Office 365 tenant problem or just a plain old hack

A client email address seems to be sending out emails to clients asking for bank account changes etc.

The client is on a laptop using all the AVG products plus an A/V provided by SolarWinds.

Two clients have gotten these emails, one that was not specific and one that asked for the exact invoice that was due.

Sent items on a computer and in OWA don't show that email being sent, but I have message IDs when I do an Office 365 search showing that they have been sent.

Below are the message headers...

Was this done via PowerShell or did the account get hacked?  I only see one reference to http, and I see this Transport-CrossTenantHeadersStripped: part which I don't understand...

Both are Office 365 clients.

I can generally figure these things out, but the client has had the password changed and is running those software suites which, while not the best, do pick up some bad activities.

Anyway, we are trying to sniff this out in the right direction and would love to be told what I am reading wrong or where I should be looking.

Thank you



Received: from BL2P131MB0002.NAMP131.PROD.OUTLOOK.COM (2603:10b6:208:71::29)
by BL2P131MB0001.NAMP131.PROD.OUTLOOK.COM with HTTPS via
BL0PR01CA0016.PROD.EXCHANGELABS.COM; Thu, 4 Apr 2019 16:33:35 +0000
Received: from BN6P131CA0004.NAMP131.PROD.OUTLOOK.COM (2603:10b6:423:5f::18)
by BL2P131MB0002.NAMP131.PROD.OUTLOOK.COM (2603:10b6:221:22::21) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.2x; Thu, 4 Apr
2019 16:33:34 +0000
Received: from BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
(2a01:111:f400:7e46::208) by BN6P131CA0004.outlook.office365.com
(2603:10b6:423:5f::18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.1x via Frontend
Transport; Thu, 4 Apr 2019 16:33:34 +0000
Authentication-Results: spf=fail (sender IP is 167.83.130.2x)
smtp.mailfrom=xxxx.com; xxx.com; dkim=pass (signature was
verified) header.d=xxxxxx.onmicrosoft.com;xxxx.com; dmarc=none
action=none header.from=xxxxxx.com;
Received-SPF: Fail (protection.outlook.com: domain of xxxxxx.com does
not designate 167.83.130.2x as permitted sender)
receiver=protection.outlook.com; client-ip=167.83.130.2x;
helo=USBDFE84001.xxx.com;
Received: from USBDFE84001.xxxxx.com (167.83.130.2x) by
BL2NAM02FT037.mail.protection.outlook.com (10.152.77.11) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1750.16 via Frontend Transport; Thu, 4 Apr 2019 16:33:34 +0000
Received: by USBDFE84001.xxxx.com (Postfix, from userid 600)
                id 44ZpRK6Xs6z8Pgff; Thu,  4 Apr 2019 16:33:16 +0000 (UTC)
Received: from intmail1.xxxxx.com (mail1.xxxx.com [192.168.210.124])
                by USBDFE84001.xxx.com (Postfix) with ESMTPS id 44ZpQz1HQyz8PgjC
                for <xxxxxxx@xxxxx.com>; Thu,  4 Apr 2019 16:33:15 +0000 (UTC)
Received-SPF: None (mail1.xxxxx.com: no sender authenticity
  information available from domain of
  xxxxx@xxxxxx.com) identity=pra;
  client-ip=40.107.79.105; receiver=mail1.xxxx.com;
  envelope-from="xxxx@xxxxxx.com";
  x-sender="xxxxxxxx@xxxxxxx.com";
  x-conformance=sidf_compatible
Received-SPF: Pass (mail1.xxxxx.com: domain of
  xxxxx@xxxxxxx.com designates 40.107.79.1xx as
  permitted sender) identity=mailfrom; client-ip=40.107.79.1xx;
  receiver=mail1.xxxx.com;
  envelope-from="xxxxx@xxxxxx.com";
  x-sender="xxxxxx@xxxxx.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: Pass (mail1.xxxx.com: domain of
  postmaster@NAM03-CO1-obe.outbound.protection.outlook.com
  designates 40.107.79.1xx as permitted sender) identity=helo;
  client-ip=40.107.79.1xx; receiver=mail1.xxxxxx.com;
  envelope-from="xxxxx@xxxxx.com";
  x-sender="postmaster@NAM03-CO1-obe.outbound.protection.outlook.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1"
Authentication-Results-Original: mail1.xxxxx.com; spf=None
smtp.pra=xxxxx@xxxxxx.com; spf=Pass
smtp.mailfrom=xxx@xxxxx.com; spf=Pass
smtp.helo=postmaster@NAM03-CO1-obe.outbound.protection.outlook.com; dkim=pass
(signature verified) header.i=@xxxxxxx.onmicrosoft.com
X-SBRS: 3.5
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.56,253,1539669600";
   d="scan'208,217";a="1220302851"
X-Agari-Original-From: xxxxx@xxxxxxx.com
X-Agari-Original-To: xxxxxx@xxxxxxx.com
X-Agari-Authentication-Results:
Received: from mail-eopbgr790105.outbound.protection.outlook.com (HELO NAM03-CO1-obe.outbound.protection.outlook.com) ([40.107.79.1xx])
  by mail1.xxxxx.com with ESMTP/TLS/AES256-SHA256; 04 Apr 2019 09:39:16 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=xxxxxx.onmicrosoft.com; s=selector1-xxxxxs-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=4SjK29prRfCthyF+xT5yfhxu2Ps+prPfj0lN7OrZIvw=;
b=Lx7cMIOg4Te8ukcMTDya0Wv7aosbYjonvP0D/t6LE+LOFAIQHPY3mYdrHAfPzoMtleSAA53KysCFy40AqJS4SwJvlndXPBFTluBP5cHN66tMEYv0DYKP5LcHlLgjvVYxGQhNKxo4V+NuVIR4kLqNBmVsBs+lQQz1zDTFubhK/Ts=
Received: from CY4PR1701MB1719.namprd17.prod.outlook.com (10.171.211.1xx) by
CY4PR1701MB1893.namprd17.prod.outlook.com (10.171.212.xx) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1750.20; Thu, 4 Apr 2019 16:33:12 +0000
Received: from CY4PR1701MB1719.namprd17.prod.outlook.com
([fe80::d431:a00b:dae1:86f5]) by CY4PR1701MB1719.namprd17.prod.outlook.com
([fe80::d431:a00b:dae1:86f5%3]) with mapi id 15.20.1750.017; Thu, 4 Apr 2019
16:33:12 +0000
From: xxxxx <xxxxxx@xxxxxxxx.com>
To: "xxxxx@xxxxx.com" <xxxxx@xxxxx.com>
Subject: Bank information
Thread-Topic: Bank information
Thread-Index: AQHU6wQYCeqkidNyV0S4omI5/31uOQ==
Date: Thu, 4 Apr 2019 16:33:12 +0000
Message-ID: <CY4PR1701MB171939E31DD86D2D2C4C68F6CB500@CY4PR1701MB1719.namprd17.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [198.71.60.xxx]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: c2931924-3e95-4bd4-0262-08d6b91b482e
X-Microsoft-Antispam-Untrusted:
BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020);SRVR:CY4PR1701MB1893;
X-MS-TrafficTypeDiagnostic: CY4PR1701MB1893:|BL2P131MB0002:
x-microsoft-antispam-prvs: <CY4PR1701MB18938CE2FEDA2B57D7204EAACB500@CY4PR1701MB1893.namprd17.prod.outlook.com>
x-forefront-prvs: 0997523C40
X-Forefront-Antispam-Report-Untrusted:
SFV:NSPM;SFS:(10019020)(366004)(39840400004)(136003)(346002)(396003)(376002)(189003)(199004)(221733001)(5660300002)(68736007)(66066001)(316002)(106356001)(25786009)(5070765005)(74316002)(2906002)(6436002)(71200400001)(3480700005)(4300700001)(7736002)(6606003)(6116002)(71190400001)(486006)(7116003)(186003)(6916009)(53936002)(54896002)(14454004)(19627405001)(99286004)(558084003)(97736004)(55016002)(2501003)(5640700003)(9686003)(55236004)(256004)(15650500001)(3846002)(86362001)(81156014)(12560500001)(8936002)(81166006)(478600001)(52536014)(105586002)(6506007)(53336002)(8676002)(476003)(2351001)(7696005)(14444005)(33656002)(102836004)(26005);DIR:OUT;SFP:1102;SCL:1;SRVR:CY4PR1701MB1893;H:CY4PR1701MB1719.namprd17.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: xxxxx.com does not
designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
X-Microsoft-Antispam-Message-Info-Original:
nvPb6augMVbq5EXERz+NQK6kYMcAsD0sRt7Z0BsJzw1jz68i243P1/blmSeLDjpTgBEuQCgdr0Vpqyyw/rA26bqq6OAh6lftCzUUd4Czb5zve1hNe3L8p8+2NCQMqwh0SBlzTaMrZKEBlqPjSZz94VwGBj85wVh9adB7qFkVkxHm/wMOeBvyeiPZu2JXRhdFebCmMKG0GENo7tWcEArTHm5mupZkeOU4z1EEbE5opXnlOh0iH2lhKUUKSiwHrfECegMiOmRZzPF40haiJZmyaALA6VNMmYdVWbvypipditc7KwPeHgmp/Ytp7k76IzJLmzz9nHE/iaXf4hTtJm+ClNwLK9ZA8mCgGjNxzgyXDBG//KI+x3hdEhWMx6TV5n12hEigmQkJt77iNQK/7IPjOIgZJQSC5LfX8y5aHnlp8Yg=
Content-Type: multipart/alternative;
                boundary="_000_CY4PR1701MB171939E31DD86D2D2C4C68F6CB500CY4PR1701MB1719_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1701MB1893
Return-Path: xxxx@xxxxxx.com
X-MS-Exchange-Organization-ExpirationStartTime: 04 Apr 2019 16:33:34.5734
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
c2931924-3e95-4bd4-0262-08d6b91b482e
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report:
CIP:167.83.130.22;IPV:CAL;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(2980300002)(1110001)(1109001)(339900001)(489007)(199004)(189003)(2351001)(33656002)(7736002)(6916009)(16586007)(3480700005)(336012)(14454004)(105606002)(55016002)(5000100001)(25786009)(102836004)(61614004)(66066001)(69596002)(52536014)(4006050)(5070765005)(6606003)(6506007)(86362001)(14444005)(97736004)(9686003)(2501003)(99286004)(81156014)(486006)(221733001)(53336002)(84326002)(81166006)(75640400001)(356004)(54896002)(126002)(476003)(1096003)(63266004)(15650500001)(4300700001)(8936002)(26005)(5660300002)(85426001)(53936002)(19627405001)(106466001)(7116003)(8636004)(26826003)(71190400001)(6116002)(7696005)(3846002)(68736007)(5640700003)(8676002)(74316002);DIR:INB;SFP:;SCL:1;SRVR:BL2P131MB0002;H:USBDFE84001.xxx.com;FPR:;SPF:Fail;LANG:en;PTR:InfoDomainNonexistent;A:1;MX:1;
X-MS-Exchange-Organization-AuthSource:
BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: xxxxxx.onmicrosoft.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
2e8950c8-c24e-44f0-5fea-08d6b91b3ae3
X-Microsoft-Antispam:
BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(5600139)(710020)(711020)(4605104)(4534185)(4627221)(201703031133081)(8559020)(8990200)(2017052603328)(7193020);SRVR:BL2P131MB0002;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Apr 2019 16:33:34.3792
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c2931924-3e95-4bd4-0262-08d6b91b482e
X-MS-Exchange-CrossTenant-Id: c8c6dd35-871f-4f30-85ac-6535f3982514
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=c8c6dd35-871f-4f30-85ac-6535f3982514;Ip=[167.83.130.22];Helo=[USBDFE84001.xxxxx.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2P131MB0002
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5854247
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1750.010
X-Microsoft-Antispam-Mailbox-Delivery:
                ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750119)(520011016)(944506303)(944626516);
X-Microsoft-Antispam-Message-Info:
Ts2Lz9Fc0TJRFKjGevE7hr2X+xIthaXJIZ9KsVIiKXxk8Zj+l97PYI/HmFJ3PXPwLLT4ABvY+7ok80tP75U0bPaxt8yUrDKCmaW1TvXPDI0l0W9UE9zRJoH0ts5QdVOty
Asked by IT Guy
timgreen7077 (Exchange Engineer) commented:
By looking at the headers you provided, it shows that the email didn't originate from an O365 mailbox or server, but from a 3rd party Postfix server.  That shows me already that it was a phishing and spam attempt.  It doesn't seem that the account is hacked, but the email address is being used in phishing attempts. This is common when dealing with email; the recipient needs to be sure they have the proper security in place to combat this as much as possible, but it can't be stopped 100%. In regards to your client using O365, just make sure that the SPF record is in place to inform recipient servers about valid and non-valid emails.  Other than that, this was an outside phishing attempt, and not a security concern for you.
IT Guy (Author) commented:
Hmmm...

First thank you so much for the response, this was my first thought as well and maybe totally correct...

Here is the thing.  My client who 'sent' the email doesn't have a record of the transaction in his sent messages in Outlook or OWA.

However, when I search using message trace of all emails sent to the recipient in Office 365, I see the email the recipient is sending.  I see the bad emails with message IDs...

How does that happen if it started with a third-party Postfix server?  How does it reflect back into Office 365 servers with a real message ID?

Also, what do you guys make of the Transport-CrossTenantHeadersStripped...that is also confusing.

Thanks again
timgreen7077 (Exchange Engineer) commented:
The sender could have easily sent the email from a 3rd party Postfix or even PowerShell using the email address and MX record for O365 (domain-com.mail.protection.outlook.com), so by doing that the email would still hit O365 first and then relay out to the recipient. Not sure what to tell you about the X-MS-Exchange-Transport-CrossTenantHeadersStripped, which could be just another indicator that this was not originated in O365. You may have to contact O365 support and inquire about that, but the email would still show as sent if it hit O365 to send to the recipient, which isn't uncommon.

IT Guy (Author) commented:
Ok...thank you...it's just quite concerning that we cannot pin it down. I have a case open with MS now, but that might be days and the client is restless to know what is going on here.



Most of the emails are just blanket phishing ones...but one seemed to have actual info in it that would come from a hack. But we are dealing with humans here and I don't know if this person is explaining that correctly to me...very strange stuff.
serialband commented:
Email is not a secure platform and it never was meant to be secure.  It was originally set up so that you could telnet to any email server, set a To and From address, and the mail server would deliver.  Eventually, servers could be set up to block random access.  Then DKIM and SPF were invented as an overlay to prevent spoofing, but it's still not everywhere.

Email is not a secure means of communication.  You were never supposed to trust email without additional verification.  It was invented in the 1970s and is still basically the same beast.  Nothing much has changed since then.
IT Guy (Author) commented:
Thank you all for all the help. We had to dive deep and the HUMAN error part seems to be the culprit.  He was phished and it took his password.  Guy was embarrassed and didn't tell us that he clicked on an email asking about his data size in his archive.  The archive is HUGE so it made sense to him..

Thank you all

Chris