So we've been a bit of an indirect target of spammers recently... My company has gotten a lot of complaints from customers that they are getting a lot of spam from our sales people. Normally (considering the nature of sales) I'd just smack the sales staff and move on... but this isn't us!

Some spammer has been sending emails... to OUR customers... using OUR email addresses. Doing a quick message trace, sure enough, these emails appear to be coming from our account. At first I thought it was a hacked account or two, so I had everyone change their passwords and set up 2FA... but the next day, a batch more emails went out. I ran an audit on the affected accounts and there were no failed logins and no attempts to reset passwords (we disabled password reset because of this).

Normally, I'd say this was just normal spoofing... but these emails are passing THROUGH our Exchange Online account; the message header even shows our DKIM and DMARC. As far as I can tell, Microsoft honestly thinks they are coming from US!

I've added the X-Originating-IP to the block list under Threat Management. Hopefully that will help, but it won't take long for the spammers to update their IP, and if that happens while I'm off the clock... well, our customers get another massive load of spammy spam... I'd add our IPs to the allow list and block all others, but most of our sales staff are working from home with dynamic IPs, so that's not really possible right now. How do I fight this?

rudepeople
  • Has one of the sales people had their laptop compromised, perhaps? – Michael Hampton Sep 17 '20 at 19:05
  • I thought that too, nope and nope. Even with PCs offline, the emails go out. Additionally, the origin IP is in another state. Of course it's probable the spam is being sent over a proxy. – rudepeople Sep 17 '20 at 21:32
  • My thinking is that you could use the **message trace** feature in the EAC to trace these spam emails. At the same time, maybe EOP (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-controls?view=o365-worldwide) could help you manage outbound spam? – Ivan_Wang Sep 18 '20 at 06:50
  • I did a message trace, that's how I know the spam is being processed inside our tenant! For all intents and purposes, the sales people are sending those emails. The problem is, I personally went through and cleared their rules, reset their passwords, set up 2FA, disabled password resetting, dropped all active connections (force logoff), AND blocked sign-in! Spam is STILL going out! My next option is to delete those mailboxes and set a flow rule to bulk delete all messages going through them... the problem is our clients use those email addresses. Starting over like that would be a disaster. – rudepeople Sep 18 '20 at 15:01
  • Do these spam emails have common content or keywords? If so, I think you could try to create a transport rule (e.g. **"If the senders are the two mailboxes, and the subject or body includes some keywords, these emails will be deleted."**) – Ivan_Wang Sep 23 '20 at 02:45
  • Yeah, that was my next attempt. So far there's been nothing to show for it. No emails, period, after blocking the source IP... either the spammers aren't aware we blocked their IP, or they just moved on to another scam. We'll see. – rudepeople Sep 23 '20 at 14:47
  • If there is any update, you're welcome to post it. Hope everything goes well with you:) – Ivan_Wang Sep 24 '20 at 09:42
  • So far, nothing. Like I said, I just blocked their source IP and we haven't seen anything more. I suspect it's just not worth their time to keep trying, but my original concern is still valid. If they change their IP, they could just pick back up again. I'm putting together a plan to set allowed IPs and block everything else. That of course necessitates our users having static IPs or connecting over a VPN... blarg. – rudepeople Oct 12 '20 at 15:16
  • Do their PCs have an anti-virus program? Scan and see if there is a malware sending these spam emails. – Ivan_Wang Oct 16 '20 at 06:34

1 Answer

My thinking is that you could use the message trace feature in the EAC to trace these spam emails. At the same time, maybe EOP (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-controls?view=o365-worldwide) could help you manage outbound spam?

Ivan_Wang
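The message trace plus keyword transport rule described in the answer and comments, as an added example that is not part of the original post or answer. It assumes the ExchangeOnlineManagement PowerShell module; the mailbox addresses and keywords are placeholders to replace with the affected senders and the spam's actual wording.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module; mailbox addresses and keywords below are placeholders.
Connect-ExchangeOnline

$senders = @('sales1@example.com', 'sales2@example.com')   # placeholder: affected mailboxes
$end     = Get-Date
$start   = $end.AddDays(-7)                                  # Get-MessageTrace covers ~10 days

# Pull the recent outbound trace for each affected mailbox.
$trace = foreach ($s in $senders) {
    Get-MessageTrace -SenderAddress $s -StartDate $start -EndDate $end -PageSize 5000
}

# Tally the originating IPs and a few sample subjects per IP. Compare this against
# the addresses your own users normally connect from before blocking anything,
# so a shared egress or VPN address is not blocked by mistake.
$trace |
    Group-Object FromIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Subjects'; e = { ($_.Group.Subject | Select-Object -Unique -First 3) -join ' | ' } } |
    Format-Table -AutoSize

# Containment rule as suggested in the comments: sender is one of the affected
# mailboxes AND the subject or body contains the spam's keywords -> delete.
# Start with -Mode Audit to confirm it only matches the spam, then switch to Enforce.
New-TransportRule -Name 'Drop spoofed sales spam (incident)' `
    -From $senders `
    -SubjectOrBodyContainsWords 'PLACEHOLDER_KEYWORD_1', 'PLACEHOLDER_KEYWORD_2' `
    -DeleteMessage $true `
    -Mode Audit `
    -Comments 'Temporary containment rule; revisit once the message trace is clean'
```

The rule only catches mail that matches the chosen keywords, so re-run the trace after enabling it to confirm nothing from those senders is still leaving the tenant unmatched.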