I manage our IT at my organization using O365. One of our users recently received an email from the address support@< domain >. I have not created this email address in our domain. I got on with Microsoft support and they did a message trace on it that showed the return path was also support@< domain >. They said this showed that someone was able to create an email address within the domain. I am concerned about what this means and what access this person might have. Is it possible to spoof a return path?
We have MFA enabled for all users. We have SPF enabled and I'm now working on DMARC and DKIM. I've reset everyone's passwords.
What else can I do to protect against this? What can I do to ensure that there is no current unauthorized access to our domain?
Thanks very much.
Perform your own message trace from the Security and Compliance center and verify that the email originated from your Office 365 tenant.
Look at the sign-ins logs in Azure AD for suspicious sign-ins.
Look at the Risky users, Risky sign-ins, and Risk detection logs in Azure AD and look for suspicious activity.
Create a Display Name Spoofing transport rule in Exchange Online to help identify spoofed emails in the future. - https://jaapwesselius.com/2020/03/27/external-senders-with-matching-display-names/
EDIT:
Connect to Exchange Online with PowerShell and run the following to find out whether any mailbox in your Office 365 tenant has the email address in question.
Then run the following to check the same thing for all recipient types:
If there are no mailboxes or other recipient types with that email address then you can rest assured that the email address did not originate from your Office 365 tenant. Then create your Display Name Spoofing transport rule to catch this in the future.
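The commands the answer refers to are not on the page. The following is an added example, not the answerer's own code, that carries out the whole procedure from this answer in Exchange Online PowerShell: check mailboxes, check every other recipient type, run the tenant's own message trace for the sender, and create the display-name spoofing rule the linked article describes. It assumes the Exchange Online PowerShell module is installed; `support@contoso.com` stands in for `support@<domain>`, and the display names in `$ProtectedNames` are placeholders for your own users.

```powershell
# Added example (not from the original answer). Placeholders: the suspect
# address, the display names to protect, and the date window.
Connect-ExchangeOnline

$Suspect = 'support@contoso.com'   # placeholder for support@<domain>

# 1. Mailboxes carrying the address as any proxy address. EmailAddresses
#    holds entries like 'SMTP:primary@...' and 'smtp:alias@...'; the
#    server-side filter is case-insensitive, so one query covers both.
Get-Mailbox -ResultSize Unlimited -Filter "EmailAddresses -eq 'smtp:$Suspect'" |
    Format-Table DisplayName, PrimarySmtpAddress, RecipientTypeDetails

# 2. Every recipient type: shared and resource mailboxes, mail users,
#    mail contacts, distribution groups, Microsoft 365 groups, public folders.
$Hits = Get-Recipient -ResultSize Unlimited -Filter "EmailAddresses -eq 'smtp:$Suspect'"
if (-not $Hits) {
    "No recipient in this tenant owns $Suspect"
} else {
    $Hits | Format-Table DisplayName, PrimarySmtpAddress, RecipientTypeDetails
}

# 3. The tenant's own trace for that sender. Get-MessageTrace looks back at
#    most 10 days. FromIP is the address the message entered the service
#    from; an address that is neither Microsoft's own infrastructure nor one
#    of your inbound connectors means it came from outside, whatever the
#    Return-Path claims.
$End   = Get-Date
$Start = $End.AddDays(-10)
Get-MessageTrace -SenderAddress $Suspect -StartDate $Start -EndDate $End |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status, MessageId |
    Format-Table -AutoSize

# 4. The display-name spoofing rule from the linked article: mail from
#    outside the organization whose From header matches an internal user's
#    display name gets its subject tagged so the recipient notices.
$ProtectedNames = @('Jane Doe', 'John Smith')   # placeholders
New-TransportRule -Name 'External sender using internal display name' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $ProtectedNames `
    -PrependSubject '[EXTERNAL - possible spoof] ' `
    -Comments 'Tags external mail whose From display name matches an internal user'
```

Step 2 is the one that matters for the question: a `Get-Mailbox` miss alone does not prove the address is absent, because a shared mailbox, mail contact or group can own `support@` just as well. Step 3 gives you the same evidence Microsoft support saw, with the entry IP, which is what step 4 of the next answer turns on.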
It's very easy to send from any domain within your network if you allow SMTP relay to O365 from your Corp IP range.
It's a common security misconfiguration that I look for.
Based on the IP(s) you find, this will show who can send spoofed emails from that IP(s) to anyone in your O365 tenant.
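The command this comment refers to is not on the page. As an added example, not the commenter's own code, the script below does the check described here: it lists every inbound connector that admits mail on the strength of a source IP range and tests a FromIP taken from a message trace against those ranges, so you can see whether a host on your own network could have relayed the `support@` message in as internal mail. It assumes an existing `Connect-ExchangeOnline` session; `203.0.113.25` is a placeholder (RFC 5737 documentation range) for the FromIP from your own trace, and only IPv4 ranges are handled.

```powershell
# Added example (not from the original comment). Assumes Connect-ExchangeOnline
# has already been run. IPv4 only; the trace IP is a placeholder.

function Test-IPv4InCidr {
    # Returns $true when $IPAddress falls inside $Cidr ('10.0.0.0/8' or a bare
    # address, which is treated as /32).
    param([string]$IPAddress, [string]$Cidr)
    $prefix, $bits = $Cidr -split '/', 2
    if (-not $bits) { $bits = '32' }
    $toUInt32 = {
        param($s)
        $b = [System.Net.IPAddress]::Parse($s).GetAddressBytes()
        if ($b.Length -ne 4) { throw "IPv6 not handled in this example: $s" }
        [Array]::Reverse($b)                       # network order -> little endian
        [BitConverter]::ToUInt32($b, 0)
    }
    $mask = [uint32]((([uint64]0xFFFFFFFF) -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF)
    ((& $toUInt32 $IPAddress) -band $mask) -eq ((& $toUInt32 $prefix) -band $mask)
}

$TraceIP = '203.0.113.25'   # placeholder: FromIP from your message trace

# One row per connector. ConnectorType 'OnPremises' is the dangerous case:
# mail accepted through it is treated as originating inside the tenant, so
# the spam filter largely stands aside and nothing stops the sending host
# from using any of your accepted domains as MAIL FROM (the Return-Path the
# original poster saw) or in the From header.
$Report = foreach ($c in Get-InboundConnector) {
    $ranges = @($c.SenderIPAddresses)
    $match  = $ranges | Where-Object { Test-IPv4InCidr -IPAddress $TraceIP -Cidr $_ }
    [pscustomobject]@{
        Name                         = $c.Name
        Enabled                      = $c.Enabled
        ConnectorType                = $c.ConnectorType
        SenderIPAddresses            = ($ranges -join ', ')
        TlsSenderCertificateName     = $c.TlsSenderCertificateName
        RestrictDomainsToIPAddresses = $c.RestrictDomainsToIPAddresses
        TraceIPMatches               = [bool]$match
    }
}
$Report | Sort-Object TraceIPMatches -Descending | Format-Table -AutoSize

# Connectors to tighten: enabled, OnPremises, IP-based, and either covering
# the trace IP or covering more than the actual relay hosts.
$Report | Where-Object { $_.Enabled -and $_.ConnectorType -eq 'OnPremises' -and $_.SenderIPAddresses }
```

If `TraceIPMatches` is true for an OnPremises connector whose `SenderIPAddresses` spans a whole office or VPN range, the message can have come from any workstation or appliance on that range with no credentials at all; resetting passwords and enabling MFA do nothing against it. The fix is to narrow `SenderIPAddresses` to the specific relay hosts, or to identify the on-premises server by certificate (`TlsSenderCertificateName`) instead of by IP, and to point devices that only need to send to a few internal recipients at direct send or an authenticated submission instead of the connector.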