Phishing attacks using Office 365 compromised Accounts/ ATP safe links not working
Hello Microsoft ATP Team,
This is to bring to your notice that spammers/phishers have started targeting Office 365 Tenants which creates a mail loop between Office 365 hosted domains and these emails are getting circulated through which accounts gets compromised. We had a lot of incidences happening in our environment, As these emails are getting generated from the actual account hosted in Office 365 the email are considered to be safe and lands in users Inbox. We have ATP safe links policy in place however its not performing the job as expected. ATP is a great feature but we request you all to look in this matter on a larger scale. We have created a case with Microsoft Support for Office 365.
ATP does not consider mails from other Office 365 tenants, or even mailboxes inside of your tenant, as safe. The best way to put a stop to this is to follow the recommendations in SecureScore for your tenant; and report phishing mails to us promptly. Also, make sure that the sender is not allowed either by the tenant configuration or the user safelist.
Chris Hager commented
This is HUGE. The problem worsens the more people migrate to O365. We've performed a number of these migrations but are considering switching to G Suite because this has gotten so problematic for our clients.
had 4 users fall for a phishing attempt back in June. This is not OK.
Signifigant increase in all of my customers running O365 over past 3 weeks - as other posters have said, really hard explaining why our move to "upgraded solution of Office 365" is having many more spam email issues than old solution, and the natives are getting restless - MS needs to reslove ASAP
This has become embarrassing for our company. We recently migrated a client that was literally still on POP and they've been getting dozens of these daily. And so I have to (try to) explain why Microsoft somehow has less control over spam and phishing than the old POP host they're coming from.
Redditor hot-ring suggested using mail flow rules to prevent autoforward emails from being generated. https://i.imgur.com/4ymD08W.png example policy. Overall discussion can be found at https://www.reddit.com/r/sysadmin/comments/8waf8z/office_365_phishing_emails_are_because_of_a/.
Additional suggestions included requiring 2FA, and using 3rd party mail filtering services.
Kevin Hinchman commented
I agree. What's the status on a resolution for this vulnerability?
Matthew Henry commented
Agreed! Using both Google and O365, I don't have problems with Google. Could MS and Google work together and share algorithms?
Jacob S commented
This is constantly happening to us. Are MS phishing algorithms not capable of picking up compromised O365 accounts? It seems like a daily occurance. ATP is actually more dangerous as it tells the user that the link is safe even when it isn't. MS should also disable accounts and inform the tenant that they are compromised after human review of messages.
Ainul Haque commented
Completely agreed., Microsoft should come up with additional securities.
Requesting you to look into this as we had big issue.
I agree to above points, Microsoft must bring in additional security.