So, give me some feedback, as I'm not looking for a solution for stupid people. :)
A client of ours received an email that was spoofed. Outlook even flagged the email as "the sender of this email does not appear to be the normal sender" and there were other red flags - there was more text than usual and it was broken English and too gushy with the please and at your leisure and all of that. Despite the red flags, the girl wired the money to the now "updated banking info" and bam, it's over. Now for my questions:
We use O365 for email and when we looked at the header, there was no SPF, no DKIM, and no DMARC. Despite this, the SCL level was 1 and noted in the email header was "compauth=pass reason=116." I don't know what that reason=116 means and I can't find it on the net.
We opened a ticket with MS and got them on the phone. The tech said clearly the email should have been marked as spam and he had no reasons for why it was not marked as spam. MS asked for a detailed trace report, which we sent, but we have not heard back.
What we learned is that the sender sent from an email account hosted at godaddy. The spoofed email address is also hosted at godaddy. Since the offending email contained a REAL invoice number with a correctly corresponding amount, we are assuming someone is reading the spoofed email account's email and learned that we did in fact owe the money on the corresponding invoice. Since both the spoofed email and the account used for sending are godaddy, we are assuming either both godaddy accounts have been compromised or someone at one or both of the accounts is doing this.
Anyway, my question for the experts is:
What is compauth=pass reason=116, and
Why did MS allow this email through when it blocks others like this? What I mean is we have other emails missing SPF, DKIM, DMARC and those get flagged as spam. This one did not.
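As a defender-side illustration, added here and not part of the original post: a small parser for an O365-style Authentication-Results header that flags the combination the poster describes (spf/dkim/dmarc all none, yet compauth=pass). The header text and domains are constructed placeholders, and the heuristic in assess() is a local one that assigns no meaning to the reason code itself.

```python
import re

# Constructed sample modeled on the header shape described in the post:
# no SPF, no DKIM, no DMARC, yet compauth=pass reason=116.
# The domains and IP are placeholders, not the real ones from the incident.
SAMPLE_HEADER = (
    "spf=none (sender IP is 203.0.113.10) smtp.mailfrom=vendor.example; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=none action=none header.from=vendor.example;"
    "compauth=pass reason=116"
)

METHODS = ("spf", "dkim", "dmarc", "compauth")
DOMAIN_KEYS = ("reason", "smtp.mailfrom", "header.from", "header.d")


def parse_auth_results(header: str) -> dict:
    """Return {method: result} for spf/dkim/dmarc/compauth plus reason and domain fields."""
    out = {}
    for method in METHODS:
        match = re.search(rf"\b{method}=(\w+)", header)
        if match:
            out[method] = match.group(1).lower()
    for key in DOMAIN_KEYS:
        match = re.search(rf"{re.escape(key)}=([^\s;]+)", header)
        if match:
            out[key] = match.group(1).lower()
    return out


def assess(results: dict) -> list:
    """Hypothetical local heuristic: findings a mail-flow rule or SIEM query could act on."""
    findings = []
    explicit_pass = any(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    # Composite authentication passed although no explicit mechanism did: worth a second look.
    if results.get("compauth") == "pass" and not explicit_pass:
        findings.append(
            "compauth=pass without any explicit SPF/DKIM/DMARC pass "
            f"(reason={results.get('reason', '?')})"
        )
    if results.get("dmarc") == "none":
        findings.append("sender domain publishes no DMARC policy")
    mail_from, header_from = results.get("smtp.mailfrom"), results.get("header.from")
    if mail_from and header_from and mail_from != header_from:
        findings.append(f"envelope domain {mail_from} differs from From: domain {header_from}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_auth_results(SAMPLE_HEADER)):
        print("FINDING:", finding)
```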