X-Forefront-Antispam-Report: ...;SFV:SPM;...

We have a policy on a per message basis of not blocking anything from leaving 
the site, but we do send it out a different pool, and we do try to flag it as 
spam.
As always, there can be both FNs and FPs, so be advised.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866>?

From: mailop <mailop-boun...@mailop.org> On Behalf Of Robert L Mathews via 
mailop
Sent: Friday, September 20, 2024 10:01 AM
To: mailop@mailop.org
Subject: [EXTERNAL] [mailop] onmicrosoft.com customers forging @microsoft.com 
addresses for phishing

I've seen quite a few cases recently where it looks like people sign up for a 
Microsoft cloud service (Azure?), and are then able to send mail that claims to 
be from @microsoft.com in the "From" header. The resulting mail passes both SPF 
and DKIM checks.

For example, this phishing message successfully passes SpamAssassin with 
"DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain":

Return-Path: 
bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109)
smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates
20.69.8.109 as permitted sender) receiver=protection.outlook.com;
client-ip=20.69.8.109;
helo=mail-nam-cu09-cy.westcentralus.cloudapp.azure.com; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;
c=relaxed/relaxed; 
i=microsoft-nore...@microsoft.com;
t=1726749195;
h=from:subject:date:message-id:to:mime-version:content-type;
bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=;
b=MVlEt8w4NMMWwxGJTAIAsP/KVcxnZ8XV1QYNSkB5zqo/GQJf+fXednkdXQXZ4LWXqZkzSJFTshV
pRM5q2Bk6rAsg1zNa8uCJ3YyNBcVzWnhkl0JJwr16zpdNBOuuex5Cehynjiwf+I/ZWLPzp4hmy3v1
74cnBd9OLJD+vnu1CDQ=
From: Microsoft 
<microsoft-nore...@microsoft.com>
Date: Thu, 19 Sep 2024 12:33:15 +0000
Subject: Your Microsoft order on September 19, 2024
Message-ID: 
<703d1f73-6ccd-4265-888b-e0819add3...@az.westcentralus.microsoft.com>
To: 
microsoft-re...@m365salesteam.onmicrosoft.com
X-OriginatorOrg: sheilaltd.onmicrosoft.com

I've omitted most of it here but you can see the full thing, with only a bit of 
redaction for privacy, at <https://tigertech.net/files/onmicrosoft.com.txt>.

I know that the recommended solution is probably to not accept anything at all 
from "onmicrosoft.com", but testing shows that would generate a few false 
positives.
Is Microsoft aware this is happening, and working to stop it?

--
Robert L Mathews

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
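As an added illustration that is not part of either post, here is a receiver-side check that combines the two observations in this thread: Robert's point that SPF, DKIM and DMARC all pass for the forged @microsoft.com From: while X-OriginatorOrg names an unrelated *.onmicrosoft.com tenant, and Michael's note that Microsoft routes such outbound mail through a different pool and flags it with SFV:SPM in X-Forefront-Antispam-Report. The two sample header blocks, the 203.0.113.x addresses, the tenant names and the PROTECTED_BRANDS policy table are constructed assumptions; the header names are the ones quoted above.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical receiver policy: brand domains to protect, each mapped to the
# set of *.onmicrosoft.com tenants verified as allowed to send for that brand.
# Empty set = no tenant may stamp mail with this From: domain.
PROTECTED_BRANDS = {"microsoft.com": set()}

# Constructed sample modelled on the headers quoted in the thread; the IP,
# addresses and tenant name are placeholders, not data from the original mail.
SAMPLE_SPOOF = """\
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
 header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
X-Forefront-Antispam-Report: CIP:203.0.113.10;SFV:SPM;
From: Microsoft <microsoft-noreply@microsoft.com>
To: victim@example.org
Subject: Your Microsoft order
X-OriginatorOrg: example-tenant.onmicrosoft.com

(body omitted)
"""

# Constructed sample of an ordinary tenant mailing as its own custom domain,
# which a receiver must not flag (the false-positive case Robert mentions).
SAMPLE_LEGIT_TENANT = """\
X-MS-Exchange-Authentication-Results: spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;dmarc=pass action=none header.from=example.com;
X-Forefront-Antispam-Report: CIP:203.0.113.11;SFV:NSPM;
From: Billing <billing@example.com>
To: customer@example.org
Subject: Invoice
X-OriginatorOrg: example.onmicrosoft.com

(body omitted)
"""

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
_SFV_RE = re.compile(r"(?:^|;)\s*SFV:([A-Z]+)")


def parse_auth_results(msg: Message) -> dict:
    """Map each mechanism to its verdict, e.g. {'spf': 'pass', 'dkim': 'pass'}."""
    hdr = (msg.get("X-MS-Exchange-Authentication-Results")
           or msg.get("Authentication-Results") or "")
    return {m.lower(): v.lower() for m, v in _AUTH_RE.findall(hdr)}


def rfc5322_from_domain(msg: Message) -> str:
    """Domain of the visible From: address, which is what the recipient sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def originator_org(msg: Message) -> str:
    """Exchange Online stamps the sending tenant's default domain in this header."""
    return (msg.get("X-OriginatorOrg") or "").strip().lower()


def forefront_verdict(msg: Message):
    """SFV field of X-Forefront-Antispam-Report; SPM means Microsoft judged it spam."""
    m = _SFV_RE.search(msg.get("X-Forefront-Antispam-Report", ""))
    return m.group(1) if m else None


def assess(raw: str, protected=PROTECTED_BRANDS) -> dict:
    """Return the auth verdicts plus the reasons, if any, the message is suspicious."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    from_dom = rfc5322_from_domain(msg)
    org = originator_org(msg)
    sfv = forefront_verdict(msg)
    reasons = []
    # The pattern from the thread: SPF/DKIM/DMARC all pass for a protected brand,
    # yet the stamping tenant is some other *.onmicrosoft.com organisation.
    # Authentication results alone cannot catch this, since the DKIM signature
    # really is d=microsoft.com; the tenant/brand mismatch is the discriminator.
    if (from_dom in protected
            and org.endswith(".onmicrosoft.com")
            and org not in protected[from_dom]):
        reasons.append(f"From {from_dom} stamped by unverified tenant {org}")
    # Microsoft's own outbound filter already marked it as spam.
    if sfv == "SPM":
        reasons.append("X-Forefront-Antispam-Report carries SFV:SPM")
    return {"auth": auth, "from_domain": from_dom, "originator_org": org,
            "sfv": sfv, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT_TENANT)):
        print(label, assess(sample))
```

The tenant allow-list is the part that needs local tuning: a tenant that legitimately sends as a protected brand must be added to PROTECTED_BRANDS, and any other brand a receiver cares about gets its own entry. Treating SFV:SPM as a second, independent signal reflects Michael's reply: the mail is not blocked at the source, so the receiver has to act on the flag.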
