Educause Security Discussion mailing list archives

Re: Warning about malicious spoof Microsoft emails


From: John McCabe <john.mccabe01 () MANHATTAN EDU>
Date: Thu, 2 Apr 2020 11:37:05 -0400

Hi Curt,

I'm unfamiliar with Office365 so I hope I don't end up giving you a red
herring.

It may be possible to use Office365's anti-spoofing protections (
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide)
to deal with senders spoofing
account-security-noreply () accountprotection microsoft com. I don't know
which license covers those features.

If you deal with vendors that do not authenticate their email, then see the
Managing legitimate senders who are sending unauthenticated email section (
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide#managing-legitimate-senders-who-are-sending-unauthenticated-email).
It appears Microsoft does a good job of offering solutions for exceptional
cases.

You'll also want to use DMARC for the andersonuniversity.edu domain. Create
a TXT DNS record called _dmarc.andersonuniversity.edu. Initially, use a
reporting-only policy. For example,

"v=DMARC1; p=none; fo=1; rua=mailto:ckappenman () andersonuniversity edu"

but you'll likely want to use a different email address.

Good luck!

Regards,
John




On Thu, Apr 2, 2020 at 11:12 AM Curt Kappenman <
ckappenman () andersonuniversity edu> wrote:

Our university has started to receive emails that appear to be from
Microsoft that are not.  We have been receiving emails from
account-security-noreply () accountprotection microsoft com for the past few
years.  These emails originate from Microsoft owned IP addresses and are
part of the Office 365 tenant.  Recently (as of March 22, 2020) we have
started receiving emails that seem to come from this same email address but
are coming from non-Microsoft owned IP addresses.  I have yet to establish
a pattern of IPs but I wanted to warn everyone that uses Microsoft
Office365 or Exchange to be aware of this issue.



For us, Microsoft has ATP but my P1 license does not allow the service to
run even though Microsoft lets you configure it (so you think the
protection is active).



If anyone can give me some good suggestions of ways to block these emails
(I have turned off all whitelists for Microsoft.com email addresses and
made specific blocks for the currently identified IP addresses of senders)
I would be very appreciative.



*Curt Kappenman*

*Security Compliance Officer*

316 Boulevard, Anderson, SC 29621

Phone: (864) 231-2850

ckappenman () andersonuniversity edu



**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community



-- 
*John McCabe*

*Senior Information Security Manager & Data Protection Officer*
*Information Technology Services*
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
