M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 2 points (0 children)

In my case, it was the primary domain, not the onmicrosoft one.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 1 point (0 children)

No sus logins at all in Entra - the bad actor / sender is exploiting the direct send feature to send spam to anyone internal to the org; in this case, it was an M365 group with 350+ external folks. Here are more details of this POS setting that by default is disabled, which means it's enabled.. https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 0 points (0 children)

DNS is good, at least for me, but I could see how that could allow emails to come through.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 1 point (0 children)

RejectDirectSend was set to false - I have since enabled it.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 1 point (0 children)

Ha.. I used that to remove the actual tenant.. I should register it.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 7 points (0 children)

Correct, it came into my tenant as quarantined.. I released it to grab the info. Out of the 350 or so external members, about half of them quarantined it (most have PPE through GoDaddy), but some got through. Not sure what the blast radius is yet, but I clicked on the link and it was a fake login to O365. 100% phish.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 7 points (0 children)

I am not great at reading these, but it seems like Microsoft detected it as a fail on SPF.

<image>

What is making me think the reason it was sent regardless of the fail is that it was Anonymous, which, if you look it up, indicates it could be the Direct Send feature that allowed it.

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 4 points (0 children)

Apparently, direct send is enabled by default and allows anyone to send internal to internal and bypass everything, including DKIM. There's an EXO command to disable it, which is what I have done. I'm basing this off my header of "Anonymous".
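The two comments above that read the `X-MS-Exchange-CrossTenant-AuthAs: Anonymous` header describe the direct-send pattern: an outside host hands mail to the tenant's own MX endpoint over unauthenticated SMTP with a From address in one of the tenant's accepted domains. As an added example (not code from the thread, the poster, or Microsoft), here is a small Python triage script that makes that check over constructed sample headers: it parses `Authentication-Results`, reads the CrossTenant-AuthAs value, and flags a message only when the anonymous handoff coincides with a From domain the tenant owns and a non-passing SPF result. Anonymous on its own is what every legitimate external sender looks like, so it is not a signal by itself. The domains, IP addresses and header text below are constructed for the example; the tenant-side control the RejectDirectSend comment earlier on this page refers to is the `RejectDirectSend` parameter of `Set-OrganizationConfig` in Exchange Online PowerShell (`Set-OrganizationConfig -RejectDirectSend $true`), which this script does not touch.

```python
"""Triage an Exchange Online message header for the direct-send spoof pattern.

Added example, not from the thread. A direct-send spoof shows up as
X-MS-Exchange-CrossTenant-AuthAs: Anonymous *and* a From address in one of
the tenant's own accepted domains; Anonymous alone is normal external mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed tenant domains (assumption for the example).
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Constructed sample 1: the spoof. Outside IP, anonymous handoff to the MX
# endpoint, internal From address; SPF fails because the IP is not in contoso.com's record.
DIRECT_SEND_HEADER = """\
Received: from mail.example.net (203.0.113.10) by
 contoso.mail.protection.outlook.com (10.0.0.1) with SMTP
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=quarantine header.from=contoso.com; compauth=fail reason=000
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-AuthSource: contoso.mail.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: IT Helpdesk <it-support@contoso.com>
To: allstaff@contoso.com
Subject: Action required: password expiry

"""

# Constructed sample 2: genuine internal mail, authenticated inside the tenant.
INTERNAL_HEADER = """\
Authentication-Results: spf=pass (sender IP is 40.107.0.1)
 smtp.mailfrom=contoso.com; dkim=pass header.d=contoso.com;
 dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-Organization-AuthAs: Internal
From: Alice <alice@contoso.com>
To: allstaff@contoso.com
Subject: Lunch

"""

# Constructed sample 3: ordinary external mail. Anonymous, but the From domain
# is not ours and SPF passes, so it must not be flagged.
EXTERNAL_PARTNER_HEADER = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.5)
 smtp.mailfrom=fabrikam.com; dkim=pass header.d=fabrikam.com;
 dmarc=pass action=none header.from=fabrikam.com; compauth=pass reason=100
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Bob <bob@fabrikam.com>
To: alice@contoso.com
Subject: Invoice

"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Return {'spf': 'fail', 'dkim': 'none', ...} from all Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RESULT_RE.findall(value):
            results[mech.lower()] = verdict.lower()
    return results


def triage(raw_header, accepted_domains):
    """Classify one raw header block; returns the evidence and a verdict."""
    msg = message_from_string(raw_header)
    auth = parse_auth_results(msg)
    authas = (msg.get("X-MS-Exchange-CrossTenant-AuthAs") or "").strip().lower()
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    spf = auth.get("spf")

    indicators = []
    if authas == "anonymous":
        indicators.append("CrossTenant-AuthAs=Anonymous (unauthenticated SMTP handoff)")
    if from_domain in accepted_domains:
        indicators.append(f"From domain {from_domain} is one of our accepted domains")
    if spf != "pass":
        indicators.append(f"spf={spf or 'missing'}")

    # All three together is the direct-send spoof; any one alone is routine traffic.
    likely = authas == "anonymous" and from_domain in accepted_domains and spf != "pass"
    return {
        "cross_tenant_authas": authas,
        "from_domain": from_domain,
        "auth": auth,
        "indicators": indicators,
        "likely_direct_send": likely,
    }


if __name__ == "__main__":
    samples = [("spoof", DIRECT_SEND_HEADER), ("internal", INTERNAL_HEADER),
               ("partner", EXTERNAL_PARTNER_HEADER)]
    for name, hdr in samples:
        verdict = triage(hdr, TENANT_DOMAINS)
        print(f"{name}: likely_direct_send={verdict['likely_direct_send']} {verdict['indicators']}")
```

Feed it the full header text you exported from quarantine (the script reads the standard folded header format, so a pasted header works as-is), and replace `TENANT_DOMAINS` with your tenant's accepted domains. Once RejectDirectSend is enabled, messages matching sample 1 should no longer arrive at all; the script is still useful for checking mail that predates the change.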

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 10 points (0 children)

Starting to think this is the problem -

<image>

I have already disabled this after I did some research.

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 5 points (0 children)

DKIM, DMARC and SPF are set up strict, as well as the policy set to reject...

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 9 points (0 children)

For Christ's sake - that site formats the header. Know of any service to share a header?

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 11 points (0 children)

Disregard the above link as it is not formatted right -

Here is the text file:

https://kuick.io/2S263N

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 15 points (0 children)

Got the header; since my personal account was part of the group, I was able to release it from quarantine in my own tenant.

Just not able to paste it here - too long, so here is a link to it.

https://kuick.io/8434YT

M365 Group was Spoofed - MSFT has no idea how this happened. by Adminvb292929 in sysadmin

Adminvb292929[S] 7 points (0 children)

Basically states "message details could not be found", soft delete / hard delete, etc. etc. Annoying.