Bad actors impersonating Microsoft Billing using rogue on-prem. Exchange > M365 tenants
Everyone should be aware and watch out for these very believable spoofs coming from email address removed for privacy reasons.
If you have Threat Explorer (Defender Portal > Email & Collaboration > Explorer) or Advanced Hunting (EmailEvents table) available, you can find these messages by looking for these criteria:
– Sender From Address: email address removed for privacy reasons
– Sender MailFrom Domain: Not equal to Microsoft.com
If you’re getting these, you’ll notice the MailFrom domain is an ever-changing list of rogue tenants (e.g., <rogueTenant123>.onmicrosoft.com). The MailFrom address starts with “bounces”, like this: “bounces+srs=<12345567890abcxyz>@<rogueTenant123>.onmicrosoft.com”, which lets us see that these bad actors are using an on-premises Exchange server with an SMTP Receive Connector and then a Send Connector up and out via EXO/EOP.
These things pass SPF, DKIM, and DMARC, and so only get detected via General/Advanced filter and/or Fingerprint Matching (which only means a loose match; there’s no specific fingerprint/ID involved).
The subject seems to always be “Your Microsoft order on September 23, 2024”, with the date being the current date.
Some people have raised this on Reddit, for example: email address removed for privacy reasons – Suspicious email : r/DefenderATP (reddit.com)
I’ve been working with MS Support to try and get this addressed. We’re seeing a lot of these, and so far it’s been many, many different rogue tenants, so it seems like the bad actors are working overtime and successfully standing up tenant after tenant to get these things out.
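For anyone with Advanced Hunting, here is an added KQL query (not from the original post) that turns the two criteria above into a hunt over the EmailEvents table and groups the hits by MailFrom domain, so the list of rogue tenants falls out directly. The “<senderFromAddress>” placeholder stands for the spoofed Microsoft Billing address that was redacted above and must be filled in; the 30-day window and the “bounces+srs=” narrowing are assumptions you can loosen.

```kql
// Added hunting query, not from the original post.
// Replace <senderFromAddress> with the spoofed Microsoft Billing sender (redacted above).
EmailEvents
| where Timestamp > ago(30d)                          // assumption: adjust the window as needed
| where SenderFromAddress =~ "<senderFromAddress>"   // criterion 1: header From is the spoofed address
| where SenderMailFromDomain !~ "microsoft.com"      // criterion 2: envelope MailFrom is NOT microsoft.com
// Optional narrowing: the SRS-rewritten bounce address that shows the on-prem Exchange relay path.
// Remove this line to also catch variants that do not use SRS.
| where SenderMailFromAddress startswith "bounces+srs="
// AuthenticationDetails is a JSON string with SPF/DKIM/DMARC/CompAuth results.
| extend AuthDetails = parse_json(AuthenticationDetails)
| extend SPF = tostring(AuthDetails.SPF),
         DKIM = tostring(AuthDetails.DKIM),
         DMARC = tostring(AuthDetails.DMARC)
// One row per rogue tenant: volume, reach, time span, and how many passed all three auth checks.
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            FullyAuthenticated = countif(SPF =~ "pass" and DKIM =~ "pass" and DMARC =~ "pass"),
            Delivered = countif(DeliveryAction =~ "Delivered"),
            SampleSubject = any(Subject),
            SampleMailFrom = any(SenderMailFromAddress),
            SampleNetworkMessageId = any(NetworkMessageId)
            by SenderMailFromDomain
| order by LastSeen desc
```

Comparing the Messages and Delivered columns shows how many of these actually reached inboxes despite passing authentication; the SampleNetworkMessageId can be pasted into Threat Explorer to pull up the message and submit it. Dropping the summarize stage gives you one row per message if you need to feed recipients into a remediation action.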