Hey everyone, I'm curious if anyone here has run into a sneaky new spoofing method lately. We're seeing some of our users receive emails that look like they're coming from their own addresses, along with strange HTML attachments. This has been happening even after they've changed their Office 365 passwords and reset their MFA. Our SonicWall email filtering usually catches spam and phishing attempts well, but this spoofing is particularly tricky since it appears to be coming directly from the user's email. If you've experienced anything similar, I'd love to hear your thoughts on how to tackle this!
5 Answers
Yeah, this issue seems to be popping up everywhere lately. Make sure you’ve turned off Direct Send in your Exchange settings; that should help mitigate the problem.
Sounds like a classic case of Direct Send exploitation. You might want to disable that feature in your Exchange settings if you haven’t already. More info can be found here: [Direct Send Exploit](https://www.varonis.com/blog/direct-send-exploit).
Thanks for pointing that out!
I disabled Direct Send in my organization after noticing this problem spreading like wildfire just a week or two ago. Microsoft really needs to take action on this. There’s no way to check if you’re using direct send legitimately before making changes, which is frustrating.
I talked to a colleague today who’s facing similar issues. This seems to be a widespread problem!
It sounds like you’re experiencing emails coming from users' own addresses, which has been a known issue with Microsoft for a while. When you spoof an email from your own address, even if it fails DMARC checks, Exchange Online can still deliver it back to you. A new toggle was recently introduced that you should check out. Here's a link for more info: [Tech Community Blog](https://techcommunity.microsoft.com/blog/exchange/introducing-more-control-over-direct-send-in-exchange-online/4408790).
Thanks for sharing this! I'll definitely disable direct send.
I set up a transport rule to delete emails if they fail DMARC; it might be worth considering.
Turning off Direct Send should help; this spoofing can bypass your Security Email Gateway (SEG) because it looks like you're just emailing yourself.
Thanks for the clarification!
Appreciate the advice!
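The two remedies raised in this thread (the new Reject Direct Send toggle and a transport rule for DMARC failures) expressed as Exchange Online PowerShell, as an added example that is not from any of the posters. It assumes the ExchangeOnlineManagement module is installed; `contoso.example` and the rule name are placeholders, and the rule quarantines rather than deletes so that any legitimate device or application mail it catches can be reviewed and released.

```powershell
# Added example, not from the thread. Placeholder domain: contoso.example
Connect-ExchangeOnline

# 1. Check the current state before changing anything.
Get-OrganizationConfig | Format-List RejectDirectSend

# 2. Turn on the toggle described in the Tech Community post. Once enabled,
#    unauthenticated inbound mail that claims a From address in one of your
#    accepted domains is rejected instead of being delivered "back to you".
#    Devices or apps that relay through Exchange Online without authenticating
#    must be moved to SMTP AUTH or a certificate/IP-based connector first.
Set-OrganizationConfig -RejectDirectSend $true

# 3. Confirm the change took effect.
(Get-OrganizationConfig).RejectDirectSend

# 4. Defence in depth: a mail flow rule for messages that spoof our own domain
#    and fail DMARC. Direct Send traffic arrives over an unauthenticated
#    connection, so Exchange evaluates it as NotInOrganization even though the
#    From address is ours; the Authentication-Results header carries the
#    DMARC verdict Exchange Online stamped on the message.
New-TransportRule -Name "Quarantine DMARC failures from our own domain" `
    -FromScope NotInOrganization `
    -SenderDomainIs "contoso.example" `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "dmarc=fail" `
    -Quarantine $true `
    -Comments "Self-addressed spoofing: unauthenticated mail from our domain failing DMARC"

# 5. Review what the rule is catching so legitimate senders can be fixed
#    rather than silently lost.
Get-TransportRule -Identity "Quarantine DMARC failures from our own domain" |
    Format-List Name, State, FromScope, SenderDomainIs, HeaderContainsWords, Quarantine
```

Rule order matters: keep this rule near the top of the list with `-Priority 0` if other rules could stop processing before it runs.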