Hi,

We received another of those phishes as a result of a compromised O365 account.

https://pastebin.com/raw/Fv5NKRAP

Anyone able to take a look and provide ideas on how to block them? It passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS. It's missing headers, and I've written a rule to account for that, but it would be great to have some other input.

Interestingly, it was passed through a mimecast system first. The amount of Outlook/O365/Exchange headers in this email is enormous!

Thanks,
Alex

On Thu, May 10, 2018 at 3:20 PM, David Jones <djo...@ena.com> wrote:
> On 05/10/2018 01:32 PM, RW wrote:
>> On Thu, 10 May 2018 09:55:00 -0500
>> David Jones wrote:
>>
>>> On 05/10/2018 09:39 AM, RW wrote:
>>>
>>>> Microsoft has a list of domains it hosts and a list of hosted
>>>> domains (and/or its own addresses) tied to each account. Given how
>>>> much reliance MS place on DMARC's preventing spoofing, and how easy
>>>> it would be for them to prevent one user spoofing another's domain
>>>> on submission, I'd be very surprised if they allow it.
>>>>
>>>
>>> They do. I saw an example a few weeks ago.
>>
>> The very fact that you are citing just one from a few weeks ago strongly
>> suggests that they don't.
>>
> It's possible that it could have been months ago, I guess, so my memory
> could be off. The fact that someone tested it recently and Microsoft blocks
> it today is encouraging. Maybe they enabled this logic recently to match
> what Google is doing which is the correct way to handle this and prevent
> "SPF piggy-backing."
>
>>>> Paul Stead claims to have seen it, but it's important to positively
>>>> identify it as spoofing and not hacking.
>>>>
>>>
>>> Not sure what the difference is from a mail filtering perspective.
>>
>> The difference is that if domains that include Microsoft's SPF are as
>> wide open to spoofing as you suggest, they shouldn't have
>> def_whitelist_auth entries.
>>
> You are correct. When they were added this issue of "SPF piggy-backing"
> wasn't an issue. It may have been known to be a potential problem but
> wasn't being actively exploited like the toyrus.com was last year when I
> first noticed it.
>
> It's also possible that those whitelist_* domains have added the
> "include:spf.protection.outlook.com" to their SPF record recently after
> migrating their corporate mail hosting to O365. We don't have anything
> actively monitoring whitelist entries for SPF record changes so we have to
> rely on abuse reports to this list to remove/change them in SA.
>
> --
> David Jones
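The thread's point is that a domain whose SPF record includes spf.protection.outlook.com lets any O365 tenant produce SPF_PASS for it, and David notes that nothing monitors whitelist entries for such SPF changes; the following audit is an added example, not code from this thread or from SpamAssassin. It uses constructed domains and an inline dictionary in place of DNS TXT lookups, and spf.protection.outlook.com is the only real include name in it.

```python
import re

# Constructed stand-in for DNS TXT lookups (no network): domain -> SPF record.
# The *.test domains are hypothetical; only spf.protection.outlook.com is real.
SAMPLE_SPF = {
    "migrated-corp.test": "v=spf1 mx include:spf.protection.outlook.com -all",
    "partner.test": "v=spf1 include:_spf.partner.test ~all",
    "_spf.partner.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "self-hosted.test": "v=spf1 ip4:198.51.100.5 -all",
    "loop.test": "v=spf1 include:loop.test -all",
}

# Includes shared by many unrelated tenants: an SPF pass through one of these
# proves only "some customer of the provider", not "the domain owner".
SHARED_INCLUDES = {"spf.protection.outlook.com"}

INCLUDE_RE = re.compile(r"^(?:[+\-~?]?include:|redirect=)(\S+)$", re.IGNORECASE)


def spf_includes(domain, lookup, max_lookups=10, _seen=None):
    """Collect every include:/redirect= target reachable from domain's SPF.

    Stops at a 10-target budget (a simplification of RFC 7208's 10-lookup
    limit) and on loops, so a bad record cannot recurse forever.
    """
    seen = _seen if _seen is not None else set()
    record = lookup.get(domain.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return seen
    for term in record.split()[1:]:
        m = INCLUDE_RE.match(term)
        if not m:
            continue
        target = m.group(1).lower()
        if target in seen or len(seen) >= max_lookups:
            continue
        seen.add(target)
        spf_includes(target, lookup, max_lookups, seen)
    return seen


def shared_includes(domain, lookup):
    """Shared-provider includes that let unrelated tenants pass SPF for domain."""
    return sorted(spf_includes(domain, lookup) & SHARED_INCLUDES)


def audit_whitelist(domains, lookup):
    """Map each whitelist_auth/def_whitelist_auth domain to its shared includes.

    Domains that appear in the result should be reviewed, since SPF_PASS alone
    no longer proves the mail came from the listed organisation.
    """
    flagged = {}
    for d in domains:
        shared = shared_includes(d, lookup)
        if shared:
            flagged[d] = shared
    return flagged
```

Swapping `lookup.get` for a real TXT query (for example via dnspython) turns this into a periodic check of the whitelist entries David describes.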