Mailing List Archive

OT: Microsoft Breach
I've several customers whose accounts were used to send spam as a result
of Microsoft's infrastructure breach.

Curiously, NOBODY has received any breach notifications from Microsoft,
despite personal information being compromised.

What has anyone else experienced?

Thanks,

-- Jared Hall
Re: OT: Microsoft Breach [ In reply to ]
It's possible that certain email accounts utilizing email services with
easily guessable passwords were compromised, leading to abuse of the
".onmicrosoft.com" subdomain for sending spam via email.

I've observed an increase in the blocking of IPs belonging to Microsoft
Corporation by the SpamCop blacklist since November 2023, with a notable
spike in activity during February and March 2024.

Jimmy


On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users <
users@spamassassin.apache.org> wrote:

> I've several customers whose accounts were used to send spam as a result
> of Microsoft's infrastructure breach.
>
> Curiously, NOBODY has received any breach notifications from Microsoft,
> despite personal information being compromised.
>
> What has anyone else experienced?
>
> Thanks,
>
> -- Jared Hall
>
>
Re: OT: Microsoft Breach [ In reply to ]
On 3/18/2024 10:13 PM, Jimmy wrote:
>
> It's possible that certain email accounts utilizing email services
> with easily guessable passwords were compromised, leading to abuse of
> the ".onmicrosoft.com" subdomain for sending spam via email.

Well, there's (1) standard BEC, (2) stolen Exchange Administrator
credentials, and (3) creation of new Microsoft 365 hosts.  While
.onmicrosoft.com encompasses the entire Microsoft 365 world, including
GoDaddy 365 resale, it is worse than that.  In Microsoft's case, the
Azure Administration keys were pilfered as well.  Probably most of us
here have seen the residual fallout from all the bogus 365 hosts.

In a couple of cases, Exchange Administration credentials (where you
setup DKIM/SMTP and the initial <COMPANY>.onmicrosoft.com hostname) were
changed such that they can no longer log in.  They still have the
Account and Mailbox Administrator permissions so they can still
add/delete Accounts and Mailboxes.

Microsoft asserts that no billing information was compromised and to be
fair, I've seen no evidence of compromise.  Zero cred, IMHO.
Typical Microsoft:  System Down, Billing Up

>
> I've observed an increase in the blocking of IPs belonging to
> Microsoft Corporation by the SpamCop blacklist since November 2023,
> with a notable spike in activity during February and March 2024.

Yes, you are correct.  I see there is a spat between Microsoft and
SpamHaus also.  Poor, poor Microsoft.

Thanks,

-- Jared Hall
Re: OT: Microsoft Breach [ In reply to ]
Does anyone else just block all traffic from *.onmicrosoft.com? I have
literally NEVER gotten anything from that domain which is not obvious junk.

I set up postfix to just flat out refuse anything from that domain.[1]
If I get any complaints, I may ease it up, but I was getting TONS of
spam messages from that domain and I figured it was easiest to just
block it.

--
Thomas

[1]

[root@east ~]# grep onmicrosoft /etc/postfix/sender_access
# Envelope sender in onmicrosoft.com or any subdomain of it; anchored on "@" and end of address
/@(.*\.)?onmicrosoft\.com$/ REJECT

[root@east ~]# grep sender_access /etc/postfix/main.cf
check_sender_access regexp:/etc/postfix/sender_access

On 3/18/24 21:13, Jimmy wrote:
>
> It's possible that certain email accounts utilizing email services with
> easily guessable passwords were compromised, leading to abuse of the
> .onmicrosoft.com subdomain for sending spam via email.
>
> I've observed an increase in the blocking of IPs belonging to Microsoft
> Corporation by the SpamCop blacklist since November 2023, with a notable
> spike in activity during February and March 2024.
>
> Jimmy
>
>
> On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users
> <users@spamassassin.apache.org>
> wrote:
>
> I've several customers whose accounts were used to send spam as a result
> of Microsoft's infrastructure breach.
>
> Curiously, NOBODY has received any breach notifications from Microsoft,
> despite personal information being compromised.
>
> What has anyone else experienced?
>
> Thanks,
>
> -- Jared Hall
>
RE: OT: Microsoft Breach [ In reply to ]
I am using spamcop and spamhaus to block. There are indeed outlook.com ip addresses that bounce.

>
> Does anyone else just block all traffic from *.onmicrosoft.com? I have
> literally NEVER gotten anything from that domain which is not obvious junk.
>
> I set up postfix to just flat out refuse anything from that domain.[1]
> If I get any complaints, I may ease it up, but I was getting TONS of
> spam messages from that domain and I figured it was easiest to just
> block it.
>
Re: OT: Microsoft Breach [ In reply to ]
I am using this setup in my postfix main.cf. [obfuscated] is my actual
key for spamhaus.

# Restrictions are evaluated top to bottom and the first permit or reject
# wins, so relay control goes in as reject_unauth_destination ahead of the
# DNSBL checks. A permit_auth_destination at that point would accept every
# message for a local domain before any DNSBL lookup happened, and a bare
# "reject" at the end would then refuse whatever mail got past the DNSBLs.
smtpd_recipient_restrictions =
    check_sender_access regexp:/etc/postfix/sender_access
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_rbl_client [obfuscated].zen.dq.spamhaus.net=127.0.0.[2..11]
    reject_rhsbl_sender [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_helo [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_reverse_client [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_sender [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
    reject_rhsbl_helo [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
    reject_rhsbl_reverse_client [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
    permit

I was still getting a TON of junk from onmicrosoft.com. I blocked the
domain many months ago... Do you recommend I let that back open? I
definitely don't want to miss emails from folks who use outlook.com
(although, not gonna lie, it feels nice to raise a middle finger to
Microsoft for their terrible email practices).

--
Thomas

On 3/19/24 09:02, Marc wrote:
> I am using spamcop and spamhaus to block. There are indeed outlook.com ip addresses that bounce.
>
>>
>> Does anyone else just block all traffic from *.onmicrosoft.com? I have
>> literally NEVER gotten anything from that domain which is not obvious junk.
>>
>> I set up postfix to just flat out refuse anything from that domain.[1]
>> If I get any complaints, I may ease it up, but I was getting TONS of
>> spam messages from that domain and I figured it was easiest to just
>> block it.
>>
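Postfix evaluates smtpd_recipient_restrictions top to bottom and stops at the first restriction that permits or rejects. If permit_auth_destination appears ahead of the reject_rbl_client and reject_rhsbl_* entries, every message addressed to one of the server's own domains is accepted before any DNSBL lookup runs, and the DNSBLs can only ever fire on relay attempts, which a trailing "reject" refuses anyway. The following is an added example, not code from the thread or from Postfix: a Python emulation of that evaluation with a constructed environment (documentation IP ranges, a hypothetical local domain, a made-up DNSBL answer) that shows the posted order beside a corrected one (reject_unauth_destination before the DNSBL checks, permit at the end).

```python
from dataclasses import dataclass

# Constructed sample environment. 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges; DNSBL_LISTED stands in for a Spamhaus ZEN answer.
MYNETWORKS = {"127.0.0.1", "198.51.100.10"}
MYDESTINATION = {"camerontech.example"}   # hypothetical local domain
DNSBL_LISTED = {"192.0.2.66"}              # pretend this client IP is listed


@dataclass
class Session:
    client_ip: str
    rcpt_domain: str
    sasl_authenticated: bool = False
    sender_rejected: bool = False   # stand-in for the check_sender_access verdict


# Each restriction answers "OK", "REJECT" or "DUNNO" (no opinion), as in Postfix.
def check_sender_access(s): return "REJECT" if s.sender_rejected else "DUNNO"
def permit_mynetworks(s): return "OK" if s.client_ip in MYNETWORKS else "DUNNO"
def permit_sasl_authenticated(s): return "OK" if s.sasl_authenticated else "DUNNO"
def permit_auth_destination(s): return "OK" if s.rcpt_domain in MYDESTINATION else "DUNNO"
def reject_unauth_destination(s): return "DUNNO" if s.rcpt_domain in MYDESTINATION else "REJECT"
def reject_rbl_client(s): return "REJECT" if s.client_ip in DNSBL_LISTED else "DUNNO"
def reject(s): return "REJECT"
def permit(s): return "OK"


def evaluate(restrictions, session):
    """Walk the list top to bottom; the first OK or REJECT ends evaluation.
    Returns (verdict, name of the restriction that decided). Running off the
    end of the list permits, which is the Postfix default."""
    for r in restrictions:
        verdict = r(session)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "OK", "end-of-list"


# Order with permit_auth_destination sitting before the DNSBL check.
AS_POSTED = [check_sender_access, permit_mynetworks, permit_auth_destination,
             permit_sasl_authenticated, reject_rbl_client, reject]

# Corrected order: relay control as a reject, so local mail reaches the DNSBL check.
CORRECTED = [check_sender_access, permit_mynetworks, permit_sasl_authenticated,
             reject_unauth_destination, reject_rbl_client, permit]


if __name__ == "__main__":
    cases = {  # constructed sessions
        "listed client -> local mailbox": Session("192.0.2.66", "camerontech.example"),
        "listed client -> relay attempt": Session("192.0.2.66", "victim.example"),
        "clean client -> local mailbox":  Session("192.0.2.7", "camerontech.example"),
        "mynetworks -> relay":            Session("198.51.100.10", "victim.example"),
    }
    for label, s in cases.items():
        print(f"{label:32} posted={evaluate(AS_POSTED, s)}  corrected={evaluate(CORRECTED, s)}")
```

The first case is the one that matters: a DNSBL-listed client delivering to a local mailbox is accepted by permit_auth_destination in the posted order and rejected by reject_rbl_client in the corrected one; in every other case the two orders agree.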
Re: OT: Microsoft Breach [ In reply to ]
On 2024-03-19 at 09:51:04 UTC-0400 (Tue, 19 Mar 2024 08:51:04 -0500)
Thomas Cameron <thomas.cameron@camerontech.com>
is rumored to have said:

> Does anyone else just block all traffic from *.onmicrosoft.com?

Yes. No collateral damage noticed. That includes a system that has administrative and alerting role accounts which handle email alerts from Azure and MS365.

> I have literally NEVER gotten anything from that domain which is not obvious junk.
>
> I set up postfix to just flat out refuse anything from that domain.[1] If I get any complaints, I may ease it up, but I was getting TONS of spam messages from that domain and I figured it was easiest to just block it.
>
> --
> Thomas
>
> [1]
>
> [root@east ~]# grep onmicrosoft /etc/postfix/sender_access
> /@*.onmicrosoft\.com/ REJECT
>
> [root@east ~]# grep sender_access /etc/postfix/main.cf
> check_sender_access regexp:/etc/postfix/sender_access
>
> On 3/18/24 21:13, Jimmy wrote:
>>
>> It's possible that certain email accounts utilizing email services with easily guessable passwords were compromised, leading to abuse of the .onmicrosoft.com subdomain for sending spam via email.
>>
>> I've observed an increase in the blocking of IPs belonging to Microsoft Corporation by the SpamCop blacklist since November 2023, with a notable spike in activity during February and March 2024.
>>
>> Jimmy
>>
>>
>> On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users <users@spamassassin.apache.org> wrote:
>>
>> I've several customers whose accounts were used to send spam as a result
>> of Microsoft's infrastructure breach.
>>
>> Curiously, NOBODY has received any breach notifications from Microsoft,
>> despite personal information being compromised.
>>
>> What has anyone else experienced?
>>
>> Thanks,
>>
>> -- Jared Hall
>>


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: OT: Microsoft Breach [ In reply to ]
On 2024-03-19 14:51, Thomas Cameron wrote:
> Does anyone else just block all traffic from *.onmicrosoft.com? I have
> literally NEVER gotten anything from that domain which is not obvious
> junk.
>

We block and have a whitelist with 49 entries at the moment.

Michael
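Both the blanket REJECT that Thomas posted and the block-plus-whitelist that Michael describes come down to the order of entries in a check_sender_access table and to what the block pattern actually matches. The following is an added example, not code from the thread or from Postfix: a Python emulation of that lookup. Per access(5), a regexp table is searched once with the whole address as the key, so a re.search over the full string mirrors Postfix; the two patterns are the posted `/@*.onmicrosoft\.com/` (where `@*` means zero or more "@" and the bare `.` matches any character) and a tightened `/@(.*\.)?onmicrosoft\.com$/`, and the allowlist entries and sample addresses are constructed for the example, not Michael's real 49.

```python
import re

# Pattern as posted: "@*" is zero or more "@" and the unescaped "." matches
# any character, so it also hits look-alike domains and anything that merely
# contains "onmicrosoft.com" somewhere in the address.
ORIGINAL_PATTERN = re.compile(r"@*.onmicrosoft\.com", re.IGNORECASE)

# Tightened pattern: an "@", optional subdomain labels, then onmicrosoft.com
# as the whole domain, anchored at the end of the address.
TIGHT_PATTERN = re.compile(r"@(.*\.)?onmicrosoft\.com$", re.IGNORECASE)

# Constructed allowlist standing in for a real one. In a Postfix access table
# these OK entries must precede the REJECT pattern: the first match wins.
ALLOWLIST = frozenset({
    "alerts@contoso.onmicrosoft.com",
    "noreply@fabrikam.onmicrosoft.com",
})


def lookup(sender: str, pattern: re.Pattern, allowlist=ALLOWLIST) -> str:
    """Emulate check_sender_access against a regexp: table.

    Returns the action the table would hand back: "OK" for an allowlisted
    address, "REJECT" when the block pattern matches, otherwise "DUNNO"
    (nothing matched; the remaining restrictions decide).
    """
    key = sender.strip().lower()   # regexp tables match case-insensitively by default
    if key in allowlist:           # allowlist entries sit above the REJECT line
        return "OK"
    if pattern.search(key):        # whole-address search, as access(5) describes
        return "REJECT"
    return "DUNNO"


def compare(senders, patterns=(("posted", ORIGINAL_PATTERN), ("tight", TIGHT_PATTERN))):
    """Verdict of each pattern for each sender, to show where they disagree."""
    return {s: {name: lookup(s, p) for name, p in patterns} for s in senders}


if __name__ == "__main__":
    SAMPLE_SENDERS = [  # constructed test addresses
        "spammer@contoso.onmicrosoft.com",    # typical abused tenant address
        "Alerts@Contoso.onmicrosoft.com",     # allowlisted, differs only in case
        "user@ONMICROSOFT.COM",               # bare domain, upper case
        "user@notonmicrosoft.com",            # look-alike: not a subdomain
        "user@onmicrosoft.com.example.net",   # look-alike: onmicrosoft.com as a label
        "someone@example.com",                # unrelated sender
    ]
    for sender, verdicts in compare(SAMPLE_SENDERS).items():
        flag = "" if len(set(verdicts.values())) == 1 else "   <- patterns disagree"
        print(f"{sender:36} posted={verdicts['posted']:6} tight={verdicts['tight']:6}{flag}")
```

The two patterns agree on real onmicrosoft.com tenants and on the allowlisted addresses; they part ways on the look-alikes, which the posted pattern rejects and the anchored one leaves to the later DNSBL and content checks. Whether that extra breadth is wanted is a policy call, but it should be a deliberate one.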
Re: OT: Microsoft Breach [ In reply to ]
On 3/19/24 09:52, Michael Storz wrote:
> On 2024-03-19 14:51, Thomas Cameron wrote:
>> Does anyone else just block all traffic from *.onmicrosoft.com? I have
>> literally NEVER gotten anything from that domain which is not obvious
>> junk.
>>
>
> We block and have a whitelist with 49 entries at the moment.
>
> Michael

Thanks, sir.

I will whitelist anyone who complains, but like I said... I've literally
never gotten email from that domain which was not spam.

--
Thomas
Re: OT: Microsoft Breach [ In reply to ]
On 19 March 2024 15:33:10 CET, Bill Cole <sausers-20150205@billmail.scconsult.com> wrote:
>On 2024-03-19 at 09:51:04 UTC-0400 (Tue, 19 Mar 2024 08:51:04 -0500)
>Thomas Cameron <thomas.cameron@camerontech.com>
>is rumored to have said:
>
>> Does anyone else just block all traffic from *.onmicrosoft.com?
>
>Yes. No collateral damage noticed. That includes a system that has administrative and alerting role accounts which handle email alerts from Azure and MS365.
>
Disposition notifications are sent from the onmicrosoft.domain.tld domain, AFAIK.
Giovanni


>> I have literally NEVER gotten anything from that domain which is not obvious junk.
>>
>> I set up postfix to just flat out refuse anything from that domain.[1] If I get any complaints, I may ease it up, but I was getting TONS of spam messages from that domain and I figured it was easiest to just block it.
>>
>> --
>> Thomas
>>
>> [1]
>>
>> [root@east ~]# grep onmicrosoft /etc/postfix/sender_access
>> /@*.onmicrosoft\.com/ REJECT
>>
>> [root@east ~]# grep sender_access /etc/postfix/main.cf
>> check_sender_access regexp:/etc/postfix/sender_access
>>
>> On 3/18/24 21:13, Jimmy wrote:
>>>
>>> It's possible that certain email accounts utilizing email services with easily guessable passwords were compromised, leading to abuse of the .onmicrosoft.com subdomain for sending spam via email.
>>>
>>> I've observed an increase in the blocking of IPs belonging to Microsoft Corporation by the SpamCop blacklist since November 2023, with a notable spike in activity during February and March 2024.
>>>
>>> Jimmy
>>>
>>>
>>> On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users <users@spamassassin.apache.org> wrote:
>>>
>>> I've several customers whose accounts were used to send spam as a result
>>> of Microsoft's infrastructure breach.
>>>
>>> Curiously, NOBODY has received any breach notifications from Microsoft,
>>> despite personal information being compromised.
>>>
>>> What has anyone else experienced?
>>>
>>> Thanks,
>>>
>>> -- Jared Hall
>>>
>
>