Phishing attacks using Office 365 compromised Accounts/ ATP safe links not working
Hello Microsoft ATP Team,
This is to bring to your notice that spammers/phishers have started targeting Office 365 Tenants which creates a mail loop between Office 365 hosted domains and these emails are getting circulated through which accounts get compromised. We had a lot of incidents happening in our environment. As these emails are getting generated from the actual account hosted in Office 365, the emails are considered to be safe and land in users' Inboxes. We have an ATP safe links policy in place; however, it's not performing the job as expected. ATP is a great feature but we request you all to look into this matter on a larger scale. We have created a case with Microsoft Support for Office 365.
ATP does not consider mails from other Office 365 tenants, or even mailboxes inside of your tenant, as safe. The best way to put a stop to this is to follow the recommendations in SecureScore for your tenant; and report phishing mails to us promptly. Also, make sure that the sender is not allowed either by the tenant configuration or the user safelist.
Netanel Adar commented
The response from Microsoft Premier Support Tier 3:
“I clarified with our Spam team that users are welcome to create trial accounts in order to test the service. As for the type of mail they send, if it's malicious, the expectation is that Exchange Online's filtering will detect it (whether it be our Malware filtering or Spam filtering). If it's not, as you're seeing in some cases, submitting those samples to Microsoft is the most effective way to allow our rules to start flagging them going forward.” -1/13/2020
“There are no plans that can prevent users from creating accounts as they do. Our Spam filtering is what is used and strengthened in the event accounts like this are created and they try to send out spam. While the numbers aren't public, if it's apparent spam is being delivered from an account in our service, it doesn't take long for them to get banned and the account investigated and shut down in the event that this is what's taking place.” -1/17/2020
Netanel Adar commented
"ATP does not consider mails from other Office 365 tenants, or even mailboxes inside of your tenant, as safe."
THAT IS NOT TRUE. We turned up all the settings on EOP and ATP to the most strict and the majority of phishing emails we are getting are from other O365 tenants
Still an issue in 2020 - this is a joke
There must be more that can be done here. Scammers are getting through just by spoofing O365 domains from different O365 tenants. SPF passes, and even though there's no DKIM signature the phishing just glides in like it's legit. This isn't a customer problem. Our EOP policies are tight, our secure score is nearly maxed out, and we report hundreds of these every day, but they still come through. The problem is with the trust bonus Microsoft gives itself.
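The situation in the comment above (SPF passes, no DKIM signature) can be triaged from the `Authentication-Results` header, because SPF only authorizes sending IPs and shared sending infrastructure can pass it for more than one customer. This is an added example, not part of the thread or of Microsoft's filtering; the sample messages, domains and verdict names are constructed, and alignment is simplified to a suffix match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(value):
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def _aligned(a, b):
    # Simplified relaxed alignment (suffix match); real DMARC compares
    # organizational domains using the Public Suffix List.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def triage(raw):
    msg = message_from_string(raw)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    # Only the topmost header is read, assuming your own gateway stamped it;
    # lower Authentication-Results headers can be supplied by the sender.
    ar = msg.get("Authentication-Results", "")
    res = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", ar)
    dkim_d = re.search(r"header\.d=([^\s;]+)", ar)
    spf_ok = bool(res.get("spf") == "pass" and mailfrom
                  and _aligned(_domain(mailfrom.group(1)), from_dom))
    dkim_ok = bool(res.get("dkim") == "pass" and dkim_d
                   and _aligned(_domain(dkim_d.group(1)), from_dom))
    if dkim_ok:
        return "dkim-aligned"        # signed by the visible From domain
    if spf_ok:
        return "spf-only"            # passes on sending IP alone, unsigned
    if res.get("spf") == "pass":
        return "spf-pass-unaligned"  # SPF passed for a different domain
    return "unauthenticated"

# Constructed samples; every domain and the authserv-id are placeholders.
_FROM = "From: Accounts <billing@partner.example>\n\nInvoice attached\n"
SPF_ONLY = ("Authentication-Results: mx.victim.example; spf=pass "
            "smtp.mailfrom=partner.example; dkim=none\n" + _FROM)
UNALIGNED = ("Authentication-Results: mx.victim.example; spf=pass "
             "smtp.mailfrom=bounce.tenant-a.example; dkim=none\n" + _FROM)
SIGNED = ("Authentication-Results: mx.victim.example; spf=pass "
          "smtp.mailfrom=partner.example; dkim=pass "
          "header.d=partner.example\n" + _FROM)

if __name__ == "__main__":
    for name in ("SPF_ONLY", "UNALIGNED", "SIGNED"):
        print(name, "->", triage(globals()[name]))
```

Messages landing in `spf-only` or `spf-pass-unaligned` are the ones worth routing to quarantine or review rather than the Inbox.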
Stuart Hargreaves commented
Try www.spambrella.com which works very well with O365
Which is why we are abandoning O365 for spam filtering and commencing the implementation of a non-Microsoft spam filtering solution.
As of today (17 Sep 2019) I have seen 23 (very obvious) phishing emails from other O365 tenants which Microsoft have allowed through.
I do diligently report EVERY SINGLE instance, but never see any change or get a response from Microsoft.
I'm extremely disappointed in the inability of Microsoft to take this situation seriously. My 'home grown' transport rules are far more effective than what Microsoft can offer in identifying spam!
Sorry Microsoft, but I've been waiting 18 months for you to wake up, but you're asleep at the wheel, while your customers are deluged with criminals knocking on their doors.
Wesley Kirkland commented
MS - Why would ATP not consider your internal tenant and other tenants? You're saying because they use an MS service you're safe and no bad actors can ever get through.
Maqsood Pasha commented
Phishing attacks using Office 365 compromised Accounts/Tenant exceed threshold.
Hello Microsoft Team,
This is to bring to your notice that spammers/phishers have started targeting Office 365 Tenants which creates a mail loop between Office 365 hosted domains and these emails are getting circulated through which accounts get compromised. We had a lot of incidents happening in our environment and our tenant is exceeding the threshold, due to which we are unable to send emails to any external domain. We raised the issue with MS tech support 4 weeks back and the issue has not been fixed permanently. This is impacting our business regularly, especially during the weekends, and the MS product support team is not supporting during the weekend. As these emails are getting generated from the actual account hosted in Office 365, the emails are considered to be safe and land in users' Inboxes. We have an ATP safe links policy in place; however, it’s not performing the job as expected. ATP is a great feature but we request you all to look into this matter on a larger scale. We have created a case with Microsoft Support for Office 365.
Hello, please, I need someone to help me. A madman has taken my name and everything of mine: my Facebook, my email accounts, PayPal, everything, even my own mobile phone, which I can no longer get into. He is very dangerous. My name is amassante ndiaye. Please, I don't know what to do anymore, and my phone is 0032465976482
Paul Siwek commented
Any response on this, @Microsoft? It's been 2 months since your last update, in which you didn't even specify what other information you required!!
Paul Siwek commented
We too have had issues in the last month whereby student and staff accounts have been sending out spam. We only noticed because they would eventually come and say their account had been blocked for sending too much spam.
We sent out an email forcing all users affected by the Edmodo Hack to change their passwords, and I put a rule in place to only allow outbound messages if the origin was a domain within our tenant. So far that seems to be working, apart from some of those that have ignored our emails to change their password.
Khaled Salameh commented
@James Read Exactly! Had the same issue, their support asked me to add one of the Office 365 IP addresses to the IP Block-list, claiming that it would solve the problem! They're not taking quick action on such a critical issue!
James Read commented
The worst is when you contact premier support and the technician will tell you that is how the spam filter works and they cannot do anything about this.
Khaled Salameh commented
My customers are suffering from this issue, many of them are receiving SPAM emails containing malicious links from other Office 365 Tenants, and there is literally no way to stop them from coming!
Can we get a site that we can report compromised tenants?
I just got one, also use ATP and the link takes you to a compromised tenant which redirects to a different site to harvest credentials.
There should be a way we can report these sites and someone should be able to take immediate action.
Anthony Castro commented
I've had the same issues as others. After completing a migration to O365 we've noticed a huge increase in spam/phishing attacks across the board. ATP seems to catch some of it but this seems like something that should be included, not an extra feature. Never had this issue on Gmail.
Microsoft, please fix this issue. I have had to work almost 1000 user accounts to correct this issue.
Mike Mason commented
Microsoft just announced a change to their anti-spoofing so that it's available to everyone instead of just E5, which is great, however I would like to know, was the question about the possibility of other O365 tenants automatically being trusted more in the spam filter also answered? All incoming email regardless of where from should be treated the same.
Austin Janey commented
As an office 365 admin for multiple organizations, I would implore Microsoft to rethink how they offer protection for Office 365 tenants as a whole.
At no point should customers be asked to pay for higher levels of security, by making customers pay for advanced threat protection you are telling attackers that not all customers are equal and some are much easier targets than others.
This is a core problem with the security of the Microsoft cloud and if left unaddressed will become more problematic in the future, especially since it's relatively easy to figure out who customers are based on public DNS records and target phishing attacks at them.
ATP as a product offering should be applied by default to anyone who has Exchange at no extra cost, I recently saw an attack to one of my users where an attacker had used an O365 hosted SharePoint site to upload and share malware, this slipped through ATP on our end. This is getting worse guys.
Tyler Bell commented
Microsoft has little to no threat intelligence for phishing attacks. This is only a rampant issue for 365. It does not happen on this scale with G Suite.
Mike Mason commented
This is a huge problem for us. We just migrated a couple customers to O365 and spam has increased dramatically. They all look like O365 emails. I'm afraid to even implement more things like OneDrive because they get OneDrive looking spam too. The Barracuda beforehand blocked most of it before they were on local Exchange servers, but now even with the spam filter set to VERY on our customers are getting this stuff hardcore. As someone else commented below forwarding these emails to GMail gets them flagged right away.
Now we look terrible to the customer and I'm soured even more on Microsoft stuff.