Office 365 tenant problem or just a plain old hack

IT Guy
A client email address seems to be sending out emails to clients asking for bank account changes etc.

The client is on a laptop using all the AVG products plus an A/V provided by SolarWinds.

Two clients have gotten these emails: one that was not specific and one that asked for the exact invoice
that was due.

Sent Items on the computer and in OWA don't show that email being sent, but I have message IDs when I do an Office 365 search
showing that they have been sent.

Below are the message headers...

Was this done via PowerShell or did the account get hacked? I only see one reference to HTTP,
and I see this Transport-CrossTenantHeadersStripped: part which I don't understand...

Both are Office 365 clients.

I can generally figure these things out, but the client has had the password changed and is running those software suites, which, while
not the best, do pick up some bad activities.

Anyway, we are trying to sniff this out in the right direction and would love to be told what I am reading wrong or where I should be looking.

Thank you

Received: from BL2P131MB0002.NAMP131.PROD.OUTLOOK.COM (2603:10b6:208:71::29)
by BL2P131MB0001.NAMP131.PROD.OUTLOOK.COM with HTTPS via
BL0PR01CA0016.PROD.EXCHANGELABS.COM; Thu, 4 Apr 2019 16:33:35 +0000
Received: from BN6P131CA0004.NAMP131.PROD.OUTLOOK.COM (2603:10b6:423:5f::18)
by BL2P131MB0002.NAMP131.PROD.OUTLOOK.COM (2603:10b6:221:22::21) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.2x; Thu, 4 Apr
2019 16:33:34 +0000
Received: from
(2a01:111:f400:7e46::208) by
(2603:10b6:423:5f::18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.1x via Frontend
Transport; Thu, 4 Apr 2019 16:33:34 +0000
Authentication-Results: spf=fail (sender IP is;; dkim=pass (signature was
verified);; dmarc=none
Received-SPF: Fail ( domain of does
not designate as permitted sender); client-ip=;;
Received: from ( by ( with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1750.16 via Frontend Transport; Thu, 4 Apr 2019 16:33:34 +0000
Received: by (Postfix, from userid 600)
                id 44ZpRK6Xs6z8Pgff; Thu,  4 Apr 2019 16:33:16 +0000 (UTC)
Received: from ( [])
                by (Postfix) with ESMTPS id 44ZpQz1HQyz8PgjC
                for <>; Thu,  4 Apr 2019 16:33:15 +0000 (UTC)
Received-SPF: None ( no sender authenticity
  information available from domain of identity=pra;
Received-SPF: Pass ( domain of designates as
  permitted sender) identity=mailfrom; client-ip=;;
  x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: Pass ( domain of
  designates as permitted sender) identity=helo;
  x-conformance=sidf_compatible; x-record-type="v=spf1"
Authentication-Results-Original:; spf=None; spf=Pass; spf=Pass; dkim=pass
(signature verified)
X-SBRS: 3.5
X-ExtLoop1: 1
IronPort-PHdr: =?us-ascii?q?9a23=3AGMm0mRAjn9c0TT6uojZVUyQJP3l1i/DPJgcQr6Ef?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0A9HwDN3/Jbh2lPayhMFh4BGQYGDYE+B?=
X-IPAS-Result: =?us-ascii?q?A0A9HwDN3/Jbh2lPayhMFh4BGQYGDYE+BwMBgQsjUIFZAwQ?=
X-IronPort-AV: E=Sophos;i="5.56,253,1539669600";
Received: from (HELO ([])
  by with ESMTP/TLS/AES256-SHA256; 04 Apr 2019 09:39:16 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-xxxxxs-com;
Received: from ( by (10.171.212.xx) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1750.20; Thu, 4 Apr 2019 16:33:12 +0000
Received: from
([fe80::d431:a00b:dae1:86f5]) by
([fe80::d431:a00b:dae1:86f5%3]) with mapi id 15.20.1750.017; Thu, 4 Apr 2019
16:33:12 +0000
From: xxxxx <>
To: "" <>
Subject: Bank information
Thread-Topic: Bank information
Thread-Index: AQHU6wQYCeqkidNyV0S4omI5/31uOQ==
Date: Thu, 4 Apr 2019 16:33:12 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: c2931924-3e95-4bd4-0262-08d6b91b482e
X-MS-TrafficTypeDiagnostic: CY4PR1701MB1893:|BL2P131MB0002:
x-microsoft-antispam-prvs: <>
x-forefront-prvs: 0997523C40
received-spf: None ( does not
designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: multipart/alternative;
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1701MB1893
X-MS-Exchange-Organization-ExpirationStartTime: 04 Apr 2019 16:33:34.5734
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Office365-Filtering-HT: Tenant
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Apr 2019 16:33:34.3792
X-MS-Exchange-CrossTenant-Network-Message-Id: c2931924-3e95-4bd4-0262-08d6b91b482e
X-MS-Exchange-CrossTenant-Id: c8c6dd35-871f-4f30-85ac-6535f3982514
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=c8c6dd35-871f-4f30-85ac-6535f3982514;Ip=[];Helo=[]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2P131MB0002
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5854247
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1750.010
timgreen7077, Exchange Engineer, Distinguished Expert 2018
By looking at the headers you provided, it shows that the email didn't originate from an O365 mailbox or server, but from a third-party Postfix server. That shows me already that it was a phishing and spam attempt. It doesn't seem that the account is hacked, but the email address is being used in phishing attempts. This is common when dealing with email; the recipient needs to be sure they have the proper security in place to combat this as much as possible, but it can't be stopped 100%. In regards to your client using O365, just make sure that the SPF record is in place to inform recipient servers about valid and invalid emails. Other than that, this was an outside phishing attempt, and not a security concern for you.



First, thank you so much for the response; this was my first thought as well and may be totally correct...

Here is the thing. My client who 'sent' the email doesn't have a record of the transaction in his Sent Messages in Outlook
or OWA.

However, when I search using message trace for all emails sent to the recipient in Office 365, I see the email the recipient is sending. I see
the bad emails with message IDs...

How does that happen if it started with a third-party Postfix server? How does it reflect back into Office 365 servers with a real message ID?

Also, what do you guys make of the Transport-CrossTenantHeadersStripped... that is also confusing.

Thanks again
Exchange Engineer, Distinguished Expert 2018
The sender could have easily sent the email from a third-party Postfix server or even PowerShell using the email address and MX record for O365 (, so by doing that the email would still hit O365 first and then relay out to the recipient. Not sure what to tell you about the X-MS-Exchange-Transport-CrossTenantHeadersStripped, which could be just another indicator that this was not originated in O365. You may have to contact O365 support and inquire about that, but the email still shows as sent if the email hit O365 to send to the recipient, which isn't uncommon.


Ok... thanks. It's just quite concerning that we cannot pin it down. I have a case open with MS now, but that might be days and the client
is restless to know what is going on here.

Most of the emails are just blanket phishing ones... but one seemed to have actual info in it that would come from a hack. But we are dealing with humans here and I don't know if this person is explaining that correctly to me... very strange stuff.

Email is not a secure platform and it never was meant to be secure. It was originally set up so that you could telnet to any email server, set a To and From address, and the mail server would deliver. Eventually, servers could be set up to block random access. Then DKIM and SPF were invented as an overlay to prevent spoofing, but they're still not everywhere.

Email is not a secure means of communication. You were never supposed to trust email without additional verification. It was invented in the 1970s and is still basically the same beast. Nothing much has changed since then.


Thank you all for all the help. We had to dive deep, and the HUMAN error part seems to be the culprit. He was phished and it took his password. The guy was embarrassed and didn't tell us that he clicked on an email asking about his data size in his archive. The archive is HUGE, so it made sense to him.

Thank you all


Big takeaway here is to get an SPF record put in place, followed by DKIM, and DMARC. Here is a good article to start with.
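Two things in this thread lend themselves to a worked example: the first answer's technique of reading the Received chain to see where a message was actually submitted, and the closing takeaway that SPF, DKIM and DMARC are what let a recipient tell the real sender's mail from a spoof. The script below is an added example, not code from the thread or from Microsoft. It walks the Received headers bottom-up (the last one in the block is the first hop), pulls the from/by/with fields out of each, parses the topmost Authentication-Results and the DKIM-Signature tags, and computes a simplified DMARC alignment verdict. Its two header blocks are constructed: the first is shaped like the posted headers, where the bottom-most hop is a "with mapi id" submission on an outlook.com mailbox server and DKIM passes for the sender's own domain (the page's selector1 signature), while the second shows an unsigned message injected straight at the recipient's MX by an outside Postfix box. All hostnames, addresses, IPs, domains and the selector name are invented, and the "relaxed alignment" helper is a suffix-match simplification of what DMARC really does with the public suffix list.

```python
"""Where was this message first submitted, and do SPF/DKIM line up with From:?"""
import re
from email.parser import HeaderParser

# Constructed sample shaped like the redacted headers in the question: first hop is a MAPI
# submission inside the tenant, mail exits via a Postfix gateway, so SPF fails downstream.
SENT_FROM_MAILBOX = """\
Received: from mx.gateway.example.net (203.0.113.10) by mail.protection.outlook.com
 (104.47.0.1) with Microsoft SMTP Server (version=TLS1_2) id 15.20.1750.16 via Frontend Transport; Thu, 4 Apr 2019 16:33:34 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com;
 dkim=pass (signature was verified) header.d=example.com; dmarc=none action=none header.from=example.com
Received: by mx.gateway.example.net (Postfix, from userid 600) id 4ABC123; Thu, 4 Apr 2019 16:33:16 +0000 (UTC)
Received: from mail.outbound.protection.outlook.com (HELO NAM01-BY2-obe.outbound.protection.outlook.com) ([104.47.0.2])
 by mx.gateway.example.net with ESMTP/TLS/AES256-SHA256; 04 Apr 2019 09:39:16 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; h=From:Subject; bh=abc=; b=def=
Received: from MBX1.namprd01.prod.outlook.com (10.171.212.5) by MBX1.namprd01.prod.outlook.com
 ([fe80::d431:a00b:dae1:86f5%3]) with mapi id 15.20.1750.017; Thu, 4 Apr 2019 16:33:12 +0000
From: Sender <sender@example.com>
"""

# Constructed contrast case: same From: address injected by an outside Postfix box, unsigned.
SPOOFED_FROM_OUTSIDE = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.9) smtp.mailfrom=example.com;
 dkim=none (message not signed); dmarc=fail action=quarantine header.from=example.com
Received: from vps.bulk-sender.example (198.51.100.9) by mail.protection.outlook.com
 (104.47.0.1) with Microsoft SMTP Server (version=TLS1_2) id 15.20.1750.16; Thu, 4 Apr 2019 16:40:01 +0000
Received: by vps.bulk-sender.example (Postfix, from userid 1001) id 9F1C2; Thu, 4 Apr 2019 16:39:58 +0000 (UTC)
From: Sender <sender@example.com>
"""

def parse_headers(raw):
    """(name, value) pairs in file order, with folded continuation lines joined."""
    msg = HeaderParser().parsestr(raw, headersonly=True)
    return [(n, re.sub(r"\r?\n[ \t]+", " ", v)) for n, v in msg.items()]

def first_header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), "")

def parse_hop(value):
    """from/by/with of one Received: value; 'from' is anchored at the start so the
    'from userid' inside a Postfix comment is not mistaken for a host."""
    m_from = re.match(r"from\s+(\S+)", value, re.I)
    m_by = re.search(r"\bby\s+(\S+)", value, re.I)
    m_with = re.search(r"\bwith\s+(.+?)(?=\s+\(|\s+id\b|\s+via\b|;|$)", value, re.I)
    return {"from": m_from and m_from.group(1), "by": m_by and m_by.group(1),
            "with": m_with and m_with.group(1)}

def received_chain(headers):
    """Every hop prepends its own Received:, so the last one is the first hop."""
    return [parse_hop(v) for n, v in reversed(headers) if n.lower() == "received"]

def classify_origin(chain):
    """A first hop 'with mapi' into a *.outlook.com mailbox server is a submission
    from an authenticated client session in the tenant, not an outside MTA."""
    by, proto = (chain[0]["by"] or "").lower(), (chain[0]["with"] or "").lower()
    if by.endswith(".outlook.com") and proto.startswith("mapi"):
        return "client-session-in-exchange-online"
    return "smtp-into-exchange-online" if by.endswith(".outlook.com") else "external-mta"

def parse_auth_results(value):
    """{'spf': ('fail', {'smtp.mailfrom': ...}), ...}; (comments) and authserv-id dropped."""
    results = {}
    for clause in re.sub(r"\([^)]*\)", "", value).split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)(.*)", clause, re.I)
        if m:
            props = dict(re.findall(r"([\w.]+)=([\w.@-]+)", m.group(3)))
            results[m.group(1).lower()] = (m.group(2).lower(), props)
    return results

def aligned(domain, from_domain):
    """DMARC relaxed alignment, simplified to suffix matching (real DMARC uses the PSL)."""
    if not domain or not from_domain:
        return False
    d, f = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return d == f or d.endswith("." + f) or f.endswith("." + d)

def dmarc_verdict(headers):
    """Judge on the topmost Authentication-Results (stamped by the final receiver). SPF breaks
    whenever a relay forwards; an aligned DKIM pass means the From: domain's own key signed it."""
    auth = parse_auth_results(first_header(headers, "Authentication-Results"))
    m = re.search(r"@([\w.-]+)", first_header(headers, "From"))
    from_domain = m.group(1) if m else None
    spf, spf_props = auth.get("spf", ("none", {}))
    dkim, dkim_props = auth.get("dkim", ("none", {}))
    sig = dict(re.findall(r"\b(\w+)=([^;]*)", first_header(headers, "DKIM-Signature")))
    dkim_domain = dkim_props.get("header.d") or sig.get("d")
    spf_ok = spf == "pass" and aligned(spf_props.get("smtp.mailfrom"), from_domain)
    dkim_ok = dkim == "pass" and aligned(dkim_domain, from_domain)
    return {"from_domain": from_domain, "spf": spf, "spf_aligned": spf_ok, "dkim": dkim,
            "dkim_domain": dkim_domain, "dkim_selector": sig.get("s"),
            "dkim_aligned": dkim_ok, "dmarc_would_pass": spf_ok or dkim_ok}

def triage(raw):
    headers = parse_headers(raw)
    chain = received_chain(headers)
    return {"origin": classify_origin(chain), "first_hop": chain[0], "auth": dmarc_verdict(headers)}

if __name__ == "__main__":
    for label, raw in (("mailbox", SENT_FROM_MAILBOX), ("spoofed", SPOOFED_FROM_OUTSIDE)):
        print(label, triage(raw))
```

Run it and the first sample comes back as "client-session-in-exchange-online" with an aligned DKIM pass, the second as "external-mta" with nothing aligned. The practical caveat is the one the posted headers illustrate: spf=fail at the last hop means only that the IP handing the message to the recipient (here a forwarding gateway) is not in the sender domain's SPF record, so it cannot by itself distinguish a spoof from a relayed message; the DKIM signature survives the relay, and an aligned pass from the tenant's own selector points back at the tenant's mailbox, which is the case where the Exchange Online message trace, sign-in logs and any inbox rules on that mailbox (a rule deleting sent copies is a common reason Sent Items looks empty) are the next things to check.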
