I've been reporting these to Microsoft (ab...@microsoft.com,
ab...@outlook.com, j...@office365.microsoft.com), but I don't think they
grok what's going on:
---
Hi,
Based on the information you provided, it appears to have originated
from an Office 365 or Exchange Online tenant account.
To report junk mail from Office 365 tenants, send an email to
j...@office365.microsoft.com and include the junk mail as an attachment.
This link provides further junk mail education
https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx.
Kindly,
REDACTED
Microsoft Online Safety
Ref:MSG18380909_8Uka8PKHK4Q5gp8Fyly
---
On 9/20/2024 at 12:01, Robert L Mathews via mailop wrote:
I've seen quite a few cases recently where it looks like people sign up
for a Microsoft cloud service (Azure?), and are then able to send mail
that claims to be from @microsoft.com in the "From" header. The
resulting mail passes both SPF and DKIM checks.
For example, this phishing message successfully passes SpamAssassin with
"DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain":
Return-Path: bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109)
  smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
  header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates
  20.69.8.109 as permitted sender) receiver=protection.outlook.com;
  client-ip=20.69.8.109;
  helo=mail-nam-cu09-cy.westcentralus.cloudapp.azure.com; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;
  c=relaxed/relaxed; i=microsoft-nore...@microsoft.com; t=1726749195;
  h=from:subject:date:message-id:to:mime-version:content-type;
  bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=;
  b=MVlEt8w4NMMWwxGJTAIAsP/KVcxnZ8XV1QYNSkB5zqo/GQJf+fXednkdXQXZ4LWXqZkzSJFTshV
  pRM5q2Bk6rAsg1zNa8uCJ3YyNBcVzWnhkl0JJwr16zpdNBOuuex5Cehynjiwf+I/ZWLPzp4hmy3v1
  74cnBd9OLJD+vnu1CDQ=
From: Microsoft <microsoft-nore...@microsoft.com>
Date: Thu, 19 Sep 2024 12:33:15 +0000
Subject: Your Microsoft order on September 19, 2024
Message-ID:
  <703d1f73-6ccd-4265-888b-e0819add3...@az.westcentralus.microsoft.com>
To: microsoft-re...@m365salesteam.onmicrosoft.com
X-OriginatorOrg: sheilaltd.onmicrosoft.com
I've omitted most of it here but you can see the full thing, with only a
bit of redaction for privacy, at
<https://tigertech.net/files/onmicrosoft.com.txt>.
I know that the recommended solution is probably to not accept anything
at all from "onmicrosoft.com", but testing shows that would generate a
few false positives.
Is Microsoft aware this is happening, and working to stop it?
--
Robert L Mathews
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
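
In the headers quoted above, From and the DKIM d= domain are microsoft.com while Return-Path and X-OriginatorOrg name an onmicrosoft.com tenant. The following is an added example, not part of either message in this thread, of a check narrower than rejecting all onmicrosoft.com mail; the function names, the rule itself and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches onmicrosoft.com and any tenant subdomain of it.
TENANT_RE = re.compile(r"(?:^|\.)onmicrosoft\.com$", re.IGNORECASE)

def domain_of(addr_header):
    """Return the lowercased domain of an address header, or ''."""
    addr = parseaddr(addr_header or "")[1]
    return addr.rpartition("@")[2].lower()

def tenant_mismatch(raw_message, brand="microsoft.com"):
    """Return the tenant domain when From: claims <brand> but Return-Path or
    X-OriginatorOrg names an onmicrosoft.com tenant; otherwise None.
    SPF/DKIM/DMARC results are deliberately ignored: in the reported
    messages they all pass, so they cannot separate the two cases."""
    msg = message_from_string(raw_message)
    if domain_of(msg.get("From")) != brand:
        return None
    candidates = [domain_of(msg.get("Return-Path")),
                  (msg.get("X-OriginatorOrg") or "").strip().lower()]
    for dom in candidates:
        if dom and TENANT_RE.search(dom):
            return dom
    return None

# Constructed sample shaped like the reported message (addresses are made up).
SUSPECT = """\
Return-Path: <bounces+SRS=ab12+=cd@exampletenant.onmicrosoft.com>
Authentication-Results: spf=pass smtp.mailfrom=microsoft.com; dkim=pass
  header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: Microsoft <sender@microsoft.com>
Subject: Your Microsoft order
X-OriginatorOrg: exampletenant.onmicrosoft.com

body
"""

# Constructed ordinary tenant mail: From: is the customer's own domain,
# so the rule leaves it alone (the false-positive case raised above).
ORDINARY = """\
Return-Path: <alice@customer.example>
From: Alice <alice@customer.example>
X-OriginatorOrg: customer.onmicrosoft.com

body
"""

if __name__ == "__main__":
    print(tenant_mismatch(SUSPECT), tenant_mismatch(ORDINARY))
```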