Lockdown rule and NDR issues

Created by Yves Lacombe, Modified on Fri, 1 Aug at 4:41 PM by Yves Lacombe

Problem:


Vircom has observed a recent increase in a specific type of email attack that requires your immediate attention. Proofpoint has observed and documented a campaign that abuses Microsoft 365's Direct Send feature (more info here).

The scenario involves a user, for example abc@domain.com, receiving an email that appears to be sent from themselves (abc@domain.com). The message is actually submitted from a foreign IP address, typically in Japan or somewhere in Europe, that is not one of the organization's authorized mail sources.

The concerning aspect is that Microsoft 365 accepts and delivers these messages. One effective mitigation is an inbound lockdown rule that stops mail arriving directly from any IP address other than Proofpoint's.


During onboarding we always recommend enabling the lockdown rule described here within a day or so of completing the onboarding, precisely to prevent this sort of attack.


>>> Locking Down O365 Connections


If you haven't already enabled the lockdown rule, do so now.

If you have, the rule needs an update because of the specifics of the current attack.



Why the rule should be updated: 


With the original lockdown rule in place the spoofed message is rejected, but a rejection generates a non-delivery report (NDR). The NDR is sent back to the sender address on the message, and since the attacker spoofed me@domain.com as both sender and recipient, the NDR (which often includes the original email as an attachment) lands in the targeted user's mailbox anyway.


The recommendation is therefore to UPDATE the lockdown rule to quarantine these messages rather than reject them. A rejection NDR delivers the original message to the "sender", who, because of the spoofing, is the targeted recipient.


Solution:


Modify the lockdown rule so that it quarantines the messages in the Microsoft 365 quarantine instead of sending an NDR back to the (supposed) sender.

  • Go into Exchange Online -> Mail flow -> Rules
  • Locate the "Proofpoint Inbound Lockdown Rule" and edit the rule's conditions step; the change is under "Do the following"
  • Replace the action "Reject the message with the explanation 'Unauthorized IP'" with "Redirect the message to" and select "hosted quarantine"
  • These emails will now go to the Microsoft 365 quarantine instead of being rejected with an NDR.




Next, edit the rule settings


Make sure the priority is 0 (so the rule is evaluated before any other rule) and that the option "Stop processing more rules" is checked.


Note: if you are using a 3rd-party e-signature product (Exclaimer, CodeTwo, etc.), further considerations are required, because those services relay mail back into Microsoft 365 from their own IP addresses and can be caught by the lockdown rule. Contact our support team at support@vircom.com for assistance.




Save everything.
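The same change can be made from Exchange Online PowerShell instead of the admin center. The script below is an added example, not part of the Vircom article or the Proofpoint setup guide. It assumes the ExchangeOnlineManagement module is installed, that the rule is named exactly "Proofpoint Inbound Lockdown Rule", and that clearing both reject parameters with $null removes the "Reject the message" action (confirm the result in the admin center after running it).

```powershell
# Added example (not from the Vircom article): convert the lockdown rule from
# "reject with NDR" to "redirect to hosted quarantine" using Exchange Online
# PowerShell. Assumes the ExchangeOnlineManagement module and the rule name
# below; adjust $ruleName if your tenant uses a different name.
Connect-ExchangeOnline

$ruleName = "Proofpoint Inbound Lockdown Rule"

# 1. Record the current state. RejectMessageReasonText / RejectMessageEnhancedStatusCode
#    are the "Reject the message" action (the source of the NDR); Quarantine is the
#    "Redirect the message to hosted quarantine" action.
$before = Get-TransportRule -Identity $ruleName
$before | Format-List Name, State, Priority, StopRuleProcessing,
    RejectMessageReasonText, RejectMessageEnhancedStatusCode, Quarantine,
    ExceptIfSenderIpRanges

# 2. Swap the action, make the rule first, and stop further rule processing.
#    Assumption: setting both reject parameters to $null removes the reject action.
#    Add -WhatIf to preview the change before applying it.
Set-TransportRule -Identity $ruleName `
    -RejectMessageReasonText $null `
    -RejectMessageEnhancedStatusCode $null `
    -Quarantine $true `
    -Priority 0 `
    -StopRuleProcessing $true

# 3. Verify the rule, then list any other enabled rule that still rejects with an NDR.
$after = Get-TransportRule -Identity $ruleName
$after | Format-List Name, State, Priority, StopRuleProcessing, Quarantine, RejectMessageReasonText

Get-TransportRule | Where-Object { $_.State -eq 'Enabled' -and $_.RejectMessageReasonText } |
    Select-Object Name, Priority, RejectMessageReasonText

# 4. While connected, check the Direct Send setting covered in the additional
#    recommended actions (reject it only once you know nothing legitimate uses it).
Get-OrganizationConfig | Select-Object RejectDirectSend
```

Step 3 matters because the ExceptIfSenderIpRanges list is what makes this rule a lockdown: any other enabled rule that still rejects with an NDR would recreate the problem this update removes. Step 4 only reads the setting; the recommended actions section below explains when to change it.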




Additional recommended actions for Microsoft 365 customers 


Here are some tips for protecting your organization: 

  • Determine whether your organization actively uses Direct Send (for example, devices or applications that submit mail to your Microsoft 365 MX endpoint without authenticating); if it does not, enable "Reject Direct Send" via PowerShell: Set-OrganizationConfig -RejectDirectSend $true

  • Audit mail flow rules and connectors for accepted unauthenticated relay IPs; monitor message headers (the Authentication-Results header) for spoofing attempts that Microsoft flags with compauth=fail

  • Enforce email authentication (SPF, DKIM, DMARC) with a DMARC p=reject policy and an SPF hard fail (-all) where possible, by partnering with a trusted service like Red Sift OnDMARC from Vircom to ensure deliverability of legitimate email

  • Use advanced email security solutions like Proofpoint Essentials from Vircom to bolster Microsoft's native protections
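The header check in the second recommendation above can be scripted. The following is an added example, not code from Vircom, Proofpoint or Microsoft: it parses one message's headers, looks for the pattern described in this article (From equals To, Microsoft composite authentication failed, and the connecting IP outside the ranges your lockdown rule authorizes) and returns a verdict. The header block is constructed for the example (203.0.113.45 is a documentation address, the mailbox and domain are placeholders) and the two /24 ranges stand in for the real Proofpoint ranges you allow in the lockdown rule; the CIDR helper is IPv4-only.

```powershell
# Added example, not from the Vircom article: triage raw message headers for the
# self-spoof pattern (From == To, compauth=fail, source IP not in the authorized
# inbound ranges). Sample headers and IP ranges below are constructed, not captured.

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $parts = $Cidr -split '/'
    $bits  = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)   # network order -> BitConverter order
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint32]((([uint64]0xFFFFFFFF) -shl (32 - $bits)) -band [uint64]0xFFFFFFFF)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Get-HeaderValue {
    # Returns capture group 1 of $Pattern, or $null when it does not match.
    param([string]$RawHeaders, [string]$Pattern)
    $m = [regex]::Match($RawHeaders, $Pattern, 'IgnoreCase, Multiline')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

function Test-SelfSpoofHeaders {
    param([string]$RawHeaders, [string[]]$AuthorizedRanges)

    $from     = Get-HeaderValue $RawHeaders '^From:\s*(?:.*<)?([^\s<>]+@[^\s<>]+)'
    $to       = Get-HeaderValue $RawHeaders '^To:\s*(?:.*<)?([^\s<>]+@[^\s<>]+)'
    $compauth = Get-HeaderValue $RawHeaders 'compauth=(\w+)'
    $senderIp = Get-HeaderValue $RawHeaders 'sender IP is (\d{1,3}(?:\.\d{1,3}){3})'

    # PowerShell -eq on strings is case-insensitive, which is what we want for addresses.
    $selfAddressed = $from -and $to -and ($from -eq $to)

    $authorized = $false
    if ($senderIp) {
        foreach ($range in $AuthorizedRanges) {
            if (Test-IPv4InCidr -Ip $senderIp -Cidr $range) { $authorized = $true; break }
        }
    }

    $verdict = if ($selfAddressed -and $compauth -eq 'fail' -and -not $authorized) {
        'SELF-SPOOF via unauthorized source: the lockdown rule should quarantine this'
    } elseif (-not $authorized) {
        'Bypassed Proofpoint (unauthorized source IP): review the lockdown rule'
    } else {
        'Arrived via an authorized relay'
    }

    [pscustomobject]@{
        From = $from; To = $to; CompAuth = $compauth
        SenderIp = $senderIp; AuthorizedSource = $authorized; Verdict = $verdict
    }
}

# Constructed headers resembling the attack described above (not a real capture).
$sampleHeaders = @"
Received: from mx.example.net (203.0.113.45) by
 XX0P123MB4567.XXXP123.PROD.OUTLOOK.COM with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=domain.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=domain.com; compauth=fail reason=000
From: abc@domain.com
To: abc@domain.com
Subject: Payment notice
"@

# Placeholder ranges standing in for the Proofpoint Essentials IP ranges allowed
# by your lockdown rule (assumption: substitute the real list from the rule).
$proofpointRanges = @('198.51.100.0/24', '192.0.2.0/24')

Test-SelfSpoofHeaders -RawHeaders $sampleHeaders -AuthorizedRanges $proofpointRanges
```

Run against the constructed sample, the function reports the first verdict, because 203.0.113.45 is in neither placeholder range, From and To are identical, and compauth=fail. Feed it the raw headers of a suspect message (Message header analyzer output or the "View message details" text) with your real authorized ranges; a message whose source IP is authorized but still fails compauth is a different problem, usually an SPF or DKIM gap for a legitimate sender, and belongs with the DMARC work in the third recommendation.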