Is this a DKIM/DMARC issue?

thecomputerguy

I have a client on O365; there is no configuration for DKIM/DMARC, only the standard SPF record Microsoft requires to get the account set up.

Occasionally they will get an email that, to them (and to me for that matter), looks like it was sent to themselves, from themselves, when it clearly is not.

Example:

From: john@contoso.com
To: john@contoso.com
Subject: Please remit payment!

The account is not compromised, there are no unauthorized logins in Azure, and the account is set up with MFA.

When I look at the headers I see things like:
Received: from SJ0PR14MB5909.namprd14.prod.outlook.com (2603:10b6:a03:44d::21)
by SJ0PR14MB4394.namprd14.prod.outlook.com with HTTPS; Tue, 13 Sep 2022
14:01:20 +0000
Received: from DM6PR01CA0003.prod.exchangelabs.com (2603:10b6:5:296::8) by
SJ0PR14MB5909.namprd14.prod.outlook.com (2603:10b6:a03:44d::21) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.14; Tue, 13 Sep
2022 14:01:19 +0000
Received: from DM6NAM11FT089.eop-nam11.prod.protection.outlook.com
(2603:10b6:5:296:cafe::33) by DM6PR01CA0003.outlook.office365.com
(2603:10b6:5:296::8) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.12 via Frontend
Transport; Tue, 13 Sep 2022 14:01:19 +0000
Authentication-Results: spf=fail (sender IP is 140.227.179.114)
smtp.mailfrom=contoso.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none
Received-SPF: Fail (protection.outlook.com: domain of contoso.com does
not designate 140.227.179.114 as permitted sender)
receiver=protection.outlook.com; client-ip=140.227.179.114;
helo=mail.akita-hos.or.jp;
Received: from mail.akita-hos.or.jp (140.227.179.114) by
DM6NAM11FT089.mail.protection.outlook.com (10.13.173.82) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.5612.13 via Frontend Transport; Tue, 13 Sep 2022 14:01:18 +0000
Received: from [127.0.0.1] (ip93.ip-51-81-216.us [51.81.216.93])
by mail.akita-hos.or.jp (Postfix) with ESMTPSA id BC9D855B7D5

I'm going to go ahead and move forward with getting DKIM/DMARC set up in hopes that stuff like this stops. Am I on the right track? Should I enroll all of their email accounts in Microsoft Defender for Office 365 (Plan 1)?
 
So that's a classic example of spoofing....and the current EOP settings that 365 tenant has are not set strongly enough to "junk" the email since it failed the basic SPF test. Default EOP settings are...just "OK"...however you can (should) crank them up another notch.

Also..it's not being encouraged to junk the email since it has no DKIM to look at....nor a DMARC record telling it to junk failures.

So...yeah, get DKIM set up and adjust that DMARC record...and have it junk what fails. It should not accept spoofed email coming from "mail.akita-hos.or.jp (140.227.179.114)".

For any of our clients, my minimum 365 license is Biz Premium, which includes Defender plan 1 (previously known as Advanced Threat Protection)...it's a good extra beefy malware/spam/phishing/impersonation/web link protection service.
 

Yikes ... so for this particular client under

security.microsoft.com > Policies & rules > Threat policies > Preset security policies

"Standard Protection" and "Strict Protection" were both disabled. Is that the default?

I went ahead and enabled Strict for all users, and I will go ahead with DKIM & DMARC.
 
Received-SPF: Fail (protection.outlook.com: domain of contoso.com does
not designate 140.227.179.114 as permitted sender)

The message failed SPF here. It would have been junked/quarantined if you had enabled this setting in your anti-spam policy:

SPF record: hard fail

Also make sure your SPF record actually has a hard fail (-all) and not a soft fail (~all).
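As an added example (not from any poster in this thread), here is a small Python check that reads the kind of headers quoted above and flags the pattern the replies describe: From and To in the same domain, SPF fail, no DKIM signature, no DMARC result. The sample headers are a constructed, trimmed copy of the ones in the original post; the field names it parses (spf=, dkim=, dmarc=, client-ip=, helo=) are the standard ones Exchange Online Protection writes.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed copy of the headers quoted in the thread.
SAMPLE = """\
From: john@contoso.com
To: john@contoso.com
Subject: Please remit payment!
Authentication-Results: spf=fail (sender IP is 140.227.179.114)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=none action=none
Received-SPF: Fail (protection.outlook.com: domain of contoso.com does
 not designate 140.227.179.114 as permitted sender)
 receiver=protection.outlook.com; client-ip=140.227.179.114;
 helo=mail.akita-hos.or.jp;

body
"""

def parse_auth_results(value):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results
    header (RFC 8601 style), ignoring the parenthetical comments."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop "(sender IP is ...)" etc.
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", value, re.I)}

def assess(raw):
    """Return the authentication verdicts, the delivering host, and whether
    the message matches the self-addressed spoof pattern from the thread."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    # Received-SPF records the connecting IP and HELO name the receiver saw.
    spf_hdr = msg.get("Received-SPF", "")
    ip = re.search(r"client-ip=([\w.:]+)", spf_hdr)
    helo = re.search(r"helo=([\w.-]+)", spf_hdr)
    findings = []
    if from_dom and from_dom == to_dom and auth.get("spf") == "fail":
        findings.append("self-addressed message whose sender failed SPF")
    if auth.get("dkim", "none") == "none":
        findings.append("no DKIM signature to verify")
    if auth.get("dmarc", "none") == "none":
        findings.append("no DMARC policy applied")
    return {"from_domain": from_dom, "auth": auth,
            "client_ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "likely_spoof": auth.get("spf") == "fail" and from_dom == to_dom,
            "findings": findings}
```

With a DMARC record set to quarantine or reject and DKIM signing enabled on the tenant, the same headers would show dmarc=fail with an action, and EOP would handle the message before anyone had to read the Received chain by hand.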
 