Thank you all for your input.

@Graeme, I'd join @John on this; if Microsoft can validate a domain DNS, they 
should make it mandatory to sign using the domain name and not some 
unverifiable *.onmicrosoft.com.
Nowadays even more when you want to have domain alignment with DMARC.

@Oliver, your input is interesting. I agree that an account can be 
compromised, but I'm more worried about ways to send an email on behalf of a 
domain without compromising the account, which isn't great.

Cyril - ImprovMX


On Wednesday, 5 June 2024 at 13:53, Gellner, Oliver via mailop <mailop@mailop.org> 
wrote:

> On 05.06.2024 at 09:48 Cyril - ImprovMX via mailop wrote:
> 
> > I got a few suspicious emails from a user.
> > I wanted to check the DKIM Signature of that domain to validate the 
> > ownership but the emails are coming from Microsoft, which signs the email 
> > using "{domain name}http://aotearoaenergy.onmicrosoft.com";
> > In my case, the sender is from aotearoa.energy and the d= part of the 
> > dkim-signature is aotearoaenergy.onmicrosoft.com
> 
> > Now, I wonder. Can I trust Microsoft that if they send an email on behalf 
> > of aotearoa.energy, they initially validated the ownership or is there a 
> > way to bypass that?
> 
> 
> There is some validation, but researchers have discovered various ways to 
> send emails on behalf of a domain without:
> https://www.usenix.org/conference/usenixsecurity21/presentation/shen-kaiwen
> https://research.utwente.nl/en/publications/forward-pass-on-the-security-implications-of-email-forwarding-mec
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
> Besides that Microsoft does not enforce MFA for email accounts, so a weak or 
> reused password of one user is all that it takes to send authenticated emails 
> from that domain.
> 
> I'd closely check the headers whether anything looks suspicious.
> 
> --
> BR Oliver
> ________________________________
> 
> dmTECH GmbH
> Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
> Telefon 0721 5592-2500 Telefax 0721 5592-2777
> dmTECH@dm.de * www.dmTECH.de
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
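
An added example, not part of the thread or of any participant's message: a check of DMARC identifier alignment between the From domain and each DKIM d= tag, using the two domains named in the thread. The message, selector and signature values are constructed, the suffix set is a small stand-in for the Public Suffix List, and the code checks alignment only; it does not verify the signature cryptographically.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
PUBLIC_SUFFIXES = {"com", "energy", "org", "co.uk"}

def org_domain(domain):
    """Return the public suffix plus one label (simplified PSL lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list, tolerating folded whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def dkim_alignment(raw_message):
    """Return (from_domain, [(d, strict, relaxed), ...]), one tuple per signature."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(sig).get("d", "").lower()
        strict = d == from_domain  # strict mode: exact match of the two domains
        relaxed = bool(d) and org_domain(d) == org_domain(from_domain)
        results.append((d, strict, relaxed))
    return from_domain, results

# Constructed sample headers; selector, bh= and b= values are placeholders.
SAMPLE = (
    "From: Example Sender <user@aotearoa.energy>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    " d=aotearoaenergy.onmicrosoft.com; s=selector1; h=from:subject;\n"
    " bh=AAAA; b=BBBB\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(dkim_alignment(SAMPLE))
```

A signature that verifies but whose d= is not aligned with the From domain does not produce a DMARC pass through DKIM; in that case a pass can only come from aligned SPF.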