I recently encountered a serious issue where phishing emails ended up bypassing our email security gateway. An external user got hacked and sent out phishing emails to their contacts, including 47 targeting our organization. While our email gateway flagged most of them as phishing, two emails were sent to Microsoft Bookings accounts. Since these accounts don't have email licenses by default, the emails were forwarded to the users that created the booking spaces, completely bypassing our security measures. This led to a compromised account for one of our users. I'm looking for ways to plug this security gap without having to shut down the booking function, which I can't do. Have any of you faced similar issues or found workarounds? There seems to be a lack of online resources about this situation.
4 Answers
It sounds like this might be related to misconfiguration on your email security platform. A couple of common culprits could be incorrect whitelisting or not inspecting messages from other Exchange Online tenants. Also, the fix often varies depending on the security platform you're using.
There's a property called "ForwardingSMTPAddress" in Bookings Calendars. If that’s not crucial for identifying owners, you could remove the users from that list with a script and run it daily. It’s not a perfect solution, but it could act as a quick fix while you work on securing your gateway.
I found a blog that discusses this issue with Microsoft Bookings. It suggests creating rules with the accounts found using PowerShell. You can check it out for potential solutions or insights.
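As an added example (not from this thread, and not a Microsoft or vendor script), here is the kind of daily script the two answers above describe: it enumerates the Bookings mailboxes, records which ones have forwarding set, and clears ForwardingSmtpAddress only when run with -Commit, otherwise it just reports with -WhatIf. It assumes the ExchangeOnlineManagement module is installed, that the caller holds an Exchange admin role, and that Bookings calendars appear as mailboxes with RecipientTypeDetails "SchedulingMailbox"; whether clearing the forwarding breaks anything the page owners rely on is something to confirm in your own tenant first, which is why the default is report-only.

```powershell
# Added example: report or clear forwarding on Microsoft Bookings mailboxes.
# Assumptions: ExchangeOnlineManagement is installed, the account has Exchange admin
# rights, and Bookings calendars are the "SchedulingMailbox" recipient type.
# Without -Commit nothing is changed; Set-Mailbox runs with -WhatIf.
param(
    [switch]$Commit,
    [string]$ReportPath = "bookings-forwarding-$(Get-Date -Format yyyyMMdd).csv",
    [string]$AddressList = "bookings-addresses.txt"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Every Bookings calendar is backed by a scheduling mailbox.
$bookings = @(Get-Mailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward)

# Keep a record of the forwarding state before touching anything.
$bookings | Export-Csv -Path $ReportPath -NoTypeInformation

$forwarding = @($bookings | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress })
Write-Host ("{0} Bookings mailboxes found, {1} with forwarding set" -f $bookings.Count, $forwarding.Count)

foreach ($mbx in $forwarding) {
    $target = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress }
    Write-Host ("  {0} -> {1}" -f $mbx.PrimarySmtpAddress, $target)

    # Clear both forwarding properties; the -WhatIf form only prints what would change.
    if ($Commit) {
        Set-Mailbox -Identity $mbx.PrimarySmtpAddress `
            -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    } else {
        Set-Mailbox -Identity $mbx.PrimarySmtpAddress `
            -ForwardingSmtpAddress $null -ForwardingAddress $null -WhatIf
    }
}

# The Bookings addresses are also what a mail flow rule scoped to these accounts would target.
$bookings.PrimarySmtpAddress | Set-Content -Path $AddressList

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Commit, inspect the CSV, then schedule it with -Commit if the owners confirm they do not depend on the forwarding. The address list it writes is the input you would use for a rule targeting exactly these mailboxes.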
If you're using Proofpoint, check the headers of those phishing emails. If they're missing properties that indicate they went through Proofpoint, then they were delivered directly. Adjusting your connectors might help; you want to make sure all mail routes through the connector to avoid bypass issues. In one setup I managed, emails were configured to reject anything not routed through the connector, which solved the issue.
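As an added example of the two checks in this answer (again, not code from the thread or from Proofpoint or Microsoft), the script below first inspects a saved .eml for any gateway-stamped header and for Received hops that are not Microsoft's, which is what a direct tenant-to-tenant delivery looks like, and then, with -CreateRule, creates the Exchange Online mail flow rule that rejects external mail whose last external hop was not the gateway. The header prefix "X-Proofpoint-" and the IP ranges are placeholders you must replace with what your gateway actually stamps and sends from; the rule is created in Audit mode so you can confirm in message trace that only bypassing mail matches before switching it to Enforce.

```powershell
# Added example: (1) check an .eml for evidence it passed through the gateway,
# (2) create a mail flow rule that rejects external mail not delivered via the gateway.
# Assumptions (placeholders): the gateway stamps headers starting "X-Proofpoint-",
# its outbound ranges are in $GatewayRanges (RFC 5737 documentation addresses here),
# and ExchangeOnlineManagement is installed with an admin account.
param(
    [string]$EmlPath,
    [string[]]$GatewayRanges = @("192.0.2.0/24", "198.51.100.0/24"),
    [string]$GatewayHeaderPrefix = "X-Proofpoint-",
    [switch]$CreateRule
)

function Test-GatewayHeaders {
    param([string]$Path, [string]$HeaderPrefix)
    $raw = Get-Content -Path $Path -Raw
    # Headers end at the first blank line; unfold continuation lines (RFC 5322 section 2.2.3).
    $headerBlock = ($raw -split "(?:\r?\n){2}", 2)[0]
    $unfolded = $headerBlock -replace "\r?\n[ \t]+", " "
    $headers = $unfolded -split "\r?\n"

    $received = @($headers | Where-Object { $_ -match '^Received:' })
    $stamped  = @($headers | Where-Object { $_ -match "^$([regex]::Escape($HeaderPrefix))" })
    # Hops that are not Microsoft's own: if there are none, nothing outside EXO handled the mail.
    $nonMs    = @($received | Where-Object { $_ -notmatch 'outlook\.com' })

    [pscustomobject]@{
        File            = $Path
        ReceivedHops    = $received.Count
        GatewayStamped  = ($stamped.Count -gt 0)
        OnlyMicrosoftHops = ($nonMs.Count -eq 0)
        LikelyBypass    = ($stamped.Count -eq 0 -and $nonMs.Count -eq 0)
    }
}

if ($EmlPath) {
    Test-GatewayHeaders -Path $EmlPath -HeaderPrefix $GatewayHeaderPrefix | Format-List
}

if ($CreateRule) {
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -ShowBanner:$false

    # External (NotInOrganization) mail is rejected unless the last external hop
    # was one of the gateway's IP ranges. Internal mail is unaffected.
    # Mode Audit first; switch to Enforce once message trace shows only bypassing mail matches.
    New-TransportRule -Name "Reject external mail that bypassed the gateway" `
        -FromScope NotInOrganization `
        -ExceptIfSenderIpRanges $GatewayRanges `
        -RejectMessageReasonText "Inbound mail must be delivered via the email security gateway" `
        -RejectMessageEnhancedStatusCode "5.7.1" `
        -Mode Audit `
        -Priority 0 `
        -Comments "Closes the direct tenant-to-tenant delivery path around the gateway"

    Disconnect-ExchangeOnline -Confirm:$false
}
```

For gateways that do not publish stable IP ranges, the same rule can key on the stamped header instead (-ExceptIfHeaderContainsMessageHeader with -ExceptIfHeaderContainsWords), but a header is easier for an attacker to forge than a connecting IP, so prefer the IP ranges where the vendor documents them.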