So we’ve been a bit of an indirect target of spammers recently… my company has gotten a lot of complaints from customers that they are getting a lot of spam from our sales people. Normally (considering the nature of sales) I’d just smack the sales staff and move on… but this isn’t us!
Some spammer has been sending emails… to OUR customers… using OUR email addresses. doing a quick message trace and sure enough, these emails appear to be coming from our account. At first I thought it was a hacked account or two so I had everyone change their passwords and set 2fa… but the next day, a batch more emails went out. I ran an audit on the affected accounts and there were no failed logins and no attempts to reset passwords (we disabled password reset because of this).
Normally, I’d say this was just normal spoofing… but these emails are passing THROUGH our exchange online account, the message header even shows our dkim and dmarc. As far as I can tell, Microsoft honestly thinks they are coming from US!
I’ve added the x-originating-ip to the block list under threat-management. hopefully that will help, but it wont take long for the spammers to update their IP and if that happens while I’m off the clock… well our customers get another massive load of spammy spam… I’d add our IP’s to the allow list and block all others, but most of our sales staff are working from home with dynamic IPs so that’s not really possible right now. How do I fight this?