
I manage our IT at my organization using O365. One of our users recently received an email from the address support@< domain >. I have not created this email address in our domain. Got on with Microsoft support and they did a message trace on it that showed the return path also was support@< domain >. They said this showed that someone was able to create email address within the domain. I am concerned about what this means and what access this person might have. Is it possible to spoof a return path?

We have MFA enabled for all users. We have SPF enabled and I'm now working on DMARC and DKIM. I've reset everyone's passwords.

What else can I do to protect against this? What can I do to ensure that there is no current unauthorized access to our domain?

Thanks very much.

2 Answers

3
  1. Perform your own message trace from the Security and Compliance center and verify that the email originated from your Office 365 tenant.

  2. Look at the sign-ins logs in Azure AD for suspicious sign-ins.

  3. Look at the Risky users, Risky sign-ins, and Risk detection logs in Azure AD and look for suspicious activity.

  4. Create a Display Name Spoofing transport rule in Exchange Online to help identify spoofed emails in the future. - https://jaapwesselius.com/2020/03/27/external-senders-with-matching-display-names/

EDIT:

Connect to Exchange Online with PowerShell and run the following to find if any mailbox in your Office 365 tenant has the email address in question.

# -ResultSize Unlimited: without it Get-Mailbox stops after the first 1000 mailboxes.
# -like is case-insensitive, so 'SMTP:' matches the primary (SMTP:) and any proxy (smtp:) addresses.
Get-Mailbox -ResultSize Unlimited |
Where-Object {$_.EmailAddresses -like 'SMTP:emailaddress@yourdomain.com'} |
Format-List Identity, EmailAddresses

Then run the following to check the same thing for all recipient types:

# Join the multi-valued EmailAddresses property; otherwise Export-Csv writes only the collection's type name.
Get-Recipient -ResultSize Unlimited | Select-Object DisplayName, RecipientType, @{n='EmailAddresses'; e={$_.EmailAddresses -join ';'}} | Export-Csv -Path C:\temp\recipients.csv -NoTypeInformation

If there are no mailboxes or other recipient types with that email address then you can rest assured that the email address did not originate from your Office 365 tenant. Then create your Display Name Spoofing transport rule to catch this in the future.

joeqwerty
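Step 4 and the last sentence of the answer describe the Display Name Spoofing rule only by reference. The following is an added example, not code from the answer or from the linked article, of creating such a rule with Exchange Online PowerShell. It assumes an existing Connect-ExchangeOnline session with rights to manage transport rules; the names in $vipNames are constructed, and the rule name and custom header name are assumptions.

```powershell
# Added example (not from the answer or the linked article).
# Assumes: Connect-ExchangeOnline has already been run; $vipNames is a constructed sample;
# the rule name and the X- header name are assumptions.

$vipNames = @('Jane Doe', 'John Smith')   # constructed; replace with the internal names you want protected
$ruleName = 'Flag external mail using an internal display name'   # assumed rule name

# HeaderMatchesPatterns takes regular expressions. Escape each name so that "." or "("
# inside a name cannot widen the match; a substring match on the From: header is enough
# to flag "Jane Doe <someone@external.example>".
$patterns = $vipNames | ForEach-Object { [regex]::Escape($_) }

# Exchange Online refuses a second rule with the same name, so create it only once.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -HeaderMatchesMessageHeader 'From' `
        -HeaderMatchesPatterns $patterns `
        -PrependSubject '[EXTERNAL: display name matches an internal user] ' `
        -SetHeaderName 'X-DisplayName-Match' `
        -SetHeaderValue 'external' `
        -Mode Enforce `
        -Comments 'Flags external senders whose display name matches a protected internal user'
}

# Confirm the rule is enabled and carries the expected patterns.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, HeaderMatchesMessageHeader, HeaderMatchesPatterns
```

Creating the rule with -Mode Audit first records matches in the message trace without touching the subject, which shows how many legitimate external senders (contractors, partners) share a name with an internal user before the tag goes live.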
  • Thanks a lot for the suggestions. 1. I ran my own message trace, but how can I verify where the email came from? 2. No suspicious sign-ins that I can see. 3. No suspicious activity that I can see. 4. Working on this now in order to help in the future. – SuperCede13 Sep 01 '20 at 21:32
  • The message trace will show the IP address of the sender. If the sender IP address is an Office 365 IP address then the email came from your O365 tenant or another O365 tenant. If you have auditing turned on you can also look at the audit logs for email activity for all users and try to track it down that way. – joeqwerty Sep 02 '20 at 00:03
  • Thanks. I found the originating IP address and looked it up and can confirm that it is not from an O365 tenant. Should I assume that the attacker simply spoofed the return path as well? – SuperCede13 Sep 02 '20 at 16:49
  • See my edit.... – joeqwerty Sep 02 '20 at 17:23
  • 1
    Ran those commands and not seeing the email address at all. Thank you very much for the help! – SuperCede13 Sep 02 '20 at 17:57
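The comments above say the message trace shows the sender's IP address and that an Office 365 address only proves the mail came from some Office 365 tenant, not necessarily yours. As an added example (not code from the answer), the following pulls the trace for the address with Exchange Online PowerShell and marks each source IP as inside or outside the Exchange Online IPv4 ranges Microsoft publishes through the Office 365 endpoints web service. It assumes an existing Connect-ExchangeOnline session and HTTPS access to endpoints.office.com; $suspectSender is a placeholder for the address from the report.

```powershell
# Added example (not from the answer). Assumes an active Connect-ExchangeOnline session
# and outbound HTTPS to endpoints.office.com. $suspectSender is a placeholder.

$suspectSender = 'support@yourdomain.com'   # placeholder: the address your user received mail from

# Get-MessageTrace reaches back 10 days; the default window is only the last 48 hours.
$trace = Get-MessageTrace -SenderAddress $suspectSender `
                          -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)

# Exchange Online egress ranges, from Microsoft's endpoints web service (requires a client GUID).
$uri = 'https://endpoints.office.com/endpoints/worldwide?clientrequestid=' + [guid]::NewGuid()
$exoIPv4 = (Invoke-RestMethod -Uri $uri) |
    Where-Object { $_.serviceArea -eq 'Exchange' -and $_.ips } |
    ForEach-Object { $_.ips } |
    Where-Object { $_ -notmatch ':' } |      # IPv4 CIDRs only; the helper below is IPv4-only
    Sort-Object -Unique

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }       # a bare address is a /32
    $toUInt32 = {
        param($addr)
        # GetAddressBytes() is network order; reverse it so BitConverter reads it as an integer.
        [byte[]]$bytes = ([System.Net.IPAddress]::Parse($addr).GetAddressBytes())[3..0]
        [BitConverter]::ToUInt32($bytes, 0)
    }
    $ipInt  = & $toUInt32 $Ip
    $netInt = & $toUInt32 $network
    # Prefix length to mask: 2^32 - 2^(32-prefix) is exact as a double, then cast.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

foreach ($msg in $trace) {
    $fromIp = $msg.FromIP
    $inExo  = $false
    if ($fromIp -and $fromIp -notmatch ':') {
        $inExo = [bool]($exoIPv4 | Where-Object { Test-IPv4InCidr -Ip $fromIp -Cidr $_ } |
                        Select-Object -First 1)
    }
    [pscustomobject]@{
        Received         = $msg.Received
        Recipient        = $msg.RecipientAddress
        Subject          = $msg.Subject
        Status           = $msg.Status
        FromIP           = $fromIp
        ExchangeOnlineIP = $inExo   # $true means some O365 tenant sent it, not necessarily yours
    }
}
```

A $false in ExchangeOnlineIP means the message reached your tenant from an outside host that simply set the envelope sender and Return-Path to your domain, which is the situation the comments conclude on; a $true still needs the mailbox search from the answer to decide whether the address exists in your own tenant.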
1

It's very easy to send from any domain within your network if you allow SMTP relay to O365 from your Corp IP range.

It's a common security misconfiguration that I look for.

  1. Log in to your O365 Exchange admin center.
  2. Browse to Mail flow > Connectors.
  3. Check the connector rules that are set up; this will show which public IPs/networks are allowed.

Based on the IP(s) you find, this will show who can send spoofed emails from that IP(s) to anyone in your O365 tenant.

i2D
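The three steps above are a manual review in the admin center. As an added example (not code from the answer), the following does the same review with Exchange Online PowerShell: it lists every inbound connector with the settings that decide who may relay mail as your domain and flags the ones a reviewer would follow up on. It assumes an existing Connect-ExchangeOnline session; the /24 threshold and the wording of the findings are assumptions.

```powershell
# Added example (not from the answer). Assumes an active Connect-ExchangeOnline session.
# Thresholds and finding labels are assumptions; adjust them to your environment.

function Get-InboundConnectorReview {
    Get-InboundConnector | ForEach-Object {
        $c        = $_
        $ips      = @($c.SenderIPAddresses | ForEach-Object { "$_" })
        $domains  = @($c.SenderDomains     | ForEach-Object { "$_" })   # stored as e.g. "smtp:*;1"
        $findings = @()

        # Nothing pins the connector to a source: any host can use it.
        if (-not $ips -and -not $c.TlsSenderCertificateName) {
            $findings += 'no sender IP or certificate restriction'
        }
        # A prefix shorter than /24 admits a large block of hosts; bare addresses have no prefix.
        $wide = $ips | Where-Object { $_ -match '/(\d+)$' -and [int]$Matches[1] -lt 24 }
        if ($wide) { $findings += "wide sender range(s): $($wide -join ', ')" }
        # smtp:* accepts mail for every sender domain, including yours.
        if ($domains -match '^smtp:\*') { $findings += 'wildcard sender domain' }
        if ($c.ConnectorType -eq 'Partner' -and -not $c.RequireTls) { $findings += 'TLS not required' }
        # Treated-as-internal mail will not match rules scoped to external senders.
        if ($c.TreatMessagesAsInternal) { $findings += 'messages treated as internal' }

        [pscustomobject]@{
            Name          = $c.Name
            Enabled       = $c.Enabled
            ConnectorType = $c.ConnectorType          # OnPremises or Partner
            SenderIPs     = ($ips -join ', ')
            SenderDomains = ($domains -join ', ')
            RequireTls    = $c.RequireTls
            Findings      = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-InboundConnectorReview | Sort-Object Enabled -Descending | Format-Table -AutoSize -Wrap
```

Compare the SenderIPs column against the originating IP from the message trace: a hit means the connector relayed the message as your domain; no hit, as in the comments below, means the mail arrived as ordinary external mail and the connector is not the cause.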
  • Thanks a lot for the suggestion. I do have a connector set up, but the email originated from an IP address outside of the specified range. Any thoughts? – SuperCede13 Sep 02 '20 at 16:51
  • OK, then you have your answer: it's an external sender. No worries that you have an internal misconfiguration that allowed this, but it's always worth checking your other config. You should expect numerous external malicious/suspicious senders a day; you just need user education to identify and report it. You can then use O365 controls to block it in the future with transport rules, IP filters, spam filters, or 3rd-party email security solutions. – i2D Sep 03 '20 at 09:01
  • I'll work on that. Thanks very much! – SuperCede13 Sep 04 '20 at 14:55