M365 to M365 Tenant Spam/malicious email Filtering

Shane King 66 Reputation points
2022-09-07T23:44:26.843+00:00

A number of clients who have either Exchange hosted or Exchange as part of their M365 Subscription are receiving Fake Invoice Emails

Examples

Victim 1

  • Building Contractor with Hosted Exchange received 2 invoices with emails advising of bank account changes and invoices attached.
  • 1st came from a 'Window Manufacturer' who is using M365.
  • 2nd came from a 'Joinery Firm' who are also using hosted exchange.

Victim 2

  • An NGO who has M365 for not-for-profits received an email with an invoice attached
  • The 'sender', a Law firm using M365, confirmed the email did not originate from them

When any of these people forward the scam emails to me it gets blocked (I use a 3rd party non-msft affiliated email filtering provider).

In months gone by a large organisation (100k plus staff) who also uses M365 "sent" an email loaded with malware to thousands of "clients" (2 of which were mine); the only ones to receive it from their own discussion were co-tenants of M365 or Hosted Exchange or a well-known domain registrant who on-sells Hosted Exchange.

Q: Are emails sent between M365 Tenants not scanned for malware or checked for authenticity? It is agreed that the "sender" in each case may not necessarily be the legitimate tenant, but if the email is spoofed why isn't SPF/DMARC addressing these?

The message Header for this email is below - I have replaced the entity's legitimate domain name with xxcontosoxx.org.au and names with roles

Received: from SY7PR01MB8109.ausprd01.prod.outlook.com (2603:10c6:10:1e0::10)  
by ME3PR01MB7562.ausprd01.prod.outlook.com with HTTPS; Wed, 7 Sep 2022  
02:45:28 +0000  
Authentication-Results: dkim=none (message not signed)  
header.d=none;dmarc=none action=none header.from=xxcontosoxx.org.au;  
Received: from SYCPR01MB3456.ausprd01.prod.outlook.com (2603:10c6:10:36::11)  
by SY7PR01MB8109.ausprd01.prod.outlook.com (2603:10c6:10:1e0::10) with  
Microsoft SMTP Server (version=TLS1_2,  
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5588.11; Wed, 7 Sep  
2022 02:45:27 +0000  
Received: from SYCPR01MB3456.ausprd01.prod.outlook.com  
([fe80::911b:d99a:c5b3:db64]) by SYCPR01MB3456.ausprd01.prod.outlook.com  
([fe80::911b:d99a:c5b3:db64%7]) with mapi id 15.20.5612.012; Wed, 7 Sep 2022  
02:45:27 +0000  
Content-Type: application/ms-tnef; name="winmail.dat"  
Content-Transfer-Encoding: binary  
From: Mary Spora <GenMgr@xxcontosoxx.org.au>  
To: Una Garland <paymOffr@xxcontosoxx.org.au>  
Subject: Payment  
Thread-Topic: Payment  
Thread-Index: AQHYwmPHN9ltHdtTEUy2+DyJgW6IxQ==  
Date: Wed, 7 Sep 2022 02:45:27 +0000  
Message-ID:  
<SYCPR01MB3456B70B370C5FCAC4A04D47FA419@SYCPR01MB3456.ausprd01.prod.outlook.com>  
Accept-Language: en-US  
Content-Language: en-US  
X-MS-Has-Attach: yes  
X-MS-Exchange-Organization-SCL: -1  
X-MS-TNEF-Correlator:  
<SYCPR01MB3456B70B370C5FCAC4A04D47FA419@SYCPR01MB3456.ausprd01.prod.outlook.com>  
msip_labels:  
MIME-Version: 1.0  
X-MS-Exchange-Organization-MessageDirectionality: Originating  
X-MS-Exchange-Organization-AuthSource: SYCPR01MB3456.ausprd01.prod.outlook.com  
X-MS-Exchange-Organization-AuthAs: Internal  
X-MS-Exchange-Organization-AuthMechanism: 04  
X-MS-Exchange-Organization-Network-Message-Id:  
c6933253-73a3-4184-0bbb-08da907b054d  
X-MS-PublicTrafficType: Email  
X-MS-TrafficTypeDiagnostic: SYCPR01MB3456:EE_|SY7PR01MB8109:EE_  
Return-Path: GenMgr@xxcontosoxx.org.au  
X-MS-Exchange-Organization-ExpirationStartTime: 07 Sep 2022 02:45:27.2050  
(UTC)  
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit  
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000  
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit  
X-MS-Office365-Filtering-Correlation-Id: c6933253-73a3-4184-0bbb-08da907b054d  
X-Microsoft-Antispam: BCL:0;  
X-Forefront-Antispam-Report:  
CIP:255.255.255.255;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;H:SYCPR01MB3456.ausprd01.prod.outlook.com;PTR:;CAT:NONE;SFS:;DIR:INB;  
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Sep 2022 02:45:27.0190  
(UTC)  
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted  
X-MS-Exchange-CrossTenant-Id: 27b84167-d62e-48a0-98dc-0ce59441f915  
X-MS-Exchange-CrossTenant-AuthSource: SYCPR01MB3456.ausprd01.prod.outlook.com  
X-MS-Exchange-CrossTenant-AuthAs: Internal  
X-MS-Exchange-CrossTenant-Network-Message-Id: c6933253-73a3-4184-0bbb-08da907b054d  
X-MS-Exchange-CrossTenant-MailboxType: HOSTED  
X-MS-Exchange-CrossTenant-UserPrincipalName: TOLZ9U7hLyOUJEbr3olYqCDlkmFKm1EGCR1A2CTdnLAXAWNnPKygPt02bTkh6mE9azLdxJeruToCfpShfM6Yow==  
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY7PR01MB8109  
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.0862638  
X-MS-Exchange-Processed-By-BccFoldering: 15.20.5612.012  
X-Microsoft-Antispam-Mailbox-Delivery:  
              ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097);  
X-Microsoft-Antispam-Message-Info:  

1 answer

  1. KyleXu-MSFT 26,206 Reputation points
    2022-09-08T02:12:12.607+00:00

    @Shane King

    As far as I know, Exchange Online will check SPF for emails which are sent from other tenants.

    The 'sender', a Law firm using M365, confirmed the email did not originate from them

    These messages are sent by third parties disguised as the sender tenant. You need to tell the sender tenant to configure SPF/DKIM records (increase the level of protection for SPF) to prevent other users relaying emails from their tenant.

    Authentication-Results: dkim=none (message not signed)

    The sender side could also configure a DKIM record to validate outbound email.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


    1 person found this answer helpful.
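As an added example (not part of this thread, and not a Microsoft tool), a small Python triage script that reads the Exchange Online headers quoted in the question and reports why the message reached the mailbox unfiltered: `Authentication-Results` shows `dkim=none` and `dmarc=none`, while `SCL: -1`, `SFV:SKI` and `AuthAs: Internal` show that spam filtering was skipped. The sample header block is a constructed excerpt of the one pasted above; the check generalises to any header block that carries these fields.

```python
import re
from email import message_from_string

# Constructed excerpt of the header pasted in the thread: only the fields this check
# reads, with the poster's redacted domain (xxcontosoxx.org.au) kept as-is.
SAMPLE_HEADERS = """\
Authentication-Results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=xxcontosoxx.org.au;
From: Mary Spora <GenMgr@xxcontosoxx.org.au>
To: Una Garland <paymOffr@xxcontosoxx.org.au>
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthAs: Internal
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;CAT:NONE;
"""

def header(msg, name):
    """Fetch a header and unfold it (continuation lines start with whitespace)."""
    return re.sub(r"\s+", " ", msg.get(name, "")).strip()

def parse_auth_results(value):
    """Extract method=result pairs and the header.from domain from Authentication-Results."""
    results = {m.group(1): m.group(2)
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value)}
    m = re.search(r"header\.from=([\w.-]+)", value)
    results["header.from"] = m.group(1).lower() if m else None
    return results

def assess(raw_headers):
    """Return (code, explanation) findings explaining why a message was delivered."""
    msg = message_from_string(raw_headers)
    auth = parse_auth_results(header(msg, "Authentication-Results"))
    report = header(msg, "X-Forefront-Antispam-Report")
    findings = []
    # SCL -1 and SFV:SKI both mean Exchange Online skipped spam filtering for the message.
    if header(msg, "X-MS-Exchange-Organization-SCL") == "-1" or "SFV:SKI" in report:
        findings.append(("filtering_skipped", "SCL -1 / SFV:SKI: content filtering was skipped"))
    # AuthAs Internal: the service treated the submission as an authenticated internal one.
    if header(msg, "X-MS-Exchange-Organization-AuthAs").lower() == "internal":
        findings.append(("auth_internal", "AuthAs=Internal: accepted as an internal submission"))
    if "spf" not in auth:
        findings.append(("spf_missing", "no spf= result: SPF was not evaluated on this hop"))
    if auth.get("dkim") != "pass":
        findings.append(("dkim_not_pass", f"dkim={auth.get('dkim')}: no valid signature for {auth['header.from']}"))
    dmarc = auth.get("dmarc", "absent")
    if dmarc != "pass":
        why = "no DMARC record is published" if dmarc == "none" else "the policy check did not pass"
        findings.append(("dmarc_not_pass", f"dmarc={dmarc}: {why} for {auth['header.from']}"))
    return findings
```

Run `assess(SAMPLE_HEADERS)` to list the findings; a message that passed SPF, DKIM and DMARC and went through filtering (SCL 0 or higher, AuthAs not Internal) produces an empty list.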