
I got a lot of phishing attempts that appear to come from an actual microsoft.com e-mail address (see I need some verification about unusual login emails)

I thought this was odd, since I had hoped that "popular" e-mail domains like this would be protected against this sort of thing.

A similar question was asked before How could I get a spam/phishing email from microsoft.com but closed as a duplicate to Why do phishing e-mails use faked e-mail addresses instead of the real one?

The accepted answer states:

, the mail would likely be blocked since this domain is protected with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).

But apparently that's not working. To make it worse: not only do I get the messages, I get them from a Microsoft e-mail server (Hotmail/outlook).

  1. Why can't Microsoft block phishing from spoofed e-mail addresses that use their very own domain name? Can they not verify whether an e-mail is actually coming from microsoft.com?
  2. Is there anything a user can do to detect e-mail address spoofing?

UPDATE: message header added

Received: from AM9PR08MB6129.eurprd08.prod.outlook.com (2603:10a6:20b:284::8)
 by AM0PR08MB4529.eurprd08.prod.outlook.com with HTTPS; Sun, 30 Oct 2022
 02:48:48 +0000
Received: from AS9PR06CA0249.eurprd06.prod.outlook.com (2603:10a6:20b:45f::22)
 by AM9PR08MB6129.eurprd08.prod.outlook.com (2603:10a6:20b:284::8) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5769.18; Sun, 30 Oct
 2022 02:48:47 +0000
Received: from AM7EUR06FT067.eop-eur06.prod.protection.outlook.com
 (2603:10a6:20b:45f:cafe::db) by AS9PR06CA0249.outlook.office365.com
 (2603:10a6:20b:45f::22) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5769.16 via Frontend
 Transport; Sun, 30 Oct 2022 02:48:47 +0000
Authentication-Results: spf=none (sender IP is 89.144.43.86)
 smtp.mailfrom=quihzero.co.uk; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject
 header.from=microsoft.com;compauth=fail reason=000
Received-SPF: None (protection.outlook.com: quihzero.co.uk does not designate
 permitted sender hosts)
Received: from quihzero.co.uk (89.144.43.86) by
 AM7EUR06FT067.mail.protection.outlook.com (10.233.254.166) with Microsoft
 SMTP Server id 15.20.5769.14 via Frontend Transport; Sun, 30 Oct 2022
 02:48:47 +0000
X-IncomingTopHeaderMarker:
 OriginalChecksum:1393D9D28C27CFD772090722ACDC70192B7D53D58DBECEC0ABA09BE195031F4F;UpperCasedChecksum:1C9A33C9E651F3E56C924390CF2CF7AE1A4C0C7C3AC33D388CFD085852D5347B;SizeAsReceived:327;Count:10
From: Microsoft account team <no-reply@microsoft.com>
Subject: Microsoft account unusual sign-in activity
To: xxxx
X-Message-Flag: Flag
Importance: high
Date: Sun, 30 Oct 2022 02:48:47 +0000
Reply-To: newsletter@figoshine.com
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0
X-IncomingHeaderCount: 10
Message-ID:
 <319bf62a-9178-408a-bcdf-492af20e9a26@AM7EUR06FT067.eop-eur06.prod.protection.outlook.com>
Return-Path: bounce@quihzero.co.uk
X-MS-Exchange-Organization-ExpirationStartTime: 30 Oct 2022 02:48:47.4195
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 ad32cc46-e363-40c8-5762-08daba21449d
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AM7EUR06FT067:EE_|AM9PR08MB6129:EE_
X-MS-Exchange-Organization-AuthSource:
 AM7EUR06FT067.eop-eur06.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-UserLastLogonTime: 10/30/2022 1:44:43 AM
X-MS-Office365-Filtering-Correlation-Id: ad32cc46-e363-40c8-5762-08daba21449d
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 89.144.43.86
X-SID-PRA: NO-REPLY@MICROSOFT.COM
X-SID-Result: NONE
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-AtpMessageProperties: SA|SL
X-Microsoft-Antispam: BCL:5;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Oct 2022 02:48:47.3883
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: ad32cc46-e363-40c8-5762-08daba21449d
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-AuthSource:
 AM7EUR06FT067.eop-eur06.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9PR08MB6129
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6947243
X-MS-Exchange-Processed-By-BccFoldering: 15.20.5769.016
X-MS-Exchange-Organization-SCL: 6
X-Message-Info:
    6hMotsjLow8ibk1nPury0UhKZyI0kDcBH3HX+gj5xkU0oEZLZj27dS8EuEDGWvYY4wRnFrgjoiQXuXtpCFY4AtIav9urZ9o/xPpo+Zpn8Ehh21LOscMdVc+ixqln+MqPxOY0U8MLMianUJxC7jHkJnCbQdDPYYWl9RQMPskLvS6wq698TkT/9W97EsTAPl8UNW2JF9Wwoasq0U9i/q5zvA==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0zO1NDTD02
X-Microsoft-Antispam-Mailbox-Delivery:
    rwl:0;ucf:0;jmr:0;ex:0;psp:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000305)(90000117)(90005022)(91005020)(91035115)(5061607266)(5061608174)(9050020)(9100338)(2008001134)(2008121020)(4810004)(4910033)(9610025)(9525003)(10140023)(9320005)(9245025);RF:JunkEmail;
X-Microsoft-Antispam-Message-Info:
    =?us-ascii?Q?BSMr/fdT7aQylDzqKGtPSwe+skSGB6mtyx9dEriKY357rtTmgqrAHTUQrU1N?=
 =?us-ascii?Q?hiTCyq7olzTA+Gczf8+ZyxUqd2H2V9LXAKjXcw1nRxNULqGhPGN8Ge+91k7s?=
 =?us-ascii?Q?ViDV8JS1FiihusL+PYD+504joxNeKeRpT2TKvDPbz02WYxlCWPr8QL9H3Gqo?=
 =?us-ascii?Q?+OH4iDzt4gdsfSMOpYzBUuTfYEvietq/rbocc+0BzukeY2EHRK/L7OCCvJq+?=
 =?us-ascii?Q?r/79v3UKAOw1sttn9sttvVx5OQ85HE6mymRHiTj6sWllt16NDa4KphmxB+FC?=
 =?us-ascii?Q?ncvGam8POFv4waoSc01ehc51ck1VJ9qE3MMCR/lW2WWL05FTICjhbn8rDBeE?=
 =?us-ascii?Q?zFO86coX4mIAQ+bdDAP3d7l2RXKP8ZrrhoCRMZyojSZ05oN/K+ExEiHBk1ri?=
 =?us-ascii?Q?Nr48flr4RU6Dp+0MkvBVP/leufkFXAoVChTblS3Sbr03vs05+XxgqJ4AaMw5?=
 =?us-ascii?Q?HnSkbDQUXL0RreiWxmfbNrgjepxMIwMxpaLFxUUzaU6ELNHY2qJjn71Amx90?=
 =?us-ascii?Q?QmxCRUThaI3fLtRLT1FVIsK+qzBStFGNrfy8unyvRqSBuqk4oVWZ1mCu61yP?=
 =?us-ascii?Q?1M7hawlhQl5vx7D+ufPEro4HWiFWuL79V1Q91SxwCPAcCnV8U19VAZqVub2f?=
 =?us-ascii?Q?LoQMGbI65sHpiHfaPQ8XB0C/UPXnXCPnuOleXpd58+ICJXbpgRVzD/ra2Ve3?=
 =?us-ascii?Q?IkUC+I/ZyHQvKl5xtoGbmgabv62MyuVJKrEqw8fpzsK4YT1iQmz5mZeHZ5JJ?=
 =?us-ascii?Q?PM33vM3RI8lOCdnpkfEFWPYl0Z9La7dJrvOq3xGhmPns4Z2U69FlkaAJzM20?=
 =?us-ascii?Q?hR0swqzGjtomABNT5zNM8lFVCm6i+GErTL8wZ3mHlnU2MwBF4G/aAa1e2hhb?=
 =?us-ascii?Q?TMnsovdC483irFqMDzURbX1/qHBtWDOrcCsj9ZMbTQFi9gOZaYhkGJQYNUi8?=
 =?us-ascii?Q?0NvjLa/Ggjhr6wJ8Ub+E7Z06LN2DkNMiZZDuxGBhExU8g6VdmNlkW/t5qjqi?=
 =?us-ascii?Q?LHLliWE7wFJ6nCMh7WNiwrJQzTJYf4jhCvW7Wf2xLiFCwl/HWgi/9VhrIBtX?=
 =?us-ascii?Q?91ZJhs+w1dA0f6vBqekogzLn6ij33av70amtx0M96SaeuJKyzWG3JuRkiQ7q?=
 =?us-ascii?Q?fqWaWhlacul1YeYekBqEVtAkHGHpvs707KcWQwSQ4LcCaPDkfFXkDQq0p+cq?=
 =?us-ascii?Q?3Ov7kb4FTARGBm4OblCCxoDruhODoCASHGgeD5Aaqgn+KkbEfsqITzuWkSEB?=
 =?us-ascii?Q?mTt5e82fD1L/kPAmvLG6HeRPubPsXD36BB6Hbdm83HRExdB6k9hTQHhR4n+5?=
 =?us-ascii?Q?s4/jPcRPWdOPxv9JK6hymS66hn/nRb+6Ln/Eysi8AjHLfJz/ZeoUnh3inDI2?=
 =?us-ascii?Q?55R1MSu9Y73FLqSoVNL26qHytLQnIKq//N45B6ge0eR1ZxhUHQFfIQZcTKJy?=
 =?us-ascii?Q?73nqLLXA8K4kogrRJKlGy4d13r9KlkczDGkaDnP6icKcxqC+STVPUN/Pp6jd?=
 =?us-ascii?Q?2U9+MC0FJEObg/5ZRZ/59wmbRIW/uITWS8103yLrnKN8hOfiDJrCSz3mDwis?=
 =?us-ascii?Q?/Qiztrpcg70ZR6fIflAFRZoa4ZEQCM8PSW17sCt8MsJdc5w2ZodnOw7WN3h4?=
 =?us-ascii?Q?MrgtkSwCVc+1MzAcRNX3nYKUEhcLpeo6dlq4U2GymaL/eU9rDWWg1aNNdPUM?=
 =?us-ascii?Q?PTqyF5odF+yIknT3KcN8tl3U6ATc9zlPoHBliXvVaykH+F8DKWaIPs/5099Z?=
 =?us-ascii?Q?wxHj2mn8d4dlRix8oeFnr57LPkWopecg73Pazh6QF0CSx2yma8YAerO2muw4?=
 =?us-ascii?Q?Xl81AIS7FEl5nOae0w2wJi3ItNyzjnmx1oTyk7Ue5eDX3TH+pqQ/EOSa4OBk?=
 =?us-ascii?Q?owRcNMk3pIxuh0VtFm9/adeQA3dFKkliR4XsefAUHNnmE1MpsPkqmdwz1KHx?=
 =?us-ascii?Q?clMqzpP3fRESUW/JLRsdpwqA0+V7fbyN0Ada6ekxucB3+B/i2z6fBFIfRPWm?=
 =?us-ascii?Q?DpHACUyWGfixY6sRYjUz981gSfYLEZrCovDnmteWVFX9634KwNJc1wlf2Gvr?=
 =?us-ascii?Q?8Kenmq02yngxI7BUuHS3Pf3mZ3oIQd5CQXu45cS3U67/WkUXJ/8fceVXJ83b?=
 =?us-ascii?Q?XW3XFRHsH46dIjWVnDyVYyQwI+8f/YRR8t/KQ/D3fCXejTSIcjR+jwoFsErO?=
 =?us-ascii?Q?/zNCJse50N5kXvenyStcD0FsBDS6Jeue+5J2v8GiRBeablnGXXvT1rRLSTAH?=
 =?us-ascii?Q?tMvekEcG5XYRLXOMz6bWLHK9y3YfNc5whP0VlDlGPjtu5J8pwCNg4t+hndnp?=
 =?us-ascii?Q?Ua2sgl8Q4HQKiqXC1bLC/LSnCnTfxAAdf6nx48GFNae3mUPcw27YJiOYhA/n?=
 =?us-ascii?Q?S57gbD+qgcY7m1oEG0dm3y4yQHrhk8wY0vLBzkB8P8VQxHqXnBQF7kO4Pox/?=
 =?us-ascii?Q?ostdwdkURfcVvkSp321RvVoCQ0iR7/1iCrBlSCILzbvmWrpgUjfhf1srWZq+?=
 =?us-ascii?Q?GpRO+u8HwNBxeV0x9uSj7lMWKrzBRi421G/gldNjfDHJIVP4SqvfDa9naWVP?=
 =?us-ascii?Q?CDKyjxayYKaTbtnhaSFIbhBJ2+evzWQ+p6jnFELOe084hf2bTAOFt7pOqvD2?=
 =?us-ascii?Q?oGu6jxWLX31Tk65QzjCtzElVT61VxJ//zyCZWWM5IJluzCSnkR32z/z/bryV?=
 =?us-ascii?Q?KjT9bvSZI7CQHRP+hD2rgyeTneeqqQdKvtO4UizAjJnWTZMqKMKHn3l5mDjX?=
 =?us-ascii?Q?X8Qkl0C47bBcLHp7hqCHOJh27Ue9ebk=3D?=
Hilmar
  • You make a claim that microsoft.com is not properly protected without actually proving it. All we have is your interpretation of what you see and some link to another site where you've added some information - only these explicitly have the relevant information (like sender email) removed. Apart from that - microsoft.com has a reject policy for DMARC and it is using DKIM - so your claim of not having protection is wrong. – Steffen Ullrich Nov 03 '22 at 15:01
  • My claim is that I get e-mails in my MS email account with an address @microsoft.com but it's malicious and not actually from Microsoft. Are you doubting this claim? So whatever protection they have doesn't appear to be working (and hence isn't really protection, isn't it?). What data or information can I add to make this a better question ? – Hilmar Nov 03 '22 at 16:02
  • I can add the message header, if that helps – Hilmar Nov 03 '22 at 16:11
  • *"Are you doubting this claim?"* - You ask for an explanation why spoofed mails are received without providing the details which are needed to a) verify the claim and b) find an explanation for it. *"can add the message header, if that help"* - yes, this would be helpful. But please anonymize only your email (recipient), not the senders. Also include the full Received headers and any DKIM signatures. If there are Authentication-Results headers include these too. – Steffen Ullrich Nov 03 '22 at 16:50

2 Answers


Why are @microsoft.com e-mail address not protected against spoofing

They are. microsoft.com is protected by SPF, DKIM and DMARC. So from the sender side this is not a problem. It is a problem on the receiver side though, which in your case is Microsoft too.

In fact, the receiver detects that the mail is spoofed as can be seen from dmarc=fail action=reject in the Authentication-Results header:

Authentication-Results: spf=none (sender IP is 89.144.43.86)
 smtp.mailfrom=quihzero.co.uk; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject
 header.from=microsoft.com;compauth=fail reason=000

But, since the false positive rate is considered too high for this decision, i.e. because valid mails might be inadvertently rejected, Microsoft does not reject the mail but instead only marks it as Junk. This is documented in How Microsoft 365 handles inbound email that fails DMARC:

If the DMARC policy of the sending server is p=reject, Exchange Online Protection (EOP) marks the message as spoof instead of rejecting it. In other words, for inbound email, Microsoft 365 treats p=reject and p=quarantine the same way. Admins can define the action to take on messages classified as spoof within the anti-phishing policy.

Microsoft 365 is configured like this because some legitimate email may fail DMARC. ...

One might well argue about this behavior of deliberately misinterpreting the DMARC policy of the sender with this argument of reliability - especially since Microsoft servers are known to simply accept mails they consider spam without delivering these to the recipient (not even in the Junk folder). Still, it explains what you see.

See also Enforcing DMARC policy (reject) on an Office 365 tenant how you might change this behavior in some cases.

Steffen Ullrich
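The header reading above is exactly what a user (or a SOC triage script) can automate to answer the second question in the post. The following is an added example, not code from the answer, from Microsoft or from any library: it unfolds the headers posted in the question, parses the `Authentication-Results` clauses into SPF, DKIM and DMARC results, checks DMARC alignment between the `From:` domain and the SPF/DKIM domains, and reports the receiver's own verdict. Assumptions: the header text is as posted (no authserv-id prefix, comments in parentheses), relaxed alignment is approximated as equal-or-subdomain because no public-suffix list is available offline, and `action=oreject` is read as Microsoft documents it, an override of the sender's `p=reject` to junk/quarantine. The sample input is constructed from the question's header, with the recipient already anonymised there.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, copied from the header posted in the question
# (recipient already anonymised there).
SAMPLE_HEADERS = """\
Authentication-Results: spf=none (sender IP is 89.144.43.86)
 smtp.mailfrom=quihzero.co.uk; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject
 header.from=microsoft.com;compauth=fail reason=000
From: Microsoft account team <no-reply@microsoft.com>
Reply-To: newsletter@figoshine.com
Return-Path: bounce@quihzero.co.uk
"""


def unfold(raw: str) -> Dict[str, str]:
    """Join RFC 5322 folded continuation lines into a name -> value map.
    Only the topmost occurrence of a name is kept: for Authentication-Results
    that is the one stamped by the final receiving server."""
    headers: Dict[str, str] = {}
    current: Optional[str] = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t"):
            if current is not None:
                headers[current] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip()
            current = None if name in headers else name
            if current:
                headers[name] = value.strip()
    return headers


def parse_auth_results(value: str) -> Dict[str, Dict[str, str]]:
    """Parse 'method=result prop=val ...; ...' into {method: {'result': ..}}.
    Parenthesised comments are dropped; a leading authserv-id is ignored."""
    value = re.sub(r"\([^)]*\)", "", value)
    results: Dict[str, Dict[str, str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, _, verdict = tokens[0].partition("=")
        props = {"result": verdict.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key] = val.lower()
        results[method.lower()] = props
    return results


def domain_of(addr: str) -> str:
    """Lower-cased domain of 'Name <local@domain>' or 'local@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower().rstrip(".") if m else ""


def aligned(candidate: str, from_domain: str) -> bool:
    """DMARC relaxed alignment, approximated offline as equal-or-subdomain."""
    return bool(candidate) and (candidate == from_domain
                                or candidate.endswith("." + from_domain))


def assess(raw: str) -> Dict[str, object]:
    """List the spoofing signals a user can read off the headers and the
    verdict the receiver already reached (dmarc=... action=...)."""
    h = unfold(raw)
    ar_value = h.get("Authentication-Results", "")
    ar = parse_auth_results(ar_value)
    ip = re.search(r"sender IP is ([0-9a-fA-F.:]+)", ar_value)
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    from_domain = domain_of(h.get("From", ""))
    mailfrom = spf.get("smtp.mailfrom") or domain_of(h.get("Return-Path", ""))
    dkim_domain = dkim.get("header.d", "")
    dkim_domain = "" if dkim_domain == "none" else dkim_domain
    reply_domain = domain_of(h.get("Reply-To", ""))
    reasons: List[str] = []
    if spf.get("result") != "pass" or not aligned(mailfrom, from_domain):
        reasons.append(f"no aligned SPF pass (spf={spf.get('result')}, mailfrom={mailfrom})")
    if dkim.get("result") != "pass" or not aligned(dkim_domain, from_domain):
        reasons.append(f"no aligned DKIM pass (dkim={dkim.get('result')}, d={dkim_domain or 'none'})")
    if dmarc.get("result") == "fail":
        reasons.append(f"receiver reports dmarc=fail for header.from={dmarc.get('header.from')}")
    if dmarc.get("action") == "oreject":
        # 'oreject' = override reject: p=reject was downgraded to junk/quarantine
        reasons.append("action=oreject: sender's p=reject policy was not enforced")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return {
        "from_domain": from_domain,
        "sender_ip": ip.group(1) if ip else "",
        "dmarc": dmarc.get("result"),
        "dmarc_action": dmarc.get("action"),
        "spoof_suspected": dmarc.get("result") == "fail" or len(reasons) >= 2,
        "reasons": reasons,
    }
```

Calling `assess(SAMPLE_HEADERS)` on the posted header returns five reasons: no aligned SPF pass (the envelope sender is quihzero.co.uk, not microsoft.com), no DKIM signature at all, the receiver's own `dmarc=fail`, the `oreject` override that explains why the message landed in Junk rather than being bounced, and a `Reply-To` at a third domain. A message that really comes from the domain in `From:` yields an empty list; `compauth` is parsed too but not used for the verdict, since the three standard results already carry the information.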

Microsoft is protected against exact domain spoofing by DMARC p=reject, but many receivers (including Microsoft) do not enforce that. This is because DMARC isn't implemented well by all senders.

Still, MS is in the anti-spam business and should be able to internally denote which of its own domains are indeed responsibly configured.

schroeder
Adam Katz