I'm facing a weird problem at my workplace where our Office 365 hybrid Exchange setup is being exploited. Two users reported phishing emails that seem to come from themselves, complete with a .pdf attachment, and both reports look identical. The emails show: From: [email protected] To: [email protected] with a subject line claiming to have salary and remuneration details.
These phishing attempts are managing to bypass our Proofpoint email filter, implying the problem is happening within the Microsoft network itself. The sender's IP address traces back to a hosting company in Germany.
I'm really puzzled about how someone can send an email that appears to be from an employee to that same employee. Has anyone dealt with this before? What steps can I take to investigate this issue further? And how do I go about reporting this to Microsoft? Any advice would be greatly appreciated!
5 Answers
These types of emails are getting common these days. It's known that some senders use smart hosting techniques to bypass filters. You really need to restrict inbound email to your Proofpoint connector.
True! It can be a bit tricky, but a good chat with their support can clarify a lot.
You need to set up a mail flow rule to block emails that aren’t coming from the Proofpoint IPs. It can help prevent similar phishing attempts. If the emails aren't from a recognized IP, kick them over to Proofpoint for proper scanning.
Yep, solid advice! Make sure you're regularly reviewing these rules to keep up with evolving threats.
Exactly! That way, you can ensure unauthorized messages are filtered out before they reach anyone's inbox.
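One way to build the mail flow rule described in this answer, as an added example that is not from the thread: it assumes the ExchangeOnlineManagement PowerShell module is installed, and the IP ranges are placeholders to be replaced with the inbound relay addresses your Proofpoint tenant actually uses.

```powershell
# Added example, not code from the original thread. Requires the
# ExchangeOnlineManagement module (Connect-ExchangeOnline prompts for sign-in).
Connect-ExchangeOnline

# PLACEHOLDER ranges (RFC 5737 documentation space). Replace with the
# inbound delivery IPs published for your Proofpoint instance.
$proofpointRanges = @('192.0.2.0/24', '198.51.100.0/24')

# Reject mail from external senders that did not arrive from Proofpoint.
# FromScope NotInOrganization keeps the rule away from authenticated internal
# and hybrid on-premises traffic, which never passes through the filter.
# Start in Audit mode so legitimate direct senders show up in reports first.
New-TransportRule -Name 'Reject inbound mail that bypasses Proofpoint' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $proofpointRanges `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Inbound mail must be delivered via the Proofpoint gateway' `
    -Mode Audit

# After reviewing the audit hits, switch the rule to enforcement.
Set-TransportRule -Identity 'Reject inbound mail that bypasses Proofpoint' -Mode Enforce

# Confirm the final settings.
Get-TransportRule -Identity 'Reject inbound mail that bypasses Proofpoint' |
    Format-List Name, Priority, State, Mode, FromScope, ExceptIfSenderIpRanges
```

The sender IP this condition evaluates is the address that connected to Exchange Online, so the rule only catches mail that skips the gateway; a spoofed internal address relayed through Proofpoint itself still relies on the impersonation protection mentioned in the later answer.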
Before you dive into the details, it's worth checking how secure your overall system is. Are you using any Unified Endpoint Management (UEM) systems? They might help tighten security.
It sounds like the spammers are exploiting your tenant connector. You should definitely tighten up those security settings. The attackers can sometimes slip through if the system isn’t well-protected. I recommend checking out a guide on how attackers bypass spam filters for more insights.
Absolutely! Every time I've seen this, it's been related to connectors not being tightly managed. Make sure to check Proofpoint's best practices; they have useful resources to help you strengthen your defenses.
For sure! We initially overlooked it with one of our clients too. Just double-check all connectors; it only takes one vulnerability to let these types of emails in.
Have a look at the impersonation protection feature in your email security settings. It helps flag emails from external sources that appear to come from internal addresses. If it's bypassing that, check your Exchange connectors to limit who can send messages through.
Good point! You might want to reach out to Proofpoint support for specific instructions on how best to set that up.