Where email authentication is potentially great – protecting against spoofing from domains with weak authentication

So, in the past couple of posts, I’ve talked about how email authentication is not that great against phishing attacks that use random parameters in the sender, but is well-designed to work against springboard spear-phishing attacks. There’s another scenario where it is simultaneously well-positioned to protect against spear-phishing, yet not in a good position to…

A security story that is kind of disturbing

I’ve got a story for you. As a security person, it’s a little disturbing. I was driving in the car with my wife yesterday who works in the health care industry (she’s not a doctor). She was telling me that earlier that day, she was trying to email a file to some other organization and…

Where email authentication is not so great at stopping phishing – random IT phishing scams

On this blog, I’ve written a lot about email authentication and preached its virtues. If you are a domain owner, you should definitely set up SPF, DKIM, and DMARC records both so that emails to you can be identified between authentic and not, and so that other email receivers (e.g., Gmail, Hotmail/Outlook.com, Comcast, etc.) can…

Troubleshooting the red (Suspicious) Safety Tip for fraud detection checks

Introduction It has now been about 8 months since we released our antispoofing protection in Office 365, a feature that defends against Business Email Compromise, where the From and To domains are the same. You can read more about that feature at http://aka.ms/AntispoofingInOffice365. To summarize, it defends against others spoofing your domain in the From:…

Hotmail/Outlook.com evaluates DKIM a little differently than Office 365

If you’re a user in Hotmail, Outlook.com, or any other of Microsoft’s consumer email services, you may notice that it evaluates DKIM a little differently than you might expect (you would only notice this mostly as someone who is trying to troubleshoot delivery, as an average user you probably wouldn’t notice it at all unless…

Messages going to Junk even though they aren’t spam? Check to see if you have Safe-Lists-Only enabled

Recently, I’ve been seeing a spike in customer escalations saying that messages that aren’t marked as spam are nevertheless getting sent to the Junk Mail folder. This is despite the message headers indicating that the message is non-spam, that is, the X-Forefront-Antispam-Report header says “SFV:NSPM” (Spam Filter Verdict: Non-spam) and “SCL:1”. The most common reason…

How we moved microsoft.com to a p=quarantine DMARC record

In case you hadn’t noticed, Microsoft recently published a DMARC record that says p=quarantine: _dmarc.microsoft.com. 3600 IN TXT “v=DMARC1; p=quarantine; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1” This means that any sender transmitting email either into Microsoft’s corp mail servers or to any other domain that receives email, and the message is spoofed (it doesn’t pass SPF or…

Sending mail with invalid From: addresses to Office 365

One of the changes to go into Office 365 in the past year is an antispam rule that rejects messages with an invalid From: address. When this occurs, the message is rejected with: 550 5.7.512 Access denied, message must be RFC 5322 section 3.6.2 compliant and include a valid From address If you look…

The outbound IP and HELO format for Office 365

Regularly, Office 365 is asked by other email receivers about the way our mail servers and IP addresses are set up, and the need to conform to a particular standard. That standard (which is more of a convention implemented by some receivers, not all of them) is that the IPs have Forward-Confirmed Reverse DNS, and these also…

Exchange Online increases its URL filtering

One of the ways in which Exchange Online detects spam, malware, and phishing is through URL filtering. We use a variety of sources, you can find them here: https://technet.microsoft.com/en-us/library/dn458545(v=exchg.150).aspx We use URL reputation lists in the following way (including but not limited to): At time-of-scan, if a message contains a URL that is on one of…

Phishing, magic, Stuxnet, and how they all work together

Part 1 – There’s more to me than just fighting spam If all you know of me is through this blog, then you’ll know I’ve been involved in the fight against spam, malware, and phishing for over a decade. On the other hand, those of you who know me in person or have checked out…

Hooking up additional spam filters in front of or behind Office 365

Note: This blog post reflects my own recommendations. Over here in Exchange Online Protection (EOP), people sometimes ask me why we don’t recommend hooking up multiple layers of filtering in front of the solution. That is, instead of doing one of these: Internet -> EOP -> hosted mailbox; Internet -> EOP -> on-prem mail server…

Why we believe strange things

This post doesn’t have anything to do with cyber security. It’s one of those “It’s my blog and I can write what interests me” posts. A couple of years ago I read Robert Cialdini’s book Influence: The psychology of persuasion. It’s considered one of the classics on how to persuade other people to your point of…

Why does my email from Facebook, that I forward from my outlook.com account, get rejected?

Why is my (your) email bouncing when I (you) forward it? Recently, many people have been asking me why their email from Facebook, that they forward from their outlook.com or Hotmail account to another account, bounces after they forward it? That is: Facebook -> outlook.com (forward) -> Hotmail/Yahoo/Gmail -> bounces back Why does this happen?…
