Phishing emails coming from me?
Posted by Kitchen-Start-3828@reddit | sysadmin | 50 comments
I have a small business, I use M365 via Godaddy and I have Godaddy Advanced email security filter on high.
I get phishing emails often where it will be from my own email, my payroll email, my AP email and my HR email that get sent to me directly.
I have changed my password multiple times, and on the other accounts too, but the same phishing emails still come from time to time. The GoDaddy email filter works well at blocking a lot of spam domains, but clearly it can't block my own domain, so maybe that's how it is getting through?
How do I stop this? This is really scary; it feels like someone is on my domain just messing around with my business.
hashbrownhenry@reddit
Google "direct send exploit" then follow the guidance
Kitchen-Start-3828@reddit (OP)
I'm reading it and it says to use PowerShell. How do you use PowerShell in M365 online?
hashbrownhenry@reddit
You can use PowerShell directly on your computer.
Kitchen-Start-3828@reddit (OP)
What about on the Godaddy DNS records side? There's a GUI
hashbrownhenry@reddit
If you are using a hosted m365 service through GoDaddy then they should be providing support on that.
Part of being a sysadmin is being able to apply generic documentation to your specific environment. Support contracts help cover areas you don't understand or just don't have time for.
Evening_Plan_2302@reddit
https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
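The "connect to Exchange Online PowerShell, then disable Direct Send" step the replies above point at, written out as an added example (not code from the thread or from Microsoft's docs). It assumes the ExchangeOnlineManagement module is installed (`Install-Module ExchangeOnlineManagement`), that the account you sign in with holds an Exchange admin role, and that `example.com` is replaced with your own domain. The `RejectDirectSend` organization setting is the one Microsoft added in 2025 for this; the script checks whether your tenant and module version expose it before trying to set it.

```powershell
# Added example: turn off Direct Send in Exchange Online, verify the change,
# and trace recent inbound mail that claims to come from your own domain.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin role,
# and that $Domain is your tenant's custom domain (e.g. example.com).
param(
    [Parameter(Mandatory)][string]$Domain,   # your domain, e.g. example.com
    [switch]$WhatIfOnly                       # report only, change nothing
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Inspect the current Direct Send setting. RejectDirectSend is a recent
#    addition; an old module or tenant may not expose the property yet.
$org = Get-OrganizationConfig
if ($null -eq $org.PSObject.Properties['RejectDirectSend']) {
    Write-Warning "RejectDirectSend is not exposed here; update ExchangeOnlineManagement and retry."
} else {
    Write-Host "RejectDirectSend currently: $($org.RejectDirectSend)"
    if (-not $org.RejectDirectSend -and -not $WhatIfOnly) {
        # 2. Reject unauthenticated Direct Send submissions to the tenant.
        Set-OrganizationConfig -RejectDirectSend $true
        # 3. Read the setting back rather than trusting the call succeeded.
        $after = (Get-OrganizationConfig).RejectDirectSend
        Write-Host "RejectDirectSend after change: $after"
    }
}

# 4. Last 7 days of traced mail whose envelope sender claims your domain.
#    Inbound rows here with an external FromIP are the "from myself" phish.
$end   = Get-Date
$start = $end.AddDays(-7)
Get-MessageTrace -StartDate $start -EndDate $end -PageSize 1000 |
    Where-Object { $_.SenderAddress -like "*@$Domain" } |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status, Subject |
    Sort-Object Received -Descending |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with `-WhatIfOnly` to see the current state and the trace before changing anything. The caveat a later reply raises applies: anything on your network that relays mail through Direct Send (copiers, scanners, line-of-business apps) will start failing once rejection is on, so inventory those senders in the trace output first and move them to an inbound connector or authenticated SMTP submission.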
Sillylilguyenjoyer@reddit
This is almost certainly the problem
AnonEMoussie@reddit
Definitely an overlooked comment. I had SPF records, dkim and dmarc all setup securely, but still got spoofed emails until I disabled DirectSend.
NH_shitbags@reddit
Do you have SPF and DMARC records set?
Kitchen-Start-3828@reddit (OP)
I have SPF set and DKIM already set up. I just set the DMARC records
PPan1c@reddit
That's the correct question. Configuring SPF and DMARC for your domain will probably solve this issue. Not only for yourself, but also for those that receive your emails.
You can find out from what IP the emails actually originate from here: https://mxtoolbox.com/EmailHeaders.aspx
And learn more about SPF/DMARC here:
What are DMARC, DKIM, and SPF? (Cloudflare)
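A checker for the three records the reply above recommends, as an added example (not from the thread or from the linked pages). It runs on Windows with the built-in `Resolve-DnsName` cmdlet and tests the things that matter for an M365 tenant: one SPF record that includes `spf.protection.outlook.com` and ends in `-all`, the `selector1`/`selector2` DKIM CNAMEs Exchange Online uses, and a DMARC record whose policy actually enforces. The suggested record values are Microsoft's published ones; the `rua=` mailbox is a placeholder you replace with your own.

```powershell
# Added example: audit SPF, DKIM (M365 selectors) and DMARC for one domain.
# Assumes Windows PowerShell / the DnsClient module (Resolve-DnsName) and
# that $Domain is the custom domain on the M365 tenant.
param([Parameter(Mandatory)][string]$Domain)

function Get-TxtRecord {
    param([string]$Name)
    try {
        # TXT answers over 255 bytes come back as several strings; re-join them.
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { ($_.Strings -join '') }
    } catch { @() }
}

$findings = [System.Collections.Generic.List[string]]::new()

# --- SPF: exactly one v=spf1 record, includes EOP, hard-fails everything else
$spf = @(Get-TxtRecord -Name $Domain | Where-Object { $_ -like 'v=spf1*' })
if ($spf.Count -eq 0) {
    $findings.Add("SPF: missing. For M365: 'v=spf1 include:spf.protection.outlook.com -all'")
} elseif ($spf.Count -gt 1) {
    $findings.Add("SPF: $($spf.Count) records found; RFC 7208 allows exactly one (receivers treat more as permerror)")
} else {
    $rec = $spf[0]
    if ($rec -notmatch 'include:spf\.protection\.outlook\.com') { $findings.Add("SPF: does not include spf.protection.outlook.com") }
    if     ($rec -match '\+all') { $findings.Add("SPF: '+all' authorises every sender; use '-all'") }
    elseif ($rec -match '~all')  { $findings.Add("SPF: '~all' softfail; move to '-all' once every legitimate sender is listed") }
    elseif ($rec -notmatch '-all') { $findings.Add("SPF: no '-all' terminator") }
}

# --- DKIM: Exchange Online signs with selector1/selector2, published as CNAMEs
foreach ($sel in 'selector1', 'selector2') {
    $name  = "$sel._domainkey.$Domain"
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        $findings.Add("DKIM: $name has no CNAME; enable DKIM signing for $Domain in Defender and publish both CNAMEs")
    } elseif ($cname.NameHost -notlike '*._domainkey.*.onmicrosoft.com') {
        $findings.Add("DKIM: $name points at $($cname.NameHost), not an Exchange Online key")
    }
}

# --- DMARC: policy must enforce, cover 100% of mail, and send you reports
$dmarc = Get-TxtRecord -Name "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if (-not $dmarc) {
    $findings.Add("DMARC: missing. Start with 'v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@$Domain'")
} else {
    $tags = @{}
    foreach ($kv in ($dmarc -split ';')) {
        $p = $kv.Trim() -split '=', 2
        if ($p.Count -eq 2) { $tags[$p[0].Trim()] = $p[1].Trim() }
    }
    switch ($tags['p']) {
        'reject'     { }
        'quarantine' { }
        'none'       { $findings.Add("DMARC: p=none only reports; spoofed mail is still delivered. Move to quarantine or reject") }
        default      { $findings.Add("DMARC: no valid p= tag") }
    }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only that share of failing mail")
    }
    if (-not $tags.ContainsKey('rua')) {
        $findings.Add("DMARC: no rua= address, so you get no aggregate reports showing who is spoofing you")
    }
}

if ($findings.Count -eq 0) { "OK: $Domain has SPF with -all, both M365 DKIM selectors and an enforcing DMARC policy" }
else { $findings | ForEach-Object { "FIX: $_" } }
```

Usage: `.\Check-MailAuth.ps1 -Domain example.com`. Note that a passing result here says the records are published, not that they are being enforced inbound: a receiver still has to honour `p=quarantine`/`p=reject`, and your own tenant's anti-spoofing settings decide what happens to mail that fails DMARC on arrival.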
Tymanthius@reddit
While this is true, so many small businesses do not have it set up, and then when you do set it up to properly refuse emails that aren't set up with it, you have to make a ton of exceptions because no one takes the time.
PPan1c@reddit
True. I've requested a lot of companies to have a look at this, but we make no exceptions at all. If people want reliable communication with our company via email, they just have to fix it.
I did manually release a few emails, but whitelisting an entire domain is a no-go. You might "trust" a domain now, but if they are the victim of a cyberattack, the (malicious) mails will just arrive in your inbox. (This happened more than once here.)
In our case, 99 out of 100 companies we have contact with managed to fix it.
DrMacintosh01@reddit
It’s a super easy fix. As long as the business has an M365 admin and access to their DNS records, it literally takes like half an hour to set up if you watch a tutorial multiple times before actually changing settings.
solracarevir@reddit
OP's domain probably has direct send enabled and that's what's being exploited.
ItsGotToMakeSense@reddit
I'd first try to rule out spoofing. Have you taken a close look at those phishing emails? See if they're actually from another address and are just changing the display name and/or the "from" address to match yours; that's the easiest possibility. Anyone can do that, but as another poster said this can be mitigated by setting up DNS authentication for your domain. GoDaddy support should be able to help you do that; you'll want SPF, DKIM, and DMARC to help make bogus messages go to the junk folder when they arrive.
clabern@reddit
This started happening to me/my org this past Friday into today, using M365 as well, directly through MS.
solracarevir@reddit
I got 3 new clients (SMBs) this weekend for this exact reason. Started receiving emails from "themselves" this Friday; all 3 of them had direct send enabled.
Also, if you poke around here at r/sysadmin, a few posts like this one and this one confirm this is ongoing since Friday and a lot of businesses are being flooded with Direct Send phishing.
If you ask me, pretty confident this is related to the Iran / United States / Israel conflict
DrMacintosh01@reddit
Since enabling SPF, DKIM, and DMARC I’m not seeing these attempts anymore. But how do I verify that direct send is disabled, and is there a downside to disabling it?
DrMacintosh01@reddit
Your project for the week should be to enable SPF, DKIM, and DMARC for your m365 domain. It’s super easy and protects your users from the impersonation attacks. This tutorial helped me: https://youtu.be/sJ-5URX19d4?si=7bh7DZVSyBAQnrL9
AnonEMoussie@reddit
Unless he still has DirectSend enabled in M365
DrMacintosh01@reddit
DMARC policy of p=reject or p=quarantine should catch those fake direct send emails. At least it has for me. Header shows an unauthorized domain so M365 didn’t deliver the email.
ImFromBosstown@reddit
What pct (percentage) do you use?
DrMacintosh01@reddit
100%
clabern@reddit
SPF was already set up, DMARC was wrong since it got taken over at some point by Wix (we use it for our website), so I axed that and corrected DMARC and DKIM. Set DMARC to quarantine.
Minimum-Net-7506@reddit
Make sure your domain is properly configured: spoofchecker.com/spoof-checker-tool/
Ok-Influence-2162@reddit
I was just getting ready to ask this exact same question. We have M365 w/ Godaddy and the phishing emails we receive that show coming from our own domain have gotten crazy the past few weeks.
MalletNGrease@reddit
Disable direct send.
ohnonotagain94@reddit
SPF and DMARC. Sort it out and you’re good.
Icantread_good_at_al@reddit
I work at an MSP and a ton of our clients on Defender for O365 without a reject or quarantine in their DMARC record were hit with this. A ton of email coming from European servers. Running the headers, it's classifying it as non-spam with compauth=pass reason=703 with spf=fail dmarc=fail.
This isn't exactly the direct send exploit, because if it was, the originating server would be protection.outlook.com and would most likely pass SPF, since that's added when it's first set up in DNS.
This is a failure on Microsoft's spam filtering.
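The header triage the comment above describes, done with a script rather than by eye, as an added example (not code from the thread). It unfolds the raw headers, pulls the `spf=`/`dkim=`/`dmarc=`/`compauth=` verdicts and the `reason=` code out of the `Authentication-Results` line, finds the `Received:` hop where the message entered your tenant's `*.mail.protection.outlook.com` endpoint, and reports the external host and IP that handed it over. The header text in `$Sample` is constructed for the example (the `203.0.113.7` address is documentation space); paste a real message's headers into `$RawHeaders` instead.

```powershell
# Added example: extract authentication verdicts and the submitting IP from
# Exchange Online message headers to tell a spoof from mail you really sent.
# The sample header below is constructed; it is not a real captured message.
param([string]$RawHeaders)

$Sample = @'
Received: from BN0PR04CA0001.namprd04.prod.outlook.com (2603:10b6:408:ee::6)
 by DM6PR12MB3419.namprd12.prod.outlook.com with HTTPS; Fri, 4 Jul 2025 13:12:09 +0000
Received: from mail-relay.example.net (203.0.113.7) by
 example-com.mail.protection.outlook.com (10.167.242.32) with Microsoft SMTP Server
 id 15.20.8901.15 via Frontend Transport; Fri, 4 Jul 2025 13:12:07 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=example.com;compauth=pass reason=703
From: "Payroll" <payroll@example.com>
To: owner@example.com
Subject: Urgent: payroll update required
'@
if (-not $RawHeaders) { $RawHeaders = $Sample }

function Get-UnfoldedHeaders {
    # RFC 5322 folding: a line that starts with whitespace continues the previous header.
    param([string]$Text)
    $lines = [System.Collections.Generic.List[string]]::new()
    foreach ($l in ($Text -split "`r?`n")) {
        if ($l -match '^\s' -and $lines.Count -gt 0) { $lines[$lines.Count - 1] += ' ' + $l.Trim() }
        else { $lines.Add($l) }
    }
    $lines
}

function Get-AuthVerdict {
    param([string]$Text)
    $h  = Get-UnfoldedHeaders $Text
    $ar = $h | Where-Object { $_ -match '^Authentication-Results:' } | Select-Object -First 1
    $v  = [ordered]@{}
    foreach ($k in 'spf', 'dkim', 'dmarc', 'compauth') {
        $v[$k] = if ($ar -match "(?:^|[;\s])$k=(\w+)") { $Matches[1] } else { 'absent' }
    }
    $v['reason']     = if ($ar -match 'reason=(\d+)') { $Matches[1] } else { 'absent' }
    $v['senderIP']   = if ($ar -match 'sender IP is ([0-9a-fA-F:.]+)') { $Matches[1] } else { 'unknown' }
    $v['mailfrom']   = if ($ar -match 'smtp\.mailfrom=(\S+?)[;\s]') { $Matches[1] } else { 'unknown' }
    $v['headerfrom'] = if ($ar -match 'header\.from=(\S+?)[;\s]') { $Matches[1] } else { 'unknown' }

    # The hop where the message entered Exchange Online Protection:
    # "Received: from <host> (<ip>) by <tenant>.mail.protection.outlook.com".
    # Received headers are prepended, so the last match is the earliest hop.
    $rx    = '^Received: from (\S+) \(([^)]+)\) by (\S+\.mail\.protection\.outlook\.com)'
    $entry = $h | Where-Object { $_ -match $rx } | Select-Object -Last 1
    if ($entry -and $entry -match $rx) {
        $v['entryHost'] = $Matches[1]; $v['entryIP'] = $Matches[2]; $v['entryMX'] = $Matches[3]
    }

    $v['verdict'] = if ($v.spf -eq 'pass' -and $v.dmarc -eq 'pass') {
        'authenticated as your domain'
    } elseif ($v.dmarc -eq 'fail' -and $v.compauth -eq 'pass') {
        'SPF/DMARC failed but composite auth passed, so it was delivered; review DMARC policy, anti-spoofing and Direct Send'
    } elseif ($v.dmarc -eq 'fail') {
        'spoofed: DMARC failed'
    } else { 'inconclusive: check the full header by hand' }
    [pscustomobject]$v
}

Get-AuthVerdict $RawHeaders | Format-List
```

On the constructed sample this reports `spf=fail`, `dmarc=fail`, `compauth=pass`, `reason=703`, the entry hop `mail-relay.example.net (203.0.113.7)` into `example-com.mail.protection.outlook.com`, and the "delivered despite failing auth" verdict. Whether a real `entryIP` belongs to you is answered by your SPF record: if it is not one of your authorised senders, the message did not come from your tenant's outbound path, whatever the display name says.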
This_Bitch_Overhere@reddit
This was also the same findings that I have. I have also pushed off to the person who is spearheading the defender project to update DMARC. Crickets thus far.
shokzee@reddit
Don't panic, your account almost certainly isn't compromised. What's happening is someone is spoofing your domain in the "from" header, which is super easy to do if you don't have the right DNS records in place. They're not actually inside your mailbox.
The fix is setting up SPF, DKIM, and DMARC on your domain. SPF and DKIM tell receiving servers which mail servers are allowed to send as you, and DMARC tells them what to do when something fails (reject it). Once you have DMARC at p=reject, those spoofed emails pretending to be from your domain will get blocked before they ever hit your inbox.
I'd start by running a quick check on your domain to see what you have set up already; you can use this domain health checker to see where you stand with SPF/DKIM/DMARC. If you're on M365 through GoDaddy you probably have SPF partially configured but DMARC might be missing entirely, which is why the spoofed mail is getting through.
bythepowerofboobs@reddit
Get a better provider than GoDaddy.
DrMacintosh01@reddit
GoDaddy is perfectly fine for domain hosting, dns management, and their website builder. But I would not buy any integrated services like M365 from them.
bythepowerofboobs@reddit
Only if you are perfectly fine with massively overpaying. Route 53 or Cloudflare is the way.
Few-Dance-855@reddit
Migrate to Office and set up all the anti-spoofing there. Microsoft has good tools; GoDaddy, not so much.
Sillylilguyenjoyer@reddit
I'm guessing this is direct send. Disable it. If you need it for MFPs, set up a connector between your site and O365 to allow them to use it without dealing with the spam.
Adorable_Wolf_8387@reddit
This is probably an issue where the "envelope-from" address is being abused to make it look like it's on your own domain. Not sure how to fix that for your provider.
Minimum-Net-7506@reddit
I think SPF and DKIM are likely not set up and the emails are spoofing his domain. spoofchecker.com/spoof-checker-tool/ OP should check if the domain is properly configured.
DrMacintosh01@reddit
SPF, DKIM, DMARC, and domain impersonation protection.
vnoice@reddit
Check out www.greyphish.com
Extra-Organization-6@reddit
This is almost always a missing or misconfigured SPF/DKIM/DMARC setup. Spoofing the from address is trivial if your domain doesn't have a strict DMARC policy. Check your DNS records at dmarcanalyzer.com or mxtoolbox.com. You want SPF with -all (hard fail), DKIM signing enabled, and DMARC set to p=reject. Also get off GoDaddy email hosting if you can; their tooling for this stuff is painful compared to direct M365.
The_referred_to@reddit
Think of an email like regular post. Anyone can send a letter and write any from address on the back that they want. Whether it’s a correct from address or not is immaterial.
You need to look at services for your mail that offer impersonation detection and defence. One that springs to mind is Mimecast.
Optimaximal@reddit
You don't need to, it's already built into Exchange Online/Microsoft 365. You just need to turn it on.
The_referred_to@reddit
Yeah, as in look at services (which includes M365) that offer impersonation detection.
Minimum-Net-7506@reddit
Is your email being spoofed? Try this tool: Spoof Checker
40513786934@reddit
https://www.varonis.com/blog/direct-send-exploit
DrMacintosh01@reddit
Check your M365 Defender admin panel, go to the Explorer tab, and search for any outbound emails sent from those addresses. 99% there won’t be any malicious ones.
What is likely happening is that these addresses are being impersonated. You need to make sure SPF is enabled on your email domain and that DKIM and DMARC are also enabled. This video tutorial helped me roll out these features on my M365 tenant. https://youtu.be/sJ-5URX19d4?si=7bh7DZVSyBAQnrL9
Now whenever an email claims to be from my domain, it won’t get delivered unless the sender is from my domain.
PigeonRipper@reddit
r/techsupport
bythepowerofboobs@reddit
Disable direct send.