al4629740
email hack

One of our users seems to have received a spoof email from another user in our organization. In the "From" field the address is one of our email accounts, but it seems suspicious that it's really not. What would I look for to verify the real sender in the header?

Email Servers, AntiSpam, Security

8/22/2022 - Mon
Kimputer

"From" can be spoofed. Therefore you need to look at the source of the mail, and check the full headers.
It will reveal if it was generated from your own systems, or just a spoofed email from some random country.
Use a REAL email from that supposed user to compare. You'll probably see big differences (it means it's probably spoofed). If it looks a bit identical, you may be in danger.
You can post the full headers here for us to decode, but if you see some identifying info, you may mark it as something else, as long as it's clear.
If you send 2 email headers to check (one real, and the one for us to investigate), and you see similar IP addresses you don't want to reveal, mark them as %IP_NR_001% (and _002, etc) on BOTH email headers (if they are equal of course).
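The comparison described above, as an added example that is not part of the original thread: parse two messages with Python's standard `email` module, pull out the evidence that cannot be typed in by the sender as freely as the `From:` line (the `Return-Path`, the earliest `Received:` hop, and the receiving server's `Authentication-Results`), and list the differences. Both messages below are constructed for this example; the hostnames, IPs and message IDs are invented and do not come from the thread.

```python
"""Compare what the From: header claims with what the rest of the headers show.

Added example, not code from the original thread. Both messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: a real message from the internal user. The first hop is the
# organisation's own mail server and every authentication check passed.
LEGIT_MESSAGE = """\
Return-Path: <alice@example.com>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP id ghi789; Mon, 22 Aug 2022 08:30:05 +0000
Received: from mail.example.com (mail.example.com [192.0.2.20])
\tby mx.example.com with ESMTP id jkl012; Mon, 22 Aug 2022 08:30:03 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Lunch?
Message-ID: <20220822083000.7@mail.example.com>

Sandwiches at noon?
"""

# Constructed: the suspect message. From: is identical, but the envelope sender,
# the earliest Received hop and the authentication results tell another story.
SUSPECT_MESSAGE = """\
Return-Path: <bounce@example-bulk.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP id abc123; Mon, 22 Aug 2022 09:00:05 +0000
Received: from relay.example-bulk.net (unknown [203.0.113.45])
\tby mx.example.com with ESMTP id def456; Mon, 22 Aug 2022 09:00:03 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-bulk.net;
\tdkim=none; dmarc=fail header.from=example.com
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Urgent: wire transfer
Message-ID: <20220822090000.1@relay.example-bulk.net>

Please process the attached invoice today.
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyse_headers(raw):
    """Extract the sender evidence from a raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = return_path.rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    # Each relay prepends its own Received: line, so the LAST one is the
    # earliest hop visible to us: the host that handed the mail to our edge.
    origin_ips = IP_RE.findall(received[-1]) if received else []
    # Results written by our own receiving server (only trust the instance
    # stamped by a server you control; senders can forge others).
    auth = dict(AUTH_RESULT_RE.findall(msg.get("Authentication-Results", "")))
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "domains_match": from_domain == envelope_domain,
        "origin_ip": origin_ips[0] if origin_ips else None,
        "auth": auth,
        "hops": len(received),
    }


def red_flags(report):
    """Turn a header report into a list of human-readable warning signs."""
    flags = []
    if not report["domains_match"]:
        flags.append("envelope sender domain %r differs from From: domain %r"
                     % (report["envelope_domain"], report["from_domain"]))
    for mech in ("spf", "dkim", "dmarc"):
        result = report["auth"].get(mech, "missing")
        if result != "pass":
            flags.append("%s did not pass (%s)" % (mech, result))
    return flags


if __name__ == "__main__":
    for label, raw in (("real", LEGIT_MESSAGE), ("suspect", SUSPECT_MESSAGE)):
        report = analyse_headers(raw)
        print(label, "first hop:", report["origin_ip"], "flags:", red_flags(report))
```

Run stand-alone, the real message produces no flags and the suspect one lists the envelope mismatch plus the failed SPF, DKIM and DMARC results, with a different first-hop IP. This is exactly the side-by-side Kimputer asks for; the same code works on headers pasted from a mail client's "view source" once the identifying values have been masked as described.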
ASKER CERTIFIED SOLUTION
David Favor

You asked, "What would I look for to verify the real sender in the header?"

This is impossible.

Email messages are just text.

I can send a message for any From: address I like... as, it's just text I type in...
SOLUTION
masnrock

al4629740

ASKER
Are there directions in Office 365, the tenant I'm using, to setup DKIM or SPF records in the manner you suggested?
SOLUTION
kenfcamp

masnrock

This might not be as detailed as you hope, but here is an article from Microsoft for SPF:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide

There are also many websites out there to help with creating an SPF record. Note: You're going to need to make sure you know all of the systems that are allowed to send emails out using an email address from your organization.

Also from Microsoft, here is documentation on DKIM:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide

You're going to want the DMARC documentation too:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide
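To make the note about "knowing all of the systems that are allowed to send" concrete, here is an added example (not from the thread or from Microsoft's documentation) of how a receiving server evaluates an SPF record and reads a DMARC policy. The DNS answers are a constructed in-memory table: the `spf.protection.outlook.com` include name is the one Microsoft's SPF guide uses, but the IP ranges attached to it here are invented, as are the domain and the DMARC record. Only the `ip4`/`ip6`, `include` and `all` terms are implemented; `a`, `mx`, `exists` and `redirect` are reported as unsupported.

```python
"""Minimal SPF evaluation and DMARC record parsing against constructed DNS data.

Added example, not code from the original thread. All records are invented.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups. The include name is the one used
# in Microsoft's Office 365 SPF guidance; its address range here is made up.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=FAKE_DNS_TXT.get, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for sender_ip claiming to send mail for domain."""
    if depth > 10:  # recursion guard; RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF published: the receiver cannot judge the IP
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            # Reached only when no earlier mechanism matched. '-all' rejects
            # unknown senders; '~all' merely marks them, '+all' allows anyone.
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # Version mismatch (IPv4 address vs ip6 network) simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches when the referenced domain's record passes the IP.
            if check_spf(arg, sender_ip, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a/mx/exists/redirect not implemented here
    return "neutral"  # record ended without an 'all' term


def parse_dmarc(domain, lookup=FAKE_DNS_TXT.get):
    """Return the DMARC tags for domain as a dict, or None if none published."""
    record = lookup("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key] = value
    return tags


if __name__ == "__main__":
    for ip in ("192.0.2.20", "198.51.100.7", "203.0.113.45"):
        print(ip, "->", check_spf("example.com", ip))
    print("DMARC policy:", parse_dmarc("example.com"))
```

The third address is the kind of "unknown [203.0.113.45]" first hop seen in a spoofed message: with the record above it fails SPF, and the DMARC policy `p=quarantine` tells receivers to quarantine mail that fails. The pitfall masnrock points at is also visible: any legitimate third-party service whose range is missing from the record (a ticketing tool, a newsletter sender) gets the same `fail` result, which is why the sender inventory has to be complete before moving from `~all` to `-all`.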