Experiencing Phishing with Mandrillapp URLs?

Asked By CuriousCoder92 On

I've noticed a surge in phishing emails lately that utilize tracking URLs from Mailchimp's Mandrillapp.com. These emails are coming from various domains and seem to bypass Microsoft Defender filters. For instance, the URLs often look something like this (modified for safety): https://mandrillapp.com/track/click/5135493.../maliciousdomain.com?p=random.

I can't block mandrillapp.com URLs entirely because they're frequently used in legitimate emails. I've tried blocking certain IDs like mandrillapp.com/track/click/5135493*, but the attackers just change it up. Occasionally, Microsoft does manage to take them down, but many of these phishing attempts are slipping through.

I'm looking for any suggestions on how to handle this better. We're currently using E5 licenses for 150 users, and I've confirmed that our DMARC, DKIM, and SPF records follow best practices. Yet it feels like we go through cycles where security seems okay for a few months, then we're swamped with issues. Any advice would be appreciated!

4 Answers

Answered By PhishFighter007 On

I’ve been dealing with a similar problem. One thing I’ve found effective is creating transport rules that flag emails containing those mandrillapp.com URLs for manual review instead of auto-blocking them. This allows us to evaluate potentially harmful messages without losing out on legitimate correspondence. Furthermore, employing tools like Abnormal AI is beneficial, as it can identify behavioral patterns that Microsoft Defender misses.

Answered By SecuriTyler On

Such a frustrating situation! You’re right about DMARC; it's working as it's supposed to since the phishing emails are using legitimate Mandrill infrastructure. This makes SPF and DKIM checks pass perfectly. The key here is enhancing your URL reputation scanning. Until Microsoft improves their URL intelligence, it’s like playing whack-a-mole. A temporary solution could be adding a warning banner to any external emails that contain those tracking URLs, which helps your users remain cautious.

Answered By EmailEnthusiast21 On

This is a widespread issue. Attackers often create new Mailchimp/Mandrill accounts and leverage their infrastructure because the emails pass authentication checks, so Defender trusts them by default. A couple of actions that could help you are reporting these accounts to Mailchimp at [email protected]. They tend to act on these cases quickly. You can also set up mail rules to flag or block URLs with mandrillapp.com/track/click if the volume of phishing attempts justifies it. Additionally, ensure your own domain has DMARC set to p=reject to prevent spoofing.

Answered By TechGuru33 On

I've seen a lot of this too! One strategy I've been using is to block sender domains and other URLs included in those phishing emails using Tenant Allow/Block Lists. First, I check the Security portal to see if we've received any legitimate emails from those sender domains or other URLs in the emails. If I find none, I block those domains for 90 days to keep the emails from reaching the inbox. I know it might hurt some innocent domains, but if we haven't interacted with them, it's a necessary action. If I have time, I report the phishing URLs to Microsoft and others as well.
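One way to implement the "flag for review instead of blocking mandrillapp.com wholesale" approach several answers describe, as an added example that is not code from any poster: parse the tracking-link shape shown in the question (mandrillapp.com/track/click/<account-id>/<destination>?p=...), ignore the rotating account id, and surface only redirect destinations your tenant has never legitimately received mail for. The allowlist contents and the sample message body are constructed for illustration.

```python
"""Extract redirect destinations from Mandrill tracking links for review.

Added example for this thread, not code from any poster. The URL shape
follows the question; the allowlist and sample message are constructed.
"""
import re
from urllib.parse import unquote

# Matches the tracking-link shape shown in the question. The numeric account
# id is deliberately not captured because attackers rotate it between waves.
TRACK_RE = re.compile(
    r'https?://(?:www\.)?mandrillapp\.com/track/click/\d+/([^/?#\s<>"\']+)',
    re.IGNORECASE,
)

# Destinations this tenant has legitimately received Mandrill mail for
# (constructed placeholder values; populate from your own mail history).
KNOWN_GOOD_DESTINATIONS = {"newsletter.example.org", "billing.example.net"}


def tracked_destinations(body: str) -> list[str]:
    """Return the distinct, lowercased destination hosts of all click links."""
    hosts: list[str] = []
    for match in TRACK_RE.finditer(body):
        host = unquote(match.group(1)).lower().rstrip(".")
        if host not in hosts:
            hosts.append(host)
    return hosts


def needs_review(body: str, allowlist=KNOWN_GOOD_DESTINATIONS) -> list[str]:
    """Return destinations not on the allowlist; an empty list means no flag."""
    return [h for h in tracked_destinations(body) if h not in allowlist]


# Constructed sample body: one known-good destination and one unknown one.
SAMPLE_BODY = """Hello,
Your invoice is ready: https://mandrillapp.com/track/click/5135493/billing.example.net?p=eyJz
Verify your account now: https://mandrillapp.com/track/click/9987001/login-verify.example.com?p=eyJz
"""

if __name__ == "__main__":
    for host in needs_review(SAMPLE_BODY):
        print("flag for review:", host)
```

The same check can back a transport rule or a mail-flow script: messages whose `needs_review` result is non-empty go to a review mailbox, while legitimate Mandrill senders keep flowing.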
