CEO Fraud with *.dee domain spoof

Hi,

no, this is not a typo.

We just received multiple CEO Fraud attempts with our main xyz.de domain spoofed as xyz.dee!

Xyz.dee is not even a real TLD: https://data.iana.org/TLD/tlds-alpha-by-domain.txt

How (tf) can this mail pass the UTM mail protection? The .dee is in the envelope-from!

I shortened the mail headers, removed the information about our internal mail systems, and replaced domains and mail addresses.

Received: from gateway10.unifiedlayer.com ([74.220.218.103]:57082)
	by mail.xyz.de with esmtps  (TLS1.2) tls TLS_ECDH_anon_WITH_AES_256_CBC_SHA
	(Exim 4.94.2)
	(envelope-from <ceo.name@xyz.dee>)
	id 1nhXca-000236-3A
	for employee.name@xyz.de; Thu, 21 Apr 2022 16:17:26 +0200
Received: from cm1.websitewelcome.com (unknown [192.185.0.102])
	by gateway10.unifiedlayer.com (Postfix) with ESMTP id B38AB2009A907
	for <employee.name@xyz.de>; Thu, 21 Apr 2022 09:17:19 -0500 (CDT)
Received: from shared99.accountservergroup.com ([162.215.249.40])
	by cmsmtp with ESMTP
	id hXcVnJVd2KPTUhXcVnFkBS; Thu, 21 Apr 2022 09:17:19 -0500
X-SASI-Hits: BODYTEXTP_SIZE_3000_LESS 0.000000,
	BODYTEXTP_SIZE_400_LESS 0.000000, BODY_SIZE_1000_LESS 0.000000,
	BODY_SIZE_2000_LESS 0.000000, BODY_SIZE_200_299 0.000000,
	BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_7000_LESS 0.000000,
	DATE_TZ_NA 0.000000, FRAUD_LITTLE_BODY 2.000000,
	FRAUD_WEBMAIL_R_NOT_F 0.100000, FROM_NAME_PHRASE 0.000000,
	HTML_00_01 0.050000, HTML_00_10 0.050000, KNOWN_MTA_TFX 0.000000,
	NO_CTA_URI_FOUND 0.000000, NO_URI_FOUND 0.000000, NO_URI_HTTPS 0.000000,
	REPLYTO_FROM_DIFF_ADDY 0.100000, SENDER_NO_AUTH 0.000000,
	SMALL_BODY 0.000000, SXL_IP_TFX_WM 0.000000,
	TO_DOMAIN_IN_FROM_NOT_SAME 0.000000, WEBMAIL_REPLYTO_NOT_FROM 0.500000,
	WEBMAIL_SOURCE 0.000000, WEBMAIL_XMAILER 0.000000, __BODY_NO_MAILTO 0.000000,
	__CT 0.000000, __CTE 0.000000, __CT_TEXT_PLAIN 0.000000,
	__FRAUD_ANTIABUSE 0.000000, __FRAUD_WEBMAIL 0.000000,
	__FRAUD_WEBMAIL_REPLYTO 0.000000, __FROM_DOMAIN_NOT_IN_BODY 0.000000,
	__FUR_HEADER 0.000000, __HAS_FROM 0.000000, __HAS_MSGID 0.000000,
	__HAS_REPLYTO 0.000000, __HAS_X_MAILER 0.000000, __HAS_X_PRIORITY 0.000000,
	__HEADER_ORDER_FROM 0.000000, __MIME_TEXT_ONLY 0.000000,
	__MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_VERSION 0.000000,
	__MSGID_32HEX 0.000000, __NO_HTML_TAG_RAW 0.000000,
	__PHISH_SPEAR_STRUCTURE_1 0.000000, __PHISH_SPEAR_STRUCTURE_2 0.000000,
	__RCPT_HOST_IN_FROM 0.000000, __REPLYTO_GMAIL 0.000000,
	__REPLYTO_SAMEAS_FROM_NAME 0.000000, __SANE_MSGID 0.000000,
	__TO_HOST_IN_FROM 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
	__URI_NO_MAILTO 0.000000
X-SASI-Probability: 24%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.4.21.134824
X-Authority-Reason: s=1
Received: from [66.113.226.191] (port=38411 helo=cmdesignsolutions.ca)
	by shared99.accountservergroup.com with esmtpa (Exim 4.93)
	(envelope-from <ceo.name@xyz.dee>)
	id 1nhXcV-003R7g-3t
	for employee.name@xyz.de; Thu, 21 Apr 2022 09:17:19 -0500
Date: Thu, 21 Apr 2022 10:17:18 -0400
To: <employee.name@xyz.de>
From: "CEO Name" <ceo.name@xyz.dee>
Reply-To: CEO Name <fritzzzlias@gmail.com>
Subject: Dringende Anfrage_
Message-ID: <f577c12190b954963c1529c7a3832e16@cmdesignsolutions.ca>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shared99.accountservergroup.com
X-AntiAbuse: Original Domain - xyz.de
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - xyz.dee
X-BWhitelist: no
X-Source-IP: 66.113.226.191
X-Source-L: No
X-Exim-ID: 1nhXcV-003R7g-3t
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (cmdesignsolutions.ca) [66.113.226.191]:38411
X-Source-Auth: sharon@quicksilverair.com
X-Email-Count: 73
X-Source-Cap: cm9nZXJtYXJ0eTtyb2dlcm1hcnR5O3NoYXJlZDk5LmFjY291bnRzZXJ2ZXJncm91cC5jb20=
X-Local-Domain: no
Return-Path: ceo.name@xyz.dee
X-MS-Exchange-Organization-Network-Message-Id: be6d5be2-1e77-44cb-f5d0-08da23a1aa86
X-MS-Exchange-Organization-AuthSource: Exchangeserverhostname
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.3438702
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.020



  • Hello Albeck,

    Your best solution with UTM is Block TLD Email Senders.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thank you for pointing me to this 7-year-old thread!
    Unfortunately the proposed "solution" will both void the warranty and not work, because basically you would need to block all "made up" TLDs, which are infinite in number and therefore not applicable.

    Obviously there has been no improvement since then.
    It is also quite interesting that protection against this kind of threat is not part of the XG Firewall, only of Central Email, as pointed out.

    Again, it should be possible to implement this in SASI, as SASI does check headers and therefore could also check the sender domain...

    We will migrate to another solution for mail security / antispam; it has already been commissioned!
    Furthermore, there is no need for a Sandstorm license anymore.
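As an added example (not code from the original post, from Sophos or from SASI), this is the kind of sender-domain check the reply above argues a header-inspecting filter could do: it pulls the envelope-from out of the Received/Return-Path headers, validates its TLD against a copy of the IANA root-zone list linked in the first post, flags one-edit lookalikes of the organisation's own domain, and notes the Reply-To/From domain mismatch that the SASI hits already score. `OWN_DOMAIN`, the abbreviated TLD set and the sample headers are constructed placeholders modelled on the redacted headers above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed, abbreviated subset of https://data.iana.org/TLD/tlds-alpha-by-domain.txt;
# a real filter fetches and caches the full file (one upper-case TLD per line).
IANA_TLDS = {"COM", "NET", "ORG", "DE", "CA"}
OWN_DOMAIN = "xyz.de"  # placeholder for the organisation's genuine domain
ENVELOPE_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.I)

# Constructed sample modelled on the redacted headers in the thread.
SAMPLE_HEADERS = (
    "Received: from gateway10.example.net ([198.51.100.10]:57082)\n"
    "\tby mail.xyz.de with esmtps (TLS1.2) (Exim 4.94.2)\n"
    "\t(envelope-from <ceo.name@xyz.dee>)\n"
    "\tfor employee.name@xyz.de; Thu, 21 Apr 2022 16:17:26 +0200\n"
    'From: "CEO Name" <ceo.name@xyz.dee>\n'
    "Reply-To: CEO Name <reply.alias@gmail.com>\n"
    "Return-Path: ceo.name@xyz.dee\n"
)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one insertion separates xyz.de from xyz.dee."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def envelope_sender(msg) -> str:
    """Envelope-from as logged by the outermost Received header, else Return-Path."""
    for received in msg.get_all("Received", []):
        m = ENVELOPE_RE.search(received)
        if m:
            return m.group(1).strip().lower()
    return parseaddr(msg.get("Return-Path", ""))[1].lower()


def check_headers(raw_headers: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_headers)
    sender = envelope_sender(msg)
    if not sender:
        return ["no envelope sender found"]
    findings, dom = [], domain_of(sender)
    tld = dom.rpartition(".")[2].upper()
    if tld not in IANA_TLDS:
        findings.append(f"envelope-from TLD .{tld.lower()} is not delegated in the IANA root zone")
    if dom != OWN_DOMAIN and edit_distance(dom, OWN_DOMAIN) <= 1:
        findings.append(f"envelope-from domain {dom} is one edit away from {OWN_DOMAIN}")
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings
```

Running `check_headers(SAMPLE_HEADERS)` yields three findings for the spoofed message and an empty list for a message whose envelope-from is really `@xyz.de`.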
