I guess my question, though, is why are they signed with a DKIM key that lets people forge an address "@microsoft.com"?
Wouldn't it be better to sign "@sheilaltd.onmicrosoft.com" (etc.) mail with a different key that wouldn't validate for a "From: someth...@microsoft.com" header?

> On Sep 20, 2024, at 10:17 AM, Michael Wise via mailop <mailop@mailop.org> wrote:
>
> X-Forefront-Antispam-Report: …;SFV:SPM;…
>
> We have a policy on a per message basis of not blocking anything from leaving
> the site, but we do send it out a different pool, and we do try to flag it as
> spam.
> As always, there can be both FNs and FPs, so be advised.
>
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation | Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?
>
> From: mailop <mailop-boun...@mailop.org> On Behalf Of Robert L Mathews via mailop
> Sent: Friday, September 20, 2024 10:01 AM
> To: mailop@mailop.org
> Subject: [EXTERNAL] [mailop] onmicrosoft.com customers forging @microsoft.com addresses for phishing
>
> I've seen quite a few cases recently where it looks like people sign up for a
> Microsoft cloud service (Azure?), and are then able to send mail that claims
> to be from @microsoft.com in the "From" header. The resulting mail passes
> both SPF and DKIM checks.
>
> For example, this phishing message successfully passes SpamAssassin with
> "DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain":
>
> Return-Path: bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com
> X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109)
>  smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
>  header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
> Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates
>  20.69.8.109 as permitted sender) receiver=protection.outlook.com;
>  client-ip=20.69.8.109;
>  helo=mail-nam-cu09-cy.westcentralus.cloudapp.azure.com; pr=C
> DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;
>  c=relaxed/relaxed; i=microsoft-nore...@microsoft.com; t=1726749195;
>  h=from:subject:date:message-id:to:mime-version:content-type;
>  bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=;
>  b=MVlEt8w4NMMWwxGJTAIAsP/KVcxnZ8XV1QYNSkB5zqo/GQJf+fXednkdXQXZ4LWXqZkzSJFTshV
>  pRM5q2Bk6rAsg1zNa8uCJ3YyNBcVzWnhkl0JJwr16zpdNBOuuex5Cehynjiwf+I/ZWLPzp4hmy3v1
>  74cnBd9OLJD+vnu1CDQ=
> From: Microsoft <microsoft-nore...@microsoft.com>
> Date: Thu, 19 Sep 2024 12:33:15 +0000
> Subject: Your Microsoft order on September 19, 2024
> Message-ID: <703d1f73-6ccd-4265-888b-e0819add3...@az.westcentralus.microsoft.com>
> To: microsoft-re...@m365salesteam.onmicrosoft.com
> X-OriginatorOrg: sheilaltd.onmicrosoft.com
>
> I've omitted most of it here but you can see the full thing, with only a bit
> of redaction for privacy, at
> <https://tigertech.net/files/onmicrosoft.com.txt>.
>
> I know that the recommended solution is probably to not accept anything at
> all from "onmicrosoft.com", but testing shows that would generate a few false
> positives.
>
> Is Microsoft aware this is happening, and working to stop it?
>
> --
> Robert L Mathews
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

--
Robert L Mathews
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
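The question raised in the reply above is one of DMARC identifier alignment: a signature under d=microsoft.com aligns with a "From: @microsoft.com" header, so the tenant's mail earns DMARC credit for the parent brand, whereas a signature under the tenant's own domain would not. The following is an added example, not code from the mailop thread or from Microsoft, that parses the header pattern quoted above and shows the alignment outcome under both signing domains, plus a scoring heuristic built on the X-OriginatorOrg header. Assumptions: the authserv-id mx.example.net stands in for your own MTA; the sample message is constructed (placeholder local-parts, selector, signature value and body; domains as posted); no signature is cryptographically verified (that needs DNS), the dkim= verdict is instead read from the trusted Authentication-Results header; and the organizational-domain rule is a last-two-labels simplification of the Public Suffix List lookup DMARC really uses.

```python
"""DMARC alignment check for the tenant-signed-as-parent-brand header pattern.

Added example; not from the mailop thread or from Microsoft.
"""
import email
import re
from email import policy

# Assumption: the authserv-id your own MTA writes into Authentication-Results.
# Verdicts stamped by anyone else (including upstream X-MS-Exchange-* headers)
# travel with the message and are under the sender's control.
TRUSTED_AUTHSERV_ID = "mx.example.net"

# Constructed sample modelled on the posted headers. Domains are as posted;
# local-parts are abbreviated as in the post or are placeholders, and the
# selector, b= value and body are placeholders.
SAMPLE_AS_SENT = """\
Return-Path: <bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;
 c=relaxed/relaxed; t=1726749195;
 h=from:subject:date:message-id:to:mime-version:content-type;
 bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=; b=PLACEHOLDER
From: Microsoft <microsoft-nore...@microsoft.com>
To: <recipient@m365salesteam.onmicrosoft.com>
Subject: Your Microsoft order on September 19, 2024
X-OriginatorOrg: sheilaltd.onmicrosoft.com

(body elided)
"""

# The same message as it would look if the tenant's own key had signed it
# (placeholder selector), which is what the reply proposes.
SAMPLE_TENANT_KEY = SAMPLE_AS_SENT.replace(
    "d=microsoft.com; s=s1024-meo;", "d=sheilaltd.onmicrosoft.com; s=tenantsel;"
).replace("header.d=microsoft.com", "header.d=sheilaltd.onmicrosoft.com")


def domain_of(addr_header):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr_header or "")
    return m.group(1).lower().rstrip(".") if m else ""


def dkim_tags(signature):
    """Split a (possibly folded) DKIM-Signature value into tag=value pairs."""
    tags = {}
    for part in (signature or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (DMARC uses the PSL)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain, signing_domain, mode="relaxed"):
    """DMARC alignment of RFC5322.From with DKIM d=: strict = exact match,
    relaxed (the DMARC default) = same organizational domain."""
    if not from_domain or not signing_domain:
        return False
    if mode == "strict":
        return from_domain == signing_domain
    return org_domain(from_domain) == org_domain(signing_domain)


def trusted_dkim_result(msg):
    """dkim= verdict from an Authentication-Results header our MTA wrote; 'none' otherwise."""
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip() != TRUSTED_AUTHSERV_ID:
            continue
        m = re.search(r"\bdkim=(\w+)", value)
        if m:
            return m.group(1).lower()
    return "none"


def evaluate(raw_message):
    """Alignment facts for one message plus the tenant-vs-brand heuristic."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    from_domain = domain_of(msg["From"])
    signing_domain = dkim_tags(msg["DKIM-Signature"]).get("d", "").lower()
    originator_org = (msg["X-OriginatorOrg"] or "").strip().lower()
    dkim_pass = trusted_dkim_result(msg) == "pass"
    return {
        "from_domain": from_domain,
        "envelope_domain": domain_of(msg["Return-Path"]),
        "dkim_d": signing_domain,
        # What DMARC credits: a passing signature whose d= aligns with From.
        "dkim_aligned_pass": dkim_pass and aligned(from_domain, signing_domain),
        "originator_org": originator_org,
        # Heuristic for the posted pattern: the sending tenant (X-OriginatorOrg)
        # is not aligned with the From domain the message claims. A scoring
        # input, not a hard reject, given the FPs the post reports.
        "tenant_brand_mismatch": bool(originator_org)
        and not aligned(from_domain, originator_org),
    }


def key_would_authorize(from_domain, proposed_signing_domain, mode="relaxed"):
    """Would a signature under proposed_signing_domain earn DMARC credit for from_domain?"""
    return aligned(from_domain, proposed_signing_domain, mode)


if __name__ == "__main__":
    for label, raw in (("as sent", SAMPLE_AS_SENT), ("tenant key", SAMPLE_TENANT_KEY)):
        print(label, evaluate(raw))
    print("tenant key for From @microsoft.com:",
          key_would_authorize("microsoft.com", "sheilaltd.onmicrosoft.com"))
```

Run as a script, the as-sent sample reports dkim_aligned_pass True with tenant_brand_mismatch True, while the tenant-key variant reports dkim_aligned_pass False: the key the reply proposes would still sign the tenant's own mail fine but would give no DMARC credit to a From: @microsoft.com header. In a real filter, feed tenant_brand_mismatch into scoring rather than rejecting on it, and only ever read dkim= from the Authentication-Results header your own MTA adds.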