
Contacts Hijacked and Used for Spoof Emails to Send Malware/Ransomware

Last Modified: 2019-02-08
My employer was hit with malware two months ago and we've contained and treated it. However, it looks like our address book got hijacked. Users are being bombarded every day by spoofed emails using names of our employees, but coming from various domains around the world. Outside customers and vendors we often communicate with are also reporting that they are getting the same type of emails, multiple times daily.

I know this is a long shot, but is there anything at all we can do about this? I suppose anybody can type any name in the "From" box on a message and since they have our names and contacts, they are exploiting it. We mark all external emails as [EXTERNAL] so at least people will see that the emails come from outside our domain despite the user's name, but that doesn't help for our vendors, customers, and other contacts.

We currently have Sophos installed on our servers and desktops, and run Barracuda's spam filter. Most of this stuff is getting caught and blocked, but there are so many that a few still slip through.

Any suggestions here?

timgreen7077, Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
I would suggest putting in a firewall rule to block port 25 from everything other than your Exchange servers and spam filters. That will block desktops from sending email via port 25, because if a desktop got infected it could be relaying via port 25 from that desktop to the outside. The only things that need to send out via port 25 are your Exchange servers and spam filters; the Outlook client doesn't connect via port 25, so you are fine. I actually created a GPO to block this via Windows Firewall, but you can block it via Windows Firewall on all desktops or via a hardware firewall.
yo_bee, Director of Information Technology
CERTIFIED EXPERT

Commented:
I think your issue lies outside of your firewall. Most likely the SMTP server that is being used is not your Exchange server, nor are your Outlook clients sending out the email.

The unfortunate thing about spoofing is that you cannot control it. If you look at any of the headers you will see some other IP address or server name other than your system's. This means they are using some other relay host and masking their address with yours as a reply-to.

There are steps the mail admin can take, like forcing a reverse lookup or checking SPF TXT, DMARC or DKIM records, but that is on their end and will not prevent someone from sending to the server making it look like you.
William Fulks, IT Services Analyst
CERTIFIED EXPERT

Author

Commented:
Tim, we are blocking those ports. We've got the thing contained, but I still wonder about the amount of info that went out already.

Yo_bee, yeah that's what we're afraid of. It seems to be out of our hands.
yo_bee, Director of Information Technology
CERTIFIED EXPERT

Commented:
It's the nature of the beast.
timgreen7077, Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
OK, if you are blocking those ports then you are good; that will at least keep your infected machines from sending email bypassing your Exchange servers. I'm sure that your SPF record is also in place, so there will not be much else you can do at this point. The recipient should now filter based on SPF and just validate that the email is coming from an authenticated server for your email domain. There isn't much else you can do at this point; the recipient admins' filters should now come into play.
Terry Woods, Web Developer, specialising in WordPress
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:
A strict SPF policy on the domain should help clients better filter out the spam; the SPF record for your domain should end with:

    -all

not one of:

    ~all
    +all
    ?all


You can also remind clients not to click anything in the emails (e.g. an unsubscribe link), as it will just make the problem worse.
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
All you can do is enable SPF/DKIM/DMARC at your end.
The receiving parties have to have a procedure for when SPF/DKIM/DMARC fails. They ignore it at their risk.
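The receiver-side checks discussed in the comments above, as an added example that is not code from this thread or from any of its posters: it pulls the connecting IP from the topmost Received: header (the one hop the recipient's own server wrote, which is what yo_bee's comment points at), evaluates that IP against the sending domain's SPF record the way a receiving filter would (timgreen7077's and Terry Woods' comments, including the difference between -all and the weaker ~all/?all/+all endings), and reads the DMARC p= policy (David Johnson's comment). The message, the IP addresses, the domain example.com and the DNS answers in FAKE_DNS_TXT and FAKE_MX are constructed for the example; a real filter would do live TXT and MX lookups, handle include:/a mechanisms, and also check DKIM, all of which are omitted here.

```python
"""Offline SPF + DMARC assessment of a spoofed message (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS answers standing in for TXT/MX lookups of the From: domain.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 mx:example.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
FAKE_MX = {"example.com": ["198.51.100.25"]}

# Constructed spoofed message: the From: claims example.com, but the
# recipient's MX recorded a connection from 192.0.2.77, an unrelated host.
SPOOFED_MESSAGE = """\
Received: from mail.example.com (unknown [192.0.2.77])
    by mx.vendor.example (Postfix) with ESMTP id 4ABCD
    for <ap@vendor.example>; Fri, 08 Feb 2019 09:12:31 +0000
From: "Jane Employee" <jane.employee@example.com>
To: ap@vendor.example
Subject: Invoice attached

Please see the attached invoice.
"""

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sender_ip(raw_message):
    """Connecting IP from the topmost Received: header.

    Only that header was written by the recipient's own MTA; every Received:
    line below it could have been fabricated by the sender.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[([0-9a-fA-F.:]+)\]", received[0])
    return match.group(1) if match else None


def from_domain(raw_message):
    """Domain of the RFC 5322 From: address (the domain DMARC aligns on)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= / exp= are ignored here
            continue
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def all_qualifier(record):
    """Qualifier on the terminal 'all': '-' is strict; '~', '?', '+' are weak."""
    for qualifier, mech, _ in parse_spf(record) or []:
        if mech == "all":
            return qualifier
    return None


def evaluate_spf(record, ip, domain, mx_lookup):
    """Evaluate ip against record; only ip4/ip6/mx/all mechanisms are handled."""
    if not record or ip is None:
        return "none"
    terms = parse_spf(record)
    if terms is None:
        return "none"
    address = ipaddress.ip_address(ip)
    for qualifier, mech, arg in terms:
        matched = False
        if mech in ("ip4", "ip6"):
            matched = address in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":  # bare "mx" means the From: domain's own MX hosts
            hosts = mx_lookup.get(arg or domain, [])
            matched = any(address == ipaddress.ip_address(h) for h in hosts)
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def dmarc_policy(record):
    """The p= tag of a DMARC record: 'none', 'quarantine' or 'reject'."""
    if not record:
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "").strip().lower() or None


def assess(raw_message, dns_txt, mx_lookup):
    """What a receiving filter can conclude from SPF and DMARC alone (no DKIM)."""
    domain = from_domain(raw_message)
    ip = sender_ip(raw_message)
    spf_record = dns_txt.get(domain) if domain else None
    result = {
        "from_domain": domain,
        "sender_ip": ip,
        "spf_result": evaluate_spf(spf_record, ip, domain, mx_lookup),
        "spf_all": all_qualifier(spf_record) if spf_record else None,
        "dmarc_policy": dmarc_policy(dns_txt.get("_dmarc." + domain)) if domain else None,
    }
    if result["spf_result"] == "pass":
        result["verdict"] = "deliver"
    elif result["dmarc_policy"] in ("reject", "quarantine"):
        result["verdict"] = result["dmarc_policy"]  # domain owner asked for this
    elif result["spf_result"] == "fail":
        result["verdict"] = "reject"  # hard fail from -all; most receivers reject
    else:
        result["verdict"] = "deliver (policy too weak to block)"
    return result


if __name__ == "__main__":
    for key, value in assess(SPOOFED_MESSAGE, FAKE_DNS_TXT, FAKE_MX).items():
        print(f"{key}: {value}")
```

Run as-is, the spoofed message hard-fails SPF (the connecting IP is neither in the ip4 range nor an MX host, so the -all term fires) and the domain's p=reject policy gives the receiver a reason to drop it. Swap the record's ending for ~all or ?all and the same message only softfails or goes neutral, which is exactly why the weaker endings leave the vendors and customers in the question exposed.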
William FulksIT Services Analyst
CERTIFIED EXPERT

Author

Commented:
Thanks everyone for your input.