M365 Users receiving spam from themselves
Posted by Cold_Profession_9394@reddit | sysadmin | 15 comments
I've received a few reports from the same organization about spam emails originating from their own accounts. Trace logs indicate these emails are being "sent" internally, from the same user to the same user. I had them change their password as well, but MFA has been in place. I've reviewed inbox rules and confirmed DKIM is enabled, and I'm still unsure of the cause. Any suggestions on where to investigate next?
derfmcdoogal@reddit
Just curious, do you have a third-party spam filter? Barracuda, Proofpoint, etc.?
Spiritual-Yam-1410@reddit
Check if it's actually spoofing vs. a true send.
Message trace might show internal, but headers will tell you if it originated outside and just passed SPF/DMARC loosely.
Cold_Profession_9394@reddit (OP)
It was via true send.
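The "headers, not message trace" check described above, as an added example that is not from the thread or from Microsoft: a small PowerShell function that unfolds a raw header block and reports the authentication stamps Exchange Online adds on ingress. The header names (`X-MS-Exchange-Organization-AuthAs`, `X-MS-Exchange-Organization-AuthSource`, `Authentication-Results`) are the standard Exchange Online ones; the sample header text, domains and IP address are constructed for illustration.

```powershell
# Added example: classify where a message actually entered Exchange Online from
# its raw headers (paste from "View message source" in Outlook). Sample data is constructed.

function Get-HeaderValue {
    param([string[]]$Lines, [string]$Name)
    # Header names are case-insensitive; -match is case-insensitive by default
    $pattern = '^' + [regex]::Escape($Name) + ':\s*(.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

function Get-MailOriginSummary {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 folded headers: a continuation line starts with whitespace
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    $from       = Get-HeaderValue -Lines $lines -Name 'From'
    $returnPath = Get-HeaderValue -Lines $lines -Name 'Return-Path'
    $authAs     = Get-HeaderValue -Lines $lines -Name 'X-MS-Exchange-Organization-AuthAs'
    $authSource = Get-HeaderValue -Lines $lines -Name 'X-MS-Exchange-Organization-AuthSource'
    $authRes    = Get-HeaderValue -Lines $lines -Name 'Authentication-Results'

    # Pull the individual verdicts out of Authentication-Results
    $spf   = if ($authRes -match 'spf=(\w+)')   { $Matches[1] } else { 'none' }
    $dkim  = if ($authRes -match 'dkim=(\w+)')  { $Matches[1] } else { 'none' }
    $dmarc = if ($authRes -match 'dmarc=(\w+)') { $Matches[1] } else { 'none' }

    # A message submitted by an authenticated mailbox is stamped AuthAs: Internal.
    # AuthAs: Anonymous with a From in your own domain means it arrived over SMTP
    # without authentication (Direct Send or an ordinary spoof).
    if ([string]::IsNullOrEmpty($authAs)) { $authAs = 'missing' }
    $verdict = switch ($authAs) {
        'Internal'  { 'Authenticated mailbox submission (true internal send)' }
        'Anonymous' { 'Unauthenticated SMTP submission: Direct Send or spoof; check SPF/DMARC' }
        default     { "Unrecognised or missing AuthAs value: '$authAs'" }
    }

    [pscustomobject]@{
        From       = $from
        ReturnPath = $returnPath
        AuthAs     = $authAs
        AuthSource = $authSource
        SPF        = $spf
        DKIM       = $dkim
        DMARC      = $dmarc
        Verdict    = $verdict
    }
}

# Constructed sample: a self-to-self message that entered anonymously over SMTP
$sample = @"
Return-Path: <alice@contoso.example>
From: Alice <alice@contoso.example>
To: alice@contoso.example
Authentication-Results: spf=softfail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.example;
X-MS-Exchange-Organization-AuthSource: AB1PR01MB1234.outlook.example
X-MS-Exchange-Organization-AuthAs: Anonymous
Subject: Urgent: your mailbox quota
"@

Get-MailOriginSummary -RawHeaders $sample | Format-List
```

On the constructed sample the output reads `AuthAs: Anonymous`, `SPF: softfail`, `DMARC: fail`, which is the pattern to expect when mail "from a user to themselves" was never submitted by that user's mailbox. A genuine send from a compromised account instead shows `AuthAs: Internal`, in which case the password reset and inbox-rule review the OP already did are the right track.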
Plus_Tale3233@reddit
It's Microsoft's Direct Send vulnerability. Anyone with an Exchange account can email other Exchange accounts and it will bypass your SEG. We had to set up a rule in Exchange to block it and exempt certain email addresses because we are unable to turn off Direct Send at an org level.
Cold_Profession_9394@reddit (OP)
Thank you for the info. I disabled it for now. In the event I have to enable it again, how would I go about setting up the Exchange rules?
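The Exchange rule Plus_Tale3233 describes and the OP asks about, as an added example that is not from the thread or from Microsoft: a mail flow (transport) rule that rejects mail arriving from outside the organization while claiming one of your own domains, with exceptions for known relays. It assumes the `ExchangeOnlineManagement` module; the domain, IP ranges, sender address and rule name are placeholders.

```powershell
# Added example: block unauthenticated inbound mail that spoofs your own domain,
# keeping exceptions for legitimate external relays. All values are placeholders.
Connect-ExchangeOnline

$ownDomains    = @('contoso.example')                  # placeholder: your accepted domains
$trustedIPs    = @('203.0.113.0/24', '198.51.100.7')   # placeholder: MFPs, line-of-business apps, SEG egress
$exemptSenders = @('scanner@contoso.example')          # placeholder: addresses that must still relay

# Start with -Mode Audit, review the rule hits, then switch to Enforce.
New-TransportRule -Name 'Block Direct Send spoofing own domain' `
    -Priority 0 `
    -Mode Enforce `
    -FromScope NotInOrganization `
    -SenderDomainIs $ownDomains `
    -ExceptIfSenderIpRanges $trustedIPs `
    -ExceptIfFrom $exemptSenders `
    -RejectMessageReasonText 'Unauthenticated mail from an internal domain is not accepted' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Stops anonymous SMTP (Direct Send) abuse of our own domains; review exceptions before editing'

# Verify what was created
Get-TransportRule -Identity 'Block Direct Send spoofing own domain' |
    Format-List Name, State, Mode, Priority, FromScope, SenderDomainIs, ExceptIfSenderIpRanges, ExceptIfFrom
```

Prefer the IP-range exception over the sender-address exception: an address exception is only as strong as the sender's ability to write any `From` they like, so a relay that can be pinned to a source range or a partner connector should be. The comment field is there because, as maximumtesticle notes further down, a rule like this can stop all mail if the exceptions are wrong, and the next admin needs to know why it exists.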
Evening_Plan_2302@reddit
Do you have a mail filter of any kind? Proofpoint, Mimecast, etc. I know these services have guides for configuring connectors in EXO. I'm sure there are other methods out there; I just haven't configured them myself.
Cold_Profession_9394@reddit (OP)
To my knowledge none.
maximumtesticle@reddit
Uhm, that should be your knowledge.
Zaaper2005@reddit
ON GOD. FR FR! 😆
maximumtesticle@reddit
Just a heads up, the direction I got from Mimecast for setting up the rule straight up stopped ALL email inbound and outbound.
hellofairygodmotha@reddit
This is a simple one-line PowerShell command. You can find it on Google, where it tells you how to turn it off and how to turn it on.
Grand-Height9907@reddit
So when someone sends an email from their Exchange Online account to another Exchange Online account in another organization, it bypasses 365 Defender?
j5kDM3akVnhv@reddit
To check the status of org-level Direct Send, start Azure Cloud Shell
to update
doktormane@reddit
You can now turn off Direct Send at a tenant level.
EverOnGuard@reddit
Came here to say Direct Send. Disable Direct Send immediately. Make sure you have connectors for legit sending sources outside of Office 365.
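The tenant-level check and switch mentioned by j5kDM3akVnhv, doktormane and EverOnGuard, as an added example that is not from the thread or from Microsoft: read the `RejectDirectSend` setting on the organization config, inventory inbound connectors so legitimate external senders keep working, then turn Direct Send rejection on. It assumes the `ExchangeOnlineManagement` module (available in Azure Cloud Shell or a local PowerShell session); the connector name, IP range and domain are placeholders.

```powershell
# Added example: check, prepare for, and enable tenant-wide rejection of Direct Send.
# Connector name, IP range and domain below are placeholders.
Connect-ExchangeOnline

# 1. Current state (RejectDirectSend is $false unless someone has set it)
Get-OrganizationConfig | Format-List Name, RejectDirectSend

# 2. Inventory inbound connectors: anything outside Office 365 that must still
#    deliver as your domain (MFPs, apps, a SEG) needs a connector that names it
Get-InboundConnector |
    Format-Table Name, Enabled, ConnectorType, SenderIPAddresses, SenderDomains, RequireTls -AutoSize

# 3. If a legitimate relay has no connector yet, give it one pinned to its source range
#    (placeholder values; omit this step if every sender is already covered)
New-InboundConnector -Name 'Partner: on-prem scanners (placeholder)' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses '203.0.113.0/24' `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# 4. Reject anonymous Direct Send tenant-wide
Set-OrganizationConfig -RejectDirectSend $true

# 5. Confirm the change took effect
(Get-OrganizationConfig).RejectDirectSend
```

Do step 2 before step 4: once rejection is on, a device that was quietly relaying through Direct Send stops delivering, and the support tickets arrive before the log entries do. The same inventory answers Evening_Plan_2302's connector question for a third-party filter, whose vendor guide will name the egress ranges to put in `SenderIPAddresses`.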