Massive spam attack today?
Posted by CeC-P@reddit | sysadmin | 133 comments
Anyone else seeing a gigantic spam attack today, all impersonating employees at the company or their vendors but coming from various worldwide servers?
4 of our major customers all reported massive amounts of spam of this nature today (we're an MSP)
NovaKlone427@reddit
Been happening for about a week now. It forced us a few days ago to make sure that DMARC, DKIM, SPF, and anti-phishing policies are all in place for everyone.
Jazzlike-Vacation230@reddit
I would say yes but it felt more like internal testing. Did all Security teams happen to run testing the same day? Was it some Cybersecurity Industry thing?
mspbay@reddit
All this is true BUT something happened last week where MS changed something where no protection is kicking in at all. We have worked with them to understand this issue and they have acknowledged it.
“Please note that all updates regarding this incident are now published directly by the engineering team actively working on the fix. These updates are visible in the Service Health Dashboard (SHD), under SHD ID EX1287056”
RainofOranges@reddit
Many admins are misinformed about this and the cargo cult answer is to disable Direct Send, which is wrong. I am in MSP land and just today I watched as spoofed phishing went from getting through to getting quarantined as I finally put a DMARC policy of quarantine in. I did not disable Direct Send whatsoever.
Direct Send does not bypass SPF/DKIM/DMARC either. How could it? Direct Send is defined as email that passes at least SPF. Microsoft docs say to put at least the public sending IP in your SPF record. These phishing messages will (hopefully) not pass SPF, therefore do not count as Direct Send!
At that point it’s just your domain being spoofed, and admins complaining about the influx of phishing simply do not have a proper DMARC policy in place. I know because I worked on several environments just today where that was the case, and it was immediately fixed by DMARC p=quarantine.
This document https://techcommunity.microsoft.com/blog/exchange/introducing-more-control-over-direct-send-in-exchange-online/4408790 is often cited but people do not read. It’s in the second paragraph: “The Direct Send method assumes that customers have properly configured SPF, DKIM, and DMARC for their tenants.” They’re saying Direct Send is defined by the message with an Envelope From on your domain that passes at least SPF. Otherwise it’s just anonymous mail like all other external mail. And even then it would still be subject to SPF/DKIM/DMARC!
Plus_Stable3165@reddit
Were you seeing DMARC or SPF in the header with temperror on lookup in some messages? We saw some messages still bypassing p=reject since the DMARC does not fail in this instance but instead shows a Temporary Error. compauth=pass reason=703 was another indicator. This required a mail flow rule to block those emails still getting through.
Running our DMARC and SPF records through any “checker” type tools comes back clean.
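The header pattern described in the comment above (SPF/DMARC failing or returning temperror while `compauth=pass reason=703` lets the message through) can be triaged from exported message headers. This is an added example, not code posted in the thread; the sample messages, addresses and flag names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Verdict tokens as they appear in Authentication-Results, e.g. "spf=fail".
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.I)
REASON_RE = re.compile(r"\breason=(\d+)", re.I)


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc/compauth verdicts from all Authentication-Results headers."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = {k.lower(): v.lower() for k, v in VERDICT_RE.findall(joined)}
    reason = REASON_RE.search(joined)
    verdicts["reason"] = reason.group(1) if reason else None
    return verdicts


def triage(raw_message):
    """Return the flags raised for one raw RFC 5322 message plus its compauth reason."""
    msg = message_from_string(raw_message)
    v = parse_auth_results(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    # Neither SPF nor DMARC produced a pass (fail, softfail, temperror, none, missing).
    unauthenticated = v.get("spf") != "pass" and v.get("dmarc") != "pass"

    flags = []
    if unauthenticated and v.get("compauth") == "pass":
        flags.append("compauth-pass-despite-auth-failure")
    if "temperror" in (v.get("spf"), v.get("dmarc")):
        flags.append("temperror")
    if unauthenticated and sender and sender == recipient:
        flags.append("self-addressed-unauthenticated")
    return {"flags": flags, "compauth_reason": v["reason"]}


# Constructed sample messages (not taken from any real tenant).
SAMPLES = {
    "spoof_delivered": (
        "From: Pat <pat@example.com>\n"
        "To: pat@example.com\n"
        "Subject: note to self\n"
        "Authentication-Results: spf=fail (sender IP is 203.0.113.7)\n"
        " smtp.mailfrom=example.com; dkim=none (message not signed)\n"
        " header.d=none;dmarc=fail action=none header.from=example.com;\n"
        " compauth=pass reason=703\n"
        "\n"
        "body\n"
    ),
    "temperror": (
        "From: pat@example.com\n"
        "To: pat@example.com\n"
        "Subject: urgent, sign this doc\n"
        "Authentication-Results: spf=temperror (DNS timeout)\n"
        " smtp.mailfrom=example.com; dkim=none header.d=none;\n"
        " dmarc=temperror action=none header.from=example.com;\n"
        " compauth=pass reason=703\n"
        "\n"
        "body\n"
    ),
    "legitimate": (
        "From: pat@example.com\n"
        "To: lee@example.com\n"
        "Subject: minutes\n"
        "Authentication-Results: spf=pass smtp.mailfrom=example.com;\n"
        " dkim=pass header.d=example.com; dmarc=pass action=none\n"
        " header.from=example.com; compauth=pass reason=100\n"
        "\n"
        "body\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```
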
RainofOranges@reddit
I just spot-checked a few messages that got through from before I put in DMARC p=quarantine and they have compauth pass reason 703, but no SPF temperror, just SPF fail.
No spoofed phishing emails from today or overnight got through either. Same malicious sender as before, they’re now being quarantined.
BlueWater321@reddit
Quarantine is just people's spam folders.
RainofOranges@reddit
No, it’s the admin-only quarantine since this makes them get flagged as high-confidence phishing.
BlueWater321@reddit
If you trust Microsoft sure. p=reject is right there and actually does the thing.
RainofOranges@reddit
Going from no DMARC policy immediately to p=reject can be a disaster. I had to do something though, so p=quarantine it is for now. These spoofs will always fail DMARC, thus they’ll always be admin quarantined. It’s a good step while we strive for p=reject at some point in the future.
BlueWater321@reddit
Oh, yeah I keep forgetting that people might not have any DMARC.
DrMacintosh01@reddit
Thanks Bro. Coincidentally I got my work (an 8 person org) all configured with SPF/DKIM/DMARC late last month. I followed a great tutorial on YouTube on how to make the DNS entries on our domain and how to make sure everything is configured properly. I was seeing all of these posts so I went to look at Explorer in my Defender admin portal, and yeah, loads of spoofed emails that were dropped or failed.
SemicolonMIA@reddit
Turn off direct send. It's hitting a lot of orgs right now.
I bet every email is the user to themselves, correct?
CeC-P@reddit (OP)
Wait, what's direct send and how does it relate to this attack? I thought I knew email systems pretty well but never heard that term.
SemicolonMIA@reddit
I may be misunderstanding your situation but if the sender is the same as the recipient, I am willing to bet it is Direct Send. You are not alone in this uptick.
They attempt to spoof as a sender but change the return to address to be the spoofed address. This allows the bounce back from when they attempt the spoof to be redirected to the person they are trying to spoof from my understanding. I am sure there is more to it and I am unsure how they are making the bounce back look like docusigns, voicemails, etc, but this was my headache the past 2 days.
https://techcommunity.microsoft.com/blog/exchange/introducing-more-control-over-direct-send-in-exchange-online/4408790
SimpleSysadmin@reddit
Can you confirm if your dmarc is set to reject? As dmarc should be stopping this kind of attack.
SemicolonMIA@reddit
It is different than how DMARC handles them. Direct send doesn't get inspected by EOP. So it cruises on through.
SimpleSysadmin@reddit
It absolutely does, I have seen it first hand. Not having the appropriate spf record will stop things being delivered if direct sent.
Read the updated blog below.
If direct send didn’t get inspected what’s the point of having spf or dmarc. Direct send as a concept has conceptually existed since the smtp standard was created. I struggle to believe that Microsoft would let people bypass standard long established security standards just because someone sends an email to you from an external source with the same domain in your tenancy.
https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865
nitroed02@reddit
I would have thought spf, dkim and dmarc would have stopped this. But I saw cases where the headers showed spf failed, dkim none, dmarc failed, action accept. Domain had dmarc policy of quarantine, and spf configured.
SimpleSysadmin@reddit
I’d be super interested in seeing examples of this. We did have one client who we found a years back who had a policy to allowlist anything from their own domain, essentially ignoring those failures, is it possible something similar or you could find the reason it was accepted?
3sysadmin3@reddit
I saw examples of this in my tenant running query like below. It's rare and it looks like ZAP went back and cleaned them up in every case I looked at. For example, one I dug into, the spoof went out to hundreds of people, but only one user got it in the inbox; it got Zapped back to quarantine for whatever reason.
Email entity shows
The KQL Advanced Hunt below shows we're not using direct send legitimately, so looking to disable it here.
SimpleSysadmin@reddit
Fascinating, it looks like in this example dmarc evaluation failed due to some temporary error “temperror” and it failed back to composite authentication to not delay delivery. The question, which may be hard to answer easily, is how quick did ZAP deal with it.
SemicolonMIA@reddit
I will not pretend to be an expert on this. I will check my records in the morning. I see mixed things in blogs and other articles mentioning that it runs through EOP but doesn't have the same level of checks. I think one of the articles was from Proofpoint but I'll look later. I'm done for the day. I just was hoping to help another admin.
SemicolonMIA@reddit
See I keep finding contradicting stuff. I will have to double check my records in the am.
https://powerdmarc.com/microsoft-365-direct-send-phishing-attack/
medium0rare@reddit
Pretty sure direct send only applies to emails originating from the tenant being delivered to the same tenant. The spoofs we’ve been seeing are coming from external mail senders, which dmarc should take care of.
itsverynicehere@reddit
DMARC/SPF are being ignored and sent through for compauth. MS has something wrong.
Everyone blaming direct send but it's being given the go by MS.
Motor-Marzipan6969@reddit
We have our DMARC set to quarantine, and yes, it catches direct send emails.
ranhalt@reddit
Microsoft exchange online direct send. Addresses the cloud domain address, hitting exchange online directly, bypassing the MX record.
SimpleSysadmin@reddit
This is not what direct send is. This doesn’t bypass mx or the usual security checks
https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865
mountaindrewtech@reddit
This, audit and turn off direct send asap while moving towards dmarc enforcement. Disabling direct send is a lower hanging fruit.
itsverynicehere@reddit
Direct send doesn't seem to be the issue. It's happening after SMTP handshakes. The issue is that even if it fails dmarc and SPF, the MS allows it through with "compauth" meaning the MS AI decided it's safe and then sends it straight to the mailbox with a low (1) SCL.
Compauth is effectively MS's internal whitelist that bases its "decisions" on internal rankings and lists. It allows for places like Google to be sure it doesn't get blocked.
MS has either got something in its compauth settings that a group is taking advantage of, or it's been compromised.
Don't forget we are in a war. This little campaign probably gleaned quite a few credentials.
Whatever happened, MS basically turned all of exchange online into an open relay for spoofed emails. The only way we fixed it was to make some new transport rules.
ancientpsychicpug@reddit
We made a transport rule, internal to internal email address where the sender originates from outside the org. Having all of those emails send to a mailbox we set up where we are manually approving emails. While we get a handle on it and final approval for direct send. We are still doing our impact analysis and needed to apply a bandage.
Total-Ingenuity-9428@reddit
I've been reading about direct send issues lately. Does anyone know whether it also affects personal MS accounts?
I recall seeing such emails in a bunch, recently.
MS Infra is fk'd, ain't it?
angrydeuce@reddit
Yep, literally was getting hammered across multiple tenants with direct send bullshit starting mid week last week after quite a while of nothing.
Normally they wait until a major holiday weekend is coming up...nothing like that in the US that I'm aware of, is some other major holiday about to kick off? They like to do this shit when they know recipients are off day drinking enjoying an extra day off and checking in on emails via mobile, and thus aren't paying quite as close attention to what they're doing as they normally would.
Ehenderson5400@reddit
Same thing here - found it to be this. Maybe this will help someone
https://www.varonis.com/blog/direct-send-exploit
ranhalt@reddit
It’s been a thing for a whole year already.
SemicolonMIA@reddit
Truth. I was waiting for a better way to audit it and forgot all about it until shit hit the fan yesterday. 1 man ship struggles.
Confident_Guide_3866@reddit
Yep we just finally disabled it this morning
DP187@reddit
Also received a lot of these complaints from our Clients in Miami. I am also in an MSP environment. Can't block the sender as it is from themselves, clever.
YaManMAffers@reddit
Apparently bad actors have figured out how to bypass MSP's algorithm for detecting spoofing emails. Fun! :(
IranianAlan@reddit
Seeing a lot of these threads across various subs in the last 24 hours, weird
Gunnilinux@reddit
yep, lots of emails where the sender appears to be the same as the recipient with a subject like "note to self" and some "urgent, sign this doc" with malicious links.
SimpleSysadmin@reddit
Are these emails failing dmarc for you? I suspect many companies don’t have a correct dmarc record, there are still heaps of companies where it’s set to the none option instead of quarantine or reject
CeC-P@reddit (OP)
Yes
SimpleSysadmin@reddit
Then how are they getting delivered? a failed dmarc for our clients means emails rejected outright.
In anti-phishing policies, you can control whether p=quarantine or p=reject values in sender DMARC policies are honored. Is it possible someone told your mail filter to ignore it?
Fragrant-Hamster-325@reddit
I’m pretty sure Direct Send bypasses DMARC, SPF, and DKIM checks.
FlyingStarShip@reddit
It does not unless you have it misconfigured
https://techcommunity.microsoft.com/blog/exchange/announcing-new-dmarc-policy-handling-defaults-for-enhanced-email-security/3878883
daniel643@reddit
I first noticed this by checking the quarantine, all self to self spam was rejected and quarantined due to DMARC failing.
CeC-P@reddit (OP)
Because a lot of our vendors and customers are careless and haven't configured DMARC properly for all of their 3rd party senders.
GradeAccomplished322@reddit
I had like a dozen people click links today because the email started with a cheerful green box with text like "your IT department has deemed the links in this email to be safe and login prompts to be secure to enter your credentials"
I can't believe all it took to ignore their training was literally writing "this is trustworthy" on the spam, I'd be laughing if I wasn't so tired
CeC-P@reddit (OP)
With my old company's email system it'd say
[LIKELY SCAM] followed by the spammer's fake tag [VERIFIED SAFE] followed by our yellow Defender impersonation warning for top level execs followed by their fake green banner saying IT was safe, and the whole thing would be in quarantine.
burny@reddit
Dwight still clicked on it…
Opposite_Bag_7434@reddit
Yep, that sounds about right. “This is trustworthy”.
Fortunately we really did not see much of an issue this time.
House_Indoril426@reddit
We had someone get phished earlier, the link in their email was to "trustabledomains.de"
Like, come on.
Gunnilinux@reddit
Yep, the "this email has been verified by IT" message RIGHT BELOW THE EXTERNAL SENDER BANNER. It almost fooled our CIO
Particular-Poem-7085@reddit
"ignore all previous instructions"
theEvilQuesadilla@reddit
I am both surprised and not. Holy shit. The phishers finally cracked the code to hack any human!
cookerz30@reddit
I'm thankful it's not just my company, but yes it sucks and seems to be getting worse.
ifpfi@reddit
If you have SPF checking enabled at your spam firewall, how can an Email get through that is from your own domain?
Japjer@reddit
I'm seeing the exact same thing in the last few days. More are getting through the filters than before, which is increasingly annoying
KaliUK@reddit
Direct Send abuse, turn it off.
spez-is-a-loser@reddit
Fix your DMARC and SPF. Ours was fubar yesterday also. Two minor changes to DNS and it all went away...
DrMacintosh01@reddit
100%
CraftedPacket@reddit
seeing tons of those across clients today. They are all failing SPF/DMARC and getting stopped by Avanan but lots of clients requesting them to be released and us having to educate them.
SimpleSysadmin@reddit
Bump your dmarc up to reject and your avanan policy to not even quarantine them
CraftedPacket@reddit
this is my current setting. What is your recommendation?
indochris609@reddit
How much will this affect legitimate emails? Anything at all?
SimpleSysadmin@reddit
How many legitimate emails are you having to release from quarantine that were quarantined with a failed dmarc? If your answer is none, then safe to reject. If something is not authed by spf or dkim already and you are confident you are aware of any external apps sending mail on behalf of your org, it’s pretty safe.
Smith6612@reddit
The answer is "Yes"
The second answer is "Vendor, fix it!"
BaconEatingChamp@reddit
Speaking of Harmony, we are currently trialing Cisco's 'Email Threat Defense' which is a similar API based product. So far a week in, it would be making our lives worse with all of the false positives. How is your experience with Checkpoint?
CraftedPacket@reddit
We were on proofpoint prior. We have been on harmony for about 4-6 months now. Avanan stops way more phishing emails than proofpoint did. On proofpoint we still had clients getting phished occasionally. Has not happened on harmony as of yet. The migration was noisy at first, as expected, until we cleaned up policies and whitelists. We currently still get more false positives every week than we did with proofpoint but we also stop a lot more bad stuff. Most of the false positives are emails with a sender with no previous history and emails that contain no body text, just attachments.
The details and information we get with harmony make it much easier to confirm an email's legitimacy prior to releasing than we had with proofpoint.
I have about 2000 mailboxes in harmony currently.
AwkwardSecurity715@reddit
My org has been on Checkpoint Harmony for about 2 years now. For the most part it's been set it and forget it. When we have needed to whitelist/blacklist it's straight forward and easy. It's also got really good logging for investigation of any email delivery issues.
Substantial_Luck2634@reddit
Started over the weekend for us. Came in on Monday to about 70+ tickets and ongoing as of today. Slowing down a bit but we have users requesting release of some of these emails and others just clicking links that they obviously didn’t send themselves.
Bane8080@reddit
Spam no. Our authentication portals have been getting hit hard for about 2 weeks now
ceebeezie@reddit
Dealing with this big time. Clients are getting hit like crazy.
Excellent-Program333@reddit
100% seeing this. It's not Spam, but Phishing emails spoofed from and to the same person. Disabled Direct Send, broke Scan to Email, and had to set up a new connector for those. 4 different tenants. All started last Thursday or so.
I feel like it’s politically/war motivated. Seems odd.
SimpleSysadmin@reddit
Have you fixed your dmarc as reject direct send won’t stop threat actors and spammers impersonating your domain to other tenancies?
sp3ctrume@reddit
I'm amused everyone is fixated on email settings. If you're getting hit with spam, some idiot clicked on it. Probably Jan in finance. Do you have measures in place to monitor such clicks? Do you know where the spam links lead? Have you blocked them? Have you checked for traffic? In my opinion, a click means an instant account lockdown and reset regardless of whatever lie the user tells. If MS ecosystem, how many SharePoint docs have already been downloaded? How many mysterious email rules installed? How many mystery apps dropped into place?
Spam mitigation is just the first step.
its_mayah@reddit
Damn yes! I had a whole bunch of fake “you’ve been invited to an event” envelope images sent from the user to themselves. I spent all day auditing logs and didn’t find anything excessively suspicious.
thesals@reddit
Something I see different compared to what you all are reporting. We're getting spf=temperror which Microsoft allows. These appear to be DNS failures, but we only have 4 includes in our records with no nested includes.
the-recluse@reddit
For me I saw this last week Friday in the US west coast. Our dmarc is set to p=none. I’ve tried to explain we need to disable direct send and update dmarc but I’m just a lowly Helpdesk tech, no one listens to me
Entire_Dependent8214@reddit
Lol to p=none
Smith6612@reddit
A friend of mine confirmed yesterday they had a spoof come in with a fake DocuSign and as a "Sent from self" type message. SPF failed and it was from a server located in India.
I did in the meantime have them set up a DMARC and DKIM policy so these obvious spoofs get dropped. SPF had failed but that wasn't enough...
Entire_Dependent8214@reddit
SPF must be hard fail (-all) at the end, not ~all (soft fail). Otherwise it won’t matter and pass. Also double check Dmarc is set to reject and pct=100
Entire_Dependent8214@reddit
Do this immediately! Set Dmarc to reject “v=DMARC1;p=reject;sp=reject;pct=100” (ensure its configured correctly) , double check you have not added your domain to the allowlist in the antispam policy rule! Microsoft will block these pesky phishers due to Marc spoofing! Do this now!
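The record checks recommended in several comments here (SPF ending in `-all` rather than `~all`, DMARC at `p=reject` with `pct=100`, and the include count raised in the spf=temperror comment) can be run offline against the TXT strings. This is an added example, not code from the thread; the function names and finding messages are assumptions of the example, and it counts only top-level SPF lookup terms since nested includes need live DNS.

```python
import re

# Mechanisms that each cost one DNS lookup during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def audit_spf(record):
    """Return a list of findings for one SPF TXT record (empty list = nothing to fix)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    lookups, all_qualifier, has_redirect = 0, None, False
    for term in terms[1:]:
        term = term.lower()
        if term.startswith("redirect="):
            has_redirect, lookups = True, lookups + 1
            continue
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/]", term, maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1

    findings = []
    if all_qualifier == "~":
        findings.append("ends in ~all (softfail), not -all (hardfail)")
    elif all_qualifier == "?":
        findings.append("ends in ?all (neutral): unlisted senders are not failed")
    elif all_qualifier == "+":
        findings.append("+all authorizes every sender")
    elif all_qualifier is None and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def audit_dmarc(record):
    """Return a list of findings for one DMARC TXT record (empty list = nothing to fix)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]

    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, failures are not acted on")
    elif policy == "quarantine":
        findings.append("p=quarantine: enforced, but not yet p=reject")
    # sp= defaults to the value of p= when absent (RFC 7489).
    subdomain_policy = tags.get("sp", policy).lower()
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains are weaker than p=reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        findings.append("pct= is not a number")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return findings


if __name__ == "__main__":
    # The DMARC record quoted in the comment above, plus constructed SPF samples.
    print(audit_dmarc("v=DMARC1;p=reject;sp=reject;pct=100"))
    print(audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(audit_spf("v=spf1 include:spf.protection.outlook.com ~all"))
```
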
CashlinRap@reddit
Sadly this will get worse as long as the war rages on
yspud@reddit
yes !!!!
twolfhawk@reddit
Harden that dmarc
Rebelliou24@reddit
Same. This has officially kicked off "Check all of our client DMARC/SPF/DKIM records check and fix 2026" for us. Good times.
smilaise@reddit
glad it's not just me. having massive headaches. I've helped change some spf records for a few folks and I feel like I'm becoming an Avanan sales rep at this point. I should get a commission.
BaconEatingChamp@reddit
I just said this in another comment....supposedly our VAR couldn't get Checkpoint to respond. Will need to try again. "Speaking of Harmony, we are currently trialing Cisco's 'Email Threat Defense' which is a similar API based product (we currently have their hosted inline filter in front of 365). So far a week in, it would be making our lives worse all of the false positives. How is your experience with Checkpoint?"
smilaise@reddit
honestly it seems to work pretty well. the interface is good, quarantines and restore requests work well for clients. we get a good amount of control and can inspect the email headers and body. not many false positives but they do happen. we add whitelists when needed but overall I think it does a good job. I don't say those words very often lol
CeC-P@reddit (OP)
We don't have the budget for Avanan from most of our clients, so I bought the Avalon series from Spiderweb Software on Steam sale instead lol. But seriously, the budget is usually "Hey Paul, you still got those powershell rule exports from the last place you worked?"
And yes. Yes, I do.
btw if anyone wants to do this quick and dirty without properly configuring better impersonation stuff in Defender. It's like 80-90% effective because of how the SPF check order happens and what is considered "outside the organization." MS made a HUGE improvement about 2 years ago to when those things occur, and the rule login went from 0% success rate to near perfect except for fringe cases.
Watch out for flagging your own company's newsletter since HR never told you about SPF records for it and just did it on their own. Ask how I know.
Master-IT-All@reddit
We've seen a few more, but nothing extreme. A few tickets last week and one today. I looked into the one today and it was due to missing DKIM/DMARC for the customer domain.
Primer50@reddit
I saw it yesterday
SuprNoval@reddit
Yes, saw this in my org
TheDarkRedFox@reddit
Yep been cleaning up all day. It’s all coming FROM the user TO the user, so it’s a direct-send exploit. Would recommend disabling that for all your tenants anyways since that’s something that has been targeted every so often for years now. (Just never seen it this bad till today. Looks like someone turned on a bot.)
Disabling direct send via powershell and setting p=reject for DKIM should kill most of it.
Alarming-Road-9967@reddit
Yeah, inboxes are getting hammered today.
Little_Ad_6873@reddit
Been observing this all day for a number of days. At least for the infra that we have email security running. Now for all of my independent owners (650+) who leverage an email system that I can’t monitor, I’m sure a number of them have fallen victim.
Extra-Organization-6@reddit
same pattern since yesterday. what most folks are hitting is the m365 direct send abuse (smtp client submission from unauthenticated sources, default on). two things:
if any of your msp clients are on google workspace, the equivalent is tightening the approved senders list in admin console.
semicolonmia and stiffgerman already nailed it above, those are the two levers that stop 95% of the wave.
delightfuldraws@reddit
Am I tripping. I didn't think there was a toggle in exchange admin
Extra-Organization-6@reddit
fair pushback, i was loose with the labels. the actual path is mail flow > settings (not 'disable direct send'), and the specific toggle is 'reject direct send' which ms added last year as a mitigation for this exact attack class.
powershell equivalent: Set-OrganizationConfig -RejectDirectSend $true
if you don't see it in the ui, check your exchange online module version. some older tenants haven't gotten it yet. the workaround most of those orgs use is a mail flow rule that rejects when 5321.MailFrom equals the recipient.
delightfuldraws@reddit
Dead internet
Extra-Organization-6@reddit
ha, accurate. 2026 internet is just automated emails from one set of scripts getting blocked by another set of scripts, with us in the middle trying to explain it to the finance team.
kangy3@reddit
This really picked up for us starting last Thursday. Today I turned on dmarc verification and quarantining everything else. I have a small org. Roughly 170 licensed accounts. The rule has intercepted over 80 emails since 2pm ct
mickeykarimzadeh@reddit
See my other threads. I posted a PowerShell to make a transport rule to block these messages that fail SPF. This has worked for all my tenants.
absurdhierarchy@reddit
... yes surprisingly
WhodieTheKid@reddit
A few months ago Microsoft posted on a similar issue. People are abusing direct send through unsecure SMTP (direct send). Also verify your company's SPF, DMARC, and DKIM records are set up properly.
Other than that, you can create a transport rule that quarantines "external" emails that state the sender is from the recipient domain. (Even if the sender domain is spoofed, 365 still knows its external.)
SettleBurgers@reddit
Would that transport rule then quarantine legit emails that users send to themselves?
iama_bad_person@reddit
Then that would be an internal message to themselves. Spoofed direct send messages are still labeled as External.
NotABadPirate@reddit
Have you all disabled direct send?
medium0rare@reddit
We’ve seen a huge uptick in spoofing lately. Defender also isn’t doing a great job of preventing a lot of it.
greenonetwo@reddit
Yes, fix your SPF records to be hard reject “-all” and not soft reject “~all”.
DJMagicHandz@reddit
For me it's been going on for at least a month. I'm getting weird attendance phone calls about kids I don't have, random emails at work from vendors I don't use in my line of work. I know the two aren't linked but it started around the same time which I find peculiar.
gamayogi@reddit
Huge wave of spam started last week and this week. Check your domains spf, make sure they are set to hardfail -all, not softfail ~all.
Devious_Halo@reddit
Shut off direct send if you are on MS 365
MarkWeak578@reddit
Yes. So annoying. Had to tighten policies.
-GenlyAI-@reddit
We don't accept international emails and use regex scripts to stop impersonation attempts. So no issues here.
anonymousITCoward@reddit
yea, actually since last thursday we've seen a serious uptick...
ITNetWork_Admin@reddit
Disable direct send and make sure DMARC is set to reject. We had some problems early this year and that fixes our issues. We also said screw it and we make all senders have a SPF configured to send emails to our organization as well.
ztoundas@reddit
I have all of those redirect to an inbox (I'm always afraid my filters will scoop up something important) and it just kept blowing up today. All weekend, I got over 200 of them when I usually just get one to two a day.
CeC-P@reddit (OP)
I'm just happy to find someone smart enough to do this. We got so aggressive with our rules and experiments that we set up a emailcatch@ourdomain and checked it hourly. We found A LOT of weird, fringe exceptions.
ztoundas@reddit
My mail rule is set so that it sends the email for approval to that email box, too. That way if it's a legit email, I just have to hit 'approve' from within the email in that monitoring box and it will allow it through.
Grantsdale@reddit
Yes, major uptick in impersonation emails in the last couple of weeks.
Exotic-Razzmatazz379@reddit
Just dealt with this. We needed to disable direct send.
Hey_Giant_Loser@reddit
Watch your financial controls. We had this happen at the same time as someone attacked one of our banks to compromise our account there. They almost wired out 350k before we caught it at Morgan Stanley.
GandalfDanimator@reddit
Same here, recent uptick in spoofing over past 4 days.
igiveupmakinganame@reddit
i had to set up a direct send rule in exchange online, and then specifically allow domains through that spoof us
matt5on@reddit
Do reject dmarc
Happy_Kale888@reddit
Identity based email filtering really works.
stiffgerman@reddit
Make sure you've got live DMARC set up on your domains, not "p=none". It makes a difference, at least for Exchange Online folks.
TipIll3652@reddit
It started yesterday for us. I was off today but saw the company wide email about it earlier.
Ill-Barracuda9031@reddit
Everyday