A number of clients who have either Exchange hosted or Exchange as part of their M365 subscription are receiving fake invoice emails.
Examples
Victim 1
- Building Contractor with Hosted Exchange received 2 invoices with emails advising of bank account changes and invoices attached.
- 1st came from a 'Window Manufacturer' who is using M365.
- 2nd came from a 'Joinery Firm' who are also using Hosted Exchange.
Victim 2
- An NGO who has M365 for not-for-profits received an email with an invoice attached.
- The 'sender', a law firm that is using M365, confirmed the email did not originate from them.
When any of these people forward the scam emails to me, they get blocked (I use a 3rd-party, non-Microsoft-affiliated email filtering provider).
In months gone by, a large organisation (100k plus staff) that also uses M365 "sent" an email loaded with malware to thousands of "clients" (2 of which were mine); the only ones to receive it, from their own discussion, were co-tenants of M365 or Hosted Exchange or a well-known domain registrant who on-sells Hosted Exchange.
Q: Are emails sent between M365 tenants not scanned for malware or checked for authenticity? It is agreed that the "sender" in each case may not necessarily be the legitimate tenant, but if the email is spoofed, why aren't SPF/DMARC addressing these?
The message header for this email is below. I have replaced the entity's legitimate domain name with xxcontosoxx.org.au and names with roles.
Received: from SY7PR01MB8109.ausprd01.prod.outlook.com (2603:10c6:10:1e0::10)
by ME3PR01MB7562.ausprd01.prod.outlook.com with HTTPS; Wed, 7 Sep 2022
02:45:28 +0000
Authentication-Results: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=xxcontosoxx.org.au;
Received: from SYCPR01MB3456.ausprd01.prod.outlook.com (2603:10c6:10:36::11)
by SY7PR01MB8109.ausprd01.prod.outlook.com (2603:10c6:10:1e0::10) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5588.11; Wed, 7 Sep
2022 02:45:27 +0000
Received: from SYCPR01MB3456.ausprd01.prod.outlook.com
([fe80::911b:d99a:c5b3:db64]) by SYCPR01MB3456.ausprd01.prod.outlook.com
([fe80::911b:d99a:c5b3:db64%7]) with mapi id 15.20.5612.012; Wed, 7 Sep 2022
02:45:27 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: Mary Spora <GenMgr@xxcontosoxx.org.au>
To: Una Garland <paymOffr@xxcontosoxx.org.au>
Subject: Payment
Thread-Topic: Payment
Thread-Index: AQHYwmPHN9ltHdtTEUy2+DyJgW6IxQ==
Date: Wed, 7 Sep 2022 02:45:27 +0000
Message-ID:
<SYCPR01MB3456B70B370C5FCAC4A04D47FA419@SYCPR01MB3456.ausprd01.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
<SYCPR01MB3456B70B370C5FCAC4A04D47FA419@SYCPR01MB3456.ausprd01.prod.outlook.com>
msip_labels:
MIME-Version: 1.0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: SYCPR01MB3456.ausprd01.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-Network-Message-Id:
c6933253-73a3-4184-0bbb-08da907b054d
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: SYCPR01MB3456:EE_|SY7PR01MB8109:EE_
Return-Path: GenMgr@xxcontosoxx.org.au
X-MS-Exchange-Organization-ExpirationStartTime: 07 Sep 2022 02:45:27.2050
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Office365-Filtering-Correlation-Id: c6933253-73a3-4184-0bbb-08da907b054d
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;H:SYCPR01MB3456.ausprd01.prod.outlook.com;PTR:;CAT:NONE;SFS:;DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Sep 2022 02:45:27.0190
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 27b84167-d62e-48a0-98dc-0ce59441f915
X-MS-Exchange-CrossTenant-AuthSource: SYCPR01MB3456.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-Network-Message-Id: c6933253-73a3-4184-0bbb-08da907b054d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: TOLZ9U7hLyOUJEbr3olYqCDlkmFKm1EGCR1A2CTdnLAXAWNnPKygPt02bTkh6mE9azLdxJeruToCfpShfM6Yow==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY7PR01MB8109
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.0862638
X-MS-Exchange-Processed-By-BccFoldering: 15.20.5612.012
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097);
X-Microsoft-Antispam-Message-Info:
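
A header triage for the message above, as an added example that is not part of the original post: it reads the fields that record whether the message was authenticated and filtered. The function names and verdict labels are hypothetical, and the readings of SCL -1, SFV:SKI and AuthAs: Internal follow Microsoft's published anti-spam header documentation.

```python
import email
import re
from email import policy

# Constructed sample: headers copied from the post above (placeholder domain
# kept), with the folding whitespace that extraction removed restored.
SAMPLE = """\
Authentication-Results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=xxcontosoxx.org.au;
From: Mary Spora <GenMgr@xxcontosoxx.org.au>
To: Una Garland <paymOffr@xxcontosoxx.org.au>
X-MS-Exchange-Organization-AuthAs: Internal
X-Forefront-Antispam-Report:
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;H:SYCPR01MB3456.ausprd01.prod.outlook.com;PTR:;CAT:NONE;SFS:;DIR:INB;

"""


def parse_report(value):
    """Split 'KEY:VAL;KEY:VAL;' into a dict (values may contain ':')."""
    pairs = (p.strip().partition(":") for p in value.split(";"))
    return {k.upper(): v for k, _, v in pairs if k}


def triage(raw):
    """Hypothetical helper: classify how a message was handled, from headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = parse_report(str(msg.get("X-Forefront-Antispam-Report", "")))
    auth_hdr = str(msg.get("Authentication-Results", "")).lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_hdr))
    sender = msg["From"].addresses[0].domain.lower()
    result = {
        "auth": auth,
        "scl": report.get("SCL"),
        "sfv": report.get("SFV"),
        "auth_as": str(msg.get("X-MS-Exchange-Organization-AuthAs", "")).strip(),
        "same_domain": {a.domain.lower() for a in msg["To"].addresses} == {sender},
    }
    # SCL -1 / SFV:SKI: spam filtering was skipped (SKI covers intra-org mail).
    skipped = result["scl"] == "-1" or result["sfv"] == "SKI"
    unevaluated = all(auth.get(k, "none") == "none" for k in ("spf", "dkim", "dmarc"))
    if result["auth_as"] == "Internal" and skipped and unevaluated:
        # Treated as an authenticated internal sender: review that mailbox's sign-ins and rules.
        result["verdict"] = "internal-unfiltered"
    elif "fail" in auth.values():
        result["verdict"] = "auth-failed"
    else:
        result["verdict"] = "needs-review"
    return result
```

Calling `triage(SAMPLE)` returns a dict whose `verdict` is `internal-unfiltered` for the header in the post.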