William Fulks

Contacts Hijacked and Used for Spoof Emails to Send Malware/Ransomware

My employer was hit with malware two months ago and we've contained and treated it. However, it looks like our address book got hijacked. Users are being bombarded every day by spoofed emails using names of our employees, but coming from various domains around the world. Outside customers and vendors we often communicate with are also reporting that they are getting the same type emails, multiple times daily.

I know this is a long shot, but is there anything at all we can do about this? I suppose anybody can type any name in the "From" box on a message and since they have our names and contacts, they are exploiting it. We mark all external emails as [EXTERNAL] so at least people will see that the emails come from outside our domain despite the user's name, but that doesn't help for our vendors, customers, and other contacts.

We currently have Sophos installed on our servers and desktops, and run Barracuda's spam filter. Most of this stuff is getting caught and blocked, but there are so many that a few still slip through.

Any suggestions here?


8/22/2022 - Mon

I would suggest putting in a firewall rule to block port 25 from everything other than your Exchange servers and spam filters. That will block desktops from sending emails via port 25, because if a desktop got infected it could be relaying via port 25 from that desktop to the outside. The only thing that needs to send out via port 25 is your Exchange and spam filters; the Outlook client doesn't connect via port 25, so you are fine. I actually created a GPO to block this via Windows Firewall, but you can block via Windows on all desktops or you can block via a hardware firewall.
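As an added example (not code from the thread or from any of its posters), the following Python audit shows what the port-25 rule above is meant to catch: internal hosts other than the mail servers and spam filter opening outbound SMTP connections. The flow-log format, the 10.0.0.0/8 range and the two allow-listed addresses are all hypothetical, constructed for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Hosts allowed to send SMTP (TCP/25) to the internet: hypothetical addresses
# standing in for the Exchange servers and the spam filter appliance.
ALLOWED_SMTP_SOURCES = {
    ipaddress.ip_address("10.0.1.10"),  # hypothetical Exchange server
    ipaddress.ip_address("10.0.1.20"),  # hypothetical spam filter appliance
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical internal range

# Constructed firewall flow-log lines in a simple key=value format.
SAMPLE_LOG = """\
ts=2022-08-22T09:01:02Z src=10.0.1.10 dst=203.0.113.5 proto=tcp dport=25 action=allow
ts=2022-08-22T09:01:05Z src=10.0.7.44 dst=198.51.100.9 proto=tcp dport=25 action=allow
ts=2022-08-22T09:01:06Z src=10.0.7.44 dst=198.51.100.10 proto=tcp dport=25 action=allow
ts=2022-08-22T09:01:09Z src=10.0.7.44 dst=192.0.2.77 proto=tcp dport=443 action=allow
ts=2022-08-22T09:02:11Z src=10.0.1.20 dst=203.0.113.8 proto=tcp dport=25 action=allow
ts=2022-08-22T09:02:30Z src=10.0.9.12 dst=192.0.2.30 proto=tcp dport=587 action=allow
ts=2022-08-22T09:03:00Z src=10.0.9.12 dst=203.0.113.9 proto=tcp dport=25 action=deny
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)"
)


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
        "action": m["action"].lower(),
    }


def audit_outbound_smtp(log_text, allowed=ALLOWED_SMTP_SOURCES, internal=INTERNAL_NET):
    """Find internal hosts that reached (or tried to reach) the internet on TCP/25.

    Returns {"unexpected_allowed": {src: count}, "blocked": {src: count}}.
    'unexpected_allowed' are connections the firewall let through from hosts
    not on the allow-list (the gap the port-25 rule closes); 'blocked' are
    attempts the rule already stopped, which still point at a machine that is
    trying to relay mail directly and deserves a look.
    """
    unexpected, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if rec["src"] not in internal or rec["dst"] in internal:
            continue  # only internal -> external traffic is of interest
        if rec["src"] in allowed:
            continue  # the mail servers are supposed to do this
        src = str(rec["src"])
        if rec["action"] == "allow":
            unexpected[src] += 1
        elif rec["action"] == "deny":
            blocked[src] += 1
    return {"unexpected_allowed": dict(unexpected), "blocked": dict(blocked)}


if __name__ == "__main__":
    for kind, hosts in audit_outbound_smtp(SAMPLE_LOG).items():
        print(kind, hosts)
```

Run against the constructed log, the desktop 10.0.7.44 shows up as sending SMTP directly while the rule was missing, and 10.0.9.12 shows up as an attempt the rule blocked; both are candidates for a malware check. Traffic on the submission ports (587/465) is deliberately left out, matching the post's point that only port 25 needs the rule.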

I think your issue lies outside of your firewall. Most likely the SMTP server that is being used is not your Exchange, nor is it your Outlook clients that send out the email.

The unfortunate thing about spoofing is that you cannot control it. If you look at any of the headers you will see some other IP address or server name other than your system's. This means they are using some other reply host and masking their address with yours as a reply-to.

There are steps the mail admin can take, like forcing a reverse lookup or challenging SPF TXT or DMARC or DKIM records, but that is on their end and will not prevent someone from sending to the server making it look like you.
William Fulks

Tim, we are blocking those ports. We've got the thing contained, but I still wonder about the amount of info that went out already.

Yo_bee, yeah that's what we're afraid of. It seems to be out of our hands.
James Murphy

It's the nature of the beast.

OK, you are blocking those ports, then you are good; that will at least keep your infected machines from sending email bypassing your Exchange servers. I'm sure that your SPF record is also in place, so there will not be much else you can do at this point; the recipient should now filter based on SPF, just validate that the email is coming from an authenticated server for your email domain. There isn't much else you can do at this point; the recipient admins' filters should now come into play.
Terry Woods

A strict SPF policy on the domain should help clients better filter out the spam; the SPF record for your domain should end with:


not one of:


You can also remind clients not to click anything in the emails (e.g. an unsubscribe link), as it will just make the problem worse.
David Johnson, CD

All you can do is enable SPF/DKIM/DMARC at your end.
The receiving parties have to have a procedure for when SPF/DKIM/DMARC fails. They ignore it at their risk.
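Both Terry Woods's answer (a strict SPF ending) and David Johnson's (SPF/DKIM/DMARC at your end, enforcement at the receiver's) come down to how the published TXT records are worded. As an added example, not code from the thread or from any poster, the Python below parses an SPF record and a DMARC record and reports whether they ask receivers to reject unauthenticated mail. The records are constructed for a hypothetical domain (the `include:_spf.example.net` host and the addresses are made up) and no DNS lookups are made; in practice the SPF record comes from a TXT lookup on the domain itself and the DMARC record from a TXT lookup on `_dmarc.<domain>`. The `-all` (fail) versus `~all` (softfail), `?all` (neutral) and `+all` (pass) qualifiers, and the DMARC `p=` tag values, are the standard ones from RFC 7208 and RFC 7489.

```python
SPF_QUALIFIERS = {"-": "fail (strict)", "~": "softfail", "?": "neutral", "+": "pass"}

# Constructed TXT records for a hypothetical domain; no DNS lookups are made.
SAMPLE_RECORDS = {
    "strict": (
        "v=spf1 mx ip4:203.0.113.10 include:_spf.example.net -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    ),
    "soft": (
        "v=spf1 mx ip4:203.0.113.10 ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ),
}


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for an SPF record, or None if the
    TXT value is not SPF. mechanisms is a list of (qualifier, term) pairs; the
    qualifier defaults to '+' as in RFC 7208. Terms after 'all' are dropped
    because evaluators never reach them."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
            break
        mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def spf_verdict(record):
    """Classify how strictly the record tells receivers to treat unlisted senders."""
    parsed = parse_spf(record)
    if parsed is None:
        return "no SPF record"
    _, all_qualifier = parsed
    if all_qualifier is None:
        return "weak: no 'all' term (unlisted senders get neutral)"
    if all_qualifier == "-":
        return "strict: -all"
    return f"weak: {all_qualifier}all ({SPF_QUALIFIERS[all_qualifier]})"


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_verdict(record):
    """Say whether the policy asks receivers to act on SPF/DKIM failures."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no DMARC record"
    policy = tags.get("p", "").lower()
    if policy in ("reject", "quarantine"):
        return f"enforcing: p={policy}"
    return f"monitor only: p={policy or 'missing'}"


def assess_domain(spf_record, dmarc_record):
    """Combine both verdicts for one domain."""
    return {"spf": spf_verdict(spf_record), "dmarc": dmarc_verdict(dmarc_record)}


if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(name, assess_domain(spf, dmarc))
```

The "soft" pair is the common starting point (softfail plus `p=none`) and gives receivers nothing to enforce; the "strict" pair is what the answers above recommend. As the thread also notes, these records only cover mail claiming to be from your own domain: a message that borrows an employee's display name but is sent from an unrelated domain passes that domain's checks, which is why the [EXTERNAL] tag and the recipients' own filtering still matter.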
William Fulks

Thanks everyone for your input.