IT Guy
asked on
Office 365 tenant problem or just a plain old hack
A client email address seems to be sending out emails to clients asking for bank account changes etc.
The client is on a laptop using all the AVG products plus an a/v provided by SolarWinds.
Two clients have gotten these emails: one that was not specific and one that asked for the exact invoice
that was due.
Sent items on a computer and in OWA don't show that email being sent, but I have message IDs when I do an Office 365 search
showing that they have been sent.
Below are the message headers...
Was this done via PowerShell or did the account get hacked? I only see one reference to http,
and I see this Transport-CrossTenantHeadersStripped: part which I don't understand...
Both are Office 365 clients.
I can generally figure these things out, but the client has had the password changed and is running those software suites which, while
not the best, do pick up some bad activities.
Anyway, we are trying to sniff this out in the right direction and would love to be told what I am reading wrong or where I should be looking.
Thank you
Received: from BL2P131MB0002.NAMP131.PROD.OUTLOOK.COM (2603:10b6:208:71::29)
by BL2P131MB0001.NAMP131.PROD.OUTLOOK.COM with HTTPS via
BL0PR01CA0016.PROD.EXCHANGELABS.COM; Thu, 4 Apr 2019 16:33:35 +0000
Received: from BN6P131CA0004.NAMP131.PROD.OUTLOOK.COM (2603:10b6:423:5f::18)
by BL2P131MB0002.NAMP131.PROD.OUTLOOK.COM (2603:10b6:221:22::21) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.2x; Thu, 4 Apr
2019 16:33:34 +0000
Received: from BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
(2a01:111:f400:7e46::208) by BN6P131CA0004.outlook.office365.com
(2603:10b6:423:5f::18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.1x via Frontend
Transport; Thu, 4 Apr 2019 16:33:34 +0000
Authentication-Results: spf=fail (sender IP is 167.83.130.2x)
smtp.mailfrom=xxxx.com; xxx.com; dkim=pass (signature was
verified) header.d=xxxxxx.onmicrosoft.com;xxxx.com; dmarc=none
action=none header.from=xxxxxx.com;
Received-SPF: Fail (protection.outlook.com: domain of xxxxxx.com does
not designate 167.83.130.2x as permitted sender)
receiver=protection.outlook.com; client-ip=167.83.130.2x;
helo=USBDFE84001.xxx.com;
Received: from USBDFE84001.xxxxx.com (167.83.130.2x) by
BL2NAM02FT037.mail.protection.outlook.com (10.152.77.11) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1750.16 via Frontend Transport; Thu, 4 Apr 2019 16:33:34 +0000
Received: by USBDFE84001.xxxx.com (Postfix, from userid 600)
id 44ZpRK6Xs6z8Pgff; Thu, 4 Apr 2019 16:33:16 +0000 (UTC)
Received: from intmail1.xxxxx.com (mail1.xxxx.com [192.168.210.124])
by USBDFE84001.xxx.com (Postfix) with ESMTPS id 44ZpQz1HQyz8PgjC
for <xxxxxxx@xxxxx.com>; Thu, 4 Apr 2019 16:33:15 +0000 (UTC)
Received-SPF: None (mail1.xxxxx.com: no sender authenticity
information available from domain of
xxxxx@xxxxxx.com) identity=pra;
client-ip=40.107.79.105; receiver=mail1.xxxx.com;
envelope-from="xxxx@xxxxxx.com";
x-sender="xxxxxxxx@xxxxxxx.com";
x-conformance=sidf_compatible
Received-SPF: Pass (mail1.xxxxx.com: domain of
xxxxx@xxxxxxx.com designates 40.107.79.1xx as
permitted sender) identity=mailfrom; client-ip=40.107.79.1xx;
receiver=mail1.xxxx.com;
envelope-from="xxxxx@xxxxxx.com";
x-sender="xxxxxx@xxxxx.com";
x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: Pass (mail1.xxxx.com: domain of
postmaster@NAM03-CO1-obe.outbound.protection.outlook.com
designates 40.107.79.1xx as permitted sender) identity=helo;
client-ip=40.107.79.1xx; receiver=mail1.xxxxxx.com;
envelope-from="xxxxx@xxxxx.com";
x-sender="postmaster@NAM03-CO1-obe.outbound.protection.outlook.com";
x-conformance=sidf_compatible; x-record-type="v=spf1"
Authentication-Results-Original: mail1.xxxxx.com; spf=None
smtp.pra=xxxxx@xxxxxx.com; spf=Pass
smtp.mailfrom=xxx@xxxxx.com; spf=Pass
smtp.helo=postmaster@NAM03-CO1-obe.outbound.protection.outlook.com; dkim=pass
(signature verified) header.i=@xxxxxxx.onmicrosoft.com
X-SBRS: 3.5
X-ExtLoop1: 1
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.56,253,1539669600";
d="scan'208,217";a="1220302851"
X-Agari-Original-From: xxxxx@xxxxxxx.com
X-Agari-Original-To: xxxxxx@xxxxxxx.com
X-Agari-Authentication-Results:
Received: from mail-eopbgr790105.outbound.protection.outlook.com (HELO NAM03-CO1-obe.outbound.protection.outlook.com) ([40.107.79.1xx])
by mail1.xxxxx.com with ESMTP/TLS/AES256-SHA256; 04 Apr 2019 09:39:16 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=xxxxxx.onmicrosoft.com; s=selector1-xxxxxs-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=4SjK29prRfCthyF+xT5yfhxu2Ps+prPfj0lN7OrZIvw=;
b=Lx7cMIOg4Te8ukcMTDya0Wv7aosbYjonvP0D/t6LE+LOFAIQHPY3mYdrHAfPzoMtleSAA53KysCFy40AqJS4SwJvlndXPBFTluBP5cHN66tMEYv0DYKP5LcHlLgjvVYxGQhNKxo4V+NuVIR4kLqNBmVsBs+lQQz1zDTFubhK/Ts=
Received: from CY4PR1701MB1719.namprd17.prod.outlook.com (10.171.211.1xx) by
CY4PR1701MB1893.namprd17.prod.outlook.com (10.171.212.xx) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1750.20; Thu, 4 Apr 2019 16:33:12 +0000
Received: from CY4PR1701MB1719.namprd17.prod.outlook.com
([fe80::d431:a00b:dae1:86f5]) by CY4PR1701MB1719.namprd17.prod.outlook.com
([fe80::d431:a00b:dae1:86f5%3]) with mapi id 15.20.1750.017; Thu, 4 Apr 2019
16:33:12 +0000
From: xxxxx <xxxxxx@xxxxxxxx.com>
To: "xxxxx@xxxxx.com" <xxxxx@xxxxx.com>
Subject: Bank information
Thread-Topic: Bank information
Thread-Index: AQHU6wQYCeqkidNyV0S4omI5/31uOQ==
Date: Thu, 4 Apr 2019 16:33:12 +0000
Message-ID: <CY4PR1701MB171939E31DD86D2D2C4C68F6CB500@CY4PR1701MB1719.namprd17.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [198.71.60.xxx]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: c2931924-3e95-4bd4-0262-08d6b91b482e
X-Microsoft-Antispam-Untrusted:
BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020);SRVR:CY4PR1701MB1893;
X-MS-TrafficTypeDiagnostic: CY4PR1701MB1893:|BL2P131MB0002:
x-microsoft-antispam-prvs: <CY4PR1701MB18938CE2FEDA2B57D7204EAACB500@CY4PR1701MB1893.namprd17.prod.outlook.com>
x-forefront-prvs: 0997523C40
X-Forefront-Antispam-Report-Untrusted:
SFV:NSPM;SFS:(10019020)(366004)(39840400004)(136003)(346002)(396003)(376002)(189003)(199004)(221733001)(5660300002)(68736007)(66066001)(316002)(106356001)(25786009)(5070765005)(74316002)(2906002)(6436002)(71200400001)(3480700005)(4300700001)(7736002)(6606003)(6116002)(71190400001)(486006)(7116003)(186003)(6916009)(53936002)(54896002)(14454004)(19627405001)(99286004)(5580840003)(97736004)(55016002)(2501003)(5640700003)(9686003)(55236004)(256004)(15650500001)(3846002)(86362001)(81156014)(12560500001)(8936002)(81166006)(478600001)(52536014)(105586002)(6506007)(53336002)(8676002)(476003)(2351001)(7696005)(14444005)(33656002)(102836004)(26005);DIR:OUT;SFP:1102;SCL:1;SRVR:CY4PR1701MB1893;H:CY4PR1701MB1719.namprd17.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: xxxxx.com does not
designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: multipart/alternative;
boundary="_000_CY4PR1701MB171939E31DD86D2D2C4C68F6CB500CY4PR1701MB1719_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1701MB1893
Return-Path: xxxx@xxxxxx.com
X-MS-Exchange-Organization-ExpirationStartTime: 04 Apr 2019 16:33:34.5734
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
c2931924-3e95-4bd4-0262-08d6b91b482e
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report:
CIP:167.83.130.22;IPV:CAL;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(2980300002)(1110001)(1109001)(339900001)(489007)(199004)(189003)(2351001)(33656002)(7736002)(6916009)(16586007)(3480700005)(336012)(14454004)(105606002)(55016002)(5000100001)(25786009)(102836004)(61614004)(66066001)(69596002)(52536014)(4006050)(5070765005)(6606003)(6506007)(86362001)(14444005)(97736004)(9686003)(2501003)(99286004)(81156014)(486006)(221733001)(53336002)(84326002)(81166006)(75640400001)(356004)(54896002)(126002)(476003)(1096003)(63266004)(15650500001)(4300700001)(8936002)(26005)(5660300002)(85426001)(53936002)(19627405001)(106466001)(7116003)(8636004)(26826003)(71190400001)(6116002)(7696005)(3846002)(68736007)(5640700003)(8676002)(74316002);DIR:INB;SFP:;SCL:1;SRVR:BL2P131MB0002;H:USBDFE84001.xxx.com;FPR:;SPF:Fail;LANG:en;PTR:InfoDomainNonexistent;A:1;MX:1;
X-MS-Exchange-Organization-AuthSource:
BL2NAM02FT037.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: xxxxxx.onmicrosoft.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
2e8950c8-c24e-44f0-5fea-08d6b91b3ae3
X-Microsoft-Antispam:
BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(5600139)(710020)(711020)(4605104)(4534185)(4627221)(201703031133081)(8559020)(8990200)(2017052603328)(7193020);SRVR:BL2P131MB0002;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Apr 2019 16:33:34.3792
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c2931924-3e95-4bd4-0262-08d6b91b482e
X-MS-Exchange-CrossTenant-Id: c8c6dd35-871f-4f30-85ac-6535f3982514
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=c8c6dd35-871f-4f30-85ac-6535f3982514;Ip=[167.83.130.22];Helo=[USBDFE84001.xxxxx.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2P131MB0002
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5854247
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1750.010
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750119)(520011016)(944506303)(944626516);
ASKER
Ok...thank you...it's just quite concerning that we cannot pin it down. I have a case open with MS now, but that might be days and the client
is restless to know what is going on here.
Most of the emails are just blanket phishing ones...but one seemed to have actual info in it that would come from a hack. But we are dealing with humans here and I don't know if this person is explaining that correctly to me...very strange stuff
Email is not a secure platform and it never was meant to be secure. It was originally set up so that you can telnet to any email server, set a To and From address, and the mail server will deliver. Eventually, servers could be set up to block random access. Then DKIM and SPF were invented as an overlay to prevent spoofing, but it's still not everywhere.
Email is not a secure means of communication. You were never supposed to trust email without additional verification. It was invented in the 1970s and is still basically the same beast. Nothing much has changed since then.
ASKER
Thank you all for all the help. We had to dive deep and the HUMAN error part seems to be the culprit. He was phished and it took his password. Guy was embarrassed and didn't tell us that he clicked on an email asking about his data size in his archive. The archive is HUGE, so it made sense to him..
Thank you all
Chris
Chris,
Big takeaway here is to get an SPF record put in place, followed by DKIM and DMARC. Here is a good article to start with: https://www.linuxincluded.com/implementing-spf-dkim-and-dmarc/
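As an added illustration (not from the thread or any of its participants), the script below parses the Authentication-Results line shown in the posted headers and checks DMARC identifier alignment for it, then repeats the check on a constructed variant of the same line in which DKIM is signed by the custom domain rather than the onmicrosoft.com tenant domain. The redacted xxxx domains are replaced by the constructed placeholders example.com and example.onmicrosoft.com, and org_domain is a deliberate simplification of the Public Suffix List lookup a real DMARC evaluator performs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Authentication-Results value from the posted message,
# with the redacted domains replaced by placeholders (not the real tenant).
AUTH_RESULTS_AS_POSTED = (
    "spf=fail (sender IP is 167.83.130.2x) smtp.mailfrom=example.com; "
    "dkim=pass (signature was verified) header.d=example.onmicrosoft.com; "
    "dmarc=none action=none header.from=example.com;"
)

# Constructed variant: the same message once DKIM signing is moved to the
# custom domain, which is what the SPF/DKIM/DMARC advice above leads to.
AUTH_RESULTS_AFTER_FIX = (
    "spf=fail (sender IP is 167.83.130.2x) smtp.mailfrom=example.com; "
    "dkim=pass (signature was verified) header.d=example.com; "
    "dmarc=pass action=none header.from=example.com;"
)

_METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
_PROP_RE = re.compile(r"(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)")


def parse_authentication_results(value: str) -> dict:
    """Extract method results and the identifiers DMARC cares about.
    Parenthesised comments are stripped first so free text in them
    cannot inject key=value pairs into the result."""
    cleaned = re.sub(r"\([^)]*\)", "", value)
    out = {m: r.lower() for m, r in _METHOD_RE.findall(cleaned)}
    out.update({k: v.lower() for k, v in _PROP_RE.findall(cleaned)})
    return out


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real evaluators consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, rfc5322_from: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed
    (the default) needs the same organizational domain."""
    if strict:
        return identifier.lower() == rfc5322_from.lower()
    return org_domain(identifier) == org_domain(rfc5322_from)


@dataclass
class DmarcEvaluation:
    spf_aligned: bool
    dkim_aligned: bool
    would_pass: bool
    notes: list = field(default_factory=list)


def evaluate_dmarc(results: dict) -> DmarcEvaluation:
    """DMARC passes when at least one authenticated identifier (SPF MAIL FROM
    or DKIM d=) aligns with the RFC 5322 From domain."""
    hdr_from = results["header.from"]
    notes = []
    spf_ok = results.get("spf") == "pass" and aligned(results.get("smtp.mailfrom", ""), hdr_from)
    if results.get("spf") != "pass":
        notes.append(f"SPF {results.get('spf')}: sending IP not authorised for {results.get('smtp.mailfrom')}")
    dkim_ok = results.get("dkim") == "pass" and aligned(results.get("header.d", ""), hdr_from)
    if results.get("dkim") == "pass" and not dkim_ok:
        notes.append(f"DKIM passed but d={results.get('header.d')} is not aligned with From {hdr_from}")
    return DmarcEvaluation(spf_ok, dkim_ok, spf_ok or dkim_ok, notes)


if __name__ == "__main__":
    for label, hdr in (("as posted", AUTH_RESULTS_AS_POSTED), ("after fix", AUTH_RESULTS_AFTER_FIX)):
        print(label, evaluate_dmarc(parse_authentication_results(hdr)))
```

With the header as posted, neither identifier aligns (SPF failed and the DKIM d= domain is onmicrosoft.com), so publishing a DMARC policy alone would not have helped until DKIM is signed by the custom domain.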
ASKER
First, thank you so much for the response; this was my first thought as well and maybe totally correct...
Here is the thing. My client who 'sent' the email doesn't have a record of the transaction in his sent messages in Outlook
or OWA.
However, when I search using message trace for all emails sent to the recipient in Office 365, I see the email the recipient is sending. I see
the bad emails with message IDs...
How does that happen if it started with a third-party Postfix server? How does it reflect back into Office 365 servers with a real message ID?
Also what do you guys make of the Transport-CrossTenantHeade
Thanks again