Microsoft 365 features that help users manage their subscriptions, account settings, and billing information.
Hi,
We have a situation where an internal user received an email from a departmental (internal) email address. So basically internal to internal. It had an attachment that was malware and I'm trying to determine what happened.
My thoughts are: (1) It's a spoofing phish sent from an external sender made to look like it came from inside; or (2) It's a phish sent from inside using credentials that were obtained somehow (possibly via another phish sometime earlier).
In looking at the headers, I see some key parts below I'm puzzled about. There's a bunch of header preamble above the below that is all from after it has hit the internal Office 365 mail servers. What I find pertinent is below, but I can paste the full header privately at some point if that is required. (I've used extdomain and extip as the external domain and subnet and intdomain as the internal domain.) Also, the TXT record of the extdomain is: v=spf1 a mx ~all and the TXT record of our domain is: =spf1 include:spf.protection.outlook.com -all
For clarity, our domain of intdomain does NOT have SPF protection enabled. I'm wondering if we should be enabling that as well as DKIM and DMARC, but I admittedly do not know enough about those settings and what that might impact.
Any help is appreciated. In looking at the below it seems to me that this is a straight-up spoof job, but I want to confirm.
Authentication-Results: spf=pass (sender IP is extip)
smtp.mailfrom=extdomain; intdomain; dkim=none (message not signed)
header.d=none;intdomain; dmarc=none action=none header.from=intdomain;
Received-SPF: Pass (protection.outlook.com: domain of extdomain
designates extip as permitted sender) receiver=protection.outlook.com;
client-ip=extip; helo=mserv.extdomain;
Received: from mserv.extdomain (extip) by
XXXX.mail.protection.outlook.com (10.xx.xx.xx) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.xx.xx.xx via Frontend Transport; Tue, 18 Sep 2018 16:26:47 +0000
Received: (qmail 10347 invoked by uid 89); 18 Sep 2018 16:26:46 -0000
Received: from unknown (HELO 10.8.xx.xx.xx) (ckc?coo@******@189.218.xx.xx) -> note the 189.218.xx.xx is NOT extip
by mserv.extdomain with ESMTPA; 18 Sep 2018 16:26:46 -0000
Date: Tue, 18 Sep 2018 11:26:47 -0600
From: InternalSenderName <internaldept@intdomain>
To: <internaluser@intdomain>
Subject: <internalDeptName> Account Invoice
MIME-Version: 1.0
Return-Path: <>
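The headers above contain the key signal: SPF evaluated the envelope sender (smtp.mailfrom=extdomain) and passed, but the visible From: is intdomain, DKIM is absent, and DMARC found no policy to apply. The following is an added example, not code from the thread or from Microsoft, that parses an Authentication-Results header of this shape and checks whether the authenticated identity actually aligns with the From: domain, then shows what a receiver would do with the same message once the From: domain publishes a DMARC policy. The domains, IP address and the sample headers are constructed placeholders modelled on the posted ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers posted in the question. Domains and
# the IP are placeholders (RFC 5737 test range), not real values.
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=extdomain.example; intdomain.example; dkim=none (message not signed)
 header.d=none;intdomain.example; dmarc=none action=none header.from=intdomain.example;
Received: from mserv.extdomain.example (203.0.113.10) by
 XXXX.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server;
 Tue, 18 Sep 2018 16:26:47 +0000
From: InternalSenderName <internaldept@intdomain.example>
To: <internaluser@intdomain.example>
Subject: Account Invoice
Return-Path: <>

"""


def parse_authentication_results(raw):
    """Read the SPF/DKIM/DMARC verdicts and the authenticated identities out of
    the Authentication-Results header (folded lines are joined first)."""
    msg = message_from_string(raw)
    ar = " ".join((msg.get("Authentication-Results") or "").split())

    def grab(key):
        m = re.search(re.escape(key) + r"=([^\s;()]+)", ar)
        return m.group(1).lower() if m else None

    return {
        "spf": grab("spf"),
        "dkim": grab("dkim"),
        "dmarc": grab("dmarc"),
        "mailfrom_domain": grab("smtp.mailfrom"),  # envelope sender SPF checked
        "dkim_domain": grab("header.d"),           # signing domain, if any
        "from_domain": grab("header.from"),        # what the user sees
    }


def aligned(auth_domain, from_domain):
    """Relaxed DMARC-style alignment: same domain, or a subdomain of it."""
    if not auth_domain or auth_domain == "none" or not from_domain:
        return False
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, or None when there is no record."""
    if not txt_record:
        return None
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    if tags.get("v", "").strip().upper() != "DMARC1":
        return None
    return tags.get("p", "none").strip().lower()


def assess(raw, dmarc_txt=None):
    """Explain why the message passed SPF yet still looks spoofed, and what a
    receiver would do if the From: domain published the given DMARC record."""
    r = parse_authentication_results(raw)
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_aligned = r["spf"] == "pass" and aligned(r["mailfrom_domain"], from_domain)
    dkim_aligned = r["dkim"] == "pass" and aligned(r["dkim_domain"], from_domain)

    findings = []
    if r["spf"] == "pass" and not spf_aligned:
        findings.append(f"SPF passed for {r['mailfrom_domain']}, not for the From: domain {from_domain}")
    if r["dkim"] != "pass":
        findings.append("message carries no valid DKIM signature")
    if (msg.get("Return-Path") or "").strip() == "<>":
        findings.append("null Return-Path: no bounce address, typical of injected mail")

    policy = dmarc_policy(dmarc_txt)
    if policy is None:
        action = "none (no DMARC record published, receiver cannot enforce)"
    elif spf_aligned or dkim_aligned:
        action = "pass"
    else:
        action = policy  # none / quarantine / reject, as published by the domain owner

    return {
        "from_domain": from_domain,
        "mailfrom_domain": r["mailfrom_domain"],
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_action": action,
        "findings": findings,
    }


if __name__ == "__main__":
    for record in (None, "v=DMARC1; p=reject; rua=mailto:dmarc@intdomain.example"):
        result = assess(SAMPLE_HEADERS, record)
        print(f"DMARC record: {record!r} -> receiver action: {result['dmarc_action']}")
        for f in result["findings"]:
            print("  -", f)
```

The point the check makes visible: "spf=pass" on its own says nothing about the From: address; it only says extdomain's SPF record allowed extip to send mail on extdomain's behalf. Alignment between the authenticated domain and header.from is what DMARC adds, and without a DMARC record on intdomain the receiving side records "dmarc=none" and delivers. With p=quarantine or p=reject published for intdomain, the same message would be quarantined or rejected, while genuine tenant mail (SPF aligned via spf.protection.outlook.com, or DKIM-signed by the tenant) still passes.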
Locked question. This question was migrated from the Microsoft Support Community.
Is there any chance that the mail was sent by an application or device? That may be the reason.
Thanks for your replies. Much appreciated.
I get what you're saying, I think... and when we click Reply-To, there is no different email address there. There is no Reply-To field set in the header either. But I think the spoofing scenario here could be not so much that they wanted to generate a reply, but rather that they wanted it to look legitimately like it was sent from a trusted internal account so as to get them to open the attachment, which was malware.
Can a spoofed email show up in message trace? From what you say above, it cannot, and that makes sense to me. But if this is the case and an email sent from within our tenant from internal account to another (no external reply-to address), then why does extdomain show up at all in my message headers?
Let's say I try to impersonate you. I send a mail to a third party. The message arrives from internaldept@intdomain, your account. But when you look at the headers, you will see a different "Reply-To" field. In the legit mail it should be the same account. In the malicious email, the "Reply-To" can be any address but yours. And that outgoing message won't show up in your message trace, because the origin is outside your system.
Hi, I meant to add, I did check out the message trace and it DID show up there. So I wasn't sure if a spoofed email from outside would be able to show up in message trace??
So if that's the case, the account was likely compromised. BUT, if that's the case, why is the extdomain showing up in my message headers??
Hello EastCoastM!!
As far as I can see, it seems a legit message, but better to investigate further. I'd suggest you perform a message trace here: https://protection.office.com/?rfr=AdminCenter#...
Check the messages sent by InternalSenderName <internaldept@intdomain>. You can use the message ID to make sure it is the same message. If the message is reflected in the message trace, it is legit. If someone is impersonating the account, it won't show up in the messages sent by the account.
Hope it helps!!
germain