Educause Security Discussion mailing list archives

Re: [BULK] Re: [SECURITY] Warning about malicious spoof Microsoft emails


From: Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Fri, 3 Apr 2020 15:46:02 +0000

Frankly, it’s ridiculous that Microsoft puts anti-spoofing behind upsell licensing.  DMARC is an open standard!

We have never been able to justify the cost for A5 licensing, and with the oncoming budget crunch, we won’t be able to 
any time soon.

This is why we continue to run local MTA gateways upstream of O365, which gives us the flexibility of implementing open 
standard protections against spoofing.

Jesse Thompson
UW-Madison

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Curt Kappenman 
<ckappenman () ANDERSONUNIVERSITY EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, April 2, 2020 at 10:44 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [BULK] Re: [SECURITY] Warning about malicious spoof Microsoft emails

John,
  Thanks for the info.  Some of those items I have looked at but I will go back and look at them again to make sure I 
haven’t missed something.  Just as an FYI, most of the tools that Microsoft offers (ATP and anti-spoofing) are only 
available under the next level up license (even though Microsoft gives you access and lets you turn them on).  I was on 
with support this morning and they mentioned these functions to me so we looked and noticed they were already on but a 
back-end search shows them disabled because of license level.

Curt

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of John McCabe 
<john.mccabe01 () MANHATTAN EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, April 2, 2020 at 11:37 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [BULK] Re: [SECURITY] Warning about malicious spoof Microsoft emails

Hi Curt,

I'm unfamiliar with Office365 so I hope I don't end up giving you a red herring.

It may be possible to use Office365's anti-spoofing protections 
(https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide)
 to deal with senders spoofing account-security-noreply () accountprotection microsoft com. I don't know which license covers those 
features.

If you deal with vendors that do not authenticate their email, then see the "Managing legitimate senders who are sending 
unauthenticated email" section 
(https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide#managing-legitimate-senders-who-are-sending-unauthenticated-email).
 It appears Microsoft does a good job of offering solutions for exceptional cases.

You'll also want to use DMARC for the andersonuniversity.edu domain. Create a txt DNS record called 
_dmarc.andersonuniversity.edu. Initially, use a reporting only policy. For example,

"v=DMARC1; p=none; fo=1; rua=mailto:ckappenman () andersonuniversity edu"

but you'll likely want to use a different email address.

Good luck!

Regards,
John




On Thu, Apr 2, 2020 at 11:12 AM Curt Kappenman <ckappenman () andersonuniversity edu> wrote:
Our university has started to receive emails that appear to be from Microsoft that are not.  We have been receiving 
emails from account-security-noreply () accountprotection microsoft com for the past few years.  These emails 
originate from Microsoft-owned IP addresses and are part of the Office 365 tenant.  Recently (as of March 22, 2020) 
we have started receiving emails that seem to come from this same email address but are coming from 
non-Microsoft-owned IP addresses.  I have yet to establish a pattern of IPs but I wanted to warn everyone that uses 
Microsoft Office365 or Exchange to be aware of this issue.

For us, Microsoft has ATP but my P1 license does not allow the service to run even though Microsoft lets you configure 
it (so you think the protection is active).

If anyone can give me some good suggestions of ways to block these emails (I have turned off all whitelists for 
Microsoft.com email addresses and made specific blocks for the currently identified IP addresses of senders) I would 
be very appreciative.

Curt Kappenman
Security Compliance Officer
316 Boulevard, Anderson, SC 29621
Phone: (864) 231-2850
ckappenman () andersonuniversity edu


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


--
John McCabe
Senior Information Security Manager & Data Protection Officer
Information Technology Services
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
