We've been facing a major issue lately with phishing emails being delivered in Office 365 mailboxes. These emails seem to come from the users themselves, often including malicious links like password resets or voicemail notifications. Even users with E3 plans and advanced Defender security are experiencing these attacks. I've reached out to both Sherweb and Microsoft for support, but haven't found any solutions yet. The headers of these phishing emails show SPF and DMARC failures, but they do have a CompAuth pass with a reason of 703. It seems there's a problem with the Office 365 filters, and I'm not sure what steps I should take next to protect our users.
5 Answers
For those of you working in hybrid setups, you might be able to just disable direct send without affecting your internal communications if they're routed through your Exchange server. Just make sure to check how everything is configured to avoid any disruptions.
We've noticed a spike in these phishing attempts too, especially in the past few days. It seems like an uptick in attacks. I've analyzed the headers and they don’t seem to indicate a cross-tenant issue, which makes it even weirder. Definitely not ideal that Microsoft is allowing these in. I’ve started forwarding them for analysis but it feels like a slow process to get their feedback.
Yeah, the delay in responses from MS can be infuriating!
First off, it's crucial to disable direct send on your Office 365 tenants since this has been a common attack vector lately. Make sure you set up connectors for any legitimate services that need to use direct send, or you might open up more vulnerabilities.
Totally agree! Just remember to check your connectors, so you don’t block necessary communication.
Yep, got to keep those direct sends in check. It’s a big risk.
I was having similar issues and realized it was due to our DMARC policy being set to do nothing. I've since updated it to quarantine suspicious emails when DMARC fails, and that made a huge difference! Seems to be working well now, so you might want to check your DMARC settings.
I think the main issue might be related to that CompAuth 703 reason. It seems like Microsoft's system sometimes misclassifies these messages as legitimate, despite SPF and DKIM failures. If you haven't already, consider setting your DMARC policy to "p=reject" to prevent fraud. Also, maybe set up mail flow rules to quarantine any emails from your own domain that get flagged. It’s annoying, but it can help filter out the bad stuff!
That’s a solid strategy! I also started monitoring spoof intelligence settings in Defender to avoid letting these messages through.
Absolutely! Microsoft’s filters can be quite blind to self-spoofing. Gotta be proactive.

Right? It's so frustrating waiting for Microsoft to take action after the fact. Hoping for quicker updates!
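The thread turns on two checks: whether a message claiming to be from your own domain failed SPF and DMARC yet still passed composite authentication (the header pattern the question describes), and what your published DMARC record actually asks receivers to do with that failure (the p=none problem in the DMARC answer). The script below, as an added example and not code from this thread or from Microsoft, runs both checks over constructed sample headers. It assumes the Authentication-Results layout Exchange Online writes (spf=, dkim=, dmarc=, compauth= reason=NNN), a placeholder tenant domain, and constructed DMARC records; it only flags messages for quarantine, the way the mail-flow-rule suggestion above does, and does not change any tenant setting.

```python
"""Triage of Exchange Online Authentication-Results headers for self-spoofing.

Added example (not code from this thread or from Microsoft). It assumes the
header layout Exchange Online writes (spf=..., dkim=..., dmarc=...,
compauth=... reason=NNN) and uses constructed sample headers and a
placeholder tenant domain.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OUR_DOMAIN = "contoso.example"  # placeholder for the tenant's own domain

# Constructed DMARC records for the tenant domain: the weak one the thread
# describes (p=none, receivers do nothing on failure) and a hardened one.
WEAK_DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.example"
HARDENED_DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.example"

# Constructed Authentication-Results values (sender IPs are documentation ranges).
SAMPLE_HEADERS = [
    # 1: the pattern from the question: our domain in From, SPF and DMARC
    #    fail, yet composite authentication passes with reason 703.
    "spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.example; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=none header.from=contoso.example; "
    "compauth=pass reason=703",
    # 2: legitimate internal mail: every check passes.
    "spf=pass (sender IP is 198.51.100.5) smtp.mailfrom=contoso.example; "
    "dkim=pass (signature was verified) header.d=contoso.example; "
    "dmarc=pass action=none header.from=contoso.example; "
    "compauth=pass reason=100",
    # 3: an external domain failing authentication: not self-spoofing.
    "spf=fail (sender IP is 203.0.113.99) smtp.mailfrom=shop.example; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=none header.from=shop.example; "
    "compauth=fail reason=001",
]

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
REASON_RE = re.compile(r"compauth=\w+\s+reason=(\d{3})")
HEADER_FROM_RE = re.compile(r"header\.from=([\w.-]+)")
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([\w.-]+)")


@dataclass
class AuthResult:
    spf: str
    dkim: str
    dmarc: str
    compauth: str
    reason: Optional[str]       # compauth reason code, e.g. "703"
    header_from: Optional[str]  # domain in the visible From: header
    mailfrom: Optional[str]     # envelope sender domain (SPF identity)


def parse_auth_results(header: str) -> AuthResult:
    """Pull the per-check verdicts and identities out of one header value."""
    fields = dict(AUTH_RE.findall(header))
    reason = REASON_RE.search(header)
    hfrom = HEADER_FROM_RE.search(header)
    mfrom = MAILFROM_RE.search(header)
    return AuthResult(
        spf=fields.get("spf", "none"),
        dkim=fields.get("dkim", "none"),
        dmarc=fields.get("dmarc", "none"),
        compauth=fields.get("compauth", "none"),
        reason=reason.group(1) if reason else None,
        header_from=hfrom.group(1).lower() if hfrom else None,
        mailfrom=mfrom.group(1).lower() if mfrom else None,
    )


def dmarc_policy(record: str) -> str:
    """Return the p= tag of a DMARC TXT record, 'none' when it is missing.

    RFC 7489 makes p= mandatory; a record without it gives receivers no
    policy to apply, which has the same effect as p=none.
    """
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "none")


def triage(header: str, our_domain: str, our_policy: str) -> Dict[str, object]:
    """Flag self-spoofed mail and report what our DMARC record asked for."""
    r = parse_auth_results(header)
    from_us = r.header_from == our_domain
    # The question's pattern: our domain in From, SPF and DMARC failed,
    # but composite authentication still reports a pass.
    self_spoof = from_us and r.spf == "fail" and r.dmarc == "fail" and r.compauth == "pass"
    # Only our own record governs failures of our own domain.
    requested = our_policy if (from_us and r.dmarc == "fail") else None
    return {
        "header_from": r.header_from,
        "mailfrom": r.mailfrom,
        "reason": r.reason,
        "self_spoof": self_spoof,
        "requested_action": requested,
        "recommended_action": "quarantine" if self_spoof else "deliver",
    }


def run_triage(record: str = WEAK_DMARC_RECORD) -> List[Dict[str, object]]:
    """Triage every sample header against the given DMARC record."""
    policy = dmarc_policy(record)
    return [triage(h, OUR_DOMAIN, policy) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for row in run_triage():
        print(row)
```

With the weak record the first sample is flagged as self-spoofing while the domain's own policy requests nothing (`requested_action` is `none`), which is the gap the DMARC answer describes; rerunning with `HARDENED_DMARC_RECORD` changes the requested action to `quarantine` without touching the flagging logic. Feed the function real header values from a quarantined message to confirm the pattern before writing a mail flow rule around it.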