Hi everyone!
I got a few suspicious emails from a user.
I wanted to check the DKIM signature of that domain to validate the ownership,
but the emails are coming from Microsoft, which signs the email using "{domain
name}.onmicrosoft.com".
In my case, the sender is from aotearoa.energy and the d= part of the
dkim-signature is aotearoaenergy.onmicrosoft.com.
Now, I wonder. Can I trust Microsoft that if they send an email on behalf of
aotearoa.energy, they initially validated the ownership or is there a way to
bypass that?
For those curious, the story is absolutely shady but valid at every step:
I got an initial email from "TP Icap", but with the domain "icap.com" saying
they acquired aotearoa.energy.
I checked and it's true, TP Icap really acquired the service Aotearoa.
If you go to aotearoa.energy, you'll see a blank "NGINX" page, and if you go to
www.aotearoa.energy, you'll get ... a logo.
A few days later, I got an email from them about an onboarding questionnaire
that I have to fill in (but first need to create an account on another service,
Process Unity system).
This questionnaire includes general information (company name, address, etc.)
but also asks me about bank details!
All of this because Microsoft is unable to properly sign an email with the
sender's domain to prove ownership...
Cyril - [ImprovMX](https://improvmx.com)
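
Added example, not part of the original post: a check of whether any DKIM d= domain on a message matches the From: domain exactly, run on constructed headers that mirror the case described above. The selector, bh= and b= values are placeholders. Relaxed alignment needs a Public Suffix List lookup and is left out, and no signature is verified cryptographically.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (placeholders for selector and signature data).
SAMPLE = (
    "From: Onboarding <onboarding@aotearoa.energy>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    " d=aotearoaenergy.onmicrosoft.com; s=selector-placeholder;\r\n"
    " h=From:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "Subject: Onboarding questionnaire\r\n"
    "\r\n"
    "body\r\n"
)


def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header, lowercased."""
    found = []
    for raw in msg.get_all("DKIM-Signature", []):
        # Drop folding whitespace, then split the tag=value list on ';'.
        unfolded = re.sub(r"\s+", "", str(raw))
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].lower().rstrip("."))
    return found


def classify(from_domain, d):
    """Exact-match alignment only; the tenant default domain is flagged."""
    if d == from_domain:
        return "aligned"
    if d.endswith(".onmicrosoft.com"):
        return "unaligned-onmicrosoft"
    return "unaligned"


def check(raw_message):
    """Map each signing domain to its alignment with the From: domain."""
    msg = email.message_from_string(raw_message)
    address = parseaddr(msg.get("From", ""))[1]
    from_domain = address.rpartition("@")[2].lower().rstrip(".")
    return {d: classify(from_domain, d) for d in dkim_domains(msg)}


if __name__ == "__main__":
    for domain, verdict in check(SAMPLE).items():
        print(domain, verdict)
```
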