Direct send disabled but client receives spam from themself.

thecomputerguy

Anywhere else to check?

Entra logs, rules, etc. all look normal indicating the account is not compromised. Yet still the client received one of those direct send spam emails from themself to themself.


The only quirky thing about this tenant is that it's a GoDaddy managed tenant.
 
Without having full access to everything...not much to see since duhdaddy unfortunately cripples the tenant and hides most of the admin pages.
You can get to https://portal.azure.com/ ....and backstep into Azure (Entra) to see some stuff.
I'm about to defederate a big electric contractor company tomorrow from dudaddy....new client I picked up....they had a user compromised...not to mention poor setup for security (typical for a godaddy tenant). Separate accounts and licenses for archives..LMFAO. And godaddy doesn't even complete all the proper DNS record creation (no DMARC or DKIM for example)...and they're the registrar/DNS host. //shrug

As for toggling direct send....AFAIK can only do it via powershell.
 

Yeah, did all that. I know you can log in to the GA email and wiggle yourself into some of the backend like Security/Entra, but I see nothing in there indicating a compromise.... Direct Send is already disabled ... no idea how this is happening.
 
You're so blindfolded when working with GoDaddy tenants. Very frustrating.

On a regular tenant you could look at Exchange Admin Center and do a message trace. Don't know if you can do that with GoDaddy.

You may have already done this but I'd examine the full message source / headers and make 100% sure it's actually coming from himself. And when I say "I'd examine" that means I'm feeding all the headers to Claude and asking it to interpret it for me.
 

Headers analyzed by ChatGPT show SPF, DMARC, DKIM Fail - Still Delivered.

In Security I see that they don't have Standard Protection turned on and as such also have no threat policies setup.

Will do so now.
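The header check suggested in the replies above, as an added example that is not part of the thread: a small Python triage function that parses the Authentication-Results and Received headers of a message and flags the pattern described here (own domain in From:, addressed to the same mailbox, SPF/DKIM/DMARC failing, still delivered). The sample headers, the domain contoso-example.com, the relay host and the IP 203.0.113.10 are constructed placeholders, not values from the thread.

```python
"""Triage helper for the 'spam from yourself' pattern: From: is the tenant's own
domain, the message is addressed to that same mailbox, yet SPF/DKIM/DMARC fail in
Authentication-Results and the message was still delivered."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample; domain, relay host and IP are placeholders, not real indicators.
SPOOFED = """\
Received: from relay.example.invalid (203.0.113.10) by
 MAIL.outlook.example with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso-example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=contoso-example.com
From: Jane Doe <jane@contoso-example.com>
To: jane@contoso-example.com
Subject: Your invoice is ready
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def domain_of(header_value: str) -> str:
    """Domain part of the first address in a From:/To: header, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_headers: str, tenant_domain: str) -> dict:
    msg = HeaderParser().parsestr(raw_headers)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = {m.lower(): v.lower() for m, v in AUTH_RE.findall(auth)}
    # Anything other than an explicit "pass" counts as a failure for triage.
    failed = [m for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
    from_dom, to_dom = domain_of(msg.get("From")), domain_of(msg.get("To"))
    # The first Received: header is the hop into the tenant; its IP is the connecting host.
    received = msg.get_all("Received", [""])[0]
    ip = IPV4_RE.search(received)
    # Own domain in From:, sent to self, DMARC not passing: the spoof-to-self pattern.
    self_spoof = (from_dom == tenant_domain.lower() and from_dom == to_dom
                  and "dmarc" in failed)
    return {"from_domain": from_dom, "to_domain": to_dom, "results": results,
            "failed": failed, "connecting_ip": ip.group(1) if ip else None,
            "self_spoof": self_spoof}

if __name__ == "__main__":
    for key, value in triage(SPOOFED, "contoso-example.com").items():
        print(f"{key}: {value}")
```

Paste the full header block of the suspicious message in place of the sample and the connecting IP tells you which host handed the message to the tenant, which is what a message trace would show if the tenant exposed one.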
 
Check their physical PC - had one of these the other day.
Some months ago, the User had clicked on a malicious "Paperless Post" invitation email's "Accept Invitation" button, which downloaded ISL SuperOps (https://superops.com/rmm/remote-access) - which looks like a "legitimate" India-based MSP service provider.
ISL SuperOps seems to be "known" by AVs, so it's largely given a pass unless your security solution blocks legit RATs.
Searching back through the user's browser history - the first thing the bad actors did was try to purchase American Airlines gift cards as well as Sephora Gift Cards. This went on for months for various retailers and services without the user noticing.

I believe they were trying to match up the user's PC with recent corporate breaches as the user didn't have any of these accounts (and is almost 80yo, and not that much into computers other than receiving emails).

So, after a few months of random tries at various retailers and services that all seemingly failed, the client's email started sending "Paperless Post" emails to all of her contacts, leading to the same ISL infection vector.

They were using the PC via Remote Desktop and directly accessing the email via their browser, as if they were the user.
 
Yep... because Godaddy means you're autotrusting secureserver.net, anyone in the Godaddy ecosystem can spoof you to your face and you can't tell it apart.
 