about outbound traffic that has been attributed to a 
tenant but with an envelope sender on a domain that is not part of the tenant’s 
accepted domains.
For example, the tenant has an inbound connector with TLS authentication; the 
email passes this authentication and is therefore attributed to the tenant. It 
is an outbound email, but the envelope sender domain is not one of the tenant’s 
accepted domains.

Today what happens with such an email is that the envelope sender is rewritten 
based on Microsoft’s specific SRS 
<https://docs.microsoft.com/office365/troubleshoot/antispam/sender-rewriting-scheme> 
scheme and the email is delivered from one of the IP addresses listed in 
Microsoft’s SPF record.

What will happen on the 27th, as far as I understand, is that unless this email 
passes SPF or DKIM authentication, it will be delivered through the new 
outbound relay pool without any SRS rewriting. I don’t expect this new pool to 
be added to Microsoft’s SPF record.

I anticipate that most of the traffic coming from this new pool will be from 
compromised tenants: email passing tenant attribution but having an 
envelope-sender not among the tenant’s accepted domains and not passing either 
SPF or DKIM validation.
Is there any legit outbound traffic that can match this pattern?

Below is the notification message sent by Microsoft to our tenant a few days ago.

Cheers
Rodolfo

--

Rodolfo Saccani
CTO / Head of R&D

New outbound relay pool

We're making some changes to harden the configuration for relaying or 
forwarding email through Office 365.

Starting July 27, 2021, we are updating special relay pools, a separate IP 
address pool that is used for relayed or forwarded mails that are sent from 
domains that are not a part of accepted domains in your tenant. Only messages 
that are sent from domains that are not accepted domains in your tenant are 
impacted by this change.

How this will affect your organization:

When this change is implemented, messages that do not meet the below criteria 
will route through the Relay Pool and the messages might potentially end up in 
the recipient's junk folder.

  1.  Outbound sender domain is an accepted domain of the tenant.
  2.  SPF passes when the message comes to M365.
  3.  DKIM on the sender domain passes when the message comes to M365.

All messages that meet the above criteria will not be relayed through the Relay 
Pool. For relayed messages, we will skip SRS 
<https://docs.microsoft.com/office365/troubleshoot/antispam/sender-rewriting-scheme> 
rewrite.

What you can do to prepare:

When this change takes effect, you can tell a message was sent via the Relay 
Pool by looking at the outbound server IP (all Relay Pool IPs will be in the 
40.95.0.0/16 range), or by looking at the outbound server name (will have "rly" 
in the name).

For the messages to go through the regular pool you will need to make sure that, 
when a message arrives at Microsoft Office 365, SPF or DKIM passes, or the sender 
domain of the outbound message matches an accepted domain of your tenant.

For DKIM to work, make sure you enable DKIM for the sending domain. For example, 
if fabrikam.com is part of contoso.com's accepted domains and the sending address 
is [email protected], DKIM needs to be enabled for fabrikam.com. You can read 
how to enable DKIM here 
<https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#steps-to-manually-set-up-dkim>.

To add custom domains follow the steps outlined here 
<https://docs.microsoft.com/microsoft-365/admin/setup/add-domain?view=o365-worldwide>.



_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
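As an added example (not code from the post above or from Microsoft), the following Python script puts the two halves of the notification into runnable form: on the receiving side it recognises a message that left Office 365 via the Relay Pool using the two markers the notice gives (an address in 40.95.0.0/16 or a server name containing "rly"), and on the tenant side it applies the three criteria (accepted domain, SPF pass, DKIM pass on the sender domain) to predict which pool a message will take. The Received header, host names and IP addresses in the samples are constructed for this example and do not reflect Microsoft's actual naming; only the /16 range and the "rly" marker come from the notice.

```python
"""Relay Pool classification for Office 365 outbound mail (added example).

Two viewpoints from the notification:
  * receiver: did this message arrive from the Relay Pool?
  * tenant admin: will this message be sent through the Relay Pool?
"""
import ipaddress
import re
from typing import Iterable, Optional

# Outbound Relay Pool range as stated in Microsoft's notification.
RELAY_POOL = ipaddress.ip_network("40.95.0.0/16")

# Matches "from <helo> (<reverse-dns> [<ip>])" as written by common MTAs.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

# Constructed sample headers (host names and IPs are invented for this example).
SAMPLE_RELAY = (
    "Received: from NAM11-BN8-obe.outbound.protection.outlook.com "
    "(mail-bn8nam11rly0017.outbound.protection.outlook.com [40.95.21.7]) "
    "by mx.example.net with ESMTPS; Tue, 27 Jul 2021 10:15:02 +0000"
)
SAMPLE_REGULAR = (
    "Received: from NAM11-BN8-obe.outbound.protection.outlook.com "
    "(mail-bn8nam11on2084.outbound.protection.outlook.com [203.0.113.84]) "
    "by mx.example.net with ESMTPS; Tue, 27 Jul 2021 10:16:40 +0000"
)


def parse_received(header: str) -> Optional[dict]:
    """Return {'helo', 'rdns', 'ip'} from a Received header, or None if unparsable."""
    m = _RECEIVED_RE.search(header)
    return m.groupdict() if m else None


def is_relay_pool_source(ip: str, server_name: str = "") -> bool:
    """Receiver-side check using the two markers from the notice:
    an IP inside 40.95.0.0/16, or a server name containing "rly"."""
    try:
        in_pool = ipaddress.ip_address(ip) in RELAY_POOL
    except ValueError:
        in_pool = False  # malformed or missing IP: fall back to the name check
    return in_pool or "rly" in server_name.lower()


def inspect_received(header: str) -> Optional[dict]:
    """Parse one Received header and flag whether it came from the Relay Pool."""
    parsed = parse_received(header)
    if parsed is None:
        return None
    parsed["relay_pool"] = is_relay_pool_source(parsed["ip"], parsed["rdns"])
    return parsed


def routes_via_relay_pool(envelope_from_domain: str,
                          accepted_domains: Iterable[str],
                          spf_pass: bool,
                          dkim_pass_domains: Iterable[str]) -> bool:
    """Tenant-side prediction: True when none of the three criteria holds.

    dkim_pass_domains lists the d= domains whose DKIM signatures verified on
    arrival at M365; only a pass for the sender domain itself counts."""
    domain = envelope_from_domain.lower().rstrip(".")
    accepted = {d.lower().rstrip(".") for d in accepted_domains}
    dkim_ok = {d.lower().rstrip(".") for d in dkim_pass_domains}
    if domain in accepted:        # criterion 1: accepted domain of the tenant
        return False
    if spf_pass:                  # criterion 2: SPF passed on arrival at M365
        return False
    if domain in dkim_ok:         # criterion 3: DKIM passed for the sender domain
        return False
    return True


if __name__ == "__main__":
    for hdr in (SAMPLE_RELAY, SAMPLE_REGULAR):
        print(inspect_received(hdr))
    tenant = ["contoso.com", "fabrikam.com"]
    print(routes_via_relay_pool("partner.example", tenant, False, []))
```

The receiver-side function is what a mail admin would drop into a filter or SIEM rule to tag Relay Pool traffic; the tenant-side function encodes the criteria as the notice states them, including the detail that a valid DKIM signature for some other domain (for instance the tenant's own) does not rescue a message whose envelope sender is a non-accepted domain.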