Warning about malicious spoof Microsoft emails

[Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>]

Our university has started to receive emails that appear to be from Microsoft that are not.  We have been receiving 
emails from account-security-noreply () accountprotection microsoft com<mailto:account-security-noreply () 
accountprotection microsoft com> for the past few years.  These emails originate from Microsoft owned IP addresses and 
are part of the Office 365 tenant.  Recently (as of March 22, 2020) we have started receiving emails that seem to come 
from this same email address but are coming from non-Microsoft owned IP addresses.  I have yet to establish a pattern 
of IP’s but I wanted to warn everyone that uses Microsoft Office365 or exchange to be aware of this issue.

For us, Microsoft has ATP but my P1 license does not allow the service to run even though Microsoft lets you configure 
it (so you think the protection is active).

If anyone can give me some good suggestions of ways to block these emails (I have turned off all whitelists for 
Microsoft.com email addresses and made specific blocks for the currently identified IP addresse3s of senders) I would 
get very appreciative.

Curt Kappenman
Security Compliance Officer
316 Boulevard, Anderson, SC 29621
Phone: (864) 231-2850
ckappenman () andersonuniversity edu<mailto:ckappenman () andersonuniversity edu>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community