Why Isn’t M365 Performing DMARC Lookup on Spoofed Emails?

Asked By TechWhiz23 On

I've been dealing with a frustrating issue where we've received phishing emails that are spoofing our domain. The sender shows a null sender (MAIL FROM: <>), and for some reason, M365 isn't performing a DMARC lookup on that domain in the email header, which leads to accepting the emails instead of rejecting them. I've tried to replicate the issue using telnet and connecting to our third-party server, and during those tests, M365 does properly reject emails after performing DMARC lookups. We're currently transitioning to Defender for our email filtering, which complicates matters. Can anyone shed some light on this?

2 Answers

Answered By PhishingMastermind77 On

The reason M365 is bypassing the DMARC check is due to the null sender ('MAIL FROM: <>'), which is a sneaky spoofing technique. DMARC checks look for a domain in that field, and when it's empty, the lookup just doesn't happen. To resolve this, setting up a specific anti-phishing rule in Microsoft Defender can help. This rule should identify external emails spoofing your domain in the From header and block or quarantine them, skipping the normal DMARC check.

EmailNinja99 -

Thanks a lot for this info! When creating that rule, do you also include '<>' in the Mail From fields? I'm puzzled because all my Telnet tests failed to produce the same result as M365.
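A header triage check along the lines of the rule described in the answer above, as an added example that is not part of the original thread: it flags a delivered message whose From header uses the protected domain without a `dmarc=pass` verdict, and notes when the envelope sender is null. The domain `example.com`, the function name `triage`, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: placeholder for the protected domain

def triage(raw, our_domain=OUR_DOMAIN):
    """Return findings for one raw message; an empty list means not flagged."""
    msg = message_from_string(raw)
    # Domain the recipient sees (RFC 5322 From header).
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    # Envelope sender recorded at delivery; "<>" is the null sender.
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    # Only Authentication-Results stamped by your own mail boundary are
    # trustworthy; this sketch assumes forged copies were already stripped.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"\bdmarc=(\w+)", auth, re.I)
    dmarc = m.group(1).lower() if m else "missing"
    # Matches the domain itself and any subdomain, but not "notexample.com".
    uses_our_domain = ("." + from_domain).endswith("." + our_domain)
    findings = []
    if uses_our_domain and dmarc != "pass":
        findings.append(f"From domain {from_domain} without dmarc=pass ({dmarc})")
        if null_sender:
            findings.append("null envelope sender (Return-Path: <>)")
    return findings

SAMPLES = {  # constructed messages, not taken from the thread
    "spoof_null_sender": (
        "Return-Path: <>\n"
        "Authentication-Results: spf=none smtp.helo=host.invalid; dkim=none;\n"
        " dmarc=none header.from=example.com\n"
        'From: "IT Support" <helpdesk@example.com>\n'
        "Subject: Password expiry\n\nbody\n"),
    "legit_internal": (
        "Return-Path: <alice@example.com>\n"
        "Authentication-Results: spf=pass smtp.mailfrom=example.com;\n"
        " dkim=pass; dmarc=pass header.from=example.com\n"
        "From: Alice <alice@example.com>\nSubject: Minutes\n\nbody\n"),
    "external_bounce": (  # a null sender alone is normal for bounces
        "Return-Path: <>\n"
        "Authentication-Results: spf=pass smtp.helo=mail.example.net;\n"
        " dkim=pass; dmarc=pass header.from=mail.example.net\n"
        "From: Mail Delivery <postmaster@mail.example.net>\n"
        "Subject: Undeliverable\n\nbody\n"),
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw) or "ok")
```

The third sample is there because bounces and delivery notifications legitimately use a null sender, so the null sender is only reported alongside a From-domain finding, never on its own.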

Answered By SecureMailGuru45 On

It sounds like you might be facing an issue with DirectSend. There's a useful guide that explains how this can happen when dealing with phishing emails. Check it out to see if it helps you understand the issue better!

CuriousCat98 -

Yes! I've encountered this too and it took us weeks to figure it out. We created a rule to block any emails sent directly to the Exchange server, with a few exceptions like voicemail notifications from MS Teams.
