Office 365 NDR for strange email address.
-
@Dashrender Screenshot in OP is the log from the trace on the user's account trying to send to [email protected], its failing but it is trying to.
here is an example of the header, where you can see its trying to email that address.
Doesn't seem to be any rule on the mailbox but the default ones:
-
How about the message you think might be triggering this?
Does a scan of his email show this address in anything in his account?
-
@Dashrender No, incoming email is regular email no traces of this [email protected] address on incoming mail.
-
This post is deleted! -
You can also check the audit logs in O365 to confirm successful logins not from him.
-
Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.
-
@Romo said in Office 365 NDR for strange email address.:
Does anyone have an idea of what other things to check to avoid this happening?
Have him log into OWA and look for auto replies or rules set up.
-
There could also be rules set up in O365.
-
I'm pretty sure there is an NDR Backscatter setting in spam rules
-
@Obsolesce said in Office 365 NDR for strange email address.:
Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.
Not sure what is causing it yet really, I cant seem to find any autoreply or rule enabled.
-
@Obsolesce said in Office 365 NDR for strange email address.:
Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.
Wouldn't an auto-reply mean that an email has to come in with a reply address of the one in question?
-
@Dashrender said in Office 365 NDR for strange email address.:
@Obsolesce said in Office 365 NDR for strange email address.:
Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.
Wouldn't an auto-reply mean that an email has to come in with a reply address of the one in question?
To me, it looks like a spam email is being sent in, and from what OP said, the user may have something set up that is auto-replying to the spam email, which has a reply address consisting of a non-existent domain, which is causing the NDR.
-
@Obsolesce said in Office 365 NDR for strange email address.:
@Dashrender said in Office 365 NDR for strange email address.:
@Obsolesce said in Office 365 NDR for strange email address.:
Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.
Wouldn't an auto-reply mean that an email has to come in with a reply address of the one in question?
To me, it looks like a spam email is being sent in, and from what OP said, the user may have something set up that is auto-replying to the spam email, which has a reply address consisting of a non-existent domain, which is causing the NDR.
Right - but I inquired earlier if they had found an actual email with the invalid email address in it? and the answer was - no, they found no email with the bad email address in it.
-
@Obsolesce Found the client side rules that were set to forward to that address, thanks
-
@Romo said in Office 365 NDR for strange email address.:
@Obsolesce Found the client side rules that were set to forward to that address, thanks
What client? something on mobile?
-
@Dashrender said in Office 365 NDR for strange email address.:
@Romo said in Office 365 NDR for strange email address.:
@Obsolesce Found the client side rules that were set to forward to that address, thanks
What client? something on mobile?
Rules were set on OWA, targetting specific keywords on emails that was why not all emails where trying to get forwarded. Account was indeed compromised.
-
Azure AD > Monitoring > Sign-ins: to track unauthorized access to accounts. There's no telling what all they did, so it may be best to back up the data and recreate the account... and of course enable 2FA/MFA on ALL accounts.
-
@Obsolesce said in Office 365 NDR for strange email address.:
Azure AD > Monitoring > Sign-ins: to track unauthorized access to accounts. There's no telling what all they did, so it may be best to back up the data and recreate the account... and of course enable 2FA/MFA on ALL accounts.
This is a good idea. You can also set alerts to be notified if forwarding rules are created like the ones you discovered.
-
@Romo Can you please tell me if this was resolved?
-
@anamanp said in Office 365 NDR for strange email address.:
@Romo Can you please tell me if this was resolved?
Yes, his reply with the solution was three above your post.
Rules set on OWA to keyword autoforward. The account was compromised.