How can we improve compliance or protect your users better in Office 365?

Phishing attacks using Office 365 compromised Accounts/ ATP safe links not working

Hello Microsoft ATP Team,

This is to bring to your notice that spammers/phishers have started targeting Office 365 tenants, which creates a mail loop between Office 365 hosted domains, and these emails are getting circulated, through which accounts get compromised. We had a lot of incidents happening in our environment. As these emails are getting generated from the actual account hosted in Office 365, the emails are considered to be safe and land in users' Inbox. We have an ATP safe links policy in place; however, it's not performing the job as expected. ATP is a great feature, but we request you all to look into this matter on a larger scale. We have created a case with Microsoft Support for Office 365.

413 votes
    Gaurav Anand shared this idea

    20 comments

      • James Read commented

        The worst is when you contact premier support and the technician will tell you that is how the spam filter works and they cannot do anything about this.

      • Khaled Salameh commented

        My customers are suffering from this issue. Many of them are receiving SPAM emails containing malicious links from other Office 365 tenants, and there is literally no way to stop them from coming!

      • Tony commented

        Can we get a site that we can report compromised tenants?
        I just got one, also use ATP and the link takes you to a compromised tenant which redirects to a different site to harvest credentials.

        https://herts365-my.sharepoint.com/personal/jz17aad_herts_ac_uk/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fjz17aad_herts_ac_uk%2FDocuments%2FAdobe-Contract%2Epdf&parent=%2Fpersonal%2Fjz17aad_herts_ac_uk%2FDocuments&slrid=02c58d9e-2051-6000-b458-cb69ff8129c8

        There should be a way we can report these sites, and someone should be able to take immediate action.

      • Anthony Castro commented

        I've had the same issues as others. Post completing a migration to O365, we've noticed a huge increase in spam/phishing attacks across the board. ATP seems to catch some of it, but this seems like something that should be included, not an extra feature. Never had this issue on Gmail.

      • Anonymous commented

        Microsoft, please fix this issue. I have had to work almost 1000 user accounts to correct this issue.

      • Mike Mason commented

        Microsoft just announced a change to their anti-spoofing so that it's available to everyone instead of just E5, which is great, however I would like to know, was the question about the possibility of other O365 tenants automatically being trusted more in the spam filter also answered? All incoming email regardless of where from should be treated the same.

      • Austin Janey commented

        As an Office 365 admin for multiple organizations, I would implore Microsoft to rethink how they offer protection for Office 365 tenants as a whole.

        At no point should customers be asked to pay for higher levels of security. By making customers pay for advanced threat protection, you are telling attackers that not all customers are equal and some are much easier targets than others.

        This is a core problem with the security of the Microsoft cloud and, if left unaddressed, will become more problematic in the future, especially since it's relatively easy to figure out who customers are based on public DNS records and target phishing attacks at them.

        ATP as a product offering should be applied by default to anyone who has Exchange at no extra cost. I recently saw an attack on one of my users where an attacker had used an O365 hosted SharePoint site to upload and share malware; this slipped through ATP on our end. This is getting worse, guys.

      • Tyler Bell commented

        Microsoft has little to no threat intelligence for phishing attacks. This is only a rampant issue for 365. It does not happen on this scale with G Suite.

      • Mike Mason commented

        This is a huge problem for us. We just migrated a couple customers to O365 and spam has increased dramatically. They all look like O365 emails. I'm afraid to even implement more things like OneDrive because they get OneDrive-looking spam too. The Barracuda beforehand blocked most of it before they were on local Exchange servers, but now even with the spam filter set to VERY on, our customers are getting this stuff hardcore. As someone else commented below, forwarding these emails to Gmail gets them flagged right away.

        Now we look terrible to the customer and I'm soured even more on Microsoft stuff.

      • Chris Hager commented

        This is HUGE. The problem worsens the more people migrate to O365. We've performed a number of these migrations but are considering switching to G Suite because this has gotten so problematic for our clients.

      • kyle commented

        Had 4 users fall for a phishing attempt back in June. This is not OK.

      • TW commented

        Significant increase in all of my customers running O365 over past 3 weeks - as other posters have said, really hard explaining why our move to "upgraded solution of Office 365" is having many more spam email issues than old solution, and the natives are getting restless - MS needs to resolve ASAP.

      • Justin commented

        This has become embarrassing for our company. We recently migrated a client that was literally still on POP and they've been getting dozens of these daily. And so I have to (try to) explain why Microsoft somehow has less control over spam and phishing than the old POP host they're coming from.

      • Matthew Henry commented

        Agreed! Using both Google and O365, I don't have problems with Google. Could MS and Google work together and share algorithms?

      • Jacob S commented

        This is constantly happening to us. Are MS phishing algorithms not capable of picking up compromised O365 accounts? It seems like a daily occurrence. ATP is actually more dangerous as it tells the user that the link is safe even when it isn't. MS should also disable accounts and inform the tenant that they are compromised after human review of messages.