We're being bombarded with phishing emails

[-]

doctorevil30564@reddit

In the last week, in addition to tons of the usual fake office 365 notification emails that we have been filtering and blocking for quite some time, we have started getting emails coming from Amazon EC2 instances running exchange that has a png file attachment as well as embedded html code that isn't showing up when I look at the raw message as a text file that makes it look like an official email from microsoft, the PNG file has a QR code that at first glance appears to be authentic (at least to the end user's perspective) that goes to a office 365 credential phishing site. the emails are coming from [anomalysquared.com](https://anomalysquared.com). Despite several reports to proofpoint with permalinks to the offending emails and a description of the problem they are still coming and I had to block that domain, but it will only stop them until they change to another domain. I am also filtering for the phrase "Please Protect your account" the subjects so far have been userfirstname.userlastname, Please Protect your account, with the same thing showing up as the first line in the email I have saved the .eml files for several dozen of these emails and sent them to Amazon EC2 abuse and they have been extremely unhelpful. You would think they would want to stop these assholes as it is making them look bad for allowing it to happen. I am to the point of just blocking all emails coming from any amazon aws or ec2 site.

Reply

[-]

uSnooGoats4582@reddit

I also got suspicious from " u/Kelly-Newton mentioned you in r/u_Kelly\-Newton" · When I put her user name in the Reddit search I find she doesn't exist. The comment she sent was " **. . . . . . . . . . . . . . . Impossible-Law260** u/Impossible-Law260 " and that user name also is not on Reddit.

Reply

[-]

Middle-Program-8839@reddit

We have had a attack with the subject “Direct ACH Deposit Processed” and a .html link. The weird part is, our 3rd party live mail trackers could only see 1 instance of this email but I found it was in multiple different inboxes. Anyone got any idea why? We use Hornet Security (inherited recently).

Reply

[-]

DeifniteProfessional@reddit (OP)

> our 3rd party live mail trackers could only see 1 instance of this email but I found it was in multiple different inboxes. Anyone got any idea why? Was it sent to a DL maybe?

Reply

[-]

Middle-Program-8839@reddit

Turns out we had the microsoft default domain and aliases assigned to all users. This default domain was not covered by our 3rd party spam filter hence why it never saw most of the mails. All fixed now 😀 thanks

Reply

[-]

dustdealer@reddit

Same here. Are you using Office365 too? Nobody else has acknowledged it yet, but we're suddenly getting 30x more phishing attempts past our filters.

Reply

[-]

Smart_Dumb@reddit

Was the subject "Direct ACH Deposit Processed"? If so, we got a ton of those as well.

Reply

[-]

Gene_McSween@reddit

I'm getting a ton of these but Defender has been catching them and blocking delivery. Do you have E5 license or S5 addon to your E3 license? We added S5 addon about 2 years ago and it was the best decision I've ever made.

Reply

[-]

DeifniteProfessional@reddit (OP)

We have MS Defender licenses, but not E3 or S5 - do they provide genuine email security advantages? Could be our way to sell E3 to the board of partners

Reply

[-]

Gene_McSween@reddit

The S5 addon gives you all the advanced defender stuff for email and endpoints. It's like crowdstrike and mimecast in one. It's a huge difference over the default stuff.

Reply

[-]

smoke2022@reddit

>Deposit same i checked, we got 8 of those, but they got quarantained phishing - file detonation : gzip;gz Phish\_HTML\_MacLer\_A

Reply

[-]

Smart_Dumb@reddit

No. But I shouldn't need extra licenses for what I see as basic phish/spam protection.

Reply

[-]

Gene_McSween@reddit

This isn't basic protection, these are much more sophisticated than you think. Cheap out on security at your own peril.

Reply

[-]

FoxDoesNot@reddit

We’ve been getting loads of those this year

Reply

[-]

smartas@reddit

Same. 😞

Reply

[-]

skflight@reddit

Oh yes I'm familiar with this one

Reply

[-]

odinsdi@reddit

Us too

Reply

[-]

brosauces@reddit

Yes, those are hitting us.

Reply

[-]

DeifniteProfessional@reddit (OP)

Oooh yes, 365 indeed. I even increased the spam protection aggressiveness recently. To be fair, our quarantine is absolutely packed (probably because we block emails with .htm attachments), but so many emails are still coming through. It's like MS Defender is just doing jack shit. You'd really think that an email with the text "update your SharePoint password" would be picked up by any respectable filter

Reply

[-]

manvscar@reddit

Create a custom mail flow rule that blocks any email that: - is sent from any of your domains - comes from outside the organization This will catch a huge portion of those phishing password reset emails.

Reply

[-]

Gene_McSween@reddit

Otherwise known as spoofed mail. It will block less good mail if you say: * From your domain * Fails SPF checks

Reply

[-]

manvscar@reddit

I like it.

Reply

[-]

wazza_the_rockdog@reddit

That should be handled by a rule blocking any email that fails SPF - this way if you have any genuine external systems that send emails from your domain but not through 365, they'll still arrive - but non approved IPs still can't spoof you.

Reply

[-]

manvscar@reddit

You're assuming that all phishing emails fail SPF. They don't...

Reply

[-]

Someone_Says_Hello@reddit

We recently set up a transport rule to quarantine emails with a bunch of extensions, including htm/html. It is catching a lot of this type of phishing.

Reply

[-]

dustdealer@reddit

Good luck. We've had that same rule in place for years and it's still letting .htm files zip right through. Here's a [thread](https://old.reddit.com/r/sysadmin/comments/11ytigx/office365_cant_block_htm_attachments/) I started yesterday describing the issue:

Reply

[-]

Pork_Bastard@reddit

ours are catching all the htm and html, although i'm not sure if they are the "special" ones being discussed. but good lord the amount in last 36 hours is VERY disturbing

Reply

[-]

nocturnal@reddit

Something about Microsoft recently updated their protection policies and they’re overriding our custom rules regardless. And of course they say it’s for our own safety.

Reply

[-]

manvscar@reddit

I noticed the same thing. And they magically enabled end user spam notifications AGAIN, where I specifically disable it and tell end users those emails are always malicious.

Reply

[-]

PowerShellGenius@reddit

>those emails are always malicious. Various major ERPs will send purchase orders to vendors, as well as various other business documents to customers, as .html files because it gives them the flexibility to format how they do, and have expand/collapse sections, etc.

Reply

[-]

manvscar@reddit

You misunderstood. I'm taking about end user spam notification emails.

Reply

[-]

jmbpiano@reddit

We've had a marked increase as well over the past month and our filter is Barracuda, not O365. Anecdotally, I've been seeing an increase in folks bypassing the spam filter on my personal gmail too. Not sure what breakthrough the spammers have had recently, but it seems to be a widespread impact.

Reply

[-]

secret_configuration@reddit

Same here, definitely noticed an uptick in phishing emails getting through the Barracuda. Barracuda is thrash though and we are moving to Proofpoint.

Reply

[-]

tankerkiller125real@reddit

We have not experienced this yet. However our phishing filters on M366 are set to be extremely tight.

Reply

[-]

Sow-pendent-713@reddit

Same for us

Reply

[-]

0xC0ntr0l@reddit

For us its been a flood making it into inboxes because it is coming from real accounts with either compromised domains or just that one email account. No attachments but sharepoint links that goes to a One Note in someones 365 account that shows a picture of the phishing email to click on.

Reply

[-]

GhoastTypist@reddit

Pretty much same. A lot of new things coming though mostly.

Reply

[-]

boot_strap_@reddit

+1 : Many of our users are reporting bounce backs for emails they never sent out, And our M365 quarantine contains the same emails (The from and to address appear to be the same), Analyzing the headers indicate that the emails are sent via some random mailgun host. Super confusing.

Reply

[-]

wasteoide@reddit

Someone is spoofing your domain using mailgun. Receiving servers are using your MX record to send the bounceback instead of the return path.

Reply

[-]

boot_strap_@reddit

Oof, Need to investigate this - Thanks for the insight! :)

Reply

[-]

wasteoide@reddit

Just make sure you have an SPF record that ends in -all, and configure DKIM on as many services as you can.

Reply

[-]

Imhereforthechips@reddit

Strict SPF,DKIM, DMARC rules. Strict anti-spam, strict anti-malware and anti-phishing. Also, mail flow for spf=fail at a min and voila, no more spam shit. But yea, my honeypot has seen so much more than normal.

Reply

[-]

DeifniteProfessional@reddit (OP)

> my honeypot Is that just an email address you created and started publishing around the place? Seems like a really good idea to catch emails that users may otherwise not report

Reply

[-]

Imhereforthechips@reddit

That is exactly what it is!

Reply

[-]

tryfor34@reddit

Something you can do is a mail rule for htm and html files. Potentially having them go to junk automatically.

Reply

[-]

DeifniteProfessional@reddit (OP)

That has caught a *lot* of them, but there's plenty of emails that are just a shitty 365 looking email with a link to a compromised but legitimate WordPress based website

Reply

[-]

8FConsulting@reddit

Hi there: I have set up rules in both Workspace and M365 to block HTML and HTM file attachments; in Workspace it is working fine, but in M365 what I am noticing is that if the recipient receives an email from an address in the past, the email still shows the attachments - when I emailed them using a new email never used before, it went into spam folder and stripped the attachments per the rule. Any idea why I can't get it to do the same to previously accepted email addresses? I want to make sure it does it for any and all incoming email addresses in case one of their vendors/customers are hacked and sending out garbage....

Reply

[-]

DeifniteProfessional@reddit (OP)

What's your rule look like in 365?

Reply

[-]

manvscar@reddit

Now is a good time to setup proper conditional access rules in Azure. It's a bit of work, but it ensures that attackers can't login to your accounts outside the users' home country, even if they have their creds and are able to trick an MFA push.

Reply

[-]

DeifniteProfessional@reddit (OP)

Already have a force MFA CA rule, is there anything else we should consider? As I'm fairly sure MFA is useless against these phishing attacks

Reply

[-]

dareyoutomove@reddit

Yes. And, they can steal session cookies now, defeating most MFA setups.

Reply

[-]

PowerShellGenius@reddit

How someone can steal a session cookie for [login.microsoftonline.com](https://login.microsoftonline.com) * \[Extremely unlikely\] They are control of a your network or an ISP network, to play man in the middle, AND possess a cert for Microsoft's login domain from a CA your workstations trust * If this is true, an end-user O365 account only the beginning of the nightmare... * \[Fairly unlikely\] They have a zero-day for your browser that can get it to return the cookie to the wrong site. * Keep things patched * \[More likely\] They have malicious software or a malicious browser extension on the client to access this data directly * Group/MDM policy for browsers should prevent unauthorized extensions * Software Restriction Policy or AppLocker should prevent users from running executables * Antivirus, of course * \[MOST LIKELY\] **The user did not actually log into Microsoft's real site - they logged into a clone.** * Even "phishing resistant MFA" via Microsoft Authenticator can't stop this if it's passing data to/from the real [login.microsoftonline.com](https://login.microsoftonline.com) in realtime * **FIDO2 keys will stop this in its tracks.** *You are no longer relying on a human to verify they are really on a Microsoft site.* The browser will only look up credentials stored on the security key under the domain it's connecting to. Not ones that are one character off or look similar.

Reply

[-]

HighOnLife@reddit

Any thoughts on tweaking traditional MFA tokens? We get the last one and no way I'd get buy off on getting keys for a company of my size.

Reply

[-]

PowerShellGenius@reddit

There are schemes where you can use a mobile device as a security key, you have to scan a QR code to connect it and then it talks to Chrome via Google's cloud - I have never really used it. The only way to be completely immune to users logging in via a fake portal is for trusted software, instead of a human prone to missing minor variations, to verify the domain is correct before doing whatever needs to be done to complete MFA. So whatever holds the tokens for MFA needs unbroken electronic communication with the web browser. Nothing on a phone that doesn't electronically communicate with your web browser will ever be idiot-proof.

Reply

[-]

manvscar@reddit

Great summary!

Reply

[-]

skipITjob@reddit

And even if you have number matching, they will be able to set up MFA...

Reply

[-]

PowerShellGenius@reddit

Foreign hackers in "high cybercrime" nations have a good number of compromised "zombie" PCs in "trusted" / "first world" nations in their botnets. Once they abuse them heavily, they get found and remediated, so they are a consumable asset to crooks. They are not likely to burn them on bot spam, so geo-blocking will stop a lot of minor compromises by bots looking for email accounts to spam from. But as soon as they spearphish a worthwhile target like an exec or accountant, they'll be connecting "from" your home country without any difficulty at all.

Reply

[-]

manvscar@reddit

I'm aware of the workarounds, but that's hardly reason not to set it up. Some new ransomware isn't detected by EDR. So probably just throw out EDR because it's not worth it, right? This has saved us on a couple different occasions. If you have a P1 and don't set it up it's just laziness.

Reply

[-]

PowerShellGenius@reddit

>If you have a P1 and don't set it up it's just laziness. Agreed. The question is whether it is worth P1 or not.

Reply

[-]

manvscar@reddit

Ah. A good question indeed.

Reply

[-]

Blue_Zoji@reddit

Haven't seen a dramatic increase. I am seeing a lot of "Voicemail" phishing in the quarantine folder, though. I'm very happy with our KnowBe4 training, though. Almost all of my users are very suspicious of incoming emails now. (No commission, just a happy customer.)

Reply

[-]

DeifniteProfessional@reddit (OP)

KnowBe4 tried to sell us their stuff a long time ago and honestly I think it could be worth trying to invest in training for users. Though MS365 has built in functionality for this, which I believe only requires Business Premium licenses

Reply

[-]

RobotTreeProf@reddit

Yes it started a week or so ago. SO many attempts with Microsoft password expired type of things. Fake insurance things that look like they are legit forms our company expects.  Mr. C-suite put his 365 credentials in one of them and the only thing that saved him from complete compromise was MFA and him quickly calling us when he realized he effed up. It's nasty and I wish we had budget for a 3rd party email filtering service.

Reply

[-]

vrtigo1@reddit

We're using Mimecast and they still get through. Maybe not in the same volume, but one is all it takes. At least your users call you when they realize they effed up. Ours just turn off their computer and go to lunch. Compromise? What compromise? I have no idea what you're talking about.

Reply

[-]

DeifniteProfessional@reddit (OP)

> Ours just turn off their computer and go to lunch. Compromise? What compromise? I had this with a user a few weeks ago. They got a password expiry email, followed the link, "reset" their password (including entering in MFA) and then called it a day. I only got alerted because the email got picked up by ZAP and alerted me to the link click. Fortunately didn't look like the account was properly compromised, but still they didn't seem to care they cocked up

Reply

[-]

PowerShellGenius@reddit

>At least your users call you when they realize they effed up. Ours just turn off their computer and go to lunch. Compromise? What compromise? I have no idea what you're talking about. What does your company do if people report that they think they fell for phishing? If the answer is disciplinary action of any sort, what you are observing is simply inevitable. People will not testify against themselves without immunity. There should be a clear policy that disciplinary action is possible when IT traces an unreported breach to their account, but absolutely off the table if someone messes up and reports themselves first.

Reply

[-]

xSevilx@reddit

Anyone who fails gets published with the same training they already watched in my company. It's really unfortunate but also necessary.

Reply

[-]

Gene_McSween@reddit

This! I won't reveal this information to their managers. If asked; I tell them it's confidential and a matter for the IT department. Basically, None of your damn business!

Reply

[-]

Luxily@reddit

Check out ZIX email security. They were once called Appriver but got bought by openText. They seem to do a good job and their web interface has been nice.

Reply

[-]

commissar0617@reddit

Proxmox has a mail filter that's pretty effective

Reply

[-]

Zulgrib@reddit

Care to share your experience with it? Was curious and didn't have time to test it yet.

Reply

[-]

commissar0617@reddit

Well, for the time i used it before we migrated, it worked well.

Reply

[-]

Zulgrib@reddit

Was it performing well in not creating false positives etc?

Reply

[-]

commissar0617@reddit

Yeah, not to many. But we were a small buisness

Reply

[-]

phalangepatella@reddit

We use AppRiver Email Threat Protection and it dirt cheap. I’m sure we’re paying less than $50 month for about 60 years.

Reply

[-]

anonymousITCoward@reddit

Our users have been too, 3 verified suckers yesterday, all of which downloaded and tried running the file, some .js thing thankfully it was caught by our S1 in time... I'm just not emotionally ready for another crypto event.

Reply

[-]

Middle-Program-8839@reddit

Oh no, clickers! 😞

Reply

[-]

supaphly42@reddit

We've been getting blasted as well, definitely some big push going on.

Reply

[-]

maggotses@reddit

Using only 365 filters? Recipe for disaster!

Reply

[-]

caponate@reddit

We have begun putting our O365 clients behind the spam mail filtering service as our on prem email clients. No matter how strict I made the settings in 365 this shit was still coming through.

Reply

[-]

MadJax_tv@reddit

Install AA batteries and shot the bombers down pew pew pew

Reply

[-]

Sreeper@reddit

We’ve noticed the exact same thing - I've gone ahead and made a mail flow rule to send anything with the subject 'Expired Password Notification' (and a few variations) straight to quarantine and then I handle it from there.

Reply

[-]

Xaan83@reddit

Anything with an HTM or HTML attachment from outside the organization goes straight to quarantine. Also check the message header sent field for your domain/company name. Most of them will come from garbage like * Company Support * Company Portal * Company Helpdesk Dump anything that isn't a match for any real ticketing system / service that you are using. This will cover most of the attempts. It's the single image as the fake body of email from a random sender that are the hardest to deal with, no real content to inspect.

Reply

[-]

InquisitiveMeatbag@reddit

Same for us. I work for the canadian govt. Keep getting phishing attempts sent to inactive mailboxes that forward to the new mailboxes. old inbox are something like @OldDomain.ca but just forwards everything to @NewDomain.ca the phishing emails are titled as "Password Expiry notification for @OldDomain.ca password". and we are getting an ass-load of these, every day for the past like 2 weeks.

Reply

[-]

PlasmoJones@reddit

Invested in the KnowBe4 platform. Force all users to undertake training twice a year, and the Phish Alert button embedded in Outlook works great. It sends their suspect message to their deleted items folder and forwards a clone copy with original envelope info to me for review. I tell them: ALWAYS remember to think before you click, and use that Phish Alert button WHENEVER you’re suspicious. It’s working great. Our users are rock solid against being suckered now.

Reply

[-]

SmallFormalWear@reddit

Our users take it monthly.

Reply

[-]

DruidSpider@reddit

Has else anyone noticed that the latest barrage of ‘expired password’ phishes are all coming from domains that are using outlook.com for their email?

Reply

[-]

PXranger@reddit

Feeling lucky, all the ones I get are from the Security team. I think I’ve had one slip past the filters this year. We keep our email locked fairly tight, not that many users can even use external email, all of us with Admin access have it, it’s almost a game now from IT security trying to see how creative they can be. “Not this time Satan!” (Clicks phish alert button)

Reply

[-]

jdog7249@reddit

Just report any external email as phishing and let someone else decide if it is safe.

Reply

[-]

PowerShellGenius@reddit

I have a user that reports all marketing email from legit major retailers as phishing. And I'm fine with it. I'm not telling someone technically incompetent to click unsubscribe links - if I recognize a reputable company's domain in the *actual* URL I'll do it, otherwise I'll block it.

Reply

[-]

jdog7249@reddit

I report anything that looks fake even if it cam from trusted and verified sources. Now to play a little game of spot the phish using a wonderful gem that my college sent out last month. You can assume any blacked information is the name of a person or the school. https://imgur.io/a/NzrAc0e If you guessed >!legitimate email!< you would be correct. One of these days I am going to train our school admin in not sending out emails that are better phishing emails than actual attempts.

Reply

[-]

AmazedSpoke@reddit

I'm so upset with you right now.

Reply

[-]

PXranger@reddit

I have users that actually do that….

Reply

[-]

MasterIntegrator@reddit

Check domain validation methods advanced email security audit and start "staring and comparing" and writing dump rules.

Reply

[-]

despich@reddit

We have a couple exchange server rules that forward to IT for approval, but yea they have been pounding us hard. I deny about 40 emails a day that fit the criteria every day... We are just about to the point of rejecting any email with any .htm or .html or any .xml attachment like 98% of them are phishing. *Is received from 'Outside the organization' and has an attachment with a file extension that matches one of these values: 'htm' or 'html' or 'xml' or 'one'* We also forward to IT for approval any that have a sending address (name or email address) that has a employee name in it or our company name. That one gets a ton as well. They only send about 5 to 10 from each email address. So by the time you block the sending address it's worthless. I had one a few days ago that took content from a real email the user had sent 6 months prior to another destination and used that in the email to make it look like it was a typical reply from a email they had sent.

Reply

[-]

ryank3nn3dy@reddit

"pounding us hard"... Must.. Resist.... Mum joke...

Reply

[-]

Patchewski@reddit

I have inbound spam filter quarantine .htm and .html (among others). If it’s legit I can release to the user (they’re not). The only downside is that we encourage users to submit suspicious email to helpdesk by sending as an attachment. I’ve also been using Powershell to find and remove phishing email hundreds at a time. Been trying to script it but haven’t been able to get it to work - If anyone has something they’re willing to share.

Reply

[-]

AppIdentityGuy@reddit

The way you route email in out of EOP can dramatically impact this especially if you are doing centralised transport or have something in front of EOP. Have you investigating advanced filtering?

Reply

[-]

AppIdentityGuy@reddit

If you still have hybrid exchange mode do you have a policy that everything coming across the connector from on premises has the SCL set to -1? I’ve seen that a few times… Enhanced filtering is more about the other problem where mail is being dropped into junk or quarantined because of SPF failures

Reply

[-]

FletchGordon@reddit

Care to elaborate?

Reply

[-]

OrganicSciFi@reddit

Same here, it's getting so bad I'm setting mail flow rules to quarantine

Reply

[-]

nocturnal@reddit

What wording are you looking for in the rule?

Reply

[-]

Patchewski@reddit

I’m using inbound spam filter to quarantine.

Reply

[-]

0solidsnake0@reddit

I've seen a lot of phish emails with a clickable picture to reset password or access a shared file.

Reply

[-]

usmclvsop@reddit

We all are

Reply

[-]

opticalnebulous@reddit

This is the second thread about this that I’ve seen in a few days.

Reply

[-]

Yogurtdestroyer@reddit

 https://preview.redd.it/obu9c66dmlpa1.jpeg?width=595&format=pjpg&auto=webp&v=enabled&s=337262e6d88204cc17f93f603cbcfd882bf3516e

Reply

[-]

QuesadillaGATOR@reddit

We've seen many, many token/cookie hijacks through O365. I wasn't even aware of this 2 weeks ago and I've already seen it 2 times. Conditional Access policies forced-MFA be damned!

Reply

[-]

cool-nerd@reddit

Same here but we're not on O365 and use Barracuda cloud filter.

Reply

[-]

GoogleDrummer@reddit

I've seen the 365 expired passwords pretty consistently for a while. Recently we've had a flood of attempts from icloud addresses with .eml attachments.

Reply

[-]

torbar203@reddit

We've been getting a bunch of fake voicemail and fax emails lately, and all of those seem to be coming from compromised iCloud accounts as well.

Reply

[-]

iusethisforquestion@reddit

We have also seen an increase in these types of phishing attempts in the last week and a half or so. Luckily, we've also had an increase of people reporting said emails, although those are obviously only from the people who recognize the phishing attempts. The majority include an .htm or .html attachment that redirects to a random website, or in the case of one we got today, a Google Sites page, which looks like our orgs Microsoft login page. I have been reporting the emails and attachments to Microsoft as well as reporting the source of the emails to the respective abuse channels for whoever is hosting the compromised server. Thought it was a targeted attack to our org, but it is interesting to see a lot of people here having the same experience.

Reply

[-]

williamogle@reddit

Us too, it’s becoming a problem

Reply

[-]

BrobdingnagLilliput@reddit

Your email filtering software is blocking these from reaching the users, right? *RIGHT?!?*

Reply

[-]

TheDaoistTech@reddit

Seeing an increase here myself though we've got multiple layers for filtering and most are being caught. Still had a handful slip through and a couple staff opened up the payloads which tripped other layers and automatons that kicked in saving their endpoints and our network from total catastrophe. Still too close to my liking as well as disappointing as I'll have to change up my training regimen.

Reply

[-]

KiefKommando@reddit

Yeah we are seeing the same thing with our O365, been spending a lot of time submitting things that absolutely should have been blocked. Recent exploits certainly seem to be contributing to the bulk of the new crap flying around out there.

Reply

[-]

bigkahuna1986@reddit

In the last week we've got a rash of "Contract Obligations" emails which have an html attachment. The file (if opened) downloads some scripts 3-4 sites and runs them. We don't know what happens next, since we've only analyzed the first part of the attack but I suspect it's a going to be a expired password prompt. Thankfully my users have been reporting this so none have opened as far as I know. We had to implement a rule to just immediately quarantine all html attachments until we get past this.

Reply

[-]

basec0m@reddit

Between my constant reminders and mimecast rewriting urls and blocking people, I haven't seen a massive increase.

Reply

[-]

ranger_dood@reddit

Yep, have gotten 2 reports in the last 2 weeks, which is more than the 0 I usually get (Small environment) This is funny, because at the same time, Microsoft cranked up their spam rules and we've been seeing a large increase in legitimate emails being caught in quarantine.

Reply

[-]

Sykomyke@reddit

Assuming that these issues are a result of spoofing either microsoft or your internal domain you should have both SPF and DMARC records to help prevent these things from ever hitting your end users mailbox.

Reply

[-]

lechango@reddit

It's not just spoofing, really most of it isn't. It's a loop of people falling for the phishing emails, getting their accounts compromised, and then their accounts being used to blast out more phishing emails, which majorly get through until email providers detect the behavior and block sending from those accounts. Also have been seeing multiple accounts with MFA compromised recently, so obviously the phishing pages are getting advanced in this regard.

Reply

[-]

Bane8080@reddit

Not really. I just took a quick look. We're getting a lot that are filtered, we always do. But only 1 or 2 that got past the filter.

Reply

[-]

J-VV-R@reddit

I have noticed a massive increase of spam emails with the companies I currently work with; especially, with O365. We just block the domain from the first email sent and that usually solves the problem (for that domain), but it doesn't mean you won't get other emails from other domains.. One of the companies I work with tracks and documents every domain from a spam sender for reference.

Reply

[-]

rustic_lan@reddit

Yes I have seen an increase in scammers emails lately, everything started a few weeks back, we also use 0365. I'm lucky users do report this crap 98% of the time. My blocked domain list and blocked senders have increased exponentially in the last 3 months.

Reply

[-]

elasticweed@reddit

Yup, experienced the same thing the past few weeks. All of a sudden getting hundreds of spam e-mails, luckily a majority of them were similar enough that we could create some new policies to deal with it, but it is certainly strange.

Reply

Reply to Post

125 Comments