

Emails from 365 tenants or outlook.com ignoring MX records - bypassing VIP protection checks.

Hey Folks,

I've set up Email Advanced on a test domain in my organisation for the sole purpose of seeing how the VIP protection works (and other items, but they're not in question here).

So it's all set up and seems fine; I get the impersonation banner etc., but only if I send my test account an email from my Gmail.

Gmail > 365 test account > marked as impersonation

outlook.com > 365 test account > not marked (seems to take a single hop and lands in mailbox).

other 365 tenant > 365 test account > not marked, similar to above.

Bearing in mind I am not sending to my actual account; my test account is named differently, as I know impersonation protection doesn't work for yourself, based on the presumption that you would know you're not scamming yourself.

My concern is that if this doesn't protect against outlook.com and other 365 tenants impersonating, then it's only partially effective, as anyone can create outlook.com accounts.

Anyone else had/seen/fixed/cried themselves to sleep over this?

Cheers

Ian



Added tags
[edited by: Raphael Alganes at 6:36 AM (GMT -7) on 7 Jun 2023]
  • Impersonation protection checks for the VIP name.

    If your VIP user is Lucar Toni, it will protect another user in your setup from email sent by "Lucar.Toni@outlook.com". It will not block Lucar.Toni@outlook.com to lucar.toni in your setup, as this is likely the same person and commonly used to send yourself emails.

    __________________________________________________________________________________________________________________

  • That's not what I'm on about, as I'm not impersonating myself to myself. I'm going from "Ian hellier <randomemail@gmail.com>" to "lord twig <lordtwig@mydomain.com>", which flags as impersonating the VIP name (Ian hellier); however, when I send from "Ian hellier <random@outlook.com>" it does not flag. It doesn't flag from 365 or outlook.com, but it does from Gmail and presumably other places too.

  • Interesting. It did last time I checked the feature. I would recommend checking with support to see if they can extract the logs of this attempt.

    __________________________________________________________________________________________________________________

  • The email headers literally only show a single hop, similar to what you would see on old-school in-house mailboxes, as if Microsoft is simply moving the email from one mailbox to another and it's not actually going through any SMTP methods between accounts.

  • If there is a shortcut, Central Email cannot protect against VIP impersonation. I am not an Outlook 365 expert and cannot find any information about this shortcut. I would expect there to be an option to disable this direct connection between O365 and outlook.com, but I cannot answer this.

    __________________________________________________________________________________________________________________

  • Thing is, I'm not sure it's always done this. We used the service ages ago and didn't experience this, so at the back of my head I'm concerned it might be a silent change on the 365/Outlook side. I just can't verify it.

  • So actually this does work. For some reason all the Microsoft services took 2 days to recognise the MX change, and it now does what it's supposed to. At least I know now to be patient when setting this up and testing.
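The thread's diagnostic was reading the Received: headers and noticing a single hop that never touched the gateway. The script below, an added example that is not from the thread or from Sophos, automates that check: it parses a raw message and reports whether any hop was stamped "by" the gateway host your MX record names. The gateway hostname and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Hypothetical gateway host; replace with the host your MX record points at.
EXPECTED_GATEWAY = "mx.example-gateway.invalid"


def received_hops(raw_message: str) -> list[str]:
    """Return the Received: header values in header order (newest hop first)."""
    msg = message_from_string(raw_message)
    # Unfold multi-line header values so the regex can match across the fold.
    return [str(v).replace("\n", " ") for v in msg.get_all("Received", [])]


def transited_gateway(raw_message: str, gateway: str = EXPECTED_GATEWAY) -> dict:
    """Summarise the hop chain and whether the gateway itself stamped a hop.

    A hop reading 'by <gateway>' means the gateway received and relayed the
    message, so its checks had a chance to run. A single hop with no such
    stamp is the direct-delivery case the thread describes.
    """
    hops = received_hops(raw_message)
    pattern = re.compile(r"\bby\s+" + re.escape(gateway) + r"\b", re.IGNORECASE)
    via = [h for h in hops if pattern.search(h)]
    return {"hops": len(hops), "via_gateway": bool(via), "single_hop": len(hops) == 1}


# Constructed sample 1: tenant-to-tenant delivery in one hop, gateway never seen.
DIRECT = """Received: from HOST-A.prod.outlook.invalid (2001:db8::1) by
 HOST-B.prod.outlook.invalid with HTTPS; Wed, 7 Jun 2023 10:00:00 +0000
From: "VIP Name" <vip.name@outlook.invalid>
To: target@mydomain.invalid
Subject: test

body
"""

# Constructed sample 2: external mail that followed the MX through the gateway.
GATEWAYED = """Received: from mx.example-gateway.invalid (203.0.113.10) by
 HOST-B.prod.outlook.invalid with ESMTPS; Wed, 7 Jun 2023 10:00:05 +0000
Received: from mail.sender.invalid (198.51.100.7) by mx.example-gateway.invalid
 with ESMTPS; Wed, 7 Jun 2023 10:00:01 +0000
From: "VIP Name" <vip.name@sender.invalid>
To: target@mydomain.invalid
Subject: test

body
"""

if __name__ == "__main__":
    print("direct   :", transited_gateway(DIRECT))
    print("gatewayed:", transited_gateway(GATEWAYED))
```

Run it over messages exported from the mailbox while waiting for an MX change to propagate; once every external message reports via_gateway True, the gateway's checks are actually in the path.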