Re: sharepoint phish routed through sharepointonline/outlook

Sun, 15 Jan 2023 13:02:16 -0800 

Alex skrev den 2023-01-15 20:47:

Hi,

X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
 FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
 LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
 LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
 RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1,
RELAYCOUNTRY_US=0.01,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166]
autolearn=disabled

I'm reporting it to spamcop and training bayes, but does anyone have
any other ideas?

Is this just someone using their sharepoint account to send a phish?
Perhaps account takeover?

https://pastebin.com/2CJ3SLf2




Content analysis details:   (3.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- -------------------------------------------------- 
 0.7 SPF_FAIL               SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=no-reply%40sharepointonline.com;ip=199.199.178.197;r=localhost.junc.eu] 
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 ARC_VALID              Message has a valid ARC signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 
 0.0 ARC_SIGNED             Message has a ARC signature
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid 0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict 
                            Alignment
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
2.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and 
                             the domain has a DMARC reject policy
 0.1 DMARC_REJECT           DMARC reject policy


it gets neutral score since its maillist of some kind imho ?
reject it by dkim valid, one of the signers is valid, if not just arc, if only arc is then do setup AuthRes plugin in spamassassin 4.x.x 

i dont know how, but i belive spammers die slowly in 2023

Reply via email to