Contacts Hijacked and Used for Spoof Emails to Send Malware/Ransomware

My employer was hit with malware two months ago and we've contained and treated it. However, it looks like our address book got hijacked. Users are being bombarded every day by spoofed emails using names of our employees, but coming from various domains around the world. Outside customers and vendors we often communicate with are also reporting that they are getting the same type emails, multiple times daily.

I know this is a long shot, but is there anything at all we can do about this? I suppose anybody can type any name in the "From" box on a message and since they have our names and contacts, they are exploiting it. We mark all external emails as [EXTERNAL] so at least people will see that the emails come from outside our domain despite the user's name, but that doesn't help for our vendors, customers, and other contacts.

We currently have Sophos installed on our servers and desktops, and run Barracuda's spam filter. Most of this stuff is getting caught and blocked, but there are so many that a few still slip through.

Any suggestions here?
William Fulks (Systems Analyst & Webmaster) asked:
timgreen7077 (Exchange Engineer) commented:
I would suggest putting in a firewall rule to block port 25 from everything other than your Exchange servers and spam filters. That will block desktops from sending emails via port 25, because if a desktop got infected it could be relaying via port 25 from that desktop to the outside. The only thing that needs to send out via port 25 is your Exchange and spam filters; the Outlook client doesn't connect via port 25, so you are fine. I actually created a GPO to block this via Windows Firewall, but you can block via Windows on all desktops or you can block via hardware firewall.
yo_bee (Director of Information Technology) commented:
I think your issue lies outside of your firewall. Most likely the SMTP server that is being used is not your Exchange, nor are your Outlook clients sending out the email.

The unfortunate thing about spoofing is that you cannot control it. If you look at any of the headers you will see some other IP address or server name other than your system's. This means they are using some other relay host and masking their address with yours as a reply-to.

There are steps the mail admin can take, like forcing a reverse lookup or challenging SPF TXT, DMARC or DKIM records, but that is on their end and will not prevent someone from sending to the server making it look like you.
William Fulks (Systems Analyst & Webmaster, Author) commented:
Tim, we are blocking those ports. We've got the thing contained, but I still wonder about the amount of info that went out already.

Yo_bee, yeah that's what we're afraid of. It seems to be out of our hands.
yo_bee (Director of Information Technology) commented:
It's the nature of the beast.
timgreen7077 (Exchange Engineer) commented:
Ok, if you are blocking those ports then you are good; that will at least keep your infected machines from sending email bypassing your Exchange servers. I'm sure that your SPF record is also in place, so there will not be much else you can do at this point; the recipient should now filter based on SPF and just validate that the email is coming from an authenticated server for your email domain. There isn't much else you can do at this point; the recipient admins' filters should now come into play.
Terry Woods (IT Guru) commented:
A strict SPF policy on the domain should help clients better filter out the spam; the SPF record for your domain should end with:


not one of:


You can also remind clients not to click anything in the emails (e.g. an unsubscribe link), as it will just make the problem worse.
David Johnson, CD, MVP (Retired) commented:
You've lost control of your contacts list and probably your users list. Email is easy to spoof, so it is NOW up to the recipients' spam filter to act on these emails. There is nothing you can do at your end. They will eventually move on. This is one of the reasons email has been enhanced with SPF and DKIM records.

David Johnson, CD, MVP (Retired) commented:
All you can do is enable SPF/DKIM/DMARC at your end.
The receiving parties have to have a procedure for when SPF/DKIM/DMARC fails. They ignore it at their risk.
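To make concrete what Terry's "strict SPF policy" and David's "procedure for when SPF/DMARC fails" mean on the receiving side, here is an added example (not code from any of the posters) that evaluates a sender IP against a published SPF record and then applies the domain's DMARC policy. The records, the domain name and the sender addresses are constructed for the example; `include:`/`a`/`mx` mechanisms need DNS and are deliberately skipped so it runs offline.

```python
import ipaddress

# Constructed sample records for a hypothetical domain (not the asker's real DNS).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# SPF qualifiers per RFC 7208: the one on the trailing "all" decides what
# happens to every sender the record did not explicitly list.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Subset SPF check: walks ip4/ip6 mechanisms in order, then the final 'all'."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # ip_network handles both a bare address and CIDR; version mismatch is False
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        # include/a/mx/exists require DNS lookups; omitted in this offline example
    return "neutral"  # record ended without an "all" term


def dmarc_policy(record):
    """Return the requested policy (p= tag) from a DMARC TXT record."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").strip().lower()


def disposition(spf_result, policy):
    """Receiver decision for a message whose From domain failed SPF, assuming no
    aligned DKIM signature (the spoofed mail in the thread would have none)."""
    if spf_result == "pass":
        return "deliver"
    # Any non-pass SPF result is a DMARC failure; the policy says what to do.
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver (policy none)")
```

A spoofed message from an unlisted IP therefore ends as `fail` under `-all` but only `softfail` under `~all`, and without a DMARC `p=reject` or `p=quarantine` the receiver is free to deliver it anyway.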
William Fulks (Systems Analyst & Webmaster, Author) commented:
Thanks everyone for your input.