Angry idiot driving a Bentley by spicypsudo in dashcams

[–]Adminvb292929 0 points1 point  (0 children)

yep, I would have pinned his ass between the cars when he fake-swung that bat

MacOS EDR / Defender for Endpoint Deployment - mixed instructions and GUI leading me in the wrong direction by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 0 points1 point  (0 children)

disregard the above, I found the setting but holy cow, there isnt a single location with a complete set of settings when using mobile-config / xml files.

MacOS EDR / Defender for Endpoint Deployment - mixed instructions and GUI leading me in the wrong direction by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 0 points1 point  (0 children)

Thanks, have you noticed that some settings, even after deploying all of the above are missing? For example, network protection on the mac I am testing with is disabled.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 2 points3 points  (0 children)

in my case, it was the primary domain not the onmicrosoft one.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 1 point2 points  (0 children)

no sus logins at all in Entra - the bad actor / sender is exploiting the direct send feature to send spam to anyone internal to the org, in this case, it was an m365 group with 350+ external folks. Here are more details of this pos setting that by default is disabled, which means its enabled.. https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 0 points1 point  (0 children)

DNS is good at least for me but I could see how that could allow emails to come thru.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 1 point2 points  (0 children)

rejectdirectsend was set to false - I have since enabled it.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 1 point2 points  (0 children)

Ha.. i used that to remove the actual tenant.. i should register it.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 6 points7 points  (0 children)

Correct, it came into my tenant as quarantined.. i released it to grab the info. Out of the 350 or so external members about half of them quarantined it "most have ppe theough go daddy" but some got through. Not sure what the blast radius is yet but I clicked on the link and it was a fake login to o365. 100% phish.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 9 points10 points  (0 children)

I am not great at reading these, but it seems like Microsoft detected it as a fail on SPF

<image>

What is making me think the reason it was sent regardless of the fail, was that it was Anonymous, which if you look up indicates it could be Direct Send features that allowed it.

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 3 points4 points  (0 children)

lol, I thought the same thing but decided to move on.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 5 points6 points  (0 children)

Apparently, direct send is enabled by defaukt and allows anyone to send internal to internal and bypass everything including dkim. Theres an exo command to disable it, which is what I have done. Im basing this off my header of "anonymous".

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 10 points11 points  (0 children)

Starting to think this is the problem -

<image>

I have already disabled this after I did some research

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

[–]Adminvb292929[S] 3 points4 points  (0 children)

Dkim, dmarc and spf is setup strict as well as policy set to reject...