New method of spoofing?
Posted: 12 Apr 2019 18:40
My VP of Sales has been getting a bunch of emails that look pretty convincingly like they're coming from his account. It's a poorly-spelled bitcoin extortion attempt.
Info from quarantine on EFA, which seems like a message sent to himself:
Message Headers:
Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: jdoe@domain.com <jdoe@domain.com>
To: jdoe@domain.com <jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
From: jdoe@domain.com [Add to Whitelist | Add to Blacklist]
To: jdoe@domain.com
Subject: Important: Your system was compromised!
Size: 16.51kB
But here's the header from the message in the user's Outlook (sent via on-prem Exchange 2013):
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4 via Mailbox Transport; Thu, 11 Apr 2019 06:28:21 -0700
Received: from exch13.domain.local (10.5.4.64) by
exch13.domain.local (10.5.4.64) with Microsoft SMTP Server (TLS) id
15.0.1320.4; Thu, 11 Apr 2019 06:27:59 -0700
Received: from efa.domain.com (10.5.4.57) by exch13.domain.local
(10.5.4.64) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend
Transport; Thu, 11 Apr 2019 06:27:59 -0700
X-Spam-Status: No
X-domain-MailScanner-EFA-Watermark: 1555594092.25085@2iOHl+CfjNEJTOoWuENANA
X-domain-MailScanner-EFA-From: jdoe@domain.com
X-domain-MailScanner-EFA: Found to be clean
X-domain-MailScanner-EFA-ID: 54A3C2005F.AAC67
X-domain-MailScanner-EFA-Information: Please contact admin@domain.com for more information
Received: from relay1.live.com (unknown [10.5.4.244])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F
for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)
Subject: Important: Your system was compromised!
From: "jdoe@" <domain.com jdoe@domain.com>
To: "jdoe@" <domain.com jdoe@domain.com>
Date: Thu, 11 Apr 2019 08:27:33 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="===============7383535216796029040=="
Message-ID: <3ef4c2c64d234b7d837ae9abbfb05e1f@exch13.domain.local>
Return-Path: jdoe@domain.com
For a legitimate internal message the From: header is: "John Doe" <jdoe@domain.com>
For this spoofed message the From: header is: "jdoe@" <domain.com jdoe@domain.com>
So I guess my immediate question is "What can I do in the short term to stop these?"
TIA
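Added example, not part of the original post and not code from EFA or Exchange: a Python script that turns the tells visible in the headers above into checks a mail-gateway rule would enforce. It flags a From: whose angle-addr is malformed (whitespace inside <...>), a display name that itself looks like an address and differs from the real addr-spec, a message addressed from a mailbox to itself, and, the condition that actually matters for the short-term fix, a From: in your own domain that entered the edge MTA from a host that is not one of your own servers. The spoof sample is the Outlook copy of the headers quoted in the post (already sanitised there); the trusted-host set and the legitimate control message are assumptions made for the demonstration.

```python
"""Header-anomaly checks for the self-addressed spoof described in the post.

Added example; not code from the original post, EFA or Exchange. SPOOF_HEADERS
is the Outlook copy of the headers quoted in the post; LEGIT_HEADERS and
TRUSTED_INTERNAL_IPS are constructed assumptions for the demonstration.
"""
import re
from email.parser import HeaderParser

OUR_DOMAIN = "domain.com"
EDGE_HOST = "efa.domain.com"
# Assumption: the only hosts allowed to hand the edge MTA a message whose From:
# is in our own domain. 10.5.4.64 (exch13) and 10.5.4.57 (efa) are the internal
# hops visible in the post; the relay at 10.5.4.244 is deliberately not listed.
TRUSTED_INTERNAL_IPS = {"10.5.4.64", "10.5.4.57"}

ADDR_SPEC = re.compile(r'^[^\s@<>"]+@[^\s@<>"]+$')
NAME_ADDR = re.compile(r'^\s*(?:"(?P<q>[^"]*)"|(?P<p>[^<"]*?))\s*<(?P<a>[^>]*)>\s*$')
RECEIVED_FROM = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[^\]]+)\]\)")


def split_from(value):
    """Split a From:/To: value into (display name, addr-spec) with a strict
    regex rather than email.utils.parseaddr, so a malformed angle-addr is
    returned verbatim instead of being silently repaired."""
    m = NAME_ADDR.match(value)
    if not m:
        return "", value.strip()
    name = m.group("q") if m.group("q") is not None else m.group("p")
    return name.strip(), m.group("a").strip()


def entry_hop(msg):
    """Return (HELO name, IP) of the host that connected to the edge MTA,
    taken from the Received: header the edge MTA itself wrote."""
    for rcv in msg.get_all("Received", []):
        flat = " ".join(rcv.split())           # unfold continuation lines
        if " by %s " % EDGE_HOST not in flat:
            continue
        m = RECEIVED_FROM.match(flat)
        if m:
            return m.group("helo"), m.group("ip")
    return None


def analyze(raw_headers):
    """Return the list of finding codes for one message's header block."""
    msg = HeaderParser().parsestr(raw_headers)
    name, addr = split_from(msg.get("From", ""))
    findings = []
    if not ADDR_SPEC.match(addr):
        findings.append("malformed-addr")          # e.g. a space inside <...>
    if "@" in name:
        findings.append("name-looks-like-addr")    # display name mimics an address
        if name != addr:
            findings.append("name-addr-mismatch")
    if addr and addr == split_from(msg.get("To", ""))[1]:
        findings.append("self-addressed")
    # Attribute the From: to a domain by the text after the last '@', so the
    # broken 'domain.com jdoe@domain.com' still counts as our own domain.
    from_domain = addr.rsplit("@", 1)[-1].lower()
    hop = entry_hop(msg)
    if from_domain == OUR_DOMAIN and hop and hop[1] not in TRUSTED_INTERNAL_IPS:
        findings.append("internal-from-untrusted-hop")
    return findings


# Headers as quoted in the post (Outlook copy), refolded with leading spaces.
SPOOF_HEADERS = "\n".join([
    "Received: from efa.domain.com (10.5.4.57) by exch13.domain.local",
    " (10.5.4.64) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend",
    " Transport; Thu, 11 Apr 2019 06:27:59 -0700",
    "Received: from relay1.live.com (unknown [10.5.4.244])",
    " (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))",
    " (No client certificate requested)",
    " by efa.domain.com (Postfix) with ESMTPS id 54A3C2005F",
    " for <jdoe@domain.com>; Thu, 11 Apr 2019 06:28:07 -0700 (PDT)",
    "Subject: Important: Your system was compromised!",
    'From: "jdoe@" <domain.com jdoe@domain.com>',
    'To: "jdoe@" <domain.com jdoe@domain.com>',
    "Return-Path: jdoe@domain.com",
    "",
])

# Constructed control case: ordinary external mail through the same edge MTA.
LEGIT_HEADERS = "\n".join([
    "Received: from mail.example.net (mail.example.net [198.51.100.7])",
    " by efa.domain.com (Postfix) with ESMTPS id 0123456789",
    " for <jdoe@domain.com>; Thu, 11 Apr 2019 07:00:00 -0700 (PDT)",
    "Subject: Meeting notes",
    'From: "Alice Smith" <alice@example.net>',
    'To: "John Doe" <jdoe@domain.com>',
    "",
])

if __name__ == "__main__":
    for label, hdrs in (("spoof", SPOOF_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, analyze(hdrs) or "no findings")
```

The last check is the one to turn into gateway policy: mail arriving at efa.domain.com from anything other than your own servers should not be allowed to carry a From: (or envelope sender) in domain.com, whether expressed as a Postfix sender restriction or header check on the EFA box or as an Exchange transport rule, and backed by an SPF record and a DMARC policy so that other receivers reject the same spoof. The display-name and malformed-address checks are weaker signals on their own; here they just show why the Outlook copy renders the sender as "jdoe@" rather than "John Doe".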