Spoof Campaign???
Posted by NotABoyAnAbomimation@reddit | sysadmin | 16 comments
Spent this entire week explaining to clients that there is apparently an international conflict going on and that is why they are getting spoofed emails from themselves or there's just some kinda new AI dark web spoofing tool (rough ideas but clients seem to react well to it lol)
At this point I need to know if my checklist is sane or if I am missing anything obvious:
Check where the spoofed email landed
Inbox = bad
Quarantine = less bad
Check the domain auth immediately
I start with SPF, DKIM, and DMARC.
MXToolbox is the quick check, then I verify the real DNS records.
If DMARC is missing or weak, that is usually the first red flag.
End goal is p=reject, obviously only once the domain is actually ready for it.
Check Microsoft 365 protections
If the client is paying for Defender for Office 365, I am looking at impersonation protection, domain impersonation, anti-phishing policies, etc.
A lot of tenants have the licensing but nobody actually configured the protections.
Confirm whether it is true spoofing or something worse
I do not want to tell a client "just spoofing" if the account is actually compromised, forwarding rules got abused, or something internal relayed it.
Headers and trace first, assumptions later.
Third-party filtering if needed
Ironscales / Mimecast type stuff if native filtering is not cutting it.
Not my first fix, but sometimes needed.
Let me know if I'm missing something obvious. I'm just a stressed out lvl 2 escalations.
Thanks
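Added example, not part of the original post: a quick SPF/DMARC check for a list of client domains that flags the same red flags the checklist calls out (missing DMARC, p=none, missing or duplicated SPF). It uses only Resolve-DnsName from the built-in DnsClient module; the domain names are placeholders.

```powershell
# Added example (not from the thread). Replace the placeholder domains with the client's own.
$domains = @('example.com', 'example.net')

function Get-DomainAuthStatus {
    param([string]$Domain)

    # Collect every TXT record that starts with v=spf1 (more than one is itself invalid).
    $spfRecords = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.Strings -join '' } |
                    Where-Object { $_ -like 'v=spf1*' })
    $spf = if ($spfRecords.Count -eq 1) { $spfRecords[0] }
           elseif ($spfRecords.Count -gt 1) { 'MULTIPLE (invalid)' }
           else { 'MISSING' }

    # DMARC lives at _dmarc.<domain>; pull the p= tag out of it.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -like 'v=DMARC1*' } |
             Select-Object -First 1
    $policy = if ($dmarc -match 'p=(\w+)') { $Matches[1] } else { 'missing' }

    # Classify the way the checklist does: missing or p=none is the first red flag.
    $verdict = switch ($policy) {
        'reject'     { 'enforced' }
        'quarantine' { 'partial' }
        'none'       { 'WEAK (monitor only)' }
        default      { 'MISSING' }
    }

    [pscustomobject]@{
        Domain      = $Domain
        SPF         = $spf
        SPFAllTerm  = if ($spf -match '([~\-\?\+]all)\s*$') { $Matches[1] } else { 'none' }
        DMARCPolicy = $policy
        Verdict     = $verdict
    }
}

$domains | ForEach-Object { Get-DomainAuthStatus -Domain $_ } | Format-Table -AutoSize
```

The SPFAllTerm column shows whether the record ends in -all, ~all or +all; +all or no all term means the record does not actually constrain senders.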
disclosure5@reddit
That's a whole lot of checklist to miss the most obvious issue being Direct Send.
NotABoyAnAbomimation@reddit (OP)
Very helpful comment. Added to the convo
saltyslugga@reddit
Your checklist is solid, only thing I'd add is checking for mail rules and app consent grants early in the process. We see this with our clients all the time where someone gets popped, attacker sets up an inbox rule to hide replies, and the actual compromise goes unnoticed because everyone's focused on the spoofing angle. Always check unified audit logs and inbox rules before you close it out as "just spoofing."
Also fwiw you don't need to spin conspiracy theories about international conflicts or AI tools for clients. Just tell them email was designed in the 80s with zero authentication and bad actors abuse that. Spoofing is trivial, always has been. Clients actually respect the straight answer more than the scary story, and it makes the DMARC enforcement conversation way easier when you frame it as "this is the fix" rather than "the hackers are evolving."
On the tooling side, I'd ditch the MXToolbox dependency for ongoing monitoring. We switched our clients to Suped for the monitoring side. Fewer tickets, less chasing aggregate reports. For the one-off checks your workflow is fine though.
NotABoyAnAbomimation@reddit (OP)
Appreciate the knowledge share :)
40513786934@reddit
disable o365 direct send
https://www.varonis.com/blog/direct-send-exploit
NotABoyAnAbomimation@reddit (OP)
Thank you!!
anonymousITCoward@reddit
Man, I forgot about that, I haven't seen it used in a while
Rex_Bossman@reddit
I've been using O365 for years and thought I had everything locked down and just found out about direct send this week from another post here.
Mrgurth1@reddit
I got you. Give me 20 minutes and I'll share with you a rule I made today to get it to stop
Mrgurth1@reddit
Okay, okay, sorry for the delay on getting this out to everyone, I wanted to be thorough.
I don't know everyone's skill or expertise so I'm going to explain it like I would to someone who's never touched Exchange.
1. Go to Exchange Admin Portal > Mail Flow (drop down) > Rules (option on drop down) > Add a Rule > Create a new rule
2. Apply this rule if.. Select "The message headers..."
2a. Then where it says "select one" click drop down. Select "Includes any of these words"
2b. Click the blue text that says "enter text" on the left. Enter "Authentication-Results" but without the quotes and click "Save" at the bottom.
2c. Next click the second blue text "enter words"; once again you'll be prompted to add text. You'll enter " spf=fail" but without the quotes. Click add then click save.
3. To the right of "Apply this rule if" you will see a + icon; click this to add another "apply this rule if" line. (You'll then see the new line has And at the top of it. This is adding an additional condition for the rule.)
3a. Set the first drop down to "the sender" and the second drop down to "domain is"
3b. This will pop up a new window. Enter all the domains you own, for example: test123.com, then click "add" then Save at the bottom.
4. Again we're going to click the + icon at the top to add another row. Once you click it you'll see another condition with And above it.
4a. First drop down select "the message headers..." The second drop down select "matches these text patterns".
4b. Click the blue text that says "enter text" on the left. Enter "Received-SPF" but without the quotes and click "Save" at the bottom.
4c. Next click the second blue text "enter words"; once again you'll be prompted to add text. You'll enter " helo=\[127\.0\.0\.1\]" but without the quotes. Click add then click save.
NOTE: I know the text is odd but this is a regex update to look for specifically "127.0.0.1" which is localhost and is in every spoof email you've received, and the way it is formatted has meaning, trust the process. I'll let you chatgpt it if you want more info can be
5. Now click on the drop down for "Do the following"
5a. First drop down click "forward the message for approval", second drop down click "to these people"
5b. Now enter the admins you want to approve these emails.
6. For the settings tab at the top
6a. Set priority to #1 so it is the first rule every email goes through.
6b. Rule mode: set to "enforce"
6c. Severity: set to "high"
6d. At the bottom set "match sender address in message" to "header"
BOOM you're done, hit save on that bad boy and be the IT hero.
NOTE: this is a temporary thing.. Once you've let this run for a week and nothing is getting stomped on internally you can change the last "do the following" to delete the email or send to quarantine.
NOTE 2: If something is getting stomped on.. no biggie.. approve it and it will be sent to the email / distro it was supposed to. then just add an additional condition to allow it through. but I'm 99.999% sure this will take care of everyone.
I'm including an image of what this should look like when done.
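Added example, not the commenter's own: the same transport rule built with Exchange Online PowerShell instead of the EAC clicks above, so it can be scripted across tenants. It assumes the ExchangeOnlineManagement module is installed and that you have an Exchange admin role; the domain list and approver address are placeholders.

```powershell
# Added example (not from the thread): the rule described above via New-TransportRule.
Connect-ExchangeOnline

$ownedDomains = @('test123.com')            # placeholder: every domain the tenant owns
$approvers    = @('itadmin@test123.com')    # placeholder: admins who approve held mail

$ruleParams = @{
    Name                        = 'Hold Direct Send spoofs for approval'
    # Condition 2: Authentication-Results header contains spf=fail
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = 'spf=fail'
    # Condition 3 + setting 6d: the *header* From domain claims to be one of ours
    SenderDomainIs              = $ownedDomains
    SenderAddressLocation       = 'Header'
    # Condition 4: Received-SPF shows the localhost HELO the commenter keys on
    HeaderMatchesMessageHeader  = 'Received-SPF'
    HeaderMatchesPatterns       = 'helo=\[127\.0\.0\.1\]'
    # Action 5: hold for approval rather than drop, so nothing legitimate is lost
    ModerateMessageByUser       = $approvers
    # Settings 6a-6c: evaluated first (0 is the highest priority), enforced, high severity
    Priority                    = 0
    Mode                        = 'Enforce'
    SetAuditSeverity            = 'High'
}
New-TransportRule @ruleParams

# Confirm the conditions landed as intended before relying on it.
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, Priority, Mode, SenderDomainIs, HeaderContainsWords, HeaderMatchesPatterns, ModerateMessageByUser

# Once a week has passed with no legitimate mail held, switch from moderation to quarantine
# (the commenter's follow-up step):
# Set-TransportRule -Identity $ruleParams.Name -ModerateMessageByUser $null -Quarantine $true
```

Mode can be set to 'Audit' first if you want a dry run that only logs matches before enforcing.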
Mrgurth1@reddit
@NotABoyAnAbomimation hope this helps brotha!
NotABoyAnAbomimation@reddit (OP)
Ur an absolute baws thanks for the share man!!!
TheRocketMannTV@reddit
Getting this today as well. Thank you everyone for the direct send tip
derfmcdoogal@reddit
If you are using a 3rd party spam filter (since you mention Mimecast / Ironscales not blocking them) you need to restrict the o365 Connector to only accept email from your 3rd party filter. It's a checkbox on the connector setup, then you give it the IP addresses provided by the filter provider.
We had this same issue with Barracuda. Previous admin set it up using the instructions at the time. Barracuda had later revised the instructions and sent out the change (which was ignored).
Or you can disable direct send.
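Added example, not the commenter's own: the connector restriction described above done in Exchange Online PowerShell, followed by the tenant-wide option of rejecting Direct Send. The connector name and IP ranges are placeholders; use the ranges your filter vendor publishes.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# First see which inbound connectors exist and whether any still accept mail from anywhere.
Get-InboundConnector |
    Format-Table Name, ConnectorType, SenderDomains, RestrictDomainsToIPAddresses, SenderIPAddresses

# Placeholder ranges (TEST-NET); replace with the list the filter provider gives you.
$filterIPs = @('203.0.113.0/24', '198.51.100.0/24')

# Only accept mail for the connector's SenderDomains when it arrives from the filter's IPs.
Set-InboundConnector -Identity 'Third-party filter inbound' `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses $filterIPs

# Or, as the comment's last line says, turn Direct Send off for the whole tenant.
# This is the organization setting Microsoft introduced in 2025; check first that no
# on-prem printers/scanners rely on unauthenticated submission straight to the MX.
Set-OrganizationConfig -RejectDirectSend $true
Get-OrganizationConfig | Select-Object RejectDirectSend
```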
DegaussedMixtape@reddit
One of my clients got hit by an extensive spoofing campaign yesterday. Somehow it was getting through 365 anti-spam and anti-phish policies despite having elevated SCL scores. I switched the anti-spam policy to black hole anything that doesn't pass SPF since the spoof emails are in fact failing SPF.
It's pretty easy in message trace to review the sending mail server and determine if it's an account compromise or an external email.
Tronerz@reddit
If they're getting spoofed emails from their own address, check if Direct Send is enabled in the tenant