Hi everyone!
Today I wanted to share a strange problem I found in O365. It seems really easy to bypass the antispam filter with the X-Sender property if you know how.
An example of a spam that went through:
This email was not tagged as spam, and the sender and the receiver thought they were in the same company. Both contoso.com email aliases are hosted in O365. You can see from the X-Sender that this was not the case:
X-Originating-IP: 192.3.186.164
User-Agent: Workspace Webmail 6.9.59
Message-ID: <……@email23.godaddy.com>
From: Jacky <jacky@contoso.com>
X-Sender: cchj712@adm1ncare.com
Reply-To: Jacky <joshua.braga@aol.com>
To: <Mich@contoso.com>
Note that the SPF record was set up correctly and was strict, but strangely O365 checks the SPF record of the X-Sender, not the sender property.
The SPF check was tricked this way:
Authentication-Results: spf=none (sender IP is 68.178.252.172) smtp.mailfrom=adm1ncare.com; contoso.com; dkim=none (message not signed) header.d=none;contoso.com; dmarc=none action=none header.from=contoso.com.com;compauth=fail reason=601
Received-SPF: None (protection.outlook.com: adm1ncare.com does not designate permitted sender hosts)
As you can see, the SPF check was done on the X-Sender email address, adm1ncare.com, not on contoso.com.
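To make this kind of message easy to spot in bulk, here is an added example (my own code, not part of the original post) that parses the headers quoted above and lists every reason an email claiming to come from your own domain should be distrusted. It reads the identities that Office 365 records in Authentication-Results (smtp.mailfrom is the domain SPF was evaluated against, header.from is the visible From domain) and flags the mismatch between them, alongside the X-Sender and Reply-To differences. The sample message is constructed from the headers in the post; the domain names and the contoso.com "our domain" value are assumptions for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample built from the headers quoted in the post (not a real message).
SAMPLE = """\
X-Originating-IP: 192.3.186.164
User-Agent: Workspace Webmail 6.9.59
From: Jacky <jacky@contoso.com>
X-Sender: cchj712@adm1ncare.com
Reply-To: Jacky <joshua.braga@aol.com>
To: <Mich@contoso.com>
Authentication-Results: spf=none (sender IP is 68.178.252.172) smtp.mailfrom=adm1ncare.com; contoso.com; dkim=none (message not signed) header.d=none;contoso.com; dmarc=none action=none header.from=contoso.com;compauth=fail reason=601
Subject: Invoice

body
"""

# Result tokens (spf=none, dmarc=none, ...) and identity properties (smtp.mailfrom=...).
AUTHRES_FIELD = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
AUTHRES_PROP = re.compile(r"\b(smtp\.mailfrom|header\.from|header\.d)=([^;\s]+)")


def domain_of(addr_header):
    """Return the lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_authres(value):
    """Extract result tokens and identity properties from an Authentication-Results header."""
    out = {k: v.lower() for k, v in AUTHRES_FIELD.findall(value or "")}
    out.update({k: v.lower() for k, v in AUTHRES_PROP.findall(value or "")})
    return out


def spoof_findings(raw, our_domain):
    """Return the reasons a message whose From domain is ours should be distrusted.

    Messages whose From domain is not ours are out of scope and return [].
    """
    msg = message_from_string(raw)
    ar = parse_authres(msg.get("Authentication-Results"))
    from_dom = domain_of(msg.get("From"))
    findings = []
    if from_dom != our_domain.lower():
        return findings

    # SPF is evaluated on smtp.mailfrom; DMARC requires it to align with the From domain.
    mailfrom = ar.get("smtp.mailfrom", "")
    if mailfrom and mailfrom != from_dom:
        findings.append(f"SPF identity {mailfrom} does not align with From domain {from_dom}")
    if ar.get("spf") != "pass":
        findings.append(f"SPF result is {ar.get('spf', 'missing')}, not pass")
    if ar.get("dkim") != "pass":
        findings.append("no valid DKIM signature for the From domain")
    if ar.get("dmarc") != "pass":
        findings.append(f"DMARC result is {ar.get('dmarc', 'missing')}")
    if ar.get("compauth") == "fail":
        findings.append("composite authentication (compauth) failed")

    # The header-level clues the post points at: X-Sender and Reply-To outside our domain.
    xs = domain_of(msg.get("X-Sender"))
    if xs and xs != from_dom:
        findings.append(f"X-Sender domain {xs} differs from From domain")
    rt = domain_of(msg.get("Reply-To"))
    if rt and rt != from_dom:
        findings.append(f"Reply-To domain {rt} differs from From domain")
    return findings


if __name__ == "__main__":
    for reason in spoof_findings(SAMPLE, "contoso.com"):
        print("-", reason)
```

Run it over headers exported from quarantine or a message trace and every line printed is a separate reason the message would have been rejected by a stricter policy. The first finding, the SPF identity not aligning with the From domain, is exactly the condition DMARC enforces, which is why publishing a DMARC record with a quarantine or reject policy for your domain is the standard complement to tightening the tenant's antispam policy.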
To resolve the issue I had to create an antispam strategy and make it stricter.
This is done in your O365 admin portal:
You create an antispam strategy and name it;
You then apply it to your accounts;
Click to create the strategy.
Thanks everyone; it's a small tip, but it comes in handy if you receive a lot of spam/phishing email, as this option is not ticked by default.