Microsoft experienced a DMARC failure; Data breach notifications landed in spam folders
Recently, Microsoft users received data breach notification emails that Microsoft’s own security tools then marked as spam.
The emails raised suspicion chiefly because they asked for critical account information, included a link that was not visibly associated with Microsoft, and came from a domain with an incorrect DMARC deployment. It emerged that Microsoft, one of the world’s largest IT companies, had fallen short of critical elements and best practices of email authentication, even though the company is otherwise known for its transparency and candor about cybersecurity.
SPF and DKIM were missing in Microsoft emails
Kevin Beaumont, a cybersecurity specialist, took to his LinkedIn account to raise this issue; his post has more than 400 shares.
In his post, Beaumont advised checking email logs, including those from Exchange Online, for messages from mbsupport@microsoft.com. He noted that Microsoft had experienced a breach by Russia affecting customer data but did not follow the standard Microsoft 365 customer data breach process.
Notifications were emailed directly to tenant admins instead of being posted in the portal, so the emails might end up in spam folders or in tenant admin accounts. He mentioned that organizations were not informed through account managers. Beaumont emphasized the importance of reviewing all emails since June, as the data breach has been widespread.
Thanos Vrachnos, a cybersecurity consultant, commented on the original post that many of his clients had received the email Kevin mentioned. His clients perceived the email as a phishing attempt because, according to the email headers, neither SPF nor DKIM was used.
He also pointed out that the URL in the email was hosted on a simple, dummy-looking Azure PowerApp with a basic DV SSL certificate issued by another trusted CA.
On Mastodon, Beaumont mentioned that over 500 organizations had flagged the emails as phishing attempts and sent them to sandboxes.
Fixing DMARC
DMARC is based on SPF and DKIM.
SPF detects and blocks spoofed emails by verifying the sender’s IP address against a list of authorized IPs published in your domain’s DNS records.
DKIM uses cryptographic signatures to verify that an email was sent from an authorized mail server, ensuring the message’s integrity and authenticity.
DMARC is built on SPF and DKIM, allowing domain owners to specify how unauthorized emails should be handled and providing reports on email authentication failures. DMARC policies define how email servers should handle messages that fail SPF or DKIM checks. There are three types of DMARC policies:
- None: Take no action; just monitor and report authentication failures.
- Quarantine: Mark the email as suspicious and place it in the spam/junk folder.
- Reject: Block the email entirely, preventing it from reaching the recipient’s inbox.
DMARC reporting provides domain owners with detailed feedback on email authentication results. There are two types of reports:
- Aggregate reports: Summarize the overall authentication results, showing which emails passed or failed SPF and DKIM checks.
- Forensic reports: Provide detailed information on individual email failures, helping identify potential security issues and sources of email spoofing.
These reports help you monitor, analyze, and improve your email authentication practices.
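The following is an added example, not code from the article or from Microsoft, showing how a receiving mail server turns SPF and DKIM results plus a DMARC record into a verdict: it parses the record, applies identifier alignment, and returns the disposition (none, quarantine or reject) the domain owner asked for. The domains, DMARC records and message results are constructed for illustration; in production the record is fetched from the TXT record at `_dmarc.<domain>`, and a real receiver uses the Public Suffix List rather than the two-label shortcut used here. A message like the one described above, with neither SPF nor DKIM, can never pass DMARC, so what happens to it is decided entirely by the `p=` tag.

```python
"""Evaluate DMARC for one message from its SPF/DKIM results and the sender's policy.

Added example, not code from the article or from Microsoft. All domains,
records and message results below are constructed for illustration.
"""
from dataclasses import dataclass


def parse_dmarc_record(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; rua=mailto:...') into tags.

    Defaults follow RFC 7489: relaxed alignment (adkim=r, aspf=r), pct=100,
    and the subdomain policy sp= falls back to p=.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must carry v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= tag is required and must be none, quarantine or reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (real receivers use the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment between an authenticated domain and the From: domain.

    Strict ('s') requires an exact match; relaxed ('r') accepts any subdomain of
    the same organizational domain.
    """
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    """What a receiving MTA knows after running SPF and DKIM on one message."""
    from_domain: str   # domain in the visible From: header
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the DKIM-Signature; "" when unsigned


def evaluate_dmarc(record: str, results: AuthResults) -> dict:
    """Return the DMARC verdict and the disposition the domain's policy requests.

    DMARC passes if either SPF or DKIM passed *and* that domain aligns with the
    From: domain. A message with no SPF and no DKIM can never pass, so the
    receiver applies p=. Sampling via pct= is not modelled here.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = results.spf_result == "pass" and is_aligned(
        results.spf_domain, results.from_domain, tags["aspf"])
    dkim_aligned = results.dkim_result == "pass" and is_aligned(
        results.dkim_domain, results.from_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else tags["p"],
        "aggregate_reports_to": tags.get("rua"),
    }


# Constructed records: a monitor-only policy beside an enforcing one.
MONITOR_ONLY = "v=DMARC1; p=none"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Constructed message resembling the notifications described above:
# the headers show neither an SPF pass nor a DKIM signature.
UNAUTHENTICATED = AuthResults(from_domain="example.com", spf_result="none",
                              spf_domain="", dkim_result="none", dkim_domain="")

# Constructed message DKIM-signed by a subdomain of the From: domain.
SUBDOMAIN_SIGNED = AuthResults(from_domain="example.com", spf_result="fail",
                               spf_domain="bulk.example.net",
                               dkim_result="pass", dkim_domain="mail.example.com")

if __name__ == "__main__":
    for name, record in (("monitor-only", MONITOR_ONLY), ("enforced", ENFORCED)):
        for label, msg in (("unauthenticated", UNAUTHENTICATED),
                           ("subdomain-signed", SUBDOMAIN_SIGNED)):
            print(f"{name:12} {label:17} -> {evaluate_dmarc(record, msg)}")
```

Running the block shows the two sides of the trade-off described above: under `p=none` the unauthenticated message is reported but delivered, while under `p=reject` it is refused; and the subdomain-signed message passes under relaxed alignment but fails once `adkim=s` demands an exact match, which is why alignment mode should be chosen deliberately before moving from monitoring to enforcement.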