I'm dealing with an incident where an M365 group in our tenant, which has all the necessary security features to guard against spoofing, phishing, and similar threats, sent out an email containing a phishing link pretending to be a DocuSign notice. This group includes over 300 external members. The Exchange trace indicates that the email originated from an IP in Great Britain, which isn't associated with Microsoft. We had direct send disabled in Exchange Online, and there were no signs of unusual activity in the logs. Has anyone else faced a similar issue?
**Update:** I discovered that direct send was indeed the issue. The message analyzer indicated that the sender was marked as "Anonymous", and the direct send rejection setting was incorrectly configured to false. I ran the necessary commands to fix it. Additionally, to see if this is happening in your environment, I recommend checking the security center under email & collaboration for any phishing detections that could relate to your domain. This issue should definitely be highlighted more prominently in the security portal.
5 Answers
You're definitely not alone. We're experiencing a similar surge of spam emails that appear to be sent from the users themselves. Since allowing external emails, we’re noticing these phishing attempts slipping through the cracks too. Have you thought about tightening up permissions on those external group members yet?
Yeah, it’s a frustrating issue. Allowing external senders to your distribution groups without strict controls can lead to this. It's best to create a transport rule that blocks or quarantines emails sent from the group to itself to mitigate this risk. Have you considered implementing something like that?
Just wanted to add that if you have a large group, it’s crucial to check if any external members have been compromised. Sometimes, those accounts might be the source of the spoofing, allowing someone to send emails seemingly from within your organization.
I faced this recently and had to implement stricter DMARC rules and disable some allowances for direct send. The result was immediate, with a noticeable drop in those self-sent spam emails. It's essential to actively monitor and adjust these settings routinely as threats evolve.
It sounds like a classic direct send problem. If direct send isn't properly restricted, it can allow spoofed messages to bypass your DMARC and SPF protections. Make sure to set the right transport rules, and always double-check your DMARC settings to ensure they’re valid. The headers of the email may give you more clues too; have you accessed those yet?
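Since the update in the question and the last answer both come down to the Direct Send setting, here is an added example (not code from anyone in this thread) of how an Exchange Online admin could verify and enable the rejection of Direct Send, then pull a week of message-trace data to find mail that uses your own domain as sender but arrived from an IP outside your known relays. The tenant domain, relay addresses, admin account and date window are assumptions.

```powershell
# Added example: audit/harden Direct Send in Exchange Online and triage recent
# self-domain mail from outside IPs. Needs the ExchangeOnlineManagement module
# and an Exchange admin. Domain, relay IPs and admin UPN below are assumptions.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # assumption

$ownDomain   = 'contoso.example'                    # assumption: your accepted domain
$knownRelays = @('203.0.113.10', '203.0.113.11')    # assumption: your own on-prem senders

# 1. Is unauthenticated Direct Send still accepted? (This is the setting the
#    original poster found set to false.)
$cfg = Get-OrganizationConfig
if (-not $cfg.RejectDirectSend) {
    Write-Warning "RejectDirectSend is currently $($cfg.RejectDirectSend); enabling it."
    Set-OrganizationConfig -RejectDirectSend $true
} else {
    Write-Host 'RejectDirectSend is already enabled.'
}

# 2. Triage list: messages in the last 7 days whose sender is in your own domain
#    but whose connecting IP is neither empty (internal submission) nor one of
#    your known relays. Expect some Microsoft-owned addresses in the output; the
#    point is to get a short list whose headers you then inspect by hand.
$end   = Get-Date
$start = $end.AddDays(-7)

$suspect = Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 |
    Where-Object {
        $_.SenderAddress -like "*@$ownDomain" -and
        $_.FromIP -and
        ($knownRelays -notcontains $_.FromIP)
    } |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, FromIP, Status

$suspect | Sort-Object Received -Descending | Format-Table -AutoSize
```

Get-MessageTrace only covers roughly the last ten days, so run this promptly after an incident; for older mail use a historical search from the Exchange admin center.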