Directory Harvest Attck

Jeff Hattendorf 0 Reputation points

Hi Everyone,

we will soon be upgrading our Azure subscription to Security but right now we are getting thousands of SPAM emails

can anyone please tell me if there is a way to create a conditional access policy in Entra to stop Directory Harvest Attacks?

Any and all help is greatly appreciated

thanks in advance

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,859 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Harpreet Singh Matharoo 7,576 Reputation points Microsoft Employee

    Hello @Jeff Hattendorf

    Thank you for contacting Microsoft Azure QnA Platform. Typical Directory Harvest Attacks (DHAs) are a type of cyber-attack where an attacker attempts to determine the valid e-mail addresses associated with an e-mail server. However Conditional Access Policies are intended for Authorization level blocks for your tenant users and cannot prevent DHAs happening via SPAM emails.

    You should ideally look for Exchange Online Protection (EOP) policies as it can indeed help in preventing Directory Harvest Attacks (DHAs).

    • Recipient Lookups: By default, the transport server will use recipient lookups to notify the connecting host whether an email address is valid or not1. When an inbound email is addressed to a recipient that does not exist, a “550 5.1.1 User unknown” SMTP response is sent to the connecting host. When an email is addressed to a valid recipient, a “250 2.1.5 Recipient OK” SMTP response is sent. This behavior can be modified to prevent DHAs.
    • Disable Delivery Receipts: One method to combat DHAs is to disable delivery receipts for the Exchange organization. Disabling delivery receipts makes DHAs much less effective and might also save you bandwidth and other system resources.
    • Secure Email Gateways: Utilizing secure email gateways can help prevent DHAs.
    • SPF, DKIM, and DMARC: Implementing Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) records for your domain can help prevent DHAs.
    • SMTP Settings: Configuring Simple Mail Transfer Protocol (SMTP) settings to delay or limit error messages can help prevent DHAs.
    • Catch-All Email Address: Using a catch-all email address can help prevent DHAs by ensuring that all emails sent to invalid addresses at your domain are redirected to this address.
    • Monitoring Email Traffic: Monitoring your email traffic for suspicious activity can help detect and prevent DHAs.

    For more detailed explanation and appropriate setup you can reach out to Microsoft Security and Compliance support team by raising a support case from Microsoft Admin Center.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments