Hey everyone,
I'm dealing with a tricky situation where a user received an email that looks like it came from their own address, but they definitely didn't send it. The email is traced back to an IP address from far away, and we use Microsoft 365 Business Premium with MFA, plus a location-based Conditional Access policy that should prevent logins from that region. However, the sign-in logs don't show any activity from that area. I'm confused about how this email made it to their inbox.
The email came with an SVG attachment, but luckily, the user didn't click on it. In the meantime, I've set up a rule to block emails from that IP range, but I'm concerned that the sender could simply change their IP and continue sending more emails.
Does anyone have insights on how this might have happened or tips for preventing this in the future?
Thanks!
5 Answers
This kind of impersonation is more common than you’d think. If you haven’t set up DKIM and DMARC, do that ASAP! Also, make sure your SPF record is accurate and check if the email really came from your domain. O365 has features to protect against impersonation too, so enabling those would be helpful.
You might not have enough info, but it’s crucial to set up DKIM and DMARC if you haven’t. Check your SPF record too and verify if the sending domain was actually yours. Also, it’s wise to turn on the impersonation protections in O365.
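The three answers above all come down to the same advice: publish SPF and DMARC records and make sure they actually enforce something. The script below is an added example (not code from the thread) that reads SPF and DMARC TXT record strings and flags the weak settings that most often let spoofed mail through, such as a `~all` softfail or a `p=none` monitoring-only policy. The two sample records are constructed for a placeholder domain; in a real check you would feed it the TXT records returned by a DNS lookup of your domain and `_dmarc.<your domain>`.

```python
"""Flag weak SPF and DMARC policies from their TXT record strings.

Added example (not from the original thread). The records below are
constructed samples for a placeholder domain; in practice you would read
the real ones from a DNS TXT lookup of <domain> and _dmarc.<domain>.
"""
import re

# Constructed sample records, typical of a tenant that set up Microsoft 365
# and never moved past the initial defaults.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral, so unlisted senders neither pass nor fail")
    elif last == "~all":
        findings.append("'~all' is softfail; tighten to '-all' once every legitimate sender is listed")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism, so unlisted senders are treated as neutral")
    # Count lookup-causing terms; strip the optional +/-/~/? qualifier first.
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; messages failing SPF/DKIM alignment are still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends failures to junk; p=reject blocks them outright")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected even if the apex policy is strict")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports of who sends as you")
    return findings


if __name__ == "__main__":
    for label, rec, check in (("SPF", SAMPLE_SPF, check_spf), ("DMARC", SAMPLE_DMARC, check_dmarc)):
        print(label, rec)
        for finding in check(rec) or ["no issues found"]:
            print("  -", finding)
```

Run against the two samples it reports the softfail and the monitoring-only DMARC policy; a record pair like `v=spf1 include:spf.protection.outlook.com -all` and `v=DMARC1; p=reject; rua=mailto:...` comes back clean. DKIM is not covered because its correctness is a signing question rather than a one-line TXT record, but the DMARC check above is what makes a DKIM failure matter.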
Have you set up DMARC, DKIM, and SPF correctly? If these aren’t in place, someone can easily spoof an email address, and all these measures help ensure that emails from your domain, which don’t come from your authorized servers, get marked as spam or deleted by default. It sounds like getting those set up should be a priority!
Make sure to review the email headers too. They can provide a lot of information about the origin of the email and help you identify how it got through your filters.
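Reviewing the headers is what tells you how the message got in. The script below is an added example (not code from the thread) of the triage a defender would do on the raw message: walk the `Received:` chain to find the first hop outside your own infrastructure, pull the `spf`/`dkim`/`dmarc` verdicts out of `Authentication-Results:`, compare the visible `From:` domain with the envelope sender in `Return-Path:`, and list attachments with scriptable extensions. `SAMPLE_RAW` is a constructed message modelled on the question (From: shows the recipient's own address, the first external hop is a distant IP, an SVG is attached); the domains, the IP 203.0.113.45 and the internal ranges in `INTERNAL_NETS` are placeholder values you would replace with your own.

```python
"""Triage a suspicious message from its raw headers and MIME structure.

Added example (not from the original thread). SAMPLE_RAW is a constructed
message; all domains and the IP 203.0.113.45 are placeholder values.
"""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed sample. Received headers are read bottom-up: the last one is the
# oldest hop, i.e. where the message entered the mail system.
SAMPLE_RAW = """\
Received: from mx2.example.com ([10.0.0.5]) by mailbox.example.com; Mon, 3 Jun 2024 09:01:00 +0000
Received: from relay.example.net (unknown [203.0.113.45]) by mx2.example.com; Mon, 3 Jun 2024 09:00:58 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=example.net; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=example.com
Return-Path: <bounce@example.net>
From: "Alice Example" <alice@example.com>
To: alice@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: image/svg+xml; name="invoice.svg"
Content-Disposition: attachment; filename="invoice.svg"

<svg xmlns="http://www.w3.org/2000/svg"></svg>
--b1--
"""

# Ranges treated as "our own" relays when walking the Received chain.
# Placeholder: RFC 1918 plus loopback; substitute your tenant's relay ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Attachment types that a browser will render and that can carry script.
SCRIPTABLE_EXTENSIONS = {".svg", ".html", ".htm"}


def parse_message(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text with the modern (EmailMessage) policy."""
    return email.message_from_string(raw, policy=policy.default)


def originating_ip(msg: EmailMessage) -> Optional[str]:
    """Return the first IP outside INTERNAL_NETS, scanning from the oldest hop upward."""
    for header in reversed(msg.get_all("Received", [])):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(header)):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in INTERNAL_NETS):
                return ip
    return None


def auth_results(msg: EmailMessage) -> dict[str, str]:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results header(s)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), flags=re.I):
            results[method.lower()] = verdict.lower()
    return results


def sender_domains(msg: EmailMessage) -> tuple[str, str]:
    """Return (visible From domain, envelope Return-Path domain), lower-cased."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_addr = parseaddr(str(msg.get("Return-Path", "")))[1]
    return from_addr.rpartition("@")[2].lower(), return_addr.rpartition("@")[2].lower()


def risky_attachments(msg: EmailMessage) -> list[str]:
    """Filenames of attachments whose extension is in SCRIPTABLE_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in SCRIPTABLE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw: str) -> list[str]:
    """Run every check and return a list of findings for the analyst."""
    msg = parse_message(raw)
    findings = []
    ip = originating_ip(msg)
    if ip:
        findings.append(f"first external hop: {ip} (compare with sign-in logs and your sending IPs)")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method} verdict: {verdict}")
    from_dom, env_dom = sender_domains(msg)
    if env_dom and from_dom != env_dom:
        findings.append(f"visible From domain {from_dom} does not match envelope sender domain {env_dom}")
    for name in risky_attachments(msg):
        findings.append(f"attachment '{name}' has a scriptable extension")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW):
        print("-", line)
```

On the sample this reports an external first hop at 203.0.113.45, `spf=fail`, `dkim=none`, `dmarc=fail` and a From/Return-Path domain mismatch, which is the signature of a spoofed sender rather than a compromised mailbox: nothing here required a login, which is why the sign-in logs and Conditional Access show nothing. The `dmarc=fail action=none` in the sample is the detail to look for in a real header; it means the receiving side saw the failure but the domain's policy told it not to act.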
Make sure to check for any app registrations tied to the user. Sometimes if they authorized an MFA challenge, it could allow unauthorized access through these app registrations.
Yeah, definitely look into enabling the impersonation protection features in Microsoft 365 too!