Identifying source of spam/malware emails apparently from Office 365 user
I would say that yes, it looks like someone has your Outlook.com credentials as the email has not been spoofed but actually originated from Microsft.
We had something similar 2 days ago where a user got a bogus link in an fake email to a document that was purported to be in OneDrive. On clicking the link they were taken to a fake site asking for their credentials. Once typed in, their Outlook.com account was used to send emails to any email address that could be harvested - and so the cycle continues...
In terms of helping prevent a re-occurrence, 2FA and education are your options :-)
Related videos on Youtube
timanderson
Updated on September 18, 2022Comments
-
timanderson almost 2 years
An office 365 user discovered that around 100 emails were sent apparently from him; they have some kind of malicious PDF attachment. The message headers show "Received: from XXX.XXX.PROD.OUTLOOK.COM" as the initial source of the emails. The sent emails show up in an Exchange Online message trace, to both internal and external recipients. However they do not appear in the user's Sent Items folder.
Does this prove that someone has successfully hacked his account (logged in as him) or could there be another explanation?
I need to understand what determines whether an email ends up in Sent items and whether an outgoing email could be in the Message Trace without someone logging in as that user.
We have changed his password and checked his PC for malware. Is there anything else that can be done to prevent a recurrence?
Update: Sample email header only slightly redacted:
Received: from MM1P123MB1050.GBRP123.PROD.OUTLOOK.COM (10.166.235.24) by MMXP123MB1376.GBRP123.PROD.OUTLOOK.COM with HTTPS via MMXP123CA0017.GBRP123.PROD.OUTLOOK.COM; Fri, 16 Mar 2018 09:33:43 +0000 Authentication-Results: [somedomain].co.uk; dkim=none (message not signed) header.d=none;[somedomain].co.uk; dmarc=none action=none header.from=[somedomain].co.uk; Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM (10.166.217.148) by MM1P123MB1050.GBRP123.PROD.OUTLOOK.COM (10.166.217.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.588.14; Fri, 16 Mar 2018 09:33:40 +0000 Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM ([fe80::bd23:2882:93cc:c179]) by MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM ([fe80::bd23:2882:93cc:c179%14]) with mapi id 15.20.0588.016; Fri, 16 Mar 2018 09:33:39 +0000 Content-Type: application/ms-tnef; name="winmail.dat" Content-Transfer-Encoding: binary From: somename lastname <somename.lastname@[somedomain].co.uk> Subject: Important New Document Thread-Topic: Important New Document Thread-Index: AQHTvQgYiGQw1JKKkUqd6+Gw0vjPcg== Date: Fri, 16 Mar 2018 09:33:39 +0000 Message-ID: <MM1P123MB10344D41BCA2D78978E4E07AB2D70@MM1P123MB2034.GBRP123.PROD.OUTLOOK.COM> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-Exchange-Organization-SCL: -1 X-MS-TNEF-Correlator: <MM1P123MB10344D41BCA8D78958E4E08AB2D70@MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM> MIME-Version: 1.0 X-MS-Exchange-Organization-MessageDirectionality: Originating X-MS-Exchange-Organization-AuthSource: MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM X-MS-Exchange-Organization-AuthAs: Internal X-MS-Exchange-Organization-AuthMechanism: 04 X-Originating-IP: [104.238.169.26] X-MS-Exchange-Organization-Network-Message-Id: c73bdaf1-0213-4d24-0323-08d58b210068 X-MS-PublicTrafficType: Email X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1034;35:kkBmPP7Ug2FbZQv6FmW4qdaBWuYCBMr2zepmSHBV2rdHXXwDyIzi9ducjSfxpVuRt/dOsLsDrz0OZ4mNI1aHqA== To: Undisclosed recipients:; Return-Path: somename.lastname@[somedomain].co.uk X-MS-Office365-Filtering-Correlation-Id: c73bdaf1-0213-4e24-0323-08d58b210068 X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(2017052603328)(7153060)(49563074)(7193020);SRVR:MM1P123MB1050; X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;3:MKs5dzQ/5p8jCk129hgZqVFyrVdW4oqo956FU19Gz6o66Unzd8gOmuAe96KHit/deI2AGcyk5YsW4TdOBUpvDRDE/biwpipBNWqCew73rz2QTq0UigEkF/tpEDsZrjfYFy7ttCS5WOCCF9ucTE/csak2HFuOhClND6vgOYTkIv2vO71EuwXEV1VEVSjJY2xa8vQVgujXpV8fXjuHfMsSf15b4jEKrR4DNrfBLKBBzlhAhV9sRhrwgNpkJw6jXzwu;25:lsCL0Xn0ALPbUZX7lN0wSHe3M03QBMrYjezvAOzvmeVZuw2GxtDyDocNxIOdKS6Dq8SPBMS4VpO0QyROPaBKDZN+KMl5W+kJp8zB3MbkK/XWXu+WSCopjtRqHhSnmlMDg3sM+wrZH/KajOUG6tpX9sV3oJvgUxe+QKrNFkQIPiR9CtzbOHfVIP3qlIwPalPZKvePtxAqi8VTqEd2zEhYgkFgb42rGQiojV+u886t63cDuk48gONDh50zTKCNZBsx+WMp50Mvf1DTMQvrhGlI19jFPQXBn+OWFspUbYl4RU/ffNzeScDtd5MQlQHRrVMWVtRyPMSSpFNunAF0v3FPpQ==;31:6/IkDDU1nB+3jDDavYeG/5F/SVFU6klrmyNZybg+jl6aWOby3KSnbGW0flAnSdoMgMXLQmIwBWPSst2OvZxkUr/krEl9bUWQ6yAd29ApyLevAn3Bz1MFWY0rBCMYUWKLDqywMdme2t2jdzRgsL3ptcLOHTf+uyHkPxdwXgMMdpskEiXjSiEdZ44zQ+6sfG7mE4L6kne1szkFD7oOpEpq634v1uMG18OPIH7wZnl7cG4= X-MS-TrafficTypeDiagnostic: MM1P123MB1050: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(102415395)(9101524173)(2401047)(8121501046)(10201501046)(3002001)(3231221)(944501281)(52105095)(93006095)(93001095)(201708071742011);SRVR:MM1P123MB1050;BCL:0;PCL:0;RULEID:;SRVR:MM1P123MB1050; X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;4:YiLYVcHiqdwQ2TvyHy73ZHflE4/t75LwbybbMbaUqb5+lDNcIt67qn8n1nguaN2DoJe5+A4SuUkRsXlU/B5beqY3VYKgjgDT4gX88aVRThxarwKGVWq3QSibHpRJ5SfEqHCEd+VjsAKpsyUaRhoMlb1khU4g5ZUScRse0NSr5JzGCykJXq2owW26lTVRVR996gR+lNNqbnRjHznKB0B7wJ1j6VaiyN+/KkdVIuGOOoqg6YhOAqtmlst+5p+RLn6pJheu/X2FTt1tvXGuonj28g==;23:/+BLEjWIxDShX9ISFYWuiCw/K2j0u5PyWxPnIa83Phz8tNUSbo/DIC5s9WX7w0t4TwSPlSpfmYySC88zZfTY6w62AzLhU7Qu3b+dgCcFrEsK7sbd9du+eGzfc+Koh5Q6cUKPZs6STtr/AM2+n3ud1g==;6:uMHoPglLFm5KjX+egFCC8o1xTqoOy2wC5PCQ2Hwsg8JbPHD4b+0d+nvdJrfqVhYKDZ4fb+sYjAM++qegs0RcdatAJOf16FxmVi6KWBi4tY2MKsDQzCcwrFQp2SsrNnUoXZ9MoXQBg5alkozBSoLqSA9IVj8uLA6fl1NqV126Pa0v/fR6eUgiCthevxvI7zCWhG8LaMQ9NTNT/LYW/T1QXliUEkRz+9fc8RO2TKd0qeyxHYmRVhdRZDCeF9wdkTrng/Kw/uMerN/pADH+YNaaIYhUbexjNmSMkqQk0LKqXl2iLmZ0Nok5Yt0V/pi/8LFGj2hOLW0wKysIe0QYWVKAWx1be7CjXAJRoh3CA+WbvKKw77GlzndPrzWiXwq3jFjLTlyiHEGog8KgrLMM156esg== X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:MM1P123MB1050;H:MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM;FPR:;SPF:None;LANG:en; X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;5:wHYf7tAv11+nrCsudTXtynwYAPuhi1pzk3yOAme0fA8z6IocnoWhR177EFgZq1Xc0IJFtlepjfGvPRfSpV6khoOmvfBnc888+li7MWPy9MmcytBamFFNTBRRQubNXlVX4iod/sx0/B0P5S/XM3QUj8ePQqDFpImOihsJ9H0aO74=;24:4kyptGwsYWd1ZT+26o+I0CBQlBrcQ8h+zew6YTmtUXA9N/geEmMrI4MKVi9fA7d4rubwuZP41qSgyOUJnF7mhhK5bcdtC6r3plfk/yBW1Ik=;7:z3M30YeKmiLr5ZIQZyr7CdYHNyz9BMehyMHzopBPtKiUgRfCDgrBQPZRKv/F5OXywocBBjEqDwMRSM9JiOJ+VYZtyB+JXs21UBGgcGOlA7hQ3Hvf962KPM8Bk2NYMrtQJFZX38C4Yz9AiV0tYwYI5VMCP/fgO1m4535y8l6thoUJ7n2XhdO98SlILO4oS72KwO2/o9cPjmOFzjSWZ0+2QF/KiB6r/VQiD7MeOTjWlNfr/EsEoXT1OigLdhScT85y SpamDiagnosticOutput: 1:0 X-MS-Exchange-Organization-Recipient-P2-Type: Bcc X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Mar 2018 09:33:39.6510 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: ca1b5da9-6835-4de9-bcdb-725dd3465770 X-MS-Exchange-CrossTenant-Network-Message-Id: c73bdaf1-0213-4d34-0323-08d58b210068 X-MS-Exchange-Transport-CrossTenantHeadersStamped: MM1P123MB1050 X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.6173868 X-MS-Exchange-Processed-By-BccFoldering: 15.20.0588.000 X-Microsoft-Exchange-Diagnostics: 1;MMXP123MB1376;9:JeTvLnsi4tWvcXHjg15P88aBMJDwS5f1cmKeerPeym9XHWffsOWF02ezQoaUszKtnPAzrUeVeD1JXwn0D73LmoKOzSSmOhvKV/qDnW7i4NSMg8izAEZ4nGrtqIuwb60w X-Microsoft-Antispam-Message-Info: 42YAk622i4b1TInn5/SNrkWM2WM/YRVLnepCJZPatr5a5tFQGXQ3bBOu5zjNrTOPitdlDLRMFGvxptU1TeCxJmkbXqXmpQStW85oIvB3YDQ7Oc0aqR1D7gCfxwPH/xF0yoP7oY2MZgR0mt28ZTFlumzOIZiUFROq74AN5faDHvCZSzcwQQ74n53d9tPCPXpwj2joudqcI+DdOuB9OhvzRk6B3JMtIlWvZmtptF2VYAGAJ12n66xEMxrasY70Q44taDysFoV957KHwN6HBd4LGc9PmUBh+qyAfbZPvIVfbVYU1JKmveiMgVRF0k3FmUyiAp25+/SZ3W6eFs9LKsx+EQ== X-Microsoft-Exchange-Diagnostics: 1;MMXP123MB1376;27:hDScNnAaL4YD31DCET01EwH48PoQxhTLLMf4TVCiQ52Pi5zX0Euf7jis8bhP6CvWSsVDul58ojaseWCRFR0M6KH3OXgc