I've seen quite a few cases recently where it looks like people sign up for a Microsoft cloud service (Azure?), and are then able to send mail that claims to be from @microsoft.com in the "From" header. The resulting mail passes both SPF and DKIM checks.
For example, this phishing message successfully passes SpamAssassin with "DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain":

Return-Path: bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109)
 smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
 header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 20.69.8.109 as permitted sender)
 receiver=protection.outlook.com; client-ip=20.69.8.109;
 helo=mail-nam-cu09-cy.westcentralus.cloudapp.azure.com; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo; c=relaxed/relaxed;
 i=microsoft-nore...@microsoft.com; t=1726749195;
 h=from:subject:date:message-id:to:mime-version:content-type;
 bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=;
 b=MVlEt8w4NMMWwxGJTAIAsP/KVcxnZ8XV1QYNSkB5zqo/GQJf+fXednkdXQXZ4LWXqZkzSJFTshV
 pRM5q2Bk6rAsg1zNa8uCJ3YyNBcVzWnhkl0JJwr16zpdNBOuuex5Cehynjiwf+I/ZWLPzp4hmy3v1
 74cnBd9OLJD+vnu1CDQ=
From: Microsoft <microsoft-nore...@microsoft.com>
Date: Thu, 19 Sep 2024 12:33:15 +0000
Subject: Your Microsoft order on September 19, 2024
Message-ID: <703d1f73-6ccd-4265-888b-e0819add3...@az.westcentralus.microsoft.com>
To: microsoft-re...@m365salesteam.onmicrosoft.com
X-OriginatorOrg: sheilaltd.onmicrosoft.com

I've omitted most of it here, but you can see the full thing, with only a bit of redaction for privacy, at <https://tigertech.net/files/onmicrosoft.com.txt>.

I know that the recommended solution is probably to not accept anything at all from "onmicrosoft.com", but testing shows that would generate a few false positives.

Is Microsoft aware this is happening, and working to stop it?

-- 
Robert L Mathews
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
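The headers quoted above carry the one signal that a blanket onmicrosoft.com block throws away: the message is DKIM/DMARC-aligned for microsoft.com, yet Exchange Online's own X-OriginatorOrg header says it left a different, unrelated tenant. The following Python check, an added illustration rather than code from the post or from Microsoft, parses a message, extracts the From: domain, the DKIM d= domains, the Return-Path (post-SRS) domain and X-OriginatorOrg, and only raises an impersonation verdict when the From: domain is on a short watchlist of brand domains (assumed here to be just microsoft.com) and the originating tenant is a *.onmicrosoft.com name that does not own that domain. Mismatches for unwatched From: domains are reported separately so the watchlist, not the mismatch alone, decides the outcome; that is what keeps the false positives the post mentions down. The sample messages, addresses, IP, selector and signature values are constructed placeholders modelled on the header shape shown, not the real message. Two caveats: X-OriginatorOrg is only meaningful on mail received directly from Microsoft's outbound infrastructure (a sender elsewhere can simply omit or forge it, so this catches the tenant-relay case and nothing else), and the watchlist must be tuned per site.

```python
"""Flag mail that is DKIM/DMARC-aligned for a watched brand domain but, per
X-OriginatorOrg, left Microsoft 365 from an unrelated *.onmicrosoft.com tenant.
Added illustration for the post above; not the post's or Microsoft's code."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed watchlist of brand domains we refuse to see relayed from a tenant
# that does not own them; a real deployment tunes this list.
WATCHED_FROM_DOMAINS = {"microsoft.com"}

# Constructed sample modelled on the header shape quoted in the post.
# Addresses, IP, selector and signature values are placeholders.
SAMPLE_IMPERSONATION = """\
Return-Path: <bounces+SRS=abcdef+=tag@example-tenant.onmicrosoft.com>
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
 header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=placeholder;
 c=relaxed/relaxed; h=from:subject:date:message-id:to;
 bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
From: Microsoft <noreply@microsoft.com>
To: someone@example.net
Subject: Your Microsoft order
X-OriginatorOrg: example-tenant.onmicrosoft.com
Content-Type: text/plain; charset=us-ascii

Please review the attached invoice.
"""

# Constructed control: the same tenant sending as itself, which must pass.
SAMPLE_TENANT_OWN = """\
Return-Path: <alice@example-tenant.onmicrosoft.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example-tenant.onmicrosoft.com;
 s=selector1; c=relaxed/relaxed; h=from:subject:to;
 bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
From: Alice <alice@example-tenant.onmicrosoft.com>
To: someone@example.net
Subject: Hello
X-OriginatorOrg: example-tenant.onmicrosoft.com
Content-Type: text/plain; charset=us-ascii

hi
"""


def _domain_of(address_header):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def dkim_signing_domains(msg):
    """Every d= tag across all DKIM-Signature headers, lower-cased."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", str(sig))
        if m:
            domains.append(m.group(1).lower())
    return domains


def _in_org(domain, org):
    """Relaxed alignment: domain equals org or is a subdomain of it."""
    return domain == org or domain.endswith("." + org)


def assess(raw_message):
    """Extract the identities a receiver can compare and return a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain_of(msg.get("From"))
    rpath_dom = _domain_of(msg.get("Return-Path"))
    org = (str(msg.get("X-OriginatorOrg") or "")).strip().lower() or None
    dkim = dkim_signing_domains(msg)
    # DMARC-style relaxed DKIM alignment of the From: domain.
    dkim_aligned = any(_in_org(from_dom, d) for d in dkim)

    verdict = "ok"
    if org and org.endswith(".onmicrosoft.com") and not _in_org(from_dom, org):
        # Mail left Microsoft 365 from a tenant that does not own the From:
        # domain.  Only a watched brand domain becomes an impersonation hit;
        # everything else is reported as a plain mismatch for review.
        if from_dom in WATCHED_FROM_DOMAINS:
            verdict = "tenant_relayed_impersonation"
        else:
            verdict = "tenant_org_mismatch"
    return {
        "from_domain": from_dom,
        "return_path_domain": rpath_dom,
        "originator_org": org,
        "dkim_domains": dkim,
        "dkim_aligned": dkim_aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("impersonation", SAMPLE_IMPERSONATION),
                          ("tenant_own", SAMPLE_TENANT_OWN)):
        print(label, assess(sample))
```

Run as a milter or a post-delivery filter, the same comparison translates directly into a SpamAssassin meta rule: one header rule matching X-OriginatorOrg against /\.onmicrosoft\.com$/, one matching the From: domain against the watchlist, and a meta rule that fires only when both match, which is a narrower trigger than rejecting every onmicrosoft.com sender.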