I've noticed that when users within our domain are being spoofed—say, receiving emails that appear to be from their own address—filters seem to activate automatically. When I first joined, there were a couple of users who had filters like 'if matches (@mydomain.org), then read it and delete it' already in place after the spoofed emails were sent. I was curious about how this happens. Could it be that someone compromised their accounts and set up those filters, or is there something else happening? It might not be an issue now, but I'd love to understand the mechanism behind it.
2 Answers
If users had email filters that they didn't create, it's likely that their accounts were compromised. An attacker could set up filters to hide replies to their fraudulent emails. It's important to check for any unusual activity in their account settings.
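The rule described in the question (match the org's own domain, mark read, delete) is something a defender can hunt for across mailbox rule exports. The block below is an added example, not code from the original thread or from any mail provider's API; it triages a constructed, simplified JSON export and assumes `mydomain.org` as the org's mail domain.

```python
# Added example (not from the original thread): triage a mailbox-rule export
# for rules that silently read/delete mail from the organisation's own domain,
# plus rules that forward mail to an address outside the organisation.
# The JSON shape below is a constructed, simplified export, not a real API format.
import json

ORG_DOMAIN = "mydomain.org"  # assumption: the org's primary mail domain

# Constructed sample of an exported rule set (three mailboxes).
RULE_EXPORT = json.dumps([
    {"mailbox": "alice@mydomain.org", "name": "cleanup",
     "match": {"from_contains": "@mydomain.org"},
     "actions": ["mark_read", "delete"]},
    {"mailbox": "bob@mydomain.org", "name": "newsletters",
     "match": {"subject_contains": "digest"},
     "actions": ["move:Newsletters"]},
    {"mailbox": "carol@mydomain.org", "name": ".",
     "match": {"from_contains": "@mydomain.org"},
     "actions": ["forward:someone@external-mail.example", "delete"]},
])

# Actions that make a message disappear from the user's view.
HIDING_ACTIONS = {"delete", "mark_read", "move:Deleted Items",
                  "move:Junk", "move:RSS Feeds"}


def triage_rules(export_json, org_domain=ORG_DOMAIN):
    """Return (mailbox, rule name, reasons) for every rule worth an analyst's eye."""
    findings = []
    for rule in json.loads(export_json):
        reasons = []
        match = rule.get("match", {})
        actions = set(rule.get("actions", []))
        matches_own_domain = org_domain in match.get("from_contains", "").lower()
        # Pattern from the question: internal mail is read and deleted unseen,
        # which is how replies to a fraudulent message get hidden from the owner.
        if matches_own_domain and actions & HIDING_ACTIONS:
            reasons.append("hides mail from own domain")
        # Forwarding outside the org is a separate indicator worth reviewing.
        for action in actions:
            if action.startswith("forward:"):
                target_domain = action.split("@", 1)[-1].lower()
                if target_domain != org_domain:
                    reasons.append(f"forwards externally to {target_domain}")
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in triage_rules(RULE_EXPORT):
        print(f"{mailbox}: rule '{name}': {', '.join(reasons)}")
```

Run against a real export, each hit should be reviewed together with the mailbox's recent sign-in and rule-creation audit events before deciding whether the account was compromised.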
It sounds like your organization might not have SPF and DMARC records set up for your domain. These records can help prevent spoofing by specifying which servers are allowed to send emails on behalf of your domain. If those weren't in place before, that might explain the spoofing. It's worth looking into these protocols to better secure your domain!
True, SPF and DMARC are helpful, but they aren't foolproof. Sometimes, emails that shouldn't be delivered still make it through the cracks, especially with big providers like Microsoft and Google.
Great point! Besides changing passwords and enabling 2FA, what else is necessary when an account is compromised? I've heard it can involve session hijacking or malicious extensions. Any best practices for securing accounts after such an event?