Incident with 42,000 Spoofed Emails - Request for Guidance

LM-5132 250 Reputation points
2025-04-04T14:12:40.7566667+00:00

Hello,

We recently experienced an incident where approximately 42,000 spoofed emails were sent out using our ******@ourdomain.com address. The emails appeared to come from our address, but the originating IP address was traced to France, while we are located in the United States. The subject line of these emails was "SALARY BONUS UPDATE." Out of the total, about 34,000 emails were delivered, and only 8,000 were blocked.

Currently, we do not have our postmaster email account set up, as we do not utilize it. I attempted to send an email to our postmaster address and received a Non-Delivery Report (NDR).

My questions are:

If we do not have the postmaster@ourdomain email set up, should I create a mail flow rule to block any incoming or outgoing emails from this address?

What is the best way to mitigate this using Microsoft Exchange or Microsoft Defender?

Additionally, we are a small business using Microsoft 365 GCC with Outlook. Would it be beneficial for us to establish a postmaster account, and if so, why?

We are concerned about this incident as it links our company's name to these spoofed emails, making it appear as if we are sending them.

Thank you for your assistance; it is greatly appreciated!

Exchange Online

1 answer

  1. Anonymous
    2025-04-08T05:08:50.31+00:00

    Hi @LM-5132 ,

    Thank you for posting your question in the Microsoft Q&A forum.

    Based on your description, you are experiencing an issue with a spoofed email attack. Here are some suggestions to help you.

    1. The postmaster mailbox is a special e-mail address in the mail system, which is often used to receive important notifications, bug reports and feedback from the mail system. If you directly block emails from this address, you may miss some critical system information. So it may not be advisable to block it directly, but to configure this mailbox correctly and make sure it can receive mail.
    2. Regarding mitigation, you can check the existing SPF, DKIM and DMARC configurations. Because the attacker spoofed your domain, it is possible that these records were not set up correctly or not enforced strictly enough. For example, the SPF may not contain all legitimate sending sources, or the DMARC policy is p=none, resulting in not enforcing strict checks. It is recommended that you check and tighten these settings.
    3. You can create and use Microsoft Exchange mail flow rules to block this spam. Since the subject line of these scam emails is “SALARY BONUS UPDATE”, you can create a rule to block when the email subject contains this keyword.

    If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

    Thank you for your support and understanding.

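The record checks described in the answer's second point, as an added example that is not part of the original thread: a small Python evaluator for SPF and DMARC TXT records that flags the weaknesses named above (DMARC p=none, an SPF record that does not end in -all). The two records are constructed samples, not the poster's real DNS, and the function names are assumptions of this example.

```python
# Constructed sample records (not the poster's real DNS); the weak settings
# mirror the answer: DMARC p=none and an SPF record ending in a softfail.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return the reasons this DMARC record would not stop a spoof."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy at all"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing mail is only reported, never blocked")
    elif policy != "reject":
        findings.append(f"p={policy or 'missing'}: only p=reject makes receivers refuse failing mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to show who is spoofing you")
    return findings


def assess_spf(record: str) -> list:
    """Return the reasons this SPF record would not stop a spoof."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: sender IPs are never checked"]
    # The trailing 'all' mechanism decides what happens to unlisted senders.
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None or all_term in ("all", "+all"):
        return ["no -all / ~all: any IP on the internet passes SPF for this domain"]
    if all_term == "?all":
        return ["?all (neutral): unlisted senders are neither passed nor failed"]
    if all_term == "~all":
        return ["~all (softfail): unlisted senders are marked, not rejected; prefer -all"]
    return []
```

Run it against the real records with a DNS TXT lookup of the domain (SPF) and of _dmarc.<domain> (DMARC); an empty list from both functions means the records themselves are not the gap.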
