I recently encountered a serious issue where our email security gateway failed to catch phishing emails sent by an external user. This user was hacked and sent phishing attempts to all their contacts, including 47 to our organization. While most emails were caught by our security measures, two ended up in Microsoft Booking accounts that lack email licenses. Consequently, these emails bypassed our gateway completely and led to one of our users' accounts being compromised. I'm at a loss for how to close this security gap without shutting down the booking function, which I can't do. Has anyone experienced a similar issue or found workarounds? I haven't found much information online regarding this specific problem.
4 Answers
It sounds like you're dealing with a misconfiguration issue. Make sure you specify what email security platform you're using, so others can provide tailored advice. In many cases, problems stem from improper whitelisting or not inspecting messages from other Exchange Online tenants. Look into your configuration settings—fixes can vary significantly depending on your platform.
Consider the "ForwardingSMTPAddress" property in Bookings. If you don't need that for identifying owners, you could remove the users from it with a script and schedule it to run daily. While this is a band-aid solution, it might buy you some time while addressing your gateway issues.
You might want to check out this [link](https://www.busted.dk/blog/discovering-automatically-created-mailboxes-by-microsoft-bookings-in-your-tenant/) I found. It discusses creating rules for those automatically generated mailboxes via PowerShell. It'll help you manage them better until you find a permanent fix.
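The two suggestions above (clearing the forwarding address on Bookings mailboxes, and enumerating the mailboxes Bookings creates automatically) can be combined into one scheduled script. The following is an added example, not code from the thread or from the linked article. It assumes the ExchangeOnlineManagement module is installed and that the account running it has Exchange admin rights; the report path and the decision to also turn off DeliverToMailboxAndForward are the example's own choices.

```powershell
# Added example, not from the original thread. Assumes the ExchangeOnlineManagement module
# (Connect-ExchangeOnline, Get-EXOMailbox, Set-Mailbox) and an Exchange admin account.
# Supports -WhatIf so the first run only reports what would be cleared.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ReportPath = ".\bookings-forwarding-report.csv"   # assumed report location
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Bookings creates one mailbox per booking calendar; Exchange reports it as a SchedulingMailbox.
$bookingMailboxes = Get-EXOMailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward, WhenCreated

$report = foreach ($mbx in $bookingMailboxes) {
    $hasSmtpForward = -not [string]::IsNullOrEmpty($mbx.ForwardingSmtpAddress)
    $action = 'None'

    if ($hasSmtpForward) {
        # ShouldProcess returns $false under -WhatIf, so nothing is changed on a dry run.
        if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, 'Clear ForwardingSmtpAddress')) {
            Set-Mailbox -Identity $mbx.Identity -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
            $action = 'Cleared'
        } else {
            $action = 'WouldClear'
        }
    }

    [pscustomobject]@{
        DisplayName           = $mbx.DisplayName
        PrimarySmtpAddress    = $mbx.PrimarySmtpAddress
        ForwardingSmtpAddress = $mbx.ForwardingSmtpAddress
        ForwardingAddress     = $mbx.ForwardingAddress   # internal recipient forward, reported but left alone here
        WhenCreated           = $mbx.WhenCreated
        Action                = $action
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with `-WhatIf` to see which Bookings mailboxes currently forward, and keep the CSV: a forwarding address that reappears on the next daily run is a sign that someone (or the Bookings page itself) re-added it. For an unattended daily run the interactive `Connect-ExchangeOnline` call would need to be swapped for certificate-based app-only authentication (`-CertificateThumbprint`, `-AppId`, `-Organization`), which the example does not set up.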
If you're using Proofpoint, check the headers on some of the messages that got through. If they lack Proofpoint properties, they were delivered directly. To prevent that, review your connector settings and ensure that emails not routed through your connector are rejected. I've seen instances where spam gets around MX records, so tighten those rules to enhance your security.
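A quick way to do the header check described above across a batch of saved messages is to parse the headers and look for both the gateway's own stamps and a Received hop through the gateway. The following is an added example, not code from the thread. The `X-Proofpoint-` header prefix and the `pphosted.com` host pattern are assumptions taken from how Proofpoint-hosted relays commonly appear; confirm both against a known-good message in your own tenant before relying on the result. The two header samples are constructed, not real captures.

```powershell
# Added example, not from the original thread. Header prefix and host pattern are assumptions;
# verify them against a message you know went through your gateway.
function Test-GatewayTransit {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string[]]$GatewayHeaderPrefixes = @('X-Proofpoint-'),   # assumed gateway stamp
        [string]$GatewayHostPattern = 'pphosted\.com'            # assumed gateway relay host
    )

    # Unfold RFC 5322 continuation lines (a line beginning with whitespace continues the header above it),
    # then keep only "Name: value" lines.
    $unfolded = ($RawHeaders -replace "`r?`n[ \t]+", ' ') -split "`r?`n" | Where-Object { $_ -match '^\S+:' }

    $gatewayHeaders = $unfolded | Where-Object {
        $line = $_
        $GatewayHeaderPrefixes | Where-Object { $line -like "$_*" }
    }
    $received   = $unfolded | Where-Object { $_ -match '^Received:' }
    $gatewayHop = $received | Where-Object { $_ -match $GatewayHostPattern }

    [pscustomobject]@{
        TransitedGateway   = [bool]($gatewayHeaders -or $gatewayHop)
        GatewayHeaderCount = @($gatewayHeaders).Count
        ReceivedHops       = @($received).Count
        # Received headers are prepended by each hop, so the last one is the earliest (closest to the sender).
        EarliestHop        = @($received) | Select-Object -Last 1
    }
}

# Constructed sample: message relayed through the gateway before reaching Exchange Online.
$viaGateway = @"
Received: from mx.example.com (mx.example.com [198.51.100.10]) by outlook.office365.com
Received: from mx0a-00000000.pphosted.com ([203.0.113.5]) by mx.example.com
X-Proofpoint-Virus-Version: constructed-placeholder
From: partner@example.net
Subject: Invoice
"@

# Constructed sample: message delivered tenant-to-tenant straight from another Exchange Online
# tenant's outbound service, never touching the gateway.
$direct = @"
Received: from mail-xx.outbound.protection.outlook.com (mail-xx.outbound.protection.outlook.com [192.0.2.20])
 by outlook.office365.com with Microsoft SMTP Server
From: partner@example.net
Subject: Invoice
"@

Test-GatewayTransit -RawHeaders $viaGateway   # TransitedGateway = True
Test-GatewayTransit -RawHeaders $direct       # TransitedGateway = False
```

A `False` result for a message that ended up in a user's mailbox is the symptom to chase. On the Exchange Online side, the setting that makes such messages fail instead of land is the inbound connector restriction (`Set-InboundConnector -RestrictDomainsToIPAddresses $true -SenderIPAddresses <gateway IPs>`, or the certificate-based equivalent); the parameter names are given from memory of the Exchange Online cmdlets and should be checked against your tenant before use.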