Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Dave Crocker via mailop
On 9/20/2024 11:57 AM, Michael Wise wrote: Although ... if there is a standard header field that doesn't start with an X-, would love to know what it would be. I personally prefer the Comments: header, as documented in RFC-822 and subsequent, but nobody else seems to use it. As to the sys

Re: [mailop] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Robert L Mathews via mailop
On Sep 20, 2024, at 12:02 PM, L. Mark Stone via mailop wrote: > > FWIW, for a while now we have been outright blocking all email from any > subdomain of onmicrosoft.com, as well as email from > any azurewebsites.net domain/subdomain. > > To

Re: [mailop] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread L. Mark Stone via mailop
FWIW, for a while now we have been outright blocking all email from any subdomain of onmicrosoft.com, as well as email from any azurewebsites.net domain/subdomain. To my understanding, other than for any tenant who hasn't configured their email domain's settings per Microsoft's guidance, what w

Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Michael Wise via mailop
The traffic really does start out coming from a Microsoft service; it’s an invoice. But it gets sent thru an onmicrosoft.com DL and expanded and sent to folks not originally specified. The only clue is in the actual “Benign” text of the message, which is a callback scam. … if this is the campa

Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Michael Wise via mailop
Yes. Although ... if there is a standard header field that doesn't start with an X-, would love to know what it would be. I personally prefer the Comments: header, as documented in RFC-822 and subsequent, but nobody else seems to use it. As to the system design ... That's not something I

Re: [mailop] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Robert Giles via mailop
I've been reporting these to Microsoft (ab...@microsoft.com, ab...@outlook.com, j...@office365.microsoft.com), but I don't think they grok what's going on: --- Hi, Based on the information you provided, it appears to have originated from an Office 365 or Exchange Online tenant account. To r

Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Bill Cole via mailop
On 2024-09-20 at 13:54:06 UTC-0400 (Fri, 20 Sep 2024 17:54:06 +) Slavko via mailop is rumored to have said: On 20 September 2024 at 17:17:34 UTC, Michael Wise via mailop wrote: X-Forefront-Antispam-Report: ...;SFV:SPM;... We have a policy on a per message basis o

Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Sebastian Nielsen via mailop
Wouldn’t it be a better action to generate a separate DKIM key for onmicrosoft.com and use that to sign their mail? And also send it from an IP pool that is **NOT** on the SPF list for microsoft.com, but for onmicrosoft.com Could however hit wrongly if people see the onmicrosoft.com address as mi

Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Robert L Mathews via mailop
I guess my question, though, is why are they signed with a DKIM key that lets people forge an address "@microsoft.com"? Wouldn't it be better to sign "@sheilaltd.onmicrosoft.com" (etc.) mail with a different key that wouldn't validate for a "From: someth...@microsoft.com" header? > On Sep 20,
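Robert Mathews' and Sebastian Nielsen's suggestion above turns on DMARC identifier alignment: a DKIM signature counts as aligned with the From: domain when its d= tag equals that domain, or, in the default relaxed mode, merely shares its organizational domain. A d=microsoft.com signature therefore covers "From: anything@microsoft.com", while a per-tenant key under onmicrosoft.com would not. The script below is an added example, not code from the thread, from Microsoft, or from any poster. It constructs two messages with placeholder bh=/b= values and runs only the alignment step, not cryptographic verification (which needs the public key from DNS); the two-label organizational-domain shortcut is an assumption that stands in for a Public Suffix List lookup.

```python
"""DMARC-style DKIM identifier alignment (RFC 7489 section 3.1.1).

Added example for this thread; not Microsoft's or any poster's code.
Messages are constructed, signatures are placeholders, and only the
alignment check that follows signature verification is shown."""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption: real verifiers consult the Public Suffix List; two labels
    are enough for the .com names used here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_signing_domains(msg) -> list:
    """Collect the d= tag of every DKIM-Signature header on the message."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        # Tags are ';'-separated; the header may be folded, so \s covers newlines.
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            domains.append(m.group(1).lower())
    return domains


def dkim_aligned(msg, mode: str = "r"):
    """Return (aligned, signing_domain). Strict mode ('s') needs d= equal to
    the RFC5322.From domain; relaxed mode ('r', the DMARC default) accepts a
    d= in the same organizational domain."""
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    for d in dkim_signing_domains(msg):
        if d == from_domain:
            return True, d
        if mode == "r" and org_domain(d) == org_domain(from_domain):
            return True, d
    return False, ""


# Constructed: the situation the thread describes, From: @microsoft.com on
# mail that left a tenant, signed under the parent domain's key.
SIGNED_WITH_PARENT_KEY = """\
From: Microsoft Billing <billing@microsoft.com>
To: victim@example.net
Subject: Your invoice
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=selector1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Call the number in this invoice to dispute the charge.
"""

# Constructed: the same message signed with a per-tenant key instead, as
# proposed in the thread (tenant name taken from the thread, signature
# value still a placeholder).
SIGNED_WITH_TENANT_KEY = SIGNED_WITH_PARENT_KEY.replace(
    "d=microsoft.com;", "d=sheilaltd.onmicrosoft.com;")


def alignment_report() -> dict:
    """Evaluate both constructed messages under relaxed and strict alignment."""
    out = {}
    for name, text in (("parent_key", SIGNED_WITH_PARENT_KEY),
                       ("tenant_key", SIGNED_WITH_TENANT_KEY)):
        msg = message_from_string(text)
        out[name] = {mode: dkim_aligned(msg, mode)[0] for mode in ("r", "s")}
    return out


if __name__ == "__main__":
    for name, modes in alignment_report().items():
        print(name, modes)
```

Under both relaxed and strict alignment the parent-key message passes for a forged @microsoft.com From:, and the tenant-key message fails, because sheilaltd.onmicrosoft.com and microsoft.com do not share an organizational domain. A tenant key would still let a tenant send as its own onmicrosoft.com name, which is the residual risk Sebastian Nielsen notes.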

Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Slavko via mailop
On 20 September 2024 at 17:17:34 UTC, Michael Wise via mailop wrote: > > X-Forefront-Antispam-Report: ...;SFV:SPM;... > >We have a policy on a per message basis of not blocking anything from leaving >the site, but we do send it out a different pool, and we do try to flag

Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Bill Cole via mailop
On 2024-09-20 at 13:17:34 UTC-0400 (Fri, 20 Sep 2024 17:17:34 +) Michael Wise via mailop is rumored to have said: As always, there can be both FNs and FPs, so be advised. For most sites, the FPs encountered when deeming all mail from *@*.onmicrosoft.com addresses that Microsoft has tagge

Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Michael Wise via mailop
X-Forefront-Antispam-Report: ...;SFV:SPM;... We have a policy on a per message basis of not blocking anything from leaving the site, but we do send it out a different pool, and we do try to flag it as spam. As always, there can be both FNs and FPs, so be advised. Aloha, Michael.
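The thread describes two receiver-side policies for this traffic: L. Mark Stone rejects every sender under onmicrosoft.com or azurewebsites.net outright, while Michael Wise and Bill Cole point to the SFV:SPM field Microsoft sets in X-Forefront-Antispam-Report, so a receiver can act only on tenant mail that Microsoft's own filter already tagged. The script below is an added example, not any poster's filter and not Microsoft's code. It implements both policies over constructed sample messages whose antispam header is trimmed to the fields the check reads. The thread does not say which identifier to match the tenant domain on; matching both the Return-Path and the From: domain is an assumption made here.

```python
"""Two local policies for mail from Microsoft 365 tenant domains.

Added example for this thread; not any poster's filter and not Microsoft's
code. Sample messages are constructed, with addresses from documentation
ranges, and the X-Forefront-Antispam-Report value is trimmed to the fields
this check reads."""
from email import message_from_string
from email.utils import parseaddr

BLOCKED_SUFFIXES = ("onmicrosoft.com", "azurewebsites.net")


def _domain(address_header) -> str:
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def sender_domains(msg) -> set:
    """Assumption: key the tenant match on the envelope sender (Return-Path)
    and the RFC5322.From domain; the thread does not say which."""
    return {d for d in (_domain(msg.get("Return-Path")),
                        _domain(msg.get("From"))) if d}


def under_suffix(domain: str, suffix: str) -> bool:
    return domain == suffix or domain.endswith("." + suffix)


def forefront_fields(msg) -> dict:
    """Parse the KEY:VALUE;KEY:VALUE list in X-Forefront-Antispam-Report.
    Split each item on its first ':' only; values such as CIP: may be IPv6."""
    raw = msg.get("X-Forefront-Antispam-Report", "").replace("\n", "")
    fields = {}
    for part in raw.split(";"):
        if ":" in part:
            key, _, value = part.strip().partition(":")
            fields[key.strip().upper()] = value.strip()
    return fields


def policy_block_all(msg) -> str:
    """Reject any sender under a blocked suffix, regardless of content."""
    for d in sender_domains(msg):
        if any(under_suffix(d, s) for s in BLOCKED_SUFFIXES):
            return "reject"
    return "accept"


def policy_microsoft_tagged(msg) -> str:
    """Quarantine only when the sender is an onmicrosoft.com tenant AND
    Microsoft's filter set SFV:SPM; everything else gets normal filtering."""
    from_tenant = any(under_suffix(d, "onmicrosoft.com")
                      for d in sender_domains(msg))
    if from_tenant and forefront_fields(msg).get("SFV") == "SPM":
        return "quarantine"
    return "accept"


# Constructed message template; CIP uses a documentation address.
TEMPLATE = """\
Return-Path: <{envelope}>
From: {frm}
To: victim@example.net
Subject: Invoice
X-Forefront-Antispam-Report: CIP:2001:db8::7;CTRY:US;LANG:en;SCL:{scl};
 SRV:;IPV:NLI;SFV:{sfv};H:example.onmicrosoft.com

Body.
"""

# name -> (envelope sender, From header, SCL, SFV); all constructed.
SAMPLES = {
    "tenant_tagged_spam": ("invoice@sheilaltd.onmicrosoft.com",
                           "Microsoft Billing <billing@microsoft.com>", 5, "SPM"),
    "tenant_legit": ("ops@contoso.onmicrosoft.com",
                     "ops@contoso.onmicrosoft.com", 1, "NSPM"),
    "unrelated": ("news@example.org", "news@example.org", 1, "NSPM"),
}


def sample_message(name):
    envelope, frm, scl, sfv = SAMPLES[name]
    return message_from_string(
        TEMPLATE.format(envelope=envelope, frm=frm, scl=scl, sfv=sfv))


def evaluate() -> dict:
    """Run both policies over every sample: name -> (block_all, tagged_only)."""
    return {name: (policy_block_all(sample_message(name)),
                   policy_microsoft_tagged(sample_message(name)))
            for name in SAMPLES}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:20s} block_all={verdicts[0]:7s} tagged_only={verdicts[1]}")
```

The difference shows on the legitimate tenant sample: the block-all policy rejects it (the false positive Bill Cole refers to), while the tagged-only policy accepts it and quarantines only the message Microsoft marked SFV:SPM. The tagged-only policy has the opposite failure mode, since a message Microsoft did not tag passes through, which is Michael Wise's "both FNs and FPs" caveat.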

[mailop] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-20 Thread Robert L Mathews via mailop
I've seen quite a few cases recently where it looks like people sign up for a Microsoft cloud service (Azure?), and are then able to send mail that claims to be from @microsoft.com in the "From" header. The resulting mail passes both SPF and DKIM checks. For example, this phishing message succe