O365 – Exchange Online X-Sender Spam Problem

Hi everyone!

Today I wanted to share a strange problem I ran into in O365. It seems really easy to get a spoofed email past the default anti-spam filter if you know how, and the X-Sender header is what gives the trick away.

An example of a spam message that went through.

This email was not tagged as spam, and the receiver believed the sender was a colleague from the same company: both contoso.com addresses are hosted in O365. The X-Sender header shows that this was not the case. The message was actually submitted through a GoDaddy webmail account as cchj712@adm1ncare.com, with a Reply-To pointing at an unrelated aol.com mailbox.

X-Originating-IP: 192.3.186.164
User-Agent: Workspace Webmail 6.9.59
Message-ID: <……@email23.godaddy.com>
From: Jacky <jacky@contoso.com>
X-Sender: cchj712@adm1ncare.com
Reply-To: Jacky <joshua.braga@aol.com>
To: <Mich@contoso.com>

Note that the contoso.com SPF record was set up correctly and was strict, yet it did not help here. Strange as it looks, this is not O365 checking the wrong thing: SPF is evaluated against the SMTP envelope sender (the MAIL FROM address, reported as smtp.mailfrom), not against the From: header the recipient sees. GoDaddy's webmail copies that envelope address into the X-Sender header, which is why X-Sender, rather than From:, is the address that ended up being checked.

The authentication results show how the check played out:

Authentication-Results: spf=none (sender IP is 68.178.252.172) smtp.mailfrom=adm1ncare.com; contoso.com; dkim=none (message not signed) header.d=none;contoso.com; dmarc=none action=none header.from=contoso.com.com;compauth=fail reason=601
Received-SPF: None (protection.outlook.com: adm1ncare.com does not designate permitted sender hosts)

As you can see, the SPF check was done on adm1ncare.com (the envelope sender, which X-Sender also shows), not on contoso.com. The result was spf=none rather than a hard fail, because adm1ncare.com publishes no SPF record at all, so a rule that only acts on SPF hard failures never fires. The From: header was only covered by the DMARC check (header.from=contoso.com), and dmarc=none means contoso.com had published no DMARC policy, so even though composite authentication failed (compauth=fail reason=601) there was no sender policy telling Exchange Online to quarantine or reject the spoof; what happens to such a message then depends on your own anti-spam and anti-phishing policies.
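To make the distinction concrete, here is an added example in Python (not code from the original post) that reads the headers of a message like the one above and reports whether the From: domain is actually backed by an aligned SPF or DKIM result, the way DMARC would judge it. The sample headers are constructed: the first set is modelled on the spoofed message above (with header.from written as contoso.com), the second is a constructed legitimate internal message for contrast. The list of internal domains is an assumption about the tenant.

```python
"""Added example: is the visible From: domain backed by aligned SPF/DKIM?

Constructed sample headers modelled on the spoofed message in the post, plus a
constructed legitimate message for contrast. INTERNAL_DOMAINS is an assumption
about the tenant. Not code from the original post.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the tenant's own accepted domains (spoofs of these matter most).
INTERNAL_DOMAINS = {"contoso.com"}

# Constructed: modelled on the spoofed message shown in the post.
SPOOF_HEADERS = """\
Authentication-Results: spf=none (sender IP is 68.178.252.172) smtp.mailfrom=adm1ncare.com; contoso.com; dkim=none (message not signed) header.d=none;contoso.com; dmarc=none action=none header.from=contoso.com;compauth=fail reason=601
Received-SPF: None (protection.outlook.com: adm1ncare.com does not designate permitted sender hosts)
X-Originating-IP: 192.3.186.164
User-Agent: Workspace Webmail 6.9.59
Message-ID: <constructed-id@email23.godaddy.com>
From: Jacky <jacky@contoso.com>
X-Sender: cchj712@adm1ncare.com
Reply-To: Jacky <joshua.braga@aol.com>
To: <Mich@contoso.com>

"""

# Constructed: an internal message that authenticates properly.
LEGIT_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com; contoso.com; dkim=pass (signature was verified) header.d=contoso.com;contoso.com; dmarc=pass action=none header.from=contoso.com;compauth=pass reason=100
From: Mich <mich@contoso.com>
To: <jacky@contoso.com>

"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Collect key=value pairs (spf, smtp.mailfrom, dkim, header.d, dmarc,
    header.from, compauth, reason, ...) from an Authentication-Results header.
    The first occurrence of each key wins."""
    fields = {}
    for m in re.finditer(r"([\w.]+)=([^\s;()]+)", value):
        fields.setdefault(m.group(1).lower(), m.group(2).lower())
    return fields


def aligned(auth_domain, from_domain):
    """Relaxed, DMARC-style alignment: same domain, or one is a subdomain of the
    other (an approximation of organisational-domain matching)."""
    if not auth_domain or not from_domain or auth_domain == "none":
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def assess(raw_headers, internal_domains=INTERNAL_DOMAINS):
    """Return alignment verdicts and a list of human-readable findings."""
    msg = message_from_string(raw_headers)
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    from_dom = domain_of(msg.get("From"))
    mailfrom_dom = ar.get("smtp.mailfrom", "")   # the domain SPF was checked on
    dkim_dom = ar.get("header.d", "")            # the domain that DKIM-signed, if any
    spf_aligned = ar.get("spf") == "pass" and aligned(mailfrom_dom, from_dom)
    dkim_aligned = ar.get("dkim") == "pass" and aligned(dkim_dom, from_dom)

    findings = []
    if not (spf_aligned or dkim_aligned):
        findings.append(f"From: domain {from_dom} is not authenticated: "
                        f"spf={ar.get('spf')} on {mailfrom_dom or 'n/a'}, "
                        f"dkim={ar.get('dkim')} on {dkim_dom or 'n/a'}")
        if from_dom in internal_domains:
            findings.append(f"From: claims internal domain {from_dom} "
                            "without aligned SPF/DKIM: likely spoof")
    if ar.get("dmarc") == "none":
        findings.append(f"dmarc=none: {from_dom} publishes no DMARC policy, "
                        "so the failure is not acted on")
    if ar.get("compauth") == "fail":
        findings.append(f"compauth=fail (reason {ar.get('reason')}): "
                        "EOP composite authentication failed")
    x_sender_dom = domain_of(msg.get("X-Sender"))
    if x_sender_dom and x_sender_dom != from_dom:
        findings.append(f"X-Sender domain {x_sender_dom} differs from From: domain {from_dom}"
                        + (" and equals smtp.mailfrom" if x_sender_dom == mailfrom_dom else ""))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To sends replies off-domain to {reply_dom}")

    return {"from_domain": from_dom, "mailfrom_domain": mailfrom_dom,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF_HEADERS), ("legit", LEGIT_HEADERS)):
        result = assess(raw)
        print(f"[{label}] spf_aligned={result['spf_aligned']} dkim_aligned={result['dkim_aligned']}")
        for line in result["findings"]:
            print("  -", line)
```

Run on the spoofed sample it reports that SPF was evaluated on adm1ncare.com (the same domain X-Sender shows), that contoso.com in From: has no aligned SPF or DKIM behind it, that no DMARC policy exists to act on this, and that Reply-To leads off-domain; on the legitimate sample it reports nothing. The X-Sender check is only a convenience for this particular webmail; the alignment check on smtp.mailfrom and header.d is what generalises.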

To resolve the issue I had to create an anti-spam policy and make it stricter than the default one.

This is how, in your O365 admin portal:

Create a new anti-spam policy and give it a name.


Then apply it to your accounts (the recipients or domains it should cover).


Click to create the policy.



Thanks everyone. It is a small tip, but it comes in handy if you receive a lot of spam/phishing email, as the stricter options are not ticked by default. Two caveats worth adding: in the sample above SPF returned none rather than a hard fail, because the attacker's envelope domain had no SPF record at all, so an option that only acts on SPF hard failures would not have stopped it on its own; and the durable fix for someone putting your own domain in the From: header is to publish a DMARC record for contoso.com with p=quarantine or p=reject (the dmarc=none above shows none was published), so that Exchange Online has a sender policy to act on whenever the From: domain is not backed by aligned SPF or DKIM.

This entry was posted in microsoft.