As I’m sure many others have encountered, within days of creating any user in O365, they start receiving spam, phishing, and solicitation emails. Some of these bad actors have shown a very clear pattern to me, so it leads me to believe a team of bad actors may have found access to our GAL and will make regular attempts to scam our employees. I’m of course, also curious how I might find that employees with minimal outside communications (external communications are with specific individuals at client companies.)
Unfortunately, I haven’t much experience with SecOPs, so I’m curious if anyone more experienced can suggest some good tools to recommend for me to do some digging into this. Tool/app platform doesn’t matter, I’ve got Windows, Mac, and Linux machines available to utilize for testing.
I know there’s a tool out there to see what emails have leaked from different domains, but I can’t seem to find the one I qas thinking of. Breach Directory or HaveIBeenPwned’s Domain Search might be the best thing for now.
You might also be able to check email logs for bouncebacks of non-existent addresses. It’s totally possible some spam farm is just guzzling through a list of possible names and the real emails addresses just happen to fit the filter.
I will say, O365 has had some of the best anti-spam detection, so it’s very odd to me that you’re seeing that much garbage. You may need to tweak some settings, but as I’ve never had the pleasure of working on that side of the fence (Windows email admin), I don’t have any tips or tricks.
Thanks for sharing! I didn’t know didigetpwned had a domain search option. I’ll have to check out the pricing. Could be a good passive tool for checking in on any compromised accounts.
O365 does have pretty good email filtering tools, but plenty does get right through them, surprisingly even the spoofs that fail domain validity checks can get through.