FWIW, for a while now we have been outright blocking all email from any subdomain of onmicrosoft.com, as well as email from any azurewebsites.net domain/subdomain.
To my understanding, other than for any tenant who hasn't configured their email domain's settings per Microsoft's guidance, what we do should result in zero false positives. To date, none of our customers have reported any "missing" emails from this practice. If anyone has an example of how what we are doing would lead to a false positive, I would be grateful to know please.

Regards,
Mark

-- 
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs

----- Original Message -----
| From: "Robert Giles via mailop" <mailop@mailop.org>
| To: "mailop" <mailop@mailop.org>
| Sent: Friday, September 20, 2024 2:20:51 PM
| Subject: Re: [mailop] onmicrosoft.com customers forging @microsoft.com addresses for phishing

| I've been reporting these to Microsoft (ab...@microsoft.com,
| ab...@outlook.com, j...@office365.microsoft.com), but I don't think they
| grok what's going on:
|
| ---
| Hi,
|
| Based on the information you provided, it appears to have originated
| from an Office 365 or Exchange Online tenant account.
|
| To report junk mail from Office 365 tenants, send an email to
| j...@office365.microsoft.com and include the junk mail as an attachment.
|
| This link provides further junk mail education
| https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx.
|
| Kindly,
|
| REDACTED
| Microsoft Online Safety
| Ref:MSG18380909_8Uka8PKHK4Q5gp8Fyly
| ---
|
|
| On 9/20/2024 at 12:01, Robert L Mathews via mailop wrote:
|> I've seen quite a few cases recently where it looks like people sign up
|> for a Microsoft cloud service (Azure?), and are then able to send mail
|> that claims to be from @microsoft.com in the "From" header. The
|> resulting mail passes both SPF and DKIM checks.
|>
|> For example, this phishing message successfully passes SpamAssassin with
|> "DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
|> domain":
|>
|> Return-Path: bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com
|> X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109)
|>  smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
|>  header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
|> Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates
|>  20.69.8.109 as permitted sender) receiver=protection.outlook.com;
|>  client-ip=20.69.8.109;
|>  helo=mail-nam-cu09-cy.westcentralus.cloudapp.azure.com; pr=C
|> DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;
|>  c=relaxed/relaxed; i=microsoft-nore...@microsoft.com; t=1726749195;
|>  h=from:subject:date:message-id:to:mime-version:content-type;
|>  bh=7ly01TFWrXYbreqkdNSOhkq4Nz8y28Mdjn0eMxCBVTw=;
|>  b=MVlEt8w4NMMWwxGJTAIAsP/KVcxnZ8XV1QYNSkB5zqo/GQJf+fXednkdXQXZ4LWXqZkzSJFTshV
|>  pRM5q2Bk6rAsg1zNa8uCJ3YyNBcVzWnhkl0JJwr16zpdNBOuuex5Cehynjiwf+I/ZWLPzp4hmy3v1
|>  74cnBd9OLJD+vnu1CDQ=
|> From: Microsoft <microsoft-nore...@microsoft.com>
|> Date: Thu, 19 Sep 2024 12:33:15 +0000
|> Subject: Your Microsoft order on September 19, 2024
|> Message-ID: <703d1f73-6ccd-4265-888b-e0819add3...@az.westcentralus.microsoft.com>
|> To: microsoft-re...@m365salesteam.onmicrosoft.com
|> X-OriginatorOrg: sheilaltd.onmicrosoft.com
|>
|> I've omitted most of it here but you can see the full thing, with only a
|> bit of redaction for privacy, at
|> <https://tigertech.net/files/onmicrosoft.com.txt>.
|>
|> I know that the recommended solution is probably to not accept anything
|> at all from "onmicrosoft.com", but testing shows that would generate a
|> few false positives.
|>
|> Is Microsoft aware this is happening, and working to stop it?
|>
|> --
|> Robert L Mathews
|>
|>
|> _______________________________________________
|> mailop mailing list
|> mailop@mailop.org
|> https://list.mailop.org/listinfo/mailop
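The block rule Mark describes (reject anything whose envelope sender is under onmicrosoft.com or azurewebsites.net) and the header shape of the phishing message Robert Mathews quoted can both be turned into a receiver-side check. The following is an added example written for this thread; it is not code from any of the posters, Zimbra, SpamAssassin or Microsoft. It parses the headers quoted above (reflowed into valid folded header lines, with the list's "..." redactions kept, and with only the headers the checks read) plus a constructed "clean tenant" message, and applies two checks: the suffix block list, and a heuristic of my own (an assumption, not something the thread proposes) that flags a *.onmicrosoft.com originating tenant whose From domain is some other domain for which DMARC nonetheless passes.

```python
"""Receiver-side policy check for mail relayed through a Microsoft 365 tenant.

Added example for the mailop thread above, not code from any poster.
Checks: (1) block-list match on the envelope sender / originating tenant
domain, (2) heuristic: *.onmicrosoft.com tenant presenting a different
From domain that DMARC passed for (the quoted phish has this shape).
"""
import email
import re
from email.utils import parseaddr

# Mark's block list: these domains and every subdomain of them.
BLOCKED_SUFFIXES = ("onmicrosoft.com", "azurewebsites.net")

# Headers of the phishing message quoted in the thread (redactions kept).
PHISH_SAMPLE = """\
Return-Path: <bounces+SRS=zWGj+=q...@sheilaltd.onmicrosoft.com>
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 20.69.8.109)
 smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)
 header.d=microsoft.com;dmarc=pass action=none header.from=microsoft.com;
From: Microsoft <microsoft-nore...@microsoft.com>
Date: Thu, 19 Sep 2024 12:33:15 +0000
Subject: Your Microsoft order on September 19, 2024
To: microsoft-re...@m365salesteam.onmicrosoft.com
X-OriginatorOrg: sheilaltd.onmicrosoft.com

(body omitted)
"""

# Constructed contrast case (not from the thread): a tenant that verified
# its own custom domain and sends as itself. Should be accepted.
CLEAN_SAMPLE = """\
Return-Path: <bounces@example.com>
X-MS-Exchange-Authentication-Results: spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;dmarc=pass action=none header.from=example.com;
From: Alerts <alerts@example.com>
To: someone@example.net
Subject: Invoice
X-OriginatorOrg: example.com

(body omitted)
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if there is none)."""
    _, addr = parseaddr(header_value or "")
    addr = addr or (header_value or "").strip()
    return addr.rpartition("@")[2].strip(" <>").lower()


def is_blocked_domain(domain):
    """Exact match or true subdomain of a blocked suffix; never a substring
    match, so e.g. notonmicrosoft.com is not caught."""
    return any(domain == s or domain.endswith("." + s) for s in BLOCKED_SUFFIXES)


def auth_results(msg):
    """Extract dkim/dmarc verdicts and the domains they were evaluated for
    from the Exchange Online header (falls back to Authentication-Results)."""
    ar = (msg.get("X-MS-Exchange-Authentication-Results")
          or msg.get("Authentication-Results") or "")

    def grab(pattern):
        m = re.search(pattern, ar)
        return m.group(1).lower() if m else ""

    return {"dkim": grab(r"\bdkim=(\w+)"), "dkim_d": grab(r"header\.d=([^;\s]+)"),
            "dmarc": grab(r"\bdmarc=(\w+)"), "dmarc_from": grab(r"header\.from=([^;\s]+)")}


def evaluate(raw_message):
    """Return a verdict dict for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw_message)
    envelope = domain_of(msg.get("Return-Path", ""))
    originator = (msg.get("X-OriginatorOrg") or "").strip().lower()
    from_domain = domain_of(msg.get("From", ""))
    auth = auth_results(msg)
    reasons = []
    if is_blocked_domain(envelope):
        reasons.append("envelope sender domain %s is on the block list" % envelope)
    if is_blocked_domain(originator):
        reasons.append("originating tenant %s is on the block list" % originator)
    # Heuristic (assumption): a *.onmicrosoft.com tenant whose From domain is
    # not its own, while DMARC passes for that other domain.
    if (originator.endswith(".onmicrosoft.com") and from_domain
            and from_domain != originator
            and auth["dmarc"] == "pass" and auth["dmarc_from"] == from_domain):
        reasons.append("tenant %s sends as %s (DMARC pass for a domain other "
                       "than the tenant's own)" % (originator, from_domain))
    return {"action": "reject" if reasons else "accept", "envelope_domain": envelope,
            "originator": originator, "from_domain": from_domain,
            "auth": auth, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        verdict = evaluate(sample)
        print(name, verdict["action"], *verdict["reasons"], sep="\n  ")
```

The suffix match is deliberately anchored on a dot so that unrelated domains ending in the same characters are not swept in; the heuristic is kept separate from the block list so a site that is not prepared to drop all onmicrosoft.com tenants (Robert's concern about false positives) can still score the tenant/From mismatch on its own.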