
Email spoof cost client $68,000

crp0499 asked
Last Modified: 2021-03-11
So, give me some feedback, as I'm not looking for a solution for stupid people. :)

A client of ours received an email that was spoofed. Outlook even flagged the email as "the sender of this email does not appear to be the normal sender" and there were other red flags - there was more text than usual and it was broken English and too gushy with the please and at your leisure and all of that. Despite the red flags, the girl wired the money to the now "updated banking info" and bam, it's over. Now for my questions:

We use O365 for email and when we looked at the header, there was no SPF, no DKIM, and no DMARC.  Despite this, the SCL level was 1 and noted in the email header was "compauth=pass reason=116."  I don't know what that reason=116 means and I can't find it on the net.

We opened a ticket with MS and got them on the phone.  The tech said clearly the email should have been marked as spam and he had no reasons for why it was not marked as spam.  MS asked for a detailed trace report, which we sent, but we have not heard back.

What we learned is that the sender sent from an email account hosted at godaddy. The spoofed email address is also hosted at godaddy. Since the offending email contained a REAL invoice number with a correctly corresponding amount, we are assuming someone is reading the spoofed email account's email and learned that we did in fact owe the money on the corresponding invoice. Since both the spoofed email and the account used for sending are godaddy, we are assuming either both godaddy accounts have been compromised or someone at one or both of the accounts is doing this.

Anyway, my question for the experts is:

What is compauth=pass reason=116, and

Why did MS allow this email thru when it blocks others like this? What I mean is we have other emails missing SPF, DKIM, DMARC and those get flagged as spam.  This one did not.

Thoughts?
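
For triaging a saved copy of a message like the one described in the question, here is an added example (not part of the original post or of any answer). It parses the `Authentication-Results` and `X-Forefront-Antispam-Report` headers and flags a `compauth=pass` that has no SPF, DKIM or DMARC pass behind it. The sample message, its domains and its IP address are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers described in the question.
SAMPLE = """\
Authentication-Results: spf=none (sender IP is 192.0.2.10)
 smtp.mailfrom=vendor.example; dkim=none (message not signed)
 header.d=none; dmarc=none action=none header.from=vendor.example;
 compauth=pass reason=116
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:US;SCL:1;SFV:NSPM;
From: Accounts <ar@vendor.example>
Subject: Updated banking info

body
"""


def parse_auth_results(raw_message):
    """Return per-method verdicts (spf, dkim, dmarc, compauth) plus the SCL."""
    msg = message_from_string(raw_message)
    # Unfold the header, then drop parenthesised comments such as "(sender IP is ...)".
    header = " ".join((msg.get("Authentication-Results") or "").split())
    header = re.sub(r"\([^)]*\)", "", header)
    verdicts = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty clause or a leading authserv-id
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        verdicts[method.lower()] = {"result": result.lower(), **props}
    report = msg.get("X-Forefront-Antispam-Report") or ""
    scl = re.search(r"\bSCL:(-?\d+)", report)
    verdicts["scl"] = int(scl.group(1)) if scl else None
    return verdicts


def implicit_pass_only(verdicts):
    """True when compauth passed although SPF, DKIM and DMARC gave no pass."""
    explicit = [verdicts.get(m, {}).get("result", "none")
                for m in ("spf", "dkim", "dmarc")]
    return (verdicts.get("compauth", {}).get("result") == "pass"
            and "pass" not in explicit)


if __name__ == "__main__":
    v = parse_auth_results(SAMPLE)
    print(v["compauth"], "SCL", v["scl"], "implicit-only:", implicit_pass_only(v))
```

Messages for which `implicit_pass_only` returns true are the ones to review by hand when they carry payment or banking changes.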