Wouldn't it be a better action to generate a separate DKIM key for onmicrosoft.com and use that to sign their mail? And also send it from an IP pool that is **NOT** on the SPF list for microsoft.com, but for onmicrosoft.com.
Could however hit wrongly if people see the onmicrosoft.com address as Microsoft-owned and implicitly trust it because of that. Maybe make it a subdomain, like customer.microsoft.com or similar. Then they know based on the customer. subdomain that it is to be implicitly untrusted. (They then know that customer.microsoft.com is a domain that Microsoft customers not employed by Microsoft are permitted to use.) It's important to not just try to handle it internally, but also make sure that external people can verify genuine Microsoft email as genuine. Especially if it comes to filling in credit card numbers or similar. Imagine getting an email about an expired Microsoft 365 subscription that passes SPF and DKIM, and then clicking a link to fill in credit card info, and then losing money. It would be Microsoft's fault, as they actually DKIM-signed a phishing email with their key as sent by them. It's the same as a physical signature on paper. Then you SHOULD be able to trust it.

Best regards,
Sebastian Nielsen, owner of sebbe.eu

From: Michael Wise via mailop <mailop@mailop.org>
Sent: 20 September 2024 19:23
To: mailop@mailop.org
Subject: Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing
X-Forefront-Antispam-Report: ;SFV:SPM;

We have a policy on a per-message basis of not blocking anything from leaving the site, but we do send it out a different pool, and we do try to flag it as spam. As always, there can be both FNs and FPs, so be advised.

Aloha, Michael.
--
Michael J Wise
Microsoft Corporation | Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail? <http://go.microsoft.com/fwlink/?LinkID=614866>
From: mailop <mailop-boun...@mailop.org> On Behalf Of Robert L Mathews via mailop
Sent: Friday, September 20, 2024 10:01 AM
To: mailop@mailop.org
Subject: [EXTERNAL] [mailop] onmicrosoft.com customers forging @microsoft.com addresses for phishing

I've seen quite a few cases recently where it looks like people sign up for a Microsoft cloud service (Azure?), and are then able to send mail that claims to be from @microsoft.com in the "From" header. The resulting mail passes both SPF and DKIM checks. For example, this phishing message successfully passes SpamAssassin with "DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain":

Return-Path: bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 20.69.8.109 as permitted sender) receiver=protection.outlook.com; client-ip=20.69.8.109; helo=mail-nam-cu09-cy.westcentralus.cloudapp.azure.com; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo; c=relaxed/relaxed; i=microsoft-nore...@microsoft.com; t=1726749195; h=from:subject:date:message-id:to:mime-version:content-type; bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=; b=MVlEt8w4NMMWwxGJTAIAsP/KVcxnZ8XV1QYNSkB5zqo/GQJf+fXednkdXQXZ4LWXqZkzSJFTsh V pRM5q2Bk6rAsg1zNa8uCJ3YyNBcVzWnhkl0JJwr16zpdNBOuuex5Cehynjiwf+I/ZWLPzp4hmy3v 1 74cnBd9OLJD+vnu1CDQ=
From: Microsoft <microsoft-nore...@microsoft.com>
Date: Thu, 19 Sep 2024 12:33:15 +0000
Subject: Your Microsoft order on September 19, 2024
Message-ID: <703d1f73-6ccd-4265-888b-e0819add3...@az.westcentralus.microsoft.com>
To: microsoft-re...@m365salesteam.onmicrosoft.com
X-OriginatorOrg: sheilaltd.onmicrosoft.com

I've omitted most of it here but you can see the full thing, with only a bit of redaction for privacy, at <https://tigertech.net/files/onmicrosoft.com.txt>.

I know that the recommended solution is probably to not accept anything at all from "onmicrosoft.com", but testing shows that would generate a few false positives.

Is Microsoft aware this is happening, and working to stop it?

--
Robert L Mathews
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
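The receiver-side check that the headers quoted by Robert invite, as an added example that is not part of the thread and not Microsoft's or anyone's production filter: parse the X-MS-Exchange-Authentication-Results value, then flag a message whose X-OriginatorOrg names a customer *.onmicrosoft.com tenant while the authenticated author domain or DKIM d= is microsoft.com. The header names are the real ones Exchange Online stamps (and the ones in the quoted message); the rule itself is an assumption about what is worth flagging, and the two sample messages are constructed (addresses simplified, DKIM signature value replaced by a placeholder). A plain "reject all onmicrosoft.com" rule would also hit the second sample, which is the false-positive case the thread mentions.

```python
"""Receiver-side check for the pattern in the thread: mail that passes
SPF/DKIM/DMARC for microsoft.com but was submitted by a customer tenant
(X-OriginatorOrg: <tenant>.onmicrosoft.com).  Added example; the header
names are the ones Exchange Online emits, the rule is an assumption about
what is worth flagging, and the samples are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: trimmed copy of the headers quoted in the thread, with the
# DKIM signature value replaced by a placeholder.
SAMPLE_PHISH = """\
Return-Path: <bounces@sheilaltd.onmicrosoft.com>
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109)
 smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
 header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;
 c=relaxed/relaxed; i=microsoft-noreply@microsoft.com; t=1726749195;
 h=from:subject:date:message-id:to:mime-version:content-type;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Microsoft <microsoft-noreply@microsoft.com>
To: victim@example.com
Subject: Your Microsoft order on September 19, 2024
X-OriginatorOrg: sheilaltd.onmicrosoft.com

Please update your payment details.
"""

# Constructed: a customer tenant mailing as itself; must not be flagged,
# since blocking all of onmicrosoft.com is the false-positive source the
# thread mentions.
SAMPLE_TENANT_OK = """\
Return-Path: <bounces@contoso.onmicrosoft.com>
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=contoso.onmicrosoft.com; dkim=pass (signature was verified)
 header.d=contoso.onmicrosoft.com;dmarc=pass action=none
 header.from=contoso.onmicrosoft.com;
From: Contoso Billing <billing@contoso.onmicrosoft.com>
To: someone@example.com
Subject: Invoice 4711
X-OriginatorOrg: contoso.onmicrosoft.com

Attached.
"""

_COMMENT = re.compile(r"\([^)]*\)")


def parse_auth_results(value):
    """Parse an Authentication-Results style value into
    {method: {"result": ..., "<ptype.property>": ...}}.
    Parenthesised comments ("(sender IP is ...)") are dropped first and
    a leading authserv-id clause without '=' is skipped."""
    text = " ".join(_COMMENT.sub("", str(value)).split())
    results = {}
    for clause in text.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, val = tok.partition("=")
                props[key.lower()] = val.lower()
        results[method.lower()] = props
    return results


def from_domain(msg):
    """Domain of the RFC5322.From address (what DMARC aligns against)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def assess(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg.get("X-MS-Exchange-Authentication-Results", ""))
    originator = str(msg.get("X-OriginatorOrg", "")).strip().lower()
    author = from_domain(msg)
    all_pass = all(auth.get(m, {}).get("result") == "pass"
                   for m in ("spf", "dkim", "dmarc"))
    findings = []
    if originator.endswith(".onmicrosoft.com"):
        # The submitting tenant is a customer, yet the message authenticates
        # as Microsoft's corporate domain: DMARC alone cannot catch this.
        if author == "microsoft.com":
            findings.append(f"tenant {originator} authoring as {author}")
        if auth.get("dkim", {}).get("header.d") == "microsoft.com":
            findings.append(f"DKIM d=microsoft.com on mail from tenant {originator}")
    return {"originator": originator, "from_domain": author,
            "all_pass": all_pass, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("tenant-ok", SAMPLE_TENANT_OK)):
        print(name, assess(raw))
```

Note that the check trusts X-MS-Exchange-Authentication-Results and X-OriginatorOrg only because the quoted message was received directly from Exchange Online Protection; on a path where those headers could be forged by an earlier hop, a receiver would have to rerun SPF/DKIM itself and strip or ignore inbound copies of those headers first.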