IT Guy

Office 365 tenant problem or just a plain old hack

A client email address seems to be sending out emails to clients asking for bank account changes etc.

The client is on a laptop using all the AVG products plus an a/v provided by SolarWinds.

Two clients have gotten these emails, one that was not specific and one that asked for the exact invoice
that was due.

Sent items on a computer and in OWA don't show that email being sent, but I have message IDs when I do an Office 365 search
showing that they have been sent.

Below are the message headers...

Was this done via PowerShell or did the account get hacked?  I only see one reference to http,
and I see this Transport-CrossTenantHeadersStripped: part, which I don't understand...

Both are Office 365 clients.

I can generally figure these things out, but the client has had the password changed and is running those software suites, which, while
not the best, do pick up some bad activities.

Anyway, we are trying to sniff this out in the right direction and would love to be told what I am reading wrong or where I should be looking.

Thank you

Received: from BL2P131MB0002.NAMP131.PROD.OUTLOOK.COM (2603:10b6:208:71::29)
by BL2P131MB0001.NAMP131.PROD.OUTLOOK.COM with HTTPS via
BL0PR01CA0016.PROD.EXCHANGELABS.COM; Thu, 4 Apr 2019 16:33:35 +0000
Received: from BN6P131CA0004.NAMP131.PROD.OUTLOOK.COM (2603:10b6:423:5f::18)
by BL2P131MB0002.NAMP131.PROD.OUTLOOK.COM (2603:10b6:221:22::21) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.2x; Thu, 4 Apr
2019 16:33:34 +0000
Received: from BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
(2a01:111:f400:7e46::208) by BN6P131CA0004.outlook.office365.com
(2603:10b6:423:5f::18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.1x via Frontend
Transport; Thu, 4 Apr 2019 16:33:34 +0000
Authentication-Results: spf=fail (sender IP is 167.83.130.2x)
smtp.mailfrom=xxxx.com; xxx.com; dkim=pass (signature was
verified) header.d=xxxxxx.onmicrosoft.com;xxxx.com; dmarc=none
action=none header.from=xxxxxx.com;
Received-SPF: Fail (protection.outlook.com: domain of xxxxxx.com does
not designate 167.83.130.2x as permitted sender)
receiver=protection.outlook.com; client-ip=167.83.130.2x;
helo=USBDFE84001.xxx.com;
Received: from USBDFE84001.xxxxx.com (167.83.130.2x) by
BL2NAM02FT037.mail.protection.outlook.com (10.152.77.11) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1750.16 via Frontend Transport; Thu, 4 Apr 2019 16:33:34 +0000
Received: by USBDFE84001.xxxx.com (Postfix, from userid 600)
                id 44ZpRK6Xs6z8Pgff; Thu,  4 Apr 2019 16:33:16 +0000 (UTC)
Received: from intmail1.xxxxx.com (mail1.xxxx.com [192.168.210.124])
                by USBDFE84001.xxx.com (Postfix) with ESMTPS id 44ZpQz1HQyz8PgjC
                for <xxxxxxx@xxxxx.com>; Thu,  4 Apr 2019 16:33:15 +0000 (UTC)
Received-SPF: None (mail1.xxxxx.com: no sender authenticity
  information available from domain of
  xxxxx@xxxxxx.com) identity=pra;
  client-ip=40.107.79.105; receiver=mail1.xxxx.com;
  envelope-from="xxxx@xxxxxx.com";
  x-sender="xxxxxxxx@xxxxxxx.com";
  x-conformance=sidf_compatible
Received-SPF: Pass (mail1.xxxxx.com: domain of
  xxxxx@xxxxxxx.com designates 40.107.79.1xx as
  permitted sender) identity=mailfrom; client-ip=40.107.79.1xx;
  receiver=mail1.xxxx.com;
  envelope-from="xxxxx@xxxxxx.com";
  x-sender="xxxxxx@xxxxx.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: Pass (mail1.xxxx.com: domain of
  postmaster@NAM03-CO1-obe.outbound.protection.outlook.com
  designates 40.107.79.1xx as permitted sender) identity=helo;
  client-ip=40.107.79.1xx; receiver=mail1.xxxxxx.com;
  envelope-from="xxxxx@xxxxx.com";
  x-sender="postmaster@NAM03-CO1-obe.outbound.protection.outlook.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1"
Authentication-Results-Original: mail1.xxxxx.com; spf=None
smtp.pra=xxxxx@xxxxxx.com; spf=Pass
smtp.mailfrom=xxx@xxxxx.com; spf=Pass
smtp.helo=postmaster@NAM03-CO1-obe.outbound.protection.outlook.com; dkim=pass
(signature verified) header.i=@xxxxxxx.onmicrosoft.com
X-SBRS: 3.5
X-ExtLoop1: 1
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.56,253,1539669600";
   d="scan'208,217";a="1220302851"
X-Agari-Original-From: xxxxx@xxxxxxx.com
X-Agari-Original-To: xxxxxx@xxxxxxx.com
X-Agari-Authentication-Results:
Received: from mail-eopbgr790105.outbound.protection.outlook.com (HELO NAM03-CO1-obe.outbound.protection.outlook.com) ([40.107.79.1xx])
  by mail1.xxxxx.com with ESMTP/TLS/AES256-SHA256; 04 Apr 2019 09:39:16 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=xxxxxx.onmicrosoft.com; s=selector1-xxxxxs-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=4SjK29prRfCthyF+xT5yfhxu2Ps+prPfj0lN7OrZIvw=;
b=Lx7cMIOg4Te8ukcMTDya0Wv7aosbYjonvP0D/t6LE+LOFAIQHPY3mYdrHAfPzoMtleSAA53KysCFy40AqJS4SwJvlndXPBFTluBP5cHN66tMEYv0DYKP5LcHlLgjvVYxGQhNKxo4V+NuVIR4kLqNBmVsBs+lQQz1zDTFubhK/Ts=
Received: from CY4PR1701MB1719.namprd17.prod.outlook.com (10.171.211.1xx) by
CY4PR1701MB1893.namprd17.prod.outlook.com (10.171.212.xx) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1750.20; Thu, 4 Apr 2019 16:33:12 +0000
Received: from CY4PR1701MB1719.namprd17.prod.outlook.com
([fe80::d431:a00b:dae1:86f5]) by CY4PR1701MB1719.namprd17.prod.outlook.com
([fe80::d431:a00b:dae1:86f5%3]) with mapi id 15.20.1750.017; Thu, 4 Apr 2019
16:33:12 +0000
From: xxxxx <xxxxxx@xxxxxxxx.com>
To: "xxxxx@xxxxx.com" <xxxxx@xxxxx.com>
Subject: Bank information
Thread-Topic: Bank information
Thread-Index: AQHU6wQYCeqkidNyV0S4omI5/31uOQ==
Date: Thu, 4 Apr 2019 16:33:12 +0000
Message-ID: <CY4PR1701MB171939E31DD86D2D2C4C68F6CB500@CY4PR1701MB1719.namprd17.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [198.71.60.xxx]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: c2931924-3e95-4bd4-0262-08d6b91b482e
X-Microsoft-Antispam-Untrusted:
BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020);SRVR:CY4PR1701MB1893;
X-MS-TrafficTypeDiagnostic: CY4PR1701MB1893:|BL2P131MB0002:
x-microsoft-antispam-prvs: <CY4PR1701MB18938CE2FEDA2B57D7204EAACB500@CY4PR1701MB1893.namprd17.prod.outlook.com>
x-forefront-prvs: 0997523C40
X-Forefront-Antispam-Report-Untrusted:
SFV:NSPM;SFS:(10019020)(366004)(39840400004)(136003)(346002)(396003)(376002)(189003)(199004)(221733001)(5660300002)(68736007)(66066001)(316002)(106356001)(25786009)(5070765005)(74316002)(2906002)(6436002)(71200400001)(3480700005)(4300700001)(7736002)(6606003)(6116002)(71190400001)(486006)(7116003)(186003)(6916009)(53936002)(54896002)(14454004)(19627405001)(99286004)(558084003)(97736004)(55016002)(2501003)(5640700003)(9686003)(55236004)(256004)(15650500001)(3846002)(86362001)(81156014)(12560500001)(8936002)(81166006)(478600001)(52536014)(105586002)(6506007)(53336002)(8676002)(476003)(2351001)(7696005)(14444005)(33656002)(102836004)(26005);DIR:OUT;SFP:1102;SCL:1;SRVR:CY4PR1701MB1893;H:CY4PR1701MB1719.namprd17.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: xxxxx.com does not
designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
X-Microsoft-Antispam-Message-Info-Original:
nvPb6augMVbq5EXERz+NQK6kYMcAsD0sRt7Z0BsJzw1jz68i243P1/blmSeLDjpTgBEuQCgdr0Vpqyyw/rA26bqq6OAh6lftCzUUd4Czb5zve1hNe3L8p8+2NCQMqwh0SBlzTaMrZKEBlqPjSZz94VwGBj85wVh9adB7qFkVkxHm/wMOeBvyeiPZu2JXRhdFebCmMKG0GENo7tWcEArTHm5mupZkeOU4z1EEbE5opXnlOh0iH2lhKUUKSiwHrfECegMiOmRZzPF40haiJZmyaALA6VNMmYdVWbvypipditc7KwPeHgmp/Ytp7k76IzJLmzz9nHE/iaXf4hTtJm+ClNwLK9ZA8mCgGjNxzgyXDBG//KI+x3hdEhWMx6TV5n12hEigmQkJt77iNQK/7IPjOIgZJQSC5LfX8y5aHnlp8Yg=
Content-Type: multipart/alternative;
                boundary="_000_CY4PR1701MB171939E31DD86D2D2C4C68F6CB500CY4PR1701MB1719_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1701MB1893
Return-Path: xxxx@xxxxxx.com
X-MS-Exchange-Organization-ExpirationStartTime: 04 Apr 2019 16:33:34.5734
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
c2931924-3e95-4bd4-0262-08d6b91b482e
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report:
CIP:167.83.130.22;IPV:CAL;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(2980300002)(1110001)(1109001)(339900001)(489007)(199004)(189003)(2351001)(33656002)(7736002)(6916009)(16586007)(3480700005)(336012)(14454004)(105606002)(55016002)(5000100001)(25786009)(102836004)(61614004)(66066001)(69596002)(52536014)(4006050)(5070765005)(6606003)(6506007)(86362001)(14444005)(97736004)(9686003)(2501003)(99286004)(81156014)(486006)(221733001)(53336002)(84326002)(81166006)(75640400001)(356004)(54896002)(126002)(476003)(1096003)(63266004)(15650500001)(4300700001)(8936002)(26005)(5660300002)(85426001)(53936002)(19627405001)(106466001)(7116003)(8636004)(26826003)(71190400001)(6116002)(7696005)(3846002)(68736007)(5640700003)(8676002)(74316002);DIR:INB;SFP:;SCL:1;SRVR:BL2P131MB0002;H:USBDFE84001.xxx.com;FPR:;SPF:Fail;LANG:en;PTR:InfoDomainNonexistent;A:1;MX:1;
X-MS-Exchange-Organization-AuthSource:
BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: xxxxxx.onmicrosoft.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
2e8950c8-c24e-44f0-5fea-08d6b91b3ae3
X-Microsoft-Antispam:
BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(5600139)(710020)(711020)(4605104)(4534185)(4627221)(201703031133081)(8559020)(8990200)(2017052603328)(7193020);SRVR:BL2P131MB0002;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Apr 2019 16:33:34.3792
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c2931924-3e95-4bd4-0262-08d6b91b482e
X-MS-Exchange-CrossTenant-Id: c8c6dd35-871f-4f30-85ac-6535f3982514
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=c8c6dd35-871f-4f30-85ac-6535f3982514;Ip=[167.83.130.22];Helo=[USBDFE84001.xxxxx.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2P131MB0002
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5854247
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1750.010
X-Microsoft-Antispam-Mailbox-Delivery:
                ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750119)(520011016)(944506303)(944626516);
X-Microsoft-Antispam-Message-Info:
Ts2Lz9Fc0TJRFKjGevE7hr2X+xIthaXJIZ9KsVIiKXxk8Zj+l97PYI/HmFJ3PXPwLLT4ABvY+7ok80tP75U0bPaxt8yUrDKCmaW1TvXPDI0l0W9UE9zRJoH0ts5QdVOty
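The fields that answer the poster's two questions are all in the headers above: the earliest Received line shows how the message was first submitted (a "with mapi id" hop is a submission through the mailbox itself, not an outside SMTP host), Authentication-Results shows who vouched for it (spf=fail for the on-prem relay, dkim=pass signed by the tenant's own onmicrosoft.com domain), and CrossTenantHeadersStripped records the EOP server that treated the returning message as arriving from outside the tenant and removed the internal X-MS-Exchange-Organization-* headers. As an added example, not part of the thread, here is a small Python triage script that pulls those fields out; the SAMPLE string is a constructed copy of the relevant headers, masked the same way the poster masked them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant headers from the thread, masked the way the
# poster masked them (xxxx); not a real message, only the fields the checks use.
SAMPLE = """Authentication-Results: spf=fail (sender IP is 167.83.130.2x) smtp.mailfrom=xxxx.com;
 dkim=pass (signature was verified) header.d=xxxxxx.onmicrosoft.com; dmarc=none header.from=xxxxxx.com;
Received: from CY4PR1701MB1719.namprd17.prod.outlook.com ([fe80::d431:a00b:dae1:86f5])
 by CY4PR1701MB1719.namprd17.prod.outlook.com ([fe80::d431:a00b:dae1:86f5%3])
 with mapi id 15.20.1750.017; Thu, 4 Apr 2019 16:33:12 +0000
From: xxxxx <xxxxxx@xxxxxxxx.com>
x-originating-ip: [198.71.60.xxx]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
 BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
"""

def _flat(value):
    # Unfold a header: join continuation lines and collapse runs of whitespace.
    return " ".join((value or "").split())

def triage(raw):
    msg = message_from_string(raw)
    auth = _flat(msg.get("Authentication-Results"))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    signer = re.search(r"header\.d=([^;\s]+)", auth)
    hops = [_flat(h) for h in msg.get_all("Received", [])]
    origin = hops[-1] if hops else ""  # Received is prepended per hop: the last one is the first hop
    info = {
        "spf": results.get("spf"), "dkim": results.get("dkim"), "dmarc": results.get("dmarc"),
        "dkim_domain": signer.group(1) if signer else None,
        "from_domain": parseaddr(_flat(msg.get("From")))[1].rpartition("@")[2],
        "submitted_via_mapi": "with mapi id" in origin,
        "originating_ip": _flat(msg.get("x-originating-ip")).strip("[]"),
        "hybrid_onprem": _flat(msg.get("X-MS-Exchange-CrossTenant-FromEntityHeader")) == "HybridOnPrem",
        "headers_stripped_by": _flat(msg.get("X-MS-Exchange-Transport-CrossTenantHeadersStripped")),
    }
    findings = []
    if info["submitted_via_mapi"]:
        findings.append("first hop is a MAPI submission: sent from the mailbox itself, not injected by an outside SMTP host")
    if info["dkim"] == "pass" and (info["dkim_domain"] or "").endswith(".onmicrosoft.com"):
        findings.append("DKIM signed by the tenant's own onmicrosoft.com domain: Office 365 signed it on the way out")
    if info["spf"] == "fail" and info["hybrid_onprem"]:
        findings.append("SPF fail on re-entry from the on-prem hybrid relay, whose IP is not in the SPF record")
    if info["dmarc"] == "none":
        findings.append("no DMARC record found for the From domain, so the SPF failure is not enforced")
    info["findings"] = findings
    return info
```

Run `triage(SAMPLE)` on a full header set and the "submitted_via_mapi" and "originating_ip" values are what to take to the Office 365 sign-in logs: a MAPI first hop from the mailbox with an unfamiliar client IP points at the account, not at a third-party relay.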
SOLUTION
timgreen7077

IT Guy

ASKER

Hmmm...

First thank you so much for the response, this was my first thought as well and maybe totally correct...

Here is the thing.  My client who 'sent' the email doesn't have a record of the transaction in his sent messages in Outlook
or OWA.

However, when I search using message trace of all emails sent to the recipient in Office 365, I see the email the recipient is sending.  I see
the bad emails with message IDs...

How does that happen if it started with a third-party Postfix server?  How does it reflect back into Office 365 servers with a real message ID?

Also, what do you guys make of the Transport-CrossTenantHeadersStripped... that is also confusing.

Thanks again
ASKER CERTIFIED SOLUTION

ASKER

OK... thank you... it's just quite concerning that we cannot pin it down. I have a case open with MS now, but that might be days and the client
is restless to know what is going on here.

Most of the emails are just blanket phishing ones... but one seemed to have actual info in it that would come from a hack. But we are dealing with humans here and I don't know if this person is explaining that correctly to me... very strange stuff.

Email is not a secure platform and it never was meant to be secure.  It was originally set up so that you could telnet to any email server, set a To and From address, and the mail server would deliver.  Eventually, servers could be set up to block random access.  Then DKIM and SPF were invented as an overlay to prevent spoofing, but it's still not everywhere.

Email is not a secure means of communication.  You were never supposed to trust email without additional verification.  It was invented in the 1970s and is still basically the same beast.  Nothing much has changed since then.

ASKER

Thank you all for all the help. We had to dive deep, and the HUMAN error part seems to be the culprit.  He was phished and it took his password.  The guy was embarrassed and didn't tell us that he clicked on an email asking about his data size in his archive.  The archive is HUGE, so it made sense to him.

Thank you all

Chris
Chris,

The big takeaway here is to get an SPF record put in place, followed by DKIM and DMARC.  Here is a good article to start with: https://www.linuxincluded.com/implementing-spf-dkim-and-dmarc/
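The Received-SPF lines in the headers show the two verdicts a receiver computed for this message: Pass for the Office 365 outbound address (40.107.79.1xx) and Fail for the on-prem relay (167.83.130.2x), which is exactly why the closing advice is to get the SPF record right. As an added example, not from the thread, the following minimal evaluator shows how that verdict is derived from the domain's TXT record and how listing the relay turns the Fail into a Pass; the example.com records, the abbreviated Outlook include and the whole DNS table are constructed assumptions, not real published records.

```python
import ipaddress

# Constructed DNS TXT table, not real records: a fictional example.com tenant
# before and after listing the on-prem hybrid relay's address (167.83.130.22,
# the CIP seen in the headers above). The Outlook include is abbreviated.
OUTLOOK_SPF = "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 -all"
DNS_BEFORE = {"example.com": "v=spf1 include:spf.protection.outlook.com -all",
              "spf.protection.outlook.com": OUTLOOK_SPF}
DNS_AFTER = dict(DNS_BEFORE, **{"example.com":
            "v=spf1 include:spf.protection.outlook.com ip4:167.83.130.22 -all"})

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, dns, depth=0):
    """Evaluate ip4/ip6/include/all terms; returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:
        return "permerror"                  # RFC 7208 caps include recursion at 10 lookups
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                       # no record: the receiver cannot judge the sender
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":             # include matches only when the referenced domain passes
            matched = check_spf(arg, ip, dns, depth + 1) == "pass"
        else:
            return "permerror"              # a, mx, ptr, exists need live DNS; not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # ran off the end of the record without a match
```

With DNS_BEFORE the relay address fails exactly as in the headers; with DNS_AFTER it passes, and a DMARC policy would then be enforceable on the From domain.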