What’s up with phishing emails seemingly sent from users to themselves in Office 365?

Asked By TechyFox94 On

I'm dealing with some suspicious phishing emails that ended up in my quarantine, and I'm a bit puzzled by them. The emails are appearing to come from [email protected] to [email protected]. When I looked into it using Defender, I saw that the sender's IP was recorded as 0.0.0.0 and labeled as 'Intra-org'. I dug deeper into the headers and found this: Received: from AS4PR09CA0010.eurprd09.prod.outlook.com (2603:10a6:20b:5e0::14) by DB9PR09MB5731.eurprd09.prod.outlook.com (2603:10a6:10:30b::9), but the Authentication-Results indicated a failure for SPF (sender IP is 141.95.113.169). I'm struggling to determine if these emails are originating from inside or outside my organization due to conflicting logs. Any insights?

5 Answers

Answered By EmailWhiz99 On

This could simply be an email spoofing situation. It's a sneaky trick some folks use since SMTP can’t always verify the sender address. The SPF fail is a huge tell here—definitely check your SPF, DKIM, and DMARC settings to tighten things up!

SafetyFirst88 -

Absolutely! Setting up a transport rule to hold or block emails that come from your domain but have an SPF failure is a smart move.

Answered By SecureNetExpert On

You've definitely stumbled upon the infamous "direct send" problem in Office 365. I've faced the same dilemma, and let me tell you, disabling direct send can lead to a whole mess of issues. Microsoft really put us in a tough spot here! But it's essential to thoroughly grasp what direct send is to identify genuine problems and kind of fix things.

SafeguardComp -

Exactly! Once I nailed down the details of direct send, it became a lot easier to spot legitimate issues. Figured out how to fix the ones I could and then cut off direct send altogether.

FilterMaster21 -

Another way to handle this is by creating an inbound connector for your domains that only accepts messages from known good sender IPs. Switching to an SMTP relay instead of direct send could help, too, since direct send misusers will likely fail that.

Answered By NerdyGuru77 On

It sounds like you might be dealing with a direct send issue, which is pretty common in Exchange 365. These emails could be a result of someone using direct send, which lets someone send emails with your internal domain. Check out this article on it if you want to learn more: https://www.varonis.com/blog/direct-send-exploit.

Answered By CleverAdmin56 On

You can also set up a rule in your Exchange to accept emails sent from your domain only if they come from your own IP. Just a heads-up, Microsoft once told us this 'bug' is working as intended when we reported it. Classic, right?!

Answered By InfoTechPro On

To investigate more, use the message header analyzer from the console. Spoofs can show up with an IP of 0.0.0.0 and tagged as intra-org, which can help you further clarify whether it’s a spoof or what.
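The header check described in the thread, as an added example that is not part of any answer above: it pulls the real connecting IP out of the SPF clause of Authentication-Results (the field Defender shows as 0.0.0.0 / Intra-org), checks whether From and To share the tenant domain, and separates an allowlisted direct-send device from an unauthenticated same-domain message. The Received and SPF lines follow the question's headers; the tenant domain, the allowlisted IP and the addresses are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions (not from the thread): the tenant's accepted domain and the
# IPs of devices you intentionally allow to direct-send (scanners, apps).
INTERNAL_DOMAIN = "contoso.example"
KNOWN_DIRECT_SENDERS = {"203.0.113.10"}

# Constructed sample: the Received and SPF lines follow the question's
# headers; addresses and the other header values are made up.
SAMPLE_HEADERS = """\
Received: from AS4PR09CA0010.eurprd09.prod.outlook.com (2603:10a6:20b:5e0::14)
 by DB9PR09MB5731.eurprd09.prod.outlook.com (2603:10a6:10:30b::9)
Authentication-Results: spf=fail (sender IP is 141.95.113.169)
 smtp.mailfrom=contoso.example; dkim=none (message not signed);
 dmarc=fail action=none header.from=contoso.example
From: Alice <alice@contoso.example>
To: Alice <alice@contoso.example>
Subject: Payment advice

"""


def assess_self_send(raw_headers: str, internal_domain: str, known_senders: set) -> dict:
    """Classify a message whose From and To both carry the tenant domain."""
    msg = message_from_string(raw_headers, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    # Defender reports 0.0.0.0 / Intra-org for these; the connecting IP
    # only survives inside the SPF clause of Authentication-Results.
    ip_match = re.search(r"sender IP is ([0-9a-f.:]+)", auth, re.I)
    sender_ip = ip_match.group(1) if ip_match else None
    results = {}
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth, re.I)
        results[check] = m.group(1).lower() if m else "none"
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    to_dom = parseaddr(str(msg.get("To", "")))[1].rpartition("@")[2].lower()
    internal_pair = from_dom == internal_domain and to_dom == internal_domain
    authenticated = results["spf"] == "pass" or results["dkim"] == "pass"
    if not internal_pair:
        verdict = "not a same-domain message"
    elif authenticated:
        verdict = "authenticated internal mail"
    elif sender_ip in known_senders:
        verdict = "known direct-send device (allowlisted IP)"
    else:
        verdict = "probable direct-send spoof from external IP"
    return {"sender_ip": sender_ip, "internal_pair": internal_pair,
            "verdict": verdict, **results}


if __name__ == "__main__":
    print(assess_self_send(SAMPLE_HEADERS, INTERNAL_DOMAIN, KNOWN_DIRECT_SENDERS))
```

Paste the full header block of a quarantined message into SAMPLE_HEADERS (or read it from a file) to run the same triage on real mail; a device you rely on for direct send shows up as allowlisted only once its IP is in KNOWN_DIRECT_SENDERS.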
