How are these phish messages appearing to come from our domain?

Art Singlaterry 1 Reputation point
2021-12-10T22:57:07.967+00:00

A client of ours was phished recently. They are using MS 365. The message header shows that the envelope sender is bounces+SRS=/rKyG=Q2@mydomain.com. The X-OriginatorOrg is also mydomain.com. How is this possible? Because of this, the message even passes DKIM and is sent to the recipient as a legitimate message. For some more context, The message appears to be a BCC, from a compromised domain. But my question is how is my domain being used in the spoof? Happy to share headers via PM if needed.

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,040 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Andy David - MVP 137.9K Reputation points MVP
    2021-12-11T12:38:01.2+00:00

    IF you are seeing that in the sender, then the message is being relayed from an on-prem server through 365:

    https://learn.microsoft.com/en-us/office365/troubleshoot/antispam/sender-rewriting-scheme#relaying-from-a-customers-on-premises-server

    156779-image.png

    I would verify which IP these are coming from.

    Additionally - If the client was phished, ensure passwords have been changed and check for any inbox rules in the mailboxes as well

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide

    0 comments No comments

  2. Joyce Shen - MSFT 16,626 Reputation points
    2021-12-13T02:42:10.923+00:00

    Hi @Art Singlaterry

    Agree with Andy's suggestions, and below are some additional information for your reference as well:

    You could try creating a mailflow rule on O365, if the message is sent from external and domain contains “yourdomain.com”, then reject the email or forward it to someone for approval. After setting the rule, observe if the SPAM mail occurs again.
    156877-image.png
    More details please see the link: Setting Up Domain Spoof Protection in Exchange 2013, Exchange 2016, or Microsoft 365

    And a similar issue discussed here: Office365 email spoofed or MITM, it tells that the mails was spoofed since tehy are originating from a South Africa IP address.
    We need to check the rules both on the workstation and OWA, also make sure MFA is enabled for your organization.
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments