I've got a bit of a security nightmare here. An external user was hacked and ended up sending out phishing emails to all of their contacts, including 47 to my organization. Our email security gateway caught and marked most of these as phishing, but two emails went to Microsoft Booking accounts. Since these accounts don't have email licenses by default, their emails get forwarded to the user who created the booking space, effectively bypassing our entire email protection system. This led to a complete account takeover of one of our users. I've been wracking my brain trying to figure out how to fix this without shutting down the booking function entirely, which I can't afford to do. Has anyone faced something similar or have any workarounds? There's no useful information I've found on this topic.
4 Answers
I found this [blog post](https://www.busted.dk/blog/discovering-automatically-created-mailboxes-by-microsoft-bookings-in-your-tenant/) that discusses automatically created mailboxes by Microsoft Bookings. You can create rules with the accounts you identify using PowerShell; that might help you manage things better.
If you’re using Proofpoint, check the headers of those messages to see if they indicate they went through Proofpoint at all. If the headers are missing, those messages bypassed it entirely. It's critical to review your connectors to ensure that any mail not routed through them is rejected. One setup I know involves configuring the Proofpoint connector to accept from all domains, which blocks any mail not processed through it. Just a heads up that the specific setting might need to be adjusted via PowerShell instead of the web interface.
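One way to do the header check this answer describes, as an added example that is not part of the original thread or of any vendor's tooling: a small PowerShell parser that unfolds a raw header block and reports whether the gateway left its trace. It assumes the gateway stamps headers whose names share a prefix (the default `X-Proofpoint-` is what Proofpoint gateways commonly add; confirm the prefix against a known-good message from your own tenant). The two header blocks at the end are constructed samples, not real messages.

```powershell
# Added example (not from the thread): parse a raw message header block and report
# whether it carries evidence of having passed through the email security gateway.
# Assumption: the gateway adds headers whose names start with -GatewayHeaderPrefix.

function ConvertFrom-MessageHeader {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold continuation lines (RFC 5322 folding: a line that starts with
    # whitespace continues the previous header field).
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $fields = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        # Header field names are printable ASCII without the colon.
        if ($line -match '^([!-9;-~]+):\s*(.*)$') {
            $fields += [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2] }
        }
    }
    return $fields
}

function Test-GatewayTransit {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string]$GatewayHeaderPrefix = 'X-Proofpoint-'   # assumed prefix; adjust to your gateway
    )
    $fields   = ConvertFrom-MessageHeader -RawHeaders $RawHeaders
    $gateway  = @($fields | Where-Object { $_.Name -like "$GatewayHeaderPrefix*" })
    $received = @($fields | Where-Object { $_.Name -eq 'Received' })
    [pscustomobject]@{
        PassedThroughGateway = ($gateway.Count -gt 0)
        GatewayHeaders       = @($gateway | ForEach-Object Name)
        ReceivedHops         = $received.Count
        # The bottom-most Received header is the first hop the message took.
        FirstHop             = if ($received.Count -gt 0) { $received[-1].Value } else { $null }
    }
}

# Constructed sample: a message that traversed the gateway before reaching the tenant.
$viaGateway = @"
Received: from gateway.example.net (gateway.example.net [203.0.113.10])
 by mail.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
X-Proofpoint-Virus-Version: vendor=example engine=1.0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
Received: from sender.example.org (sender.example.org [198.51.100.5])
 by gateway.example.net with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: partner@example.org
Subject: Booking request
"@

# Constructed sample: a message delivered straight from another tenant, no gateway headers.
$direct = @"
Received: from outbound.partner-tenant.example (outbound.partner-tenant.example [192.0.2.20])
 by mail.example.com with ESMTPS; Mon, 1 Jan 2024 10:05:00 +0000
From: partner@example.org
Subject: Booking request
"@

Test-GatewayTransit -RawHeaders $viaGateway   # PassedThroughGateway: True
Test-GatewayTransit -RawHeaders $direct       # PassedThroughGateway: False
```

Paste the full header block of one of the two messages that reached the Bookings mailboxes into `-RawHeaders`; a `False` result is the direct evidence that the connector configuration the answer talks about is letting mail in around the gateway.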
There's a property in Bookings called "ForwardingSMTPAddress." If you don't necessarily need that for ownership purposes, you might consider removing the users from the forwarding list with a script and running it regularly. While fixing your gateway would be ideal, this could offer a quick temporary solution.
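A script that does what this answer and the earlier PowerShell suggestion describe, as an added example that is not from the thread or from Microsoft: it inventories the Bookings mailboxes in the tenant, shows their forwarding configuration, and can clear it. It assumes the ExchangeOnlineManagement module is installed, the account running it holds an Exchange administrator role, and Bookings mailboxes report the recipient type detail `SchedulingMailbox` (the label Exchange Online uses for them); the function names are this example's own.

```powershell
# Added example (not from the thread): find Microsoft Bookings mailboxes and clear the
# forwarding that relays their inbound mail to a licensed user.
# Assumptions: ExchangeOnlineManagement module, Exchange admin role, and Bookings
# mailboxes carrying RecipientTypeDetails 'SchedulingMailbox'.

Connect-ExchangeOnline -ShowBanner:$false

function Get-BookingsForwarding {
    # One row per Bookings mailbox with its forwarding settings.
    Get-EXOMailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited `
        -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
        Select-Object DisplayName, PrimarySmtpAddress,
            ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
}

function Clear-BookingsForwarding {
    # Removes forwarding from every Bookings mailbox that has it.
    # Supports -WhatIf so the first run can be a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($mbx in Get-BookingsForwarding) {
        if (-not $mbx.ForwardingSmtpAddress -and -not $mbx.ForwardingAddress) { continue }
        if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, 'Clear forwarding')) {
            Set-Mailbox -Identity $mbx.PrimarySmtpAddress `
                -ForwardingSmtpAddress $null -ForwardingAddress $null `
                -DeliverToMailboxAndForward $false
            Write-Host "Cleared forwarding on $($mbx.PrimarySmtpAddress)"
        }
    }
}

# Report first, then dry-run the change; drop -WhatIf for the scheduled run.
Get-BookingsForwarding | Format-Table -AutoSize
Clear-BookingsForwarding -WhatIf
```

The report alone is useful even if you keep the forwarding: it tells you which licensed users are the real landing point for mail sent to each Bookings address, which is exactly the population the phishing messages in the question reached. As the answer notes, forwarding can come back, so the clearing step is the part to schedule.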
It sounds like this might be related to misconfiguration within your email security settings. Make sure to check your whitelisting rules, and consider blocking messages from other Exchange Online tenants to route everything through your gateway. Each platform has its own quirks, so you'll need to tailor solutions to the security system you’re using. What email security platform do you have? That could give us more clues for troubleshooting.
Totally agree with you—it sounds like a setup issue. Understanding your specific platform could really help us pinpoint the problem.
Yeah, the configuration details are essential. I hope you can sort this out without shutting anything down!
Thanks for this link! It’s a good starting point for figuring things out.