I've come across a strange issue where a couple of Microsoft 365 users are getting emails from their own addresses, and they definitely didn't send these emails. The odd part is that these messages appear in their sent items folder, but they show the email address without the usual display name. After checking the message headers, it seems like the spam emails might have gone through our signature application (CodeTwo) servers, which is puzzling for what should be internal messages. I've checked the user's logins in the Entra admin center but everything appears normal. They don't have any unusual rules set up on their account either. Am I missing something important here? Should we consider these accounts compromised and change their passwords? I'm looking for pointers to dig deeper into this situation!
5 Answers
It looks like you don't have DMARC and DKIM set up properly, which can lead to issues like this. Additionally, consider disabling Direct Send, as it can allow such spoofing to happen. Check out this blog for guidance on how to enable rejection for Direct Send in Microsoft 365: [How to Enable Reject Direct Send](https://blog.admindroid.com/how-to-enable-reject-direct-send-in-microsoft-365/)
It could be worth investigating your SPF, DKIM, and DMARC settings. If it shows that there's no DMARC record found and your SPF settings indicate issues, that could be contributing to this problem.
Thanks for pointing that out! I did an MXToolbox check and I found some errors.
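The SPF and DMARC record review suggested in the answer above, as an added example that is not part of the thread: it evaluates the published TXT records for the weaknesses an MXToolbox-style check reports (missing DMARC, weak `all` qualifier, too many lookups). The records are constructed for an imaginary domain, not real DNS data; DKIM is not covered because it needs the selector names.

```python
"""Evaluate SPF and DMARC TXT records for common weaknesses (added example)."""
import re

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (limit 10).
_LOOKUP = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")


def check_spf(record):
    """Return findings for one SPF record; None means no record published."""
    if record is None:
        return ["no SPF record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        qual = all_terms[-1][0]
        if qual not in "-~?":  # bare 'all' is the same as '+all'
            findings.append("'+all' authorises every sender")
        elif qual == "?":
            findings.append("'?all' is neutral: no protection")
        elif qual == "~":
            findings.append("'~all' soft fail only; '-all' is stricter")
    lookups = sum(1 for t in terms if _LOOKUP.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    """Return findings for the _dmarc TXT record; None means no record."""
    if record is None:
        return ["no DMARC record published at _dmarc.<domain>"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; p=reject blocks it")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports showing who spoofs the domain")
    return findings


# Constructed sample for an imaginary tenant (not real DNS data): SPF with a
# soft-fail 'all' and no DMARC record, the combination the answer describes.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:spf.signature.example ~all",
    "dmarc": None,
}


def audit(records):
    """Run both checks over a {'spf': ..., 'dmarc': ...} mapping."""
    return {"spf": check_spf(records.get("spf")), "dmarc": check_dmarc(records.get("dmarc"))}
```

Running `audit(SAMPLE_RECORDS)` reports the soft-fail SPF and the missing DMARC record; a clean result is an empty list for both keys.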
Is an external email filter in use? Sometimes, if you set one up but fail to secure the incoming settings in 365, spammers might figure out a way to use your direct send address to bypass the filter.
We don’t use any external filters like Proofpoint or Mimecast. Thanks for the suggestion!
There's a possibility that CodeTwo got compromised. The concerns around DKIM/DMARC/SPF won't necessarily make a message appear in the sent items like this. Spoofing an address shouldn't result in that either. If CodeTwo is compromised, it could be pushing emails incorrectly through your system.
It's definitely worth turning off Direct Send! That seems to be the cause here. Once you do that, you should see fewer of these issues.
Right, definitely check out how to disable Direct Send!
Thank you for the tip!