On 3/18/2024 10:13 PM, Jimmy wrote:

It's possible that certain email accounts utilizing email services with easily guessable passwords were compromised, leading to abuse of the ".onmicrosoft.com" subdomain for sending spam via email.

Well, there's (1) standard BEC, (2) stolen Exchange Administrator credentials, and (3) creation of new Microsoft 365 hosts.  While .onmicrosoft.com encompasses the entire Microsoft 365 world, including GoDaddy 365 resale, it is worse than that.  In Microsoft's case, the Azure Administration keys were pilfered as well.  Probably most of us here have all seen the residual fallout from all the bogus 365 hosts.

In a couple of cases, Exchange Administration credentials (where you set up DKIM/SMTP and the initial <COMPANY>.onmicrosoft.com hostname) were changed such that they can no longer log in.  They still have the Account and Mailbox Administrator permissions, so they can still add/delete Accounts and Mailboxes.

Microsoft asserts that no billing information was compromised and to be fair, I've seen no evidence of compromise.  Zero cred, IMHO.
Typical Microsoft:  System Down, Billing Up


I've observed an increase in the blocking of IPs belonging to Microsoft Corporation by the SpamCop blacklist since November 2023, with a notable spike in activity during February and March 2024.

Yes, you are correct.  I see there is a spat between Microsoft and SpamHaus also.  Poor, poor Microsoft.

Thanks,

-- Jared Hall