I'm dealing with a couple of suspicious emails in my quarantine that I can't quite figure out. These emails appear to be sent from [email protected] to the same address, [email protected]. When I dug into it using Defender, I noticed the sender IP is listed as 0.0.0.0, and it indicates that the directionality is intra-organizational. Checking the headers, I see they're received from AS4PR09CA0010.eurprd09.prod.outlook.com, but interestingly, the authentication results show a SPF failure with an IP of 141.95.113.169. I'm stuck trying to ascertain if these emails originated from outside my company or if they could be an internal issue, especially since the logs seem to conflict. Does anyone have insights on this?
4 Answers
It sounds like you might be dealing with what's commonly referred to as the 'direct send' issue within Exchange 365. It's tricky because sometimes disabling direct send can lead to other issues, so there's no perfect fix. Microsoft really doesn't make this easy for us!
An easy workaround is to set up an inbound connector for known good sender IP addresses. You could also consider using SMTP relay instead of direct send for added security.
One potential fix could be to create a top rule in your Exchange. We allow emails from our domain to our domain only if they come from our specific IP. But be warned: Microsoft has told us this is how it's designed to work, even if it feels a bit buggy.
This may simply be a case of email spoofing. Spoofers can exploit how SMTP handles 'from' addresses, so the SPF failure is a big indicator that something's off. Be sure to check your SPF, DKIM, and DMARC settings!
Absolutely! We set up a transport rule that holds any incoming emails from our domain with a failed SPF for approval, or it blocks them entirely.
You could also try using the message header analyzer available in the console. Spoofed emails might show up as having a sender IP of 0.0.0.0 and as intra-org.

Direct send means emails are sent directly to Microsoft 365 without going through an inbound connector. Once I grasped how it works, it was easier to identify legit issues and solve them before disabling direct send.
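The header pattern the question describes (From and To in the same tenant domain, SPF fail on a non-Microsoft sender IP) can be triaged from the raw headers the same way the transport rule above does it. This is an added Python example, not code from anyone in this thread; the sample headers are constructed (only the relay hostname and the two IPs come from the question), and example.com stands in for the tenant's own domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the question: the relay hostname and the IPs
# are from the post, every other value is made up.
SAMPLE = """\
Received: from AS4PR09CA0010.eurprd09.prod.outlook.com (2603:10a6:20b:1::10)
 by VI1PR09MB0001.eurprd09.prod.outlook.com with HTTPS; Mon, 3 Jun 2024 09:15:02 +0000
Authentication-Results: spf=fail (sender IP is 141.95.113.169)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=example.com;
From: "Payroll" <payroll@example.com>
To: payroll@example.com
Subject: Updated direct deposit form

body
"""

ORG_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains


def parse_auth_results(value):
    """Return ({method: result}, sender_ip) from an Authentication-Results value."""
    flat = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))
    ip = re.search(r"sender IP is ([0-9a-fA-F.:]+)", flat)
    return results, (ip.group(1) if ip else None)


def triage(raw, org_domains=ORG_DOMAINS):
    """Classify a message as INTERNAL, SUSPECT or EXTERNAL from its headers alone."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    auth, sender_ip = parse_auth_results(msg.get("Authentication-Results", ""))
    same_org = from_dom in org_domains and to_dom in org_domains
    # Own-domain to own-domain mail that failed SPF is the 'direct send' spoof
    # pattern the thread describes, whatever Defender's directionality says.
    if same_org and auth.get("spf") != "pass":
        verdict = "SUSPECT"
    elif same_org:
        verdict = "INTERNAL"
    else:
        verdict = "EXTERNAL"
    return {"verdict": verdict, "from": from_dom, "to": to_dom,
            "spf": auth.get("spf"), "dmarc": auth.get("dmarc"), "sender_ip": sender_ip}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The SPF sender IP it extracts is the one to compare against your allow-listed relay addresses; a SUSPECT verdict on that sample is what a hold-for-approval rule would act on.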