Building 92 at Microsoft Corporation headquarters in Redmond, Washington. (Coolcaesar, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons)

An email security company says its researchers observed a spear phishing campaign that exactly spoofed a Microsoft email domain to trick Office 365 users. This suggests Microsoft’s servers were not enforcing protective DMARC authentication protocols when communications were received – and perhaps still are not.

The campaign, according to a blog post published by the company Ironscales, uses a lure that suggests the recipient has important email messages that have been quarantined, and must click a link to salvage them. The phishing email reportedly alludes to a hosted email security feature that Microsoft introduced last September as a way to salvage emails that are wrongly labeled as spam, or phishes by the company’s Exchange Online Protection filtering service. 

Authored by Vice President of Research & Developer Lomy Ovadia, the blog post said that nearly 100 of Ironscales’ customers across multiple industries – including financial services, health care, insurance, manufacturing, utilities, and telecommunications – have received this phishing email, which appears to come from the sender domain address [email protected] According to the report, the emails were able to pass secure email gateways due to a lack of DMARC, otherwise known as Domain Message Authentication Reporting.

“Our research found that Microsoft servers are not currently enforcing the DMARC protocol, meaning these exact domain spoofing messages are not being rejected by gateway controls, such as Office 365 EOP and ATP,” Ovadia wrote. “Any other email service that respects and enforces DMARC would have blocked such emails. It remains unknown as to why Microsoft is allowing a spoof of their very own domain against their own email infrastructure.”

DMARC works by authenticating an email sender’s identity using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) standards. DMARC users also set a policy for whether emails that don’t pass validation should be rejected, quarantined or allowed by the email servers that receive them.

Asked to comment on Ironscales’ findings and scathing assessment, Microsoft asserted that it does leverage DMARC and other protections.

“Contrary to claims in the third-party report, Office 365 has rich in-built controls to block domain spoofing emails and enforces DMARC checks. We encourage all customers to make sure they have deployed the latest security controls in Office 365, enabled multifactor authentication for Office 365 and train[ed] their end users to observe caution when clicking on links from unknown senders,” said a Microsoft spokesperson.

Microsoft also said that DMARC checks actually “happened in this instance,” and that it did not observe attacker bypass of its control or detection systems. The company also noted that end users and tenants can override or disable controls, allowing email through — which implies the issue could have been on the end-user side.

In addition, the Microsoft claims it has gone beyond by “leveraging our unique cloud-base[d] spoof intelligence that enables domain spoofing protection to domains that have not enforced DMARC.” Moreover, the company said that Office 365 and Microsoft Defender for Office 365 “employs a multi-layered filtering engine that looks at multiple aspects of an email using AI to block malicious mails from reaching end users and constantly learn from latest attack vectors.”

Valimail, an email security firm that, together with Microsoft, offers a comprehensive email solution for Microsoft 365 customers, designed to stop content-based phishing attacks, defended Microsoft.

“The Ironscales report is not correct,” said Seth Blank, vice president of standards and new technologies at Valimail. “Microsoft does enforce DMARC policies on inbound mail, for domains which have it configured. However, for domains with a DMARC ‘reject’ policy (like Microsoft.com), Microsoft doesn’t reject messages entirely, as most mail receivers do: Instead, it treats messages that fail authentication as spam, and puts the messages in the recipients’ ‘Junk’ folder, or optionally in quarantine that an account admin can review, depending on the organization’s Microsoft 365 security settings. In other words, messages that fail DMARC won’t be spotted in an M365 inbox, but they can still be retrieved — for instance, when a user is in their ‘Junk’ folder.”

Ironscales has held firm. A spokesman responded to Microsoft’s comments with the following reply: “Whether or not Microsoft users have deployed the latest security controls, enabled multi-factor authentication or trained their users to be phishing aware is irrelevant as to why this email spoofing attack bypassed technical controls using specifically the Microsoft.com domain. Microsoft is on the record as having partnered with Agari for DMARC enforcement, making the protocol a default setting that doesn’t require manual configuration. Unfortunately, our research, which we stand by completely, proves that the combined Microsoft and Agari solution is not blocking spoofed emails, although they claim this is the default.”

Ironscales further countered that the phishing emails in questions landed in inboxes and not the junk folders as Vailmail stated. 

Security awareness training programs teach employees to look at an incoming email’s sender address to ensure that it is authentic. But if a phishing email perfectly mimics a company’s legitimate domain, then that is one less clue that recipients have to determine that they are being scammed.

“You have 3 quarantined messages in your quantine [sic] portal as of 12/2/2020. You can choose what happens to them,” said a sample phishing email purporting to come from Microsoft, Ironscales reported. The link included in the email supposedly leads to a portal, but actually leads to a phishing page that captures victims’ O365 login credentials, which if stolen could potentially be sold on the dark web.

In his blog post, Ovadia recommended that companies configure their defenses for DMARC, and also implemented “advanced mailbox-level email security that continuously studies every employee’s inbox to detect anomalies based on both email data and metadata extracted from previously trusted communications.”

Joseph Neumann, director of offensive security at Coalfire, told SC Media that companies like Microsoft “are prioritizing protecting incoming mail and are less focused on protecting external. Additionally, Microsoft and other CSPs [communications service providers] that provide this service also have other mitigations in place that they feel reduce the dependence on DMARC. For example, not accepting external emails from domains it controls email for. However, this doesn’t stop rogue entities from using the lack of DMARC to phish organizations’ customers and entities.”

Ray Kelly, principal security engineer at WhiteHat Security, also noted that DMARC can be “incredibly difficult” for large organizations to maintain, and that even in cases where DMARC is in place, it can sometimes result in legitimate emails getting blocked from inboxes, which is also problematic.

“Companies such Microsoft, with a vast amount of domains and constant network changes, can easily break email for an enormous amount of users when using DMARC,” said Kelly. “Many companies that utilize DMARC have their policy set to ‘none’ [which allows potentially fradulent emails to still be sent] rather than ‘reject’ in fear that it will stop legitimate emails from being delivered.”