New method of spoofing?

General eFa discussion
2Old4This
Posts: 9
Joined: 15 May 2015 21:11

New method of spoofing?

Post by 2Old4This » 12 Apr 2019 18:40

My VP of Sales has been getting a bunch of emails that look pretty convincingly like they're coming from his account. It's a poorly-spelled bitcoin extortion attempt.

Info from quarantine on EFA, which seems like a message sent to himself:
Message Headers: Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: jdoe@domain.com <jdoe@domain.com>
To: jdoe@domain.com <jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
From: jdoe@domain.com
To: jdoe@domain.com
Subject: Important: Your system was compromised!
Size: 16.51kB


But here's the header from the message in the user's Outlook (sent via on-prem Exchange 2013):
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4 via Mailbox Transport; Thu, 11 Apr 2019 06:28:21 -0700
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4; Thu, 11 Apr 2019 06:27:59 -0700
Received: from efa.domain.com (10.5.4.57) by exch13.domain.local
(10.5.4.64) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend
Transport; Thu, 11 Apr 2019 06:27:59 -0700
X-Spam-Status: No
X-domain-MailScanner-EFA-Watermark: 1555594092.25085@2iOHl+CfjNEJTOoWuENANA
X-domain-MailScanner-EFA-From: jdoe@domain.com
X-domain-MailScanner-EFA: Found to be clean
X-domain-MailScanner-EFA-ID: 54A3C2005F.AAC67
X-domain-MailScanner-EFA-Information: Please contact admin@domain.com for more information
Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: "jdoe@" <domain.com jdoe@domain.com>
To: "jdoe@" <domain.com jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
Message-ID: <3ef4c2c64d234b7d837ae9abbfb05e1f@exch13.domain.local>
Return-Path: jdoe@domain.com



For a legitimate internal message the From: header is: "John Doe" <jdoe@domain.com>
For this spoofed message the From: header is: "jdoe@" <domain.com jdoe@domain.com>

So I guess my immediate question is "What can I do in the short term to stop these?"

TIA
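The two From: lines the post compares show the trick: the display name holds "jdoe@" and the text inside the angle brackets holds "domain.com" plus, after a space, the real address, so a client that glues the pieces together renders something that looks like the user's own address. The following script is an added example (not from the thread and not part of eFa or MailScanner) that checks From: values structurally instead of letting a lenient parser repair them. LOCAL_DOMAIN and the sample header block are assumptions constructed from the placeholder values on this page.

```python
import re

# Assumption for this example: the domain whose users we are protecting.
# The thread uses the placeholder "domain.com", so the same placeholder is used here.
LOCAL_DOMAIN = "domain.com"

# A deliberately strict addr-spec: exactly one "@", no whitespace, no quotes or brackets.
ADDR_SPEC = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# name-addr form: optional display name, then whatever sits between "<" and ">".
ANGLE_ADDR = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^>]*)>\s*$", re.S)


def split_from(value):
    """Split a From: value into (display_name, angle_addr_text) without repairing it.

    email.utils.parseaddr tries to make sense of broken input; here we want the
    raw text between "<" and ">" so that we can judge it ourselves.
    """
    value = value.strip()
    m = ANGLE_ADDR.match(value)
    if not m:
        return "", value
    name = m.group("name").strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]
    return name, m.group("addr").strip()


def inspect_from(value, local_domain=LOCAL_DOMAIN):
    """Return a list of findings for one From: value; an empty list means it looks well-formed."""
    name, addr = split_from(value)
    findings = []
    if not ADDR_SPEC.match(addr):
        findings.append("malformed addr-spec inside <>: %r" % addr)
    if "@" in name:
        findings.append("display name contains '@': %r" % name)
    tokens = addr.split()
    if len(tokens) > 1:
        # The pattern from the thread: the address is split across the display name
        # and the first token of the angle-addr, with the real address after a space.
        glued = (name + tokens[0]).lower()
        if glued.endswith("@" + local_domain.lower()):
            findings.append(
                "display name + first <> token spell local address %r; "
                "actual address is %r" % (glued, tokens[-1])
            )
    return findings


def from_values(raw_headers):
    """Collect every From: value from a raw header block, unfolding continuation lines."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [l[5:].strip() for l in lines if l.lower().startswith("from:")]


def scan(raw_headers, local_domain=LOCAL_DOMAIN):
    """Map each From: value found in the header block to its findings."""
    return {v: inspect_from(v, local_domain) for v in from_values(raw_headers)}


# Constructed sample header block modelled on the spoofed message in the thread.
SAMPLE_HEADERS = """\
Subject: Important: Your system was compromised!
From: "jdoe@" <domain.com jdoe@domain.com>
To: "jdoe@" <domain.com jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
"""

if __name__ == "__main__":
    for value, findings in scan(SAMPLE_HEADERS).items():
        print(value, "->", findings or ["ok"])
    print('"John Doe" <jdoe@domain.com>', "->", inspect_from('"John Doe" <jdoe@domain.com>') or ["ok"])
```

Run against the page's legitimate header, `"John Doe" <jdoe@domain.com>`, the checks return nothing; against the spoofed one they report the whitespace inside the angle brackets, the "@" in the display name, and the fact that display name plus first token reassemble a local address. The display-name check alone also fires on the quarantine view's `jdoe@domain.com <jdoe@domain.com>` form, which is worth treating as a lower-severity signal rather than a block on its own, since some mail clients emit that shape for legitimate mail.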

henk
Posts: 360
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: New method of spoofing?

Post by henk » 12 Apr 2019 23:09


JamesBotch
Posts: 1
Joined: 19 Apr 2019 10:06

Re: New method of spoofing?

Post by JamesBotch » 11 May 2019 13:09

I have been getting a few of these emails recently. Thanks for the solution.
