The traffic really does start out coming from a Microsoft service; it’s an 
invoice.
But it gets sent through an onmicrosoft.com DL and expanded and sent to folks not 
originally specified.
The only clue is in the actual “Benign” text of the message, which is a 
callback scam.

… if this is the campaign that I think it is.
We’re aware of this issue, but it’s a bit tricky to close this particular 
loophole.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation | Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail<http://go.microsoft.com/fwlink/?LinkID=614866> ?

From: mailop <mailop-boun...@mailop.org> On Behalf Of Robert L Mathews via 
mailop
Sent: Friday, September 20, 2024 11:11 AM
To: mailop@mailop.org
Subject: Re: [mailop] [EXTERNAL] onmicrosoft.com customers forging 
@microsoft.com addresses for phishing

I guess my question, though, is why are they signed with a DKIM key that lets 
people forge an address "@microsoft.com"?

Wouldn't it be better to sign "@sheilaltd.onmicrosoft.com" (etc.) mail with a 
different key that wouldn't validate for a "From: someth...@microsoft.com" header?


On Sep 20, 2024, at 10:17 AM, Michael Wise via mailop <mailop@mailop.org> wrote:


X-Forefront-Antispam-Report: …;SFV:SPM;…

We have a policy on a per message basis of not blocking anything from leaving 
the site, but we do send it out a different pool, and we do try to flag it as 
spam.
As always, there can be both FNs and FPs, so be advised.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation | Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail<http://go.microsoft.com/fwlink/?LinkID=614866> ?

From: mailop <mailop-boun...@mailop.org> On Behalf Of Robert L Mathews via mailop
Sent: Friday, September 20, 2024 10:01 AM
To: mailop@mailop.org
Subject: [EXTERNAL] [mailop] onmicrosoft.com customers forging @microsoft.com 
addresses for phishing

I've seen quite a few cases recently where it looks like people sign up for a 
Microsoft cloud service (Azure?), and are then able to send mail that claims to 
be from @microsoft.com in the "From" header. The resulting mail passes both SPF 
and DKIM checks.

For example, this phishing message successfully passes SpamAssassin with 
"DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain":

Return-Path: bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109)
smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates
20.69.8.109 as permitted sender) receiver=protection.outlook.com;
client-ip=20.69.8.109;
helo=mail-nam-cu09-cy.westcentralus.cloudapp.azure.com; pr=C
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;
c=relaxed/relaxed; i=microsoft-nore...@microsoft.com; t=1726749195;
h=from:subject:date:message-id:to:mime-version:content-type;
bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=;
b=MVlEt8w4NMMWwxGJTAIAsP/KVcxnZ8XV1QYNSkB5zqo/GQJf+fXednkdXQXZ4LWXqZkzSJFTshV
pRM5q2Bk6rAsg1zNa8uCJ3YyNBcVzWnhkl0JJwr16zpdNBOuuex5Cehynjiwf+I/ZWLPzp4hmy3v1
74cnBd9OLJD+vnu1CDQ=
From: Microsoft <microsoft-nore...@microsoft.com>
Date: Thu, 19 Sep 2024 12:33:15 +0000
Subject: Your Microsoft order on September 19, 2024
Message-ID: <703d1f73-6ccd-4265-888b-e0819add3...@az.westcentralus.microsoft.com>
To: microsoft-re...@m365salesteam.onmicrosoft.com
X-OriginatorOrg: sheilaltd.onmicrosoft.com

I've omitted most of it here but you can see the full thing, with only a bit of 
redaction for privacy, at <https://tigertech.net/files/onmicrosoft.com.txt>.

I know that the recommended solution is probably to not accept anything at all 
from "onmicrosoft.com", but testing shows that would generate a few false 
positives.

Is Microsoft aware this is happening, and working to stop it?

--
Robert L Mathews

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

--
Robert L Mathews
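
An added example, not from the thread or from Microsoft: a small receiver-side check that reproduces what the headers above reveal. It applies the DKIM_VALID_AU alignment test (From: domain equals the DKIM d= domain) and then adds the two signals the thread discusses: a DKIM-aligned microsoft.com From: on mail whose X-OriginatorOrg is a customer *.onmicrosoft.com tenant, and the SFV:SPM verdict Microsoft's own filter places in X-Forefront-Antispam-Report. The header samples are constructed from the quoted message (signature value shortened, truncated local parts replaced by placeholders); the PROTECTED_FROM_DOMAINS set and the field names are this example's own assumptions. A second, benign tenant message shows why simply rejecting everything from onmicrosoft.com is the coarser tool.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumption for this example: domains a customer tenant should never be able
# to place in From: while the mail originates from a *.onmicrosoft.com tenant.
PROTECTED_FROM_DOMAINS = {"microsoft.com"}

# Constructed sample, abridged from the headers quoted in the thread.
# Local parts that were truncated in the thread are replaced by placeholders.
SAMPLE_PHISH = """\
Return-Path: <bounces+SRS=PLACEHOLDER@sheilaltd.onmicrosoft.com>
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109) smtp.mailfrom=microsoft.com; dkim=pass (signature was verified) header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;
 c=relaxed/relaxed; i=noreply-placeholder@microsoft.com; t=1726749195;
 h=from:subject:date:message-id:to:mime-version:content-type;
 bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=; b=SHORTENED
X-Forefront-Antispam-Report: SFV:SPM;
From: Microsoft <noreply-placeholder@microsoft.com>
Subject: Your Microsoft order on September 19, 2024
X-OriginatorOrg: sheilaltd.onmicrosoft.com

body omitted
"""

# Constructed benign sample: the same tenant mailing under its own domain.
SAMPLE_TENANT_OWN = """\
DKIM-Signature: v=1; a=rsa-sha256; d=sheilaltd.onmicrosoft.com; s=selector1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Sheila Ltd <invoices@sheilaltd.onmicrosoft.com>
Subject: Invoice
X-OriginatorOrg: sheilaltd.onmicrosoft.com

body omitted
"""


def parse(raw: str):
    # The default policy joins folded header continuation lines for us.
    return message_from_string(raw, policy=default)


def from_domain(msg) -> str:
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def dkim_signing_domains(msg) -> list:
    # Collect the d= tag of every DKIM-Signature header present.
    doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
        if m:
            doms.append(m.group(1).lower())
    return doms


def originator_org(msg) -> str:
    return str(msg.get("X-OriginatorOrg") or "").strip().lower()


def forefront_flagged_spam(msg) -> bool:
    # SFV:SPM is the verdict the thread quotes from X-Forefront-Antispam-Report.
    report = str(msg.get("X-Forefront-Antispam-Report") or "")
    return any(f.strip().upper() == "SFV:SPM" for f in report.split(";"))


def assess(raw: str) -> dict:
    msg = parse(raw)
    fd = from_domain(msg)
    org = originator_org(msg)
    # Same alignment test SpamAssassin's DKIM_VALID_AU expresses: From: domain
    # equals a signing d= domain (signature validity itself is assumed here).
    aligned = fd in dkim_signing_domains(msg)
    customer_tenant = org.endswith(".onmicrosoft.com")
    findings = []
    if aligned and customer_tenant and fd in PROTECTED_FROM_DOMAINS:
        findings.append(f"DKIM-aligned From {fd} originated from customer tenant {org}")
    if forefront_flagged_spam(msg):
        findings.append("sending side already marked the message SFV:SPM")
    return {"from_domain": fd, "originator_org": org,
            "dkim_aligned": aligned, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("tenant-own", SAMPLE_TENANT_OWN)):
        print(name, assess(raw))
```

Both messages pass the plain alignment test, which is exactly why DKIM_VALID_AU alone cannot separate them; the tenant-of-origin header and the sender's own spam verdict are what tell them apart without rejecting every onmicrosoft.com tenant.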
