I've been dealing with a surge of clients receiving spoofed emails, and I'm trying to navigate this tricky situation. My current approach is to explain that it could be tied to some international conflict or perhaps a new AI dark web tool—this has seemed to comfort them a bit. However, I want to ensure my troubleshooting checklist is on point. Here's what I'm doing so far: I check where the spoofed email landed (inbox is bad, quarantine is less so), verify domain authentication with SPF, DKIM, and DMARC (finding those weak spots is crucial), look into Microsoft 365 protections, and confirm if it's genuine spoofing or something more severe like account compromise. Additionally, I suggest third-party filters if needed. Am I missing anything crucial in my process? I'm feeling a bit pressured in my role as a level 2 escalation at an MSP, so any advice would really help!
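To make the SPF/DKIM/DMARC step of the checklist repeatable, here is a small grader for the three record types, added here as an illustration rather than anything from the original question. The records, the domain and the filter addresses are constructed samples; feed it the TXT records you pull for a real client and it tells you which of the "weak spots" mentioned above are present.

```python
"""Grade SPF, DKIM and DMARC TXT records for the weak spots the checklist
looks for.  Added example with constructed records for a hypothetical
domain; replace SAMPLE_RECORDS with the live TXT records you look up."""
import re

# Constructed sample records (hypothetical client domain, placeholder DKIM key).
SAMPLE_RECORDS = {
    "example-client.com": {
        "spf": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all",
        "dkim": {"selector1": "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64PUBLICKEY"},
        "dmarc": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc-rua@example-client.com",
    },
}

# SPF terms that cost one of the 10 DNS lookups allowed by RFC 7208.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM or DMARC) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(record):
    """Return a list of findings for one SPF record (empty list means no concern)."""
    if record is None:
        return ["no SPF record: any host can claim to send for this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["TXT record does not start with v=spf1, so receivers ignore it"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet")
    elif all_term.startswith("~"):
        findings.append("'~all' softfail: most receivers deliver and merely tag")
    elif all_term.startswith("?"):
        findings.append("'?all' neutral: no effective policy")
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def grade_dkim(selectors):
    """selectors: {selector_name: TXT record}. Selectors must be known in advance
    (Microsoft 365 publishes selector1 and selector2); they cannot be enumerated."""
    if not selectors:
        return ["no DKIM selector records: outbound mail cannot be signed and verified"]
    findings = []
    for selector, record in selectors.items():
        tags = parse_tags(record)
        if not tags.get("p"):
            findings.append(f"{selector}: empty p= tag means the key is revoked; mail signed with it fails")
        if "y" in tags.get("t", "").lower().split(":"):
            findings.append(f"{selector}: t=y testing flag, receivers may ignore failures")
    return findings


def grade_dmarc(record):
    """Return findings for one DMARC record: policy strength, coverage and reporting."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["TXT record is not a valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you never see aggregate reports of who is spoofing")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


def grade_domain(domain, records=SAMPLE_RECORDS):
    """Grade all three record types for one domain from a records dict."""
    r = records[domain]
    return {"spf": grade_spf(r.get("spf")),
            "dkim": grade_dkim(r.get("dkim")),
            "dmarc": grade_dmarc(r.get("dmarc"))}


if __name__ == "__main__":
    for kind, findings in grade_domain("example-client.com").items():
        print(kind, findings or "ok")
```

For the constructed sample the grader reports the two things that let spoofed mail through: `~all` (receivers only tag) and `p=none` (receivers deliver anyway). The DKIM check is deliberately limited to what a published selector record can show; whether outbound mail is actually signed is confirmed from a sent message's headers.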
4 Answers
Seems like you might be overlooking the whole Direct Send issue—it’s a common culprit! Just confirming that you’re considering it when troubleshooting will save you headaches down the line.
You should definitely check if Direct Send is enabled in your settings. It's been a common source of issues when clients receive spoofed emails from their own addresses. Disabling it can help prevent those kinds of problems. Here's a good link for more info: [direct-send exploit](https://www.varonis.com/blog/direct-send-exploit).
Cheers for the tip! I'll be looking into Direct Send myself.
Make sure to restrict the O365 Connector only to accept emails from your third-party spam filter. We faced this issue before and learned the hard way! Set the connector up correctly with the right IP addresses from your provider; it makes such a difference. Also, switching anti-spam policies to block any email that doesn’t pass SPF can be quite effective if you're seeing a lot of spoofing.
I did this with our Barracuda setup, and it was a lifesaver!
That's a solid plan! Thanks for sharing.
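Both the Direct Send replies and the connector advice above come down to the same question for a given message: did this "own domain" mail enter Exchange Online Protection from the filter, or straight from some other host? The script below, an added example that is not from any of the posters, answers that from a message's Received and Authentication-Results headers. The tenant domain, the filter IP range and the two sample messages are all constructed placeholders.

```python
"""Flag own-domain mail that reached Exchange Online Protection (EOP) without
passing through the third-party filter: the Direct Send pattern, and the
reason the inbound connector gets locked to the filter's IPs.  Added
example; messages, domain and filter range below are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAINS = {"example-client.com"}                         # hypothetical tenant domain
FILTER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder for the filter vendor's ranges

# EOP's own Received line reads "from <helo> (<ip>) by <tenant>.mail.protection.outlook.com".
# IPv4 only here; extend the IP group if your tenant sees the bracketed IPv6 form.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)", re.I)

DIRECT_SEND_SAMPLE = "\n".join([  # constructed: an outside host talking straight to the tenant MX
    "Received: from mailrelay.invalid (203.0.113.45) by ABC123.mail.protection.outlook.com (10.1.2.3)"
    " with Microsoft SMTP Server id 15.20.1234.5; Mon, 1 Jan 2024 10:00:00 +0000",
    "Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=example-client.com;"
    " dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=example-client.com",
    'From: "Finance" <cfo@example-client.com>',
    "To: staff@example-client.com",
    "Subject: Urgent: approve today",
    "",
    "(body omitted)",
])
VIA_FILTER_SAMPLE = "\n".join([  # constructed: same sender, arriving from the filter's range
    "Received: from filter01.example.net (198.51.100.10) by ABC123.mail.protection.outlook.com (10.1.2.3)"
    " with Microsoft SMTP Server id 15.20.1234.5; Mon, 1 Jan 2024 10:05:00 +0000",
    "Authentication-Results: spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=example-client.com;"
    " dkim=pass header.d=example-client.com; dmarc=pass action=none header.from=example-client.com",
    "From: cfo@example-client.com",
    "To: staff@example-client.com",
    "Subject: Monthly report",
    "",
    "(body omitted)",
])


def connecting_ip(msg):
    """IP of the host that handed the message to EOP, or None if no EOP hop is visible."""
    for received in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(received.split()))
        if match and match.group(3).lower().endswith("mail.protection.outlook.com"):
            return ipaddress.ip_address(match.group(2))
    return None


def auth_result(msg, method):
    """Pull one method's verdict (spf, dkim, dmarc) out of Authentication-Results."""
    match = re.search(rf"\b{method}=(\w+)", msg.get("Authentication-Results", ""))
    return match.group(1).lower() if match else "none"


def classify(raw_message):
    """Decide whether an own-domain message took the expected path through the filter."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ip = connecting_ip(msg)
    info = {"from_domain": from_domain, "ip": str(ip) if ip else None,
            "spf": auth_result(msg, "spf"), "dmarc": auth_result(msg, "dmarc")}
    if from_domain not in OWN_DOMAINS:
        info["verdict"] = "external-sender"          # not what this check is about
    elif ip is None:
        info["verdict"] = "internal-or-unparsed"     # intra-tenant mail never crosses the MX
    elif any(ip in net for net in FILTER_NETWORKS):
        info["verdict"] = "own-domain-via-filter"    # the expected path
    else:
        info["verdict"] = "direct-send-candidate"    # bypassed the filter: lock the connector down
    return info


if __name__ == "__main__":
    for sample in (DIRECT_SEND_SAMPLE, VIA_FILTER_SAMPLE):
        print(classify(sample))
```

Run over a mailbox export or a message trace, the `direct-send-candidate` verdicts are exactly the messages that a connector restricted to the filter's IPs (or an anti-spam policy that rejects SPF failures) would have stopped, so the count is a useful before/after measure when you change either setting.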
Your checklist looks pretty comprehensive! Just remember to check for any unusual inbox rules and app consent grants early on. Sometimes, after a compromise, an attacker sets rules to hide their moves, leading you to misdiagnose it as simple spoofing. Clients generally appreciate the truth more than elaborate theories. Just explain that email without strong authentication is vulnerable. And consider upgrading your monitoring tools; we've moved to Suped for fewer hassles.
Great point on the inbox rules! I'll make it a habit to check those.
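Since the answer above calls out inbox rules as the thing that makes a compromise look like plain spoofing, here is a triage pass over exported rules, added as an illustration rather than taken from the thread. The rule records are constructed; the field names follow the properties Exchange Online's Get-InboxRule returns, so a real export can be dropped in, and the tenant domain is a placeholder.

```python
"""Triage exported inbox rules for the patterns that hide a compromise.
Added example: SAMPLE_RULES is constructed; keys follow Get-InboxRule
property names so a JSON export of real rules can be used instead."""
import json
import re

OWN_DOMAINS = {"example-client.com"}  # hypothetical tenant domain
# Folders users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                  "junk email", "deleted items", "notes"}
# Keywords that hide a response to fraud or a security alert when filtered on.
HOT_WORDS = {"invoice", "payment", "wire", "bank", "password", "security alert",
             "suspicious", "hacked", "phish"}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_RULES = json.loads("""[
 {"Name": "..", "Enabled": true, "SubjectContainsWords": ["invoice", "wire"],
  "MoveToFolder": "RSS Feeds", "MarkAsRead": true},
 {"Name": "Forward to personal", "Enabled": true,
  "ForwardTo": ["\\"Outside Mailbox\\" [SMTP:outside-mailbox@example.net]"]},
 {"Name": "Newsletters", "Enabled": true, "FromAddressContainsWords": ["newsletter"],
  "MoveToFolder": "Newsletters"}
]""")


def triage_rule(rule):
    """Return the findings for one rule (empty list means nothing suspicious)."""
    findings = []
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 or set(name) <= {"."}:
        findings.append("near-empty rule name, a common sign of a hands-on-keyboard intruder")
    targets = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for entry in rule.get(key) or []:
            targets += ADDRESS_RE.findall(entry)
    external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS]
    if external:
        findings.append(f"forwards or redirects outside the tenant: {', '.join(external)}")
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords"):
        words |= {w.lower() for w in rule.get(key) or []}
    hot = words & HOT_WORDS
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    if hides and hot:
        findings.append(f"hides mail matching {sorted(hot)} ({'deletes' if rule.get('DeleteMessage') else 'moves to ' + folder})")
    elif hides and rule.get("MarkAsRead"):
        findings.append("moves mail to a rarely-read folder and marks it read")
    return findings


def triage(rules):
    """Map each enabled rule's name to its findings, keeping only rules with findings."""
    return {r.get("Name", ""): findings
            for r in rules if r.get("Enabled", True) and (findings := triage_rule(r))}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RULES).items():
        print(repr(name), findings)
```

Two of the three constructed rules get flagged: the ".." rule that parks anything about invoices or wires in RSS Feeds, and the rule that forwards to an address outside the tenant; the genuine newsletter rule stays quiet. The same keyword-and-destination logic applies to rules created through Outlook on the web, which is where they usually come from after a credential theft.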

I had no idea about Direct Send until recently; it's a game changer! Definitely look into that.