This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 5%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
A client of ours was phished recently. They are using MS 365. The message header shows that the envelope sender is bounces+SRS=/rKyG=Q2@mydomain.com. The X-OriginatorOrg is also mydomain.com. How is this possible? Because of this, the message even passes DKIM and is sent to the recipient as a legitimate message. For some more context, The message appears to be a BCC, from a compromised domain. But my question is how is my domain being used in the spoof? Happy to share headers via PM if needed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Is there any update about your issue?
Any progress about this issue so far? Do you have any other concern about your question?
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
IF you are seeing that in the sender, then the message is being relayed from an on-prem server through 365:
I would verify which IP these are coming from.
Additionally - If the client was phished, ensure passwords have been changed and check for any inbox rules in the mailboxes as well
Agree with Andy's suggestions, and below are some additional information for your reference as well:
You could try creating a mailflow rule on O365, if the message is sent from external and domain contains “yourdomain.com”, then reject the email or forward it to someone for approval. After setting the rule, observe if the SPAM mail occurs again.
More details please see the link: Setting Up Domain Spoof Protection in Exchange 2013, Exchange 2016, or Microsoft 365
And a similar issue discussed here: Office365 email spoofed or MITM, it tells that the mails was spoofed since tehy are originating from a South Africa IP address.
We need to check the rules both on the workstation and OWA, also make sure MFA is enabled for your organization.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.