On 3/18/2024 10:13 PM, Jimmy wrote:
>
> It's possible that certain email accounts utilizing email services
> with easily guessable passwords were compromised, leading to abuse of
> the ".onmicrosoft.com" subdomain for sending
> spam via email.
Well, there's (1) standard BEC, (2) stolen Exchange Administrator
credentials, and (3) creation of new Microsoft 365 hosts. While
.onmicrosoft.com encompasses the entire Microsoft 365 world, including
GoDaddy 365 resale, it is worse than that. In Microsoft's case, the
Azure Administration keys were pilfered as well. Probably most of us
here have all seen the residual fallout from all the bogus 365 hosts.
In a couple of cases, Exchange Administration credentials (where you
set up DKIM/SMTP and the initial <COMPANY>.onmicrosoft.com hostname) were
changed such that they can no longer log in. They still have the
Account and Mailbox Administrator permissions so they can still
add/delete Accounts and Mailboxes.
Microsoft asserts that no billing information was compromised and to be
fair, I've seen no evidence of compromise. Zero cred, IMHO.
Typical Microsoft: System Down, Billing Up
>
> I've observed an increase in the blocking of IPs belonging to
> Microsoft Corporation by the SpamCop blacklist since November 2023,
> with a notable spike in activity during February and March 2024.
Yes, you are correct. I see there is a spat between Microsoft and
Spamhaus also. Poor, poor Microsoft.
Thanks,
-- Jared Hall