Educause Security Discussion mailing list archives
Re: Warning about malicious spoof Microsoft emails
From: John McCabe <john.mccabe01 () MANHATTAN EDU>
Date: Thu, 2 Apr 2020 11:37:05 -0400
Hi Curt,

I'm unfamiliar with Office365 so I hope I don't end up giving you a red herring.

It may be possible to use Office365's anti-spoofing protections (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide) to deal with senders spoofing account-security-noreply () accountprotection microsoft com. I don't know which license covers those features.

If you deal with vendors that do not authenticate their email, then see the "Managing legitimate senders who are sending unauthenticated email" section (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide#managing-legitimate-senders-who-are-sending-unauthenticated-email). It appears Microsoft does a good job of offering solutions for exceptional cases.

You'll also want to use DMARC for the andersonuniversity.edu domain. Create a TXT DNS record called _dmarc.andersonuniversity.edu. Initially, use a reporting-only policy. For example, "v=DMARC1; p=none; fo=1; rua=mailto:ckappenman () andersonuniversity edu", but you'll likely want to use a different email address.

Good luck!

Regards,
John

On Thu, Apr 2, 2020 at 11:12 AM Curt Kappenman <ckappenman () andersonuniversity edu> wrote:
Our university has started to receive emails that appear to be from Microsoft that are not. We have been receiving emails from account-security-noreply () accountprotection microsoft com for the past few years. These emails originate from Microsoft owned IP addresses and are part of the Office 365 tenant.

Recently (as of March 22, 2020) we have started receiving emails that seem to come from this same email address but are coming from non-Microsoft owned IP addresses. I have yet to establish a pattern of IPs but I wanted to warn everyone that uses Microsoft Office365 or Exchange to be aware of this issue.

For us, Microsoft has ATP but my P1 license does not allow the service to run even though Microsoft lets you configure it (so you think the protection is active).

If anyone can give me some good suggestions of ways to block these emails (I have turned off all whitelists for Microsoft.com email addresses and made specific blocks for the currently identified IP addresses of senders) I would be very appreciative.

*Curt Kappenman*
*Security Compliance Officer*
316 Boulevard, Anderson, SC 29621
Phone: (864) 231-2850
ckappenman () andersonuniversity edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
--
*John McCabe*
*Senior Information Security Manager & Data Protection Officer*
*Information Technology Services*
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
Current thread:
- Warning about malicious spoof Microsoft emails Curt Kappenman (Apr 02)
- Re: Warning about malicious spoof Microsoft emails John McCabe (Apr 02)
- Re: [BULK] Re: [SECURITY] Warning about malicious spoof Microsoft emails Curt Kappenman (Apr 02)
- Re: [BULK] Re: [SECURITY] Warning about malicious spoof Microsoft emails Jesse Thompson (Apr 03)
- Re: [BULK] Re: [SECURITY] Warning about malicious spoof Microsoft emails Curt Kappenman (Apr 02)
- Re: Warning about malicious spoof Microsoft emails Mercy Lopez (Apr 02)
- Re: Warning about malicious spoof Microsoft emails John McCabe (Apr 02)