Mailing List Archive: MS-relayed spam

MS-relayed spam

Jan 1, 2024, 1:28 PM

Post #1 of 8 (231 views)

Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is using MS' inbound/outbound filtering/relaying for their email, and I'm assuming that the company (acquiretm dot com) has compromised account(s) being used for spam, and that this type of account is valuable since it's relayed through a somewhat "trusted" entity (MS). Stumped on the empty envelope from though...

Thanks,

Charles

Full headers inline:

Return-Path: <MAILER-DAEMON>
Delivered-To: MYEMAIL@MYDOMAIN.COM
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
for <MYEMAIL@MYDOMAIN.COM>; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
tests=[.ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024)
with ESMTP id y8UwjrBjDDCO for <MYEMAIL@MYDOMAIN.COM>;
Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for <MYEMAIL@MYDOMAIN.COM>; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM smtp.helo=mail.acquiretm.com;
dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none
(message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=R1X4dpKSgryTH6OLmMzRy/tDWLnQEV8mHOEEtjH+lXKLhUWP1IcSU7ti48ZJoXOksGz7A4+ZbSb5s1wNp2A4dGS+psXMeDNERbCeNVeGFRy/0AfJX4BSO52imrh48OaXFvTjmcrwSondZQkeC2plLlatu2jWPXn+a48T+gCuUZtFOpy6+1OlQqtOhQd5Ork4w7yD6nIicaXcQ4GhpDX1YM6zU02EUOSl+pxEgJj5/WuHvXNbtuTmdsGid1JhRnmIyvR15jGzXHkyrD/KYHw3evZSOV8pJ8EMpUPDEiwdHjDGYt38j/Wwiho5yVfR/zNZa5wELOq9bYgLK0G91JywQA==
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 193.176.158.140)
smtp.helo=mail.acquiretm.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=x1r862t.onmicrosoft.com;
Date: Mon, 01 Jan 2024 20:19:49 +0100
Importance: high
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
X-TOI-MSGID: <1660898088.4BDAB4AB9E89D.1704136789437@acquiretm.com>
In-Reply-To: <952HtCJGcsDXt5hYdIx5kfocgsAN34o2GPHcYVpB6@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; charset="UTF-8"
CC: MYEMAIL@MYDOMAIN.COM
To: MYEMAIL@MYDOMAIN.COM
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Storage Notice <info_QwzrlPCPwPQ@x1r862t.onmicrosoft.com>
Message-ID:
<0e3b3785-6682-4c22-b6d7-87286c342cd7@CY4PEPF0000EE34.namprd05.prod.outlook.com>
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CY4PEPF0000EE34:EE_|CO6PR20MB3698:EE_
X-MS-Office365-Filtering-Correlation-Id: 3b787f74-e97d-4744-853e-08dc0aff1ea0
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:

iCzQWJ07Pkvdn8gTGxmT6VSZBHnP6M4JvFEye6phLeBazoMicRP+n8Frj4I9QfVf8WmFZWPRNg978JVG7BDaqn4bxfC0shO0mBk5itJtr3ZRYKiFIMx+NVO8t79WCu7UZJdf5LjDih1sTt+noqH2CGSPWsRE96PG8UNfGoWJzkMS0AuY1CjhHfjpwbklk+QzQ985nESwb7Ozb1+o/yfzzFtq41ta6WcUp5s8ksM2nqTUwdf972ZCOgy6ctn0sJ9r3illogeg+K31zzwq2Xqd0Vvg6H2kJfjDZX6zLUHzmVvjYpX6RX65FU0EigndAzHHhGwPpJrPf4pUCCtB7NP80Rz0Ab4sKj48wAaiZHnJVEwEvbBw+sRP4FO3eIj6WnKBQ24yedrXW6i2nsoH5sWkO1OYq9tNi+1OCMgdVO7ZdJdkmCpZxc5yC0IK8aXOGUEGBhXTCJY/UWwnnfkYh4a6p4p12+lKfAmlhkMrFLR1GxXlukfPi6rLJGiwHUawX6hE4mS4BqHQJllk3wTRVrRK0sTgqJvVf/4wT/7pbAelOBBjANVObgm5V5PtBNuM+EMPSpqOJz/pAK+8mxjdlbZRLQ==
X-Forefront-Antispam-Report:
CIP:193.176.158.140;CTRY:FR;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.acquiretm.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(136003)(346002)(376002)(396003)(39860400002)(230922051799003)(61400799012)(1690799017)(451199024)(7200799017)(64100799003)(82310400011)(46966006)(8400799017)(3082699003)(40480700001)(336012)(42882007)(26005)(41320700001)(31696002)(81166007)(558084003)(166002)(82740400003)(17440700003)(35950700001)(34020700004)(47076005)(4326008)(67280400001)(19625305002)(5660300002)(9686003)(8936002)(8676002)(70206006)(70586007)(786003)(78352004)(316002)(6916009)(42186006)(2906002)(41300700001)(498600001)(84603001)(42472002)(38122002);DIR:OUT;SFP:1501;
X-OriginatorOrg: x1r862t.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Jan 2024 19:23:21.7479
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3b787f74-e97d-4744-853e-08dc0aff1ea0
X-MS-Exchange-CrossTenant-Id: aae3bce2-b5e6-4c64-9336-2909094ee8c9
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=aae3bce2-b5e6-4c64-9336-2909094ee8c9;Ip=[193.176.158.140];Helo=[mail.acquiretm.com]
X-MS-Exchange-CrossTenant-AuthSource:
CY4PEPF0000EE34.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO6PR20MB3698