Another day, another bit of crap. This time an Office 365 tenant has been sent what appears to be a simple phishing email, but on closer inspection it looks far more worrying.
First worrying sign: the message had been sent to nearly the entire organisation over a few hours. That on its own isn't unusual; plenty of campaigns harvest and then spam as many contacts as they can find within an organisation.
However, in this instance the phishing was also sent to:
- A system address only used by an intranet system to deliver notifications to staff members
- A personal email account on a personal domain of one of the directors, hosted on the company Office 365 system
- Two internal-only mailing list addresses on their .onmicrosoft domain
Now, their setup is slightly unusual. They also use the cloud service "Exclaimer" to add signatures to their messages. Other than Office 365 itself (which I'm fairly sure is securely set up and has not been accessed), the only other place all of the above addresses will have been processed together is Exclaimer!
Query 1:
Has Exclaimer been breached, or has the Exclaimer administration account for the tenant been hacked?
OK, on to the next suspicious thing. The message trace shows the messages as coming from "40.107.3.49", "40.107.0.55", "40.107.6.41" and so on. All of these IPs belong to Office 365 itself. In most phishing cases you would instead see the IP of the sending scammer, e.g. some hacked company mail server in *pick a random country here*.
So all of the phishing appears to have been handed to us from inside the Office 365 ecosystem, by another tenant. Office 365 does, however, record the IP that originally delivered the message into that other tenant (the X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp header in the full headers below):
"88.99.21.183" (rDNS "static.183.21.99.88.clients.your-server.de"), with an SMTP EHLO of "dossiermpa.com" and a return path on "davidbrown.com". At that first hop SPF failed for davidbrown.com and the message carried no DKIM signature (see Authentication-Results-Original below); by the time the other tenant had sent it on to us through Microsoft's outbound servers it scored spf=pass and a verified DKIM signature for davidbrown.com, because the second SPF check was run against 40.107.4.55 rather than the real source.
Query 2:
Why is Microsoft accepting, and delivering to the inbox, a message relayed from another Office 365 tenant that presents itself as coming from the domain invoice.office365.com? Note that the Microsoft-looking address is in the Sender: header; the Authentication-Results lines show header.from= empty, so DMARC had no From: domain to evaluate and simply reports dmarc=none.
The phishing site was hosted at "hxxps://upditeies-limitednow.me/azvkypykip/Titan_gel_MA_Grey/".
The IP it is hosted on ("95.216.174.190", rDNS "static.190.174.216.95.clients.your-server.de", so the same hosting provider as the sending IP above, going by the rDNS) is associated with dozens of other suspicious domains, almost all built as {confirm,help,limited,account,servise}-{surname}.{info,net,org,online,com}:
upditeies-limitednow.me honore-riviere.com help-somerdagenais.net confirm-marphisadurand.info www.confirm-alexisflamand.info confirm-alexisflamand.info www.limited-alexisflamand.net www.confirm-nadinelamarre.info www.help-nadinelamarre.org account-nadinelamarre.online servise-nadinelamarre.com account-alexisflamand.online www.limited-nadinelamarre.net www.help-alexisflamand.org limited-alexisflamand.net www.account-alexisflamand.online help-alexisflamand.org help-nadinelamarre.org www.servise-alexisflamand.com servise-alexisflamand.com www.account-nadinelamarre.online www.servise-nadinelamarre.com limited-nadinelamarre.net servise-marphisadurand.com www.confirm-marphisadurand.info www.servise-marphisadurand.com www.upditeies-limitednow.com www.upditeies-limitednow.net www.limited-marphisadurand.net upditeies-limitednow.com upditeies-limitednow.net limited-marphisadurand.net www.upditeies-limitednow.org upditeies-limitednow.org www.upditeies-limitednow.me paul-collet.org servise-somerdagenais.info paul-collet.com honore-riviere.org confirm-somerdagenais.com olivierloiseau.org olivierloiseau.com limited-somerdagenais.org www.account-marphisadurand.online account-marphisadurand.online internertweb-updates.info web-emailae-update0verfiy.com help-aubrettegoudreau.org paul-collet.fr honore-riviere.fr www.paul-collet.org www.paul-collet.online paul-collet.online honore-riviere.online www.honore-riviere.fr www.paul-collet.fr www.honore-riviere.online www.honore-riviere.org www.paul-collet.com www.honore-riviere.com help-marphisadurand.org www.help-marphisadurand.org emailae-update0verfiy-shop.com emailae-update0verfiy.com confirm-ancelinajodion.info confirm-tristanlampron.com internertweb-updates.net help-tristanlampron.net limited-ancelinajodion.net internertweb-updates.com limited-tristanlampron.org servise-aubrettegoudreau.com servise-ancelinajodion.com servise-tristanlampron.info help-ancelinajodion.org www.confirm-aubrettegoudreau.info 
www.limited-aubrettegoudreau.info www.confirm-somerdagenais.com www.help-somerdagenais.net www.limited-tristanlampron.org www.olivierloiseau.org www.help-ancelinajodion.org limited-aubrettegoudreau.info confirm-aubrettegoudreau.info account-somerdagenais.online account-tristanlampron.online olivierloiseau.fr www.account-aubrettegoudreau.online www.servise-aubrettegoudreau.com www.help-aubrettegoudreau.org www.confirm-ancelinajodion.info www.internertweb-updates.info www.servise-tristanlampron.info www.olivierloiseau.com www.servise-ancelinajodion.com www.confirm-tristanlampron.com www.emailae-update0verfiy.com www.web-emailae-update0verfiy.com www.internertweb-updates.com www.emailae-update0verfiy-shop.com www.limited-ancelinajodion.net www.help-tristanlampron.net www.internertweb-updates.net www.account-tristanlampron.online www.account-ancelinajodion.online limited-frontinogareau.org servise-frontinogareau.info help-frontinogareau.net static.190.174.216.95.clients.your-server.de www.servise-frontinogareau.info confirm-frontinogareau.com account-frontinogareau.online www.account-frontinogareau.online www.limited-somerdagenais.org www.limited-frontinogareau.org www.help-frontinogareau.net www.account-somerdagenais.online www.confirm-frontinogareau.com www.olivierloiseau.fr
And for those interested, here is the message (headers trimmed and redacted for readability and privacy):
Authentication-Results: spf=pass (sender IP is 40.107.4.55) smtp.mailfrom=davidbrown.com; MYCLIENT.com; dkim=pass (signature was verified) header.d=davidbrown.com;MYCLIENT.com; dmarc=none action=none header.from=;
Received-SPF: Pass (protection.outlook.com: domain of davidbrown.com designates 40.107.4.55 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.4.55; helo=EUR03-DB5-obe.outbound.protection.outlook.com;
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (40.107.4.55) by HE1EUR02FT064.mail.protection.outlook.com (10.152.11.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1273.13 via Frontend Transport; Tue, 23 Oct 2018 16:11:54 +0000
Received: from HE1PR1001CA0019.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:3:f7::29) by DB6PR10MB0725.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:4:15::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1250.22; Tue, 23 Oct 2018 16:11:52 +0000
Received: from VE1EUR02FT035.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e06::203) by HE1PR1001CA0019.outlook.office365.com (2603:10a6:3:f7::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1250.29 via Frontend Transport; Tue, 23 Oct 2018 16:11:52 +0000
Authentication-Results-Original: spf=fail (sender IP is 88.99.21.183) smtp.mailfrom=davidbrown.com; MYCLIENT.com; dkim=none (message not signed) header.d=none;MYCLIENT.com; dmarc=none action=none header.from=;
Received-SPF: Fail (protection.outlook.com: domain of davidbrown.com does not designate 88.99.21.183 as permitted sender) receiver=protection.outlook.com; client-ip=88.99.21.183; helo=dossiermpa.com;
Received: from dossiermpa.com (88.99.21.183) by VE1EUR02FT035.mail.protection.outlook.com (10.152.12.86) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id 15.20.1273.13 via Frontend Transport; Tue, 23 Oct 2018 16:11:52 +0000
Subject: Re: Your Office 365 Business Essentials Invoice is ready
Sender: Microsoft Business Team MicrosoftBusinessTeam329e71ec88ae4615bbc36ab6ce41109e@invoice.office365.com
To: Abbey@MYCLIENT.com
Reply-To: reply@dalsim.com
Date: Tue, 23 Oct 2018 16:11:40 +0000
Drop-Meta: 62|25
Message-ID: faed6018-ca2b-46b0-b4f4-b072cd2f48ac@VE1EUR02FT035.eop-EUR02.prod.protection.outlook.com
Return-Path: iUKColEkMeZo7vH5OaN7@davidbrown.com
X-MS-PublicTrafficType: Email
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR10MB0725
X-MS-Exchange-Organization-ExpirationStartTime: 23 Oct 2018 16:11:54.8292 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 94937107-7be9-4dc9-897a-08d639024023
X-EOPTenantAttributedMessage: 2aecf525-26af-4ef0-ba9e-81f8e867124e:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped: HE1EUR02FT064.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: HE1EUR02FT064.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthSource: HE1EUR02FT064.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Oct 2018 16:11:54.3448 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 94937107-7be9-4dc9-897a-08d639024023
X-MS-Exchange-CrossTenant-Id: 2aecf525-26af-4ef0-ba9e-81f8e867124e
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=703881f1-4a8d-40cc-a227-61817e51328a;Ip=[88.99.21.183];Helo=[dossiermpa.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR02MB1213
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.7045931
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1228.033
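Pulling the facts that matter out of that header block by hand is error-prone, so here is an added example (mine, not code from the original post) that does it with the Python standard library. The header string inside it is a constructed, reduced copy of the headers quoted above: the angle brackets around the Sender and Return-Path addresses are restored, one internal Office 365 hop and the cipher details are dropped, and MYCLIENT.com is the post's own redaction. It compares Authentication-Results against Authentication-Results-Original, reads the tenant and IP that Office 365 attributed the original submission to, walks the Received chain, and flags the relay, the SPF/DKIM change across it, the missing From: header and the disagreeing Sender/Reply-To/Return-Path domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: a reduced copy of the headers quoted above, in the
# same order. For a real case, paste the full header block (or the text of a saved
# .eml) into this string instead.
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 40.107.4.55) smtp.mailfrom=davidbrown.com; MYCLIENT.com; dkim=pass (signature was verified) header.d=davidbrown.com;MYCLIENT.com; dmarc=none action=none header.from=;
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (40.107.4.55) by HE1EUR02FT064.mail.protection.outlook.com (10.152.11.88) with Microsoft SMTP Server id 15.20.1273.13 via Frontend Transport; Tue, 23 Oct 2018 16:11:54 +0000
Received: from VE1EUR02FT035.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e06::203) by HE1PR1001CA0019.outlook.office365.com (2603:10a6:3:f7::29) with Microsoft SMTP Server id 15.20.1250.29 via Frontend Transport; Tue, 23 Oct 2018 16:11:52 +0000
Authentication-Results-Original: spf=fail (sender IP is 88.99.21.183) smtp.mailfrom=davidbrown.com; MYCLIENT.com; dkim=none (message not signed) header.d=none;MYCLIENT.com; dmarc=none action=none header.from=;
Received: from dossiermpa.com (88.99.21.183) by VE1EUR02FT035.mail.protection.outlook.com (10.152.12.86) with Microsoft SMTP Server id 15.20.1273.13 via Frontend Transport; Tue, 23 Oct 2018 16:11:52 +0000
Subject: Re: Your Office 365 Business Essentials Invoice is ready
Sender: Microsoft Business Team <MicrosoftBusinessTeam329e71ec88ae4615bbc36ab6ce41109e@invoice.office365.com>
To: Abbey@MYCLIENT.com
Reply-To: reply@dalsim.com
Return-Path: <iUKColEkMeZo7vH5OaN7@davidbrown.com>
X-MS-Exchange-CrossTenant-Id: 2aecf525-26af-4ef0-ba9e-81f8e867124e
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=703881f1-4a8d-40cc-a227-61817e51328a;Ip=[88.99.21.183];Helo=[dossiermpa.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet

"""

VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
SENDER_IP_RE = re.compile(r"sender IP is ([0-9a-fA-F.:]+)")
DKIM_DOMAIN_RE = re.compile(r"header\.d=([^;\s]+)")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)\s]+)\)\s+by\s+(\S+)")


def auth_verdicts(value):
    """spf/dkim/dmarc verdicts from one Authentication-Results value, plus the IP
    the SPF verdict was computed for and the DKIM signing domain (header.d)."""
    out = dict(VERDICT_RE.findall(value))
    ip = SENDER_IP_RE.search(value)
    d = DKIM_DOMAIN_RE.search(value)
    out["ip"] = ip.group(1) if ip else None
    out["dkim_domain"] = d.group(1) if d else None
    return out


def received_hops(msg):
    """Received: headers in header order: the hop nearest us first, the
    original submitting host last."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append({"helo": m.group(1), "addr": m.group(2), "by": m.group(3)})
    return hops


def original_ingress(msg):
    """Tenant, IP and HELO that Office 365 attributed the original internet
    submission to, or None if the header is absent."""
    value = msg.get("X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp")
    if not value:
        return None
    fields = dict(kv.split("=", 1) for kv in value.split(";") if "=" in kv)
    return {"tenant": fields.get("TenantId"),
            "ip": fields.get("Ip", "").strip("[]"),
            "helo": fields.get("Helo", "").strip("[]")}


def addr_domain(value):
    """Domain of an address header, lower-cased; None if the header is missing."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() or None


def analyse(raw_headers):
    msg = message_from_string(raw_headers)
    final = auth_verdicts(msg.get("Authentication-Results", ""))
    original = auth_verdicts(msg.get("Authentication-Results-Original", ""))
    ingress = original_ingress(msg)
    domains = {"from": addr_domain(msg.get("From")),
               "sender": addr_domain(msg.get("Sender")),
               "reply_to": addr_domain(msg.get("Reply-To")),
               "return_path": addr_domain(msg.get("Return-Path"))}
    findings = []
    # 1. The tenant that first accepted the message from the internet is not ours.
    if ingress and ingress["tenant"] != msg.get("X-MS-Exchange-CrossTenant-Id"):
        findings.append("relayed from another Office 365 tenant (original source %s)" % ingress["ip"])
    # 2. SPF failed at the real ingress but passed once the relaying tenant re-sent
    #    the message from Microsoft outbound IPs that the MAIL FROM domain permits.
    if original.get("spf") == "fail" and final.get("spf") == "pass":
        findings.append("spf fail at original ingress, pass after relay")
    # 3. Unsigned on arrival, carrying a valid DKIM signature when it reached us.
    if original.get("dkim") != "pass" and final.get("dkim") == "pass":
        findings.append("dkim signature for %s added after relay" % final["dkim_domain"])
    # 4. With no From: header DMARC has nothing to align (header.from= is empty).
    if domains["from"] is None:
        findings.append("no From: header; dmarc=none carries no information")
    # 5. Sender, Reply-To and Return-Path all point at different domains.
    distinct = {d for k, d in domains.items() if d and k != "from"}
    if len(distinct) > 1:
        findings.append("sender/reply-to/return-path disagree: " + ", ".join(sorted(distinct)))
    return {"final": final, "original": original, "ingress": ingress,
            "hops": received_hops(msg), "domains": domains, "findings": findings}
```

Run `analyse(SAMPLE_HEADERS)["findings"]` and all five findings fire for this message. The two Authentication-Results headers are the key: EOP stamps the original one where the message entered Office 365, then evaluates again at the receiving tenant, and only the second verdict is what the inbox sees.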
They’ve also previously used:
hxxp://flqqoorfb.com/4413/
hxxps://cciey.co.uk/45852/
hxxp://ehdrhba.online/4785/
hxxps://sadssdas.eu/delivery/index.php
hxxp://sowodededfzo.net/delivery/index.php (a very short-lived domain, live for 8 days back in July 2018)
It's a long list, but these domains are also associated with the same infrastructure from past phishing campaigns:
www.fhjsafha-france.fr awsedmexico.com fdrfvr.com srfhrd.info esfrafrtryg-france.fr dxvqwmexico.com www.bhfutase.online www.fawhyuua.online www.esfrafrtryg.online www.fhjsafha.online www.byhiwaga.online www.fawhyuua.com www.ehdrhba.com www.bhfutase-shop.com www.fhjsafha-shop.com www.byhiwaga-shop.com www.bhfutase.com www.byhiwaga-france.com www.bhfutase-france.com www.ehdrhba-france.com www.bhysgadtya.com www.fawhyuua-france.com www.bhysgadtya-france.com www.bhysgadtya-shop.com www.ehdrhba-shop.com www.fawhyuua-shop.com www.fhjsafha.com www.fhjsafha-france.com www.byhiwaga.com www.cfwefaa-shop.com www.esfrafrtryg.com www.esfrafrtryg-france.com www.dftrwswa.com www.ftsdeaw.com www.esfrafrtryg-shop.com www.ftsdeaw-france.com www.ftsdeaw-shop.com www.cfwefaa.com www.cfwefaa-france.com ehdrhba.club ftsdeaw.club qweremexico.com qwtfsa.com srfhrdmexico.net dxfhnyd.net vuhiaywoytgh.com fdbdx.net aefwtmexico.com ygpogh.net srfhrd.com srfhrdmexico.com hgbremexico.net poiujg.com esfrafrtryg.online azxds.com azxdsmexico.com tvrferfmexico.com tvrferf.com rfqewe.com rfqewemexico.com rfsefq.com fawhyuua.online fdbdx.com fdrfvrmexico.com fdserqa.com dxvqw.com pxzxsdmexico.com hgbre.com hgbremexico.com ygpogh.com ygpoghmexico.com www.dxvqw.net www.refweq.com www.refweqmexico.com tvrferf.info www.dxfhnyd.com www.rfqewemexico.com www.azxds.com www.rfsefqmexico.com www.azxdsmexico.com www.qwtfsa.com www.ygpoghmexico.com www.dexwsmexico.net www.aefwt.com www.qweremexico.com ehdrhba.online www.fdbdx.com www.fdbdxmexico.com www.tvrferf.com bhfutase-france.fr www.poiujgmexico.com fhjsafha-france.fr www.dxvqw.com www.dxvqwmexico.com www.fdrfvr.com ehdrhba.co aefwt.net aefwtmexico.net www.hgbre.net awsed.net poiujg.net pxzxsd.com pxzxsdmexico.net qfddty.net qfddtymexico.net qfddty.com qfddtymexico.com qwere.net qwtfsa.net refweq.net dexws.com rfqewe.net rfsefq.net rwfqwmexico.net www.dexws.com www.pxzxsd.com www.dexwsmexico.com www.qwere.net www.pxzxsd.net www.qwtfsa.net 
www.pxzxsdmexico.net www.awsed.net www.ehdrhba.online bhysgadtya.club esfrafrtryg-online.fr fhjsafha.online esfrafrtryg.club www.cfwefaa.org fdserqa.net refweq.com rwfqwmexico.com ehdrhba-france.fr hiopp.com www.fhjsafha.eu awefamexico.com bhysgadtya.co fhjsafha-online.fr bhfutase.co byhiwaga.co dxvqw.net poiujgmexico.com cfwefaa.co cfwefaa.club ftsdeaw-shop.fr fhjsafha.net rfsefqmexico.com dexwsmexico.net qwtfsamexico.com fdserqamexico.com aefwt.com cfwefaa-shop.fr bhfutase.club bhysgadtya.com byhiwaga-france.fr ftsdeaw.com byhiwaga.net bhfutase.net bhysgadtya.net byhiwaga.club dftrwswa.org ehdrhba.net fawhyuua.net fawhyuua.club fhjsafha.club dexws.net dexwsmexico.com bhfutase-france.com cfwefaa-france.com byhiwaga-shop.com cfwefaa-shop.com byhiwaga.com bhfutase.com bhysgadtya-shop.com byhiwaga-france.com bhfutase-shop.com byhiwaga.org bhysgadtya-france.com cfwefaa.com fdbdxmexico.com fawhyuua.com fawhyuua-france.com ftsdeaw-france.com ehdrhba.com esfrafrtryg.com fhjsafha-shop.com fhjsafha.org esfrafrtryg-shop.com fawhyuua-shop.com ehdrhba-france.com ftsdeaw-shop.com fhjsafha.com esfrafrtryg-france.com fhjsafha-france.com ehdrhba-shop.com fawhyuua.org ehdrhba.org cfwefaa.org esfrafrtryg.org dftrwswa.com bhysgadtya.org pxzxsd.net ftsdeaw-france.fr esfrafrtryg.global ftsdeaw-online.fr ftsdeaw.co fawhyuua.co refweqmexico.com hgbre.net esfrafrtryg.net fdrfvr.net dxfhnyd.com fhjsafha.eu fawhyuua.eu bhysgadtya.eu byhiwaga.eu cfwefaa.eu bhfutase.eu esfrafrtryg.eu ehdrhba.eu
zhatr.online www.ciuruz.online www.emilt.app www.ciuruz.app www.ciuruz.com www.theciuruz.com www.myciuruz.com www.theemilt.com www.myemilt.com www.favkox.co.uk www.emilt.info www.favkoxservices.co.uk www.myfavkox.co.uk www.thefavkox.co.uk myzhatr.com icayanryit.org theemilt.org ciuruz.online hanog.me emilt.co.uk cieuy.uk cciey.com myemilt.co.uk cciey.online thefavkox.co.uk www.icayanryit.app ciuruz.app myzhatr.co.uk emilt.org zhatrservices.co.uk zhatr.uk cciey.net cieuy.net emilt.app myemilt.com
emiltservices.co.uk myemilt.org myzhatr.org zhatr.org cciey.co cieuy.org cciey.co.uk emilt.club theemilt.co.uk cciey.org emilt.net ciuruz.co cciey.club cciey.uk cciey.app emilt.info theemilt.com ciuruz.club myfavkox.org cieuy.online favkox.club thefavkox.org www.ciuruzservices.co.uk www.ciuruz.co.uk www.ciuruz.uk icayanryit.club theciuruz.co.uk favkoxservices.co.uk favkox.uk myfavkox.co.uk theciuruz.org ciuruz.org hanog.co hanog.app favkox.co favkox.org www.favkox.uk hanog.club icayanryit.co www.hanog.uk myciuruz.org icayanryit.net icayanryit.com myfavkox.com favkox.com thefavkox.com ciuruz.co.uk theciuruz.com ciuruz.com favkox.net myciuruz.com www.hanog.net ciuruz.uk icayanryit.co.uk ciuruzservices.co.uk hanog.uk hanog.net www.myciuruz.co.uk www.icayanryit.co.uk myciuruz.co.uk efced.info qqspoopiuy.net bdgdghmexico.net byiuauhwkilamexico.net cansjkhamexico.com bdgdghmexico.com dfvdmexico.net byiuauhwkila.info cansjkha.net bdgdgh.net dfvdtg.net efced.com dfvdmexico.com dnauio.com dfgtwsrmexico.com dfvdtgmexico.com dfvdtg.com byiuauhwkila.com cansjkha.com dnauiomexico.com cjikaswas.com byiuauhwkilamexico.com bdgdgh.com gkqqooed.com kgqqoosrgded.com flqqoorfb.com bdgdgh.info hjqqoorrf.com samefinalo.tk verifypozut.com sowodededfzoweb.com sowodededfzqw.com sowodededfz.com sowodededfzuweb.com sowodededfzu.net sowodededfzo.org sowodededfzoonline.org sowodededfzonline.org sowodededfzlk.org sowodededfzo.net sowodededfzshop.com sowodededfzweb.com sowodededfzoshop.com sowodededfz.org sowodededfzqw.org sowodededfz.net sowodededfzqw.net sowodededfzlkonline.org sowodededfzqwonline.org sowodededfzlkshop.com sowodededfzrweb.com sowodededfzronline.org sowodededfzr.com sowodededfzr.org sowodededfzr.net sowodededfzoonline.com sowodededfzqw.club sowodededfzlk.com sowodededfzo.club sowodededfzlk.net sowodededfzuonline.org aktatreriweb.com aktzraeri.net aktatrerionline.org loraepptonline.org aktatreri.net altoareutnonline.org etalreto.org aktatreri.org aktasaerionline.org aktaeri.net 
aktaeytarionline.com loraepptweb.com mlaotareshop.com mlaotareonline.org sowodededfzlk.club loraeppt.com www.aktasaerionline.org sowodededfzu.club aktatrerishop.com altoareutn.net aktaeytari.org aktasaeri.net loraeppt.net aktaeytarionline.org aktzraeri.org aktaerionline.org aktaeri.org aktaeytari.net etalreto.net etalretoonline.org etalretoshop.com aktzraeri.club mlaotare.net mlaotare.org aktaeytarishop.com aktasaeriweb.com aktaeri.com aktasaerionline.com loraepptonline.com aktzraeriweb.com mlaotareonline.com aktatreri.com aktaerishop.com aktasaerishop.com sowodededfzonline.com aktzraerishop.com sowodededfzqwonline.com sowodededfzushop.com aktaeriweb.com altoareutnweb.com sowodededfzuonline.com sowodededfzqwshop.com sowodededfzlkweb.com sowodededfzu.com sowodededfzqwweb.com sowodededfzlkonline.com sowodededfzo.com sowodededfzrshop.com sowodededfzronline.com etalretoweb.com mlaotare.com www.etalretoonline.org etalreto.club www.aktaeytari.net www.aktaeri.net www.aktzraeri.net www.altoareutn.net www.aktasaeri.net www.aktatreri.net sowodededfzr.club www.sowodededfzu.net www.sowodededfzr.net www.sowodededfzqw.net www.sowodededfzo.net www.verifypozut.com www.sowodededfzlk.net www.sowodededfz.net www.etalreto.net www.mlaotare.net www.loraeppt.net www.sowodededfzu.club www.sowodededfz.club www.sowodededfzqw.club www.sowodededfzo.club www.sowodededfzr.club www.sowodededfzlk.club sowodededfz.club myownhome.es mamananass.eu mamananass.club hhagebnske.eu yhnwegax.eu www.sowodededfzqwweb.com www.sowodededfzushop.com www.sowodededfzoweb.com www.sowodededfzqwshop.com www.sowodededfzqwonline.com www.sowodededfzrweb.com www.sowodededfzshop.com www.sowodededfzuonline.com www.sowodededfzoonline.com www.sowodededfzo.com www.sowodededfzqw.com www.sowodededfzu.com www.sowodededfzonline.com www.sowodededfzr.com www.sowodededfzuweb.com www.sowodededfzweb.com www.sowodededfzlkweb.com www.sowodededfzrshop.com www.sowodededfzlkonline.com www.sowodededfzlkshop.com www.sowodededfzlk.com 
www.sowodededfzoshop.com www.sowodededfz.com www.sowodededfzronline.com www.loraeppt.com www.aktaeytarishop.com www.aktasaeriweb.com www.loraepptonline.com www.etalretoweb.com www.aktzraerishop.com www.aktasaerishop.com www.aktaeriweb.com www.aktaerishop.com www.aktatrerishop.com www.mlaotare.com www.aktaeytarionline.com www.aktatreriweb.com www.aktatreri.com www.mlaotareonline.com www.aktzraeriweb.com www.etalretoshop.com www.loraepptweb.com www.aktasaerionline.com www.mlaotareshop.com www.altoareutnweb.com www.aktaeri.com www.etalreto.club www.aktzraeri.club www.aktatreri.club www.aktaeri.club www.aktaeytari.club aktatreri.club aktaeytari.club aktaeri.club zajjahend.org mamananass.es zajjahend.net zajjahend.eu yhnwegax.net mmhhsneha.com zajjahend.es quennshe.eu mmhhsneha.eu mamananass.org mamananass.net mmhhsneha.es quennshe.club yhnwegax.club yhnwegax.co quennshe.com hhagebnske.club yhnwegax.org qjensmekk.store mmhhsneha.co hhagebnske.org mmhhsneha.org zajjahend.com yhnwegax.com yhnwegax.website zajjahend.store mmhhsneha.net hhagebnske.com zajjahend.club hhagebnske.es www.yhnwegax.org zajjahend.co hhagebnske.co hhagebnske.net quennshe.co quennshe.store quennshe.net mmhhsneha.store yhnwegax.store mamananass.store www.mamananass.store www.mamananass.es www.mamananass.eu www.mamananass.net mamananass.com mamananass.co www.mmhhsneha.club www.mmhhsneha.net www.mmhhsneha.co www.mmhhsneha.es www.mmhhsneha.eu www.mmhhsneha.org www.mmhhsneha.com www.myownhome.es mmhhsneha.club
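The lists above (both the current prefix-surname cluster on 95.216.174.190 and the older mexico/france/shop and sowodededfz families) are only useful once they become a check you can run over proxy or DNS logs, so here is an added example of that, written for this post rather than taken from it. The naming patterns are read off the lists by eye and assumed to hold for domains the kit registers later; the exact-match set is a handful of entries from the lists; the proxy log lines are made up for the demonstration and the "tourismmexico.com" control is an invented name.

```python
import re
from urllib.parse import urlsplit

# A few of the indicators listed on this page. In practice the full lists above
# would be loaded from a file into this set.
KNOWN_DOMAINS = {
    "upditeies-limitednow.me", "upditeies-limitednow.com", "confirm-alexisflamand.info",
    "flqqoorfb.com", "cciey.co.uk", "ehdrhba.online", "sadssdas.eu", "sowodededfzo.net",
}

# Naming patterns read off the lists above. Assumption: the kit keeps minting names
# the same way, so these also catch domains registered after the lists were taken.
STRONG_PATTERNS = [
    # {confirm,help,limited,account,servise}-{surname}.{info,net,org,online,com}
    re.compile(r"^(?:www\.)?(?:confirm|help|limited|account|servise)-[a-z]{6,}\.(?:info|net|org|online|com)$"),
    # the upditeies-limitednow and sowodededfz clusters across their TLDs and suffixes
    re.compile(r"^(?:www\.)?upditeies-limitednow\.(?:me|com|net|org)$"),
    re.compile(r"^(?:www\.)?sowodededfz[a-z]{0,2}(?:web|online|shop)?\.(?:com|org|net|club)$"),
]
# Older campaigns used {gibberish}mexico.{com,net} and {gibberish}-{france,shop,online}.{com,fr}.
# Far too loose to block on (real businesses end in "mexico" or "-france" too),
# so a match here only raises a review flag.
WEAK_PATTERNS = [
    re.compile(r"^(?:www\.)?[a-z]{4,14}mexico\.(?:com|net)$"),
    re.compile(r"^(?:www\.)?[a-z]{4,14}-(?:france|shop|online)\.(?:com|fr)$"),
]
# Landing paths from the "previously used" URLs: a 4-5 digit directory or /delivery/index.php
PATH_RE = re.compile(r"^/(?:\d{4,5}/|delivery/index\.php$)")


def classify(url):
    """Reasons a URL looks like this actor's infrastructure; empty list if none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_DOMAINS:
        reasons.append("known-ioc")
    elif any(p.match(host) for p in STRONG_PATTERNS):
        reasons.append("kit-naming-pattern")
    elif any(p.match(host) for p in WEAK_PATTERNS):
        reasons.append("weak-naming-pattern")
    if PATH_RE.match(parts.path):
        reasons.append("kit-path")
    return reasons


def scan(log_text):
    """Run classify() over 'timestamp client method url status' lines; return the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        reasons = classify(url)
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed proxy log, not real traffic: the first two lines are what a victim of
# the mail above would produce; the remaining lines are controls.
SAMPLE_LOG = """\
2018-10-23T16:14:02Z 10.0.5.23 GET https://upditeies-limitednow.me/azvkypykip/Titan_gel_MA_Grey/ 200
2018-10-23T16:14:40Z 10.0.5.23 POST https://upditeies-limitednow.me/azvkypykip/Titan_gel_MA_Grey/login.php 302
2018-10-23T16:15:11Z 10.0.7.8 GET https://www.help-nadinelamarre.org/ 200
2018-10-23T16:16:01Z 10.0.9.41 GET https://login.microsoftonline.com/common/oauth2/authorize 200
2018-10-23T16:17:30Z 10.0.3.2 GET http://flqqoorfb.com/4413/ 200
2018-10-23T16:18:05Z 10.0.3.2 GET https://example.org/delivery/index.php 200
2018-10-23T16:19:00Z 10.0.4.4 GET https://www.tourismmexico.com/ 200
2018-10-23T16:20:00Z 10.0.4.4 GET https://www.outlook.com/mail 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
```

The three tiers matter in triage: a "known-ioc" or "kit-naming-pattern" hit on a client that then POSTs (as 10.0.5.23 does) is a credential-submission event and a password reset; a "weak-naming-pattern" or lone "kit-path" hit is something to look at, not something to block. The host match is deliberately separated from the path match so that a new domain on an old path, or an old domain on a new path, still surfaces.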