Troubleshooting Spoofing and Hacking in Office365

Jennifer Agustin
Published in JJ365
7 min read · Nov 13, 2019

This blog will help you identify if your account has been compromised/hacked or spoofed. So, what is the difference between compromised/hacked accounts and spoofed accounts?

Hacking

Photo by Shahadat Rahman on Unsplash

Hacking — an account is hacked when someone has gained full access to it, meaning they have obtained or know your password or credentials. There are many possible causes for this.

Possible Causes of Hacking

  • Someone has guessed your password. Most of the time, people use their birthdays, anniversary dates, and other information available on public sites (such as social media) as their password.
  • You subscribed to a non-secure website. This usually happens through a promotion, such as a gift offer, or a phishing email.
  • You reused the same password on a different site.
  • You have a program on your computer that records your activity, such as spyware or a keylogger app.
  • A virus or malware on your computer lets its operator take over your account.

Spoofing

Photo by Andri from Pexels

Spoofing — means someone makes an email appear as though it was sent from somewhere it wasn’t, such as your email address. Someone is masking their identity to pretend to be you. Doing this is not complicated with the right software. They don’t need your password or access to your email to spoof your account. They only need to know what your email address is. It’s effortless for programmers.

Usual scenarios with Office365 Users

  • You received an email coming from your email address saying that your account is hacked, and you need to pay something to get access to your account again.
Sample email
  • You might also receive an email from somebody you know asking for money or bank account information to verify something, and that person says they never sent the email.

Troubleshooting

So, what are you going to do when you encounter cases like this?

Step 1: Identify whether it is a hack or a spoof by getting the message header of the email you received.

  • If you are using Outlook Web Application (OWA) in Office365, select the email, then click View message details.
Message Header in Outlook Web Application (OWA)
  • If you are using Outlook, open the email and click File > Properties > Copy all the Internet Headers.
Message Header in Outlook

Step 2: Check where the email is coming from by analyzing the message header through Remote Connectivity Analyzer (RCA), MX Toolbox, or Viewpoint (if you are a Microsoft employee). I recommend Remote Connectivity Analyzer because it shows all the details you need for a spoofing/hacking case very clearly.

Step 3: Paste the header in the Remote Connectivity Analyzer > Message Header and click Analyze.

Step 4: The first and most important thing to check is the Message Hops. If your email provider is Microsoft and the submitting host is Microsoft, there is a big chance that the account is hacked, unless the attacker is also using Microsoft email hosting. If the submitting host is different (assuming you don't have any third-party applications connected to Office365), then it is clearly spoofed.

Message Hops in Remote Connectivity Analyzer (RCA)

If it is hacked, then the submitting host should have the ***.prod.protection.outlook.com server.

Important Note
Here you can also see where the email is coming from, that is, where it was generated. If it is spoofed, you can block the IP address and domain in the Office365 Exchange Admin Center:

  • For the domain, you can block it through Exchange Admin Center > Protection > Spam Filter > Default > Block List
  • For the IP address, you can block it through Exchange Admin Center > Protection > Connection Filter > Default > IP Block List

Step 5: Another thing to check in the Remote Connectivity Analyzer is the return-path. The return-path, or reply address, is where replies will be delivered. Most of the time, when a message is spoofed, this is where you can find the actual sender's information. You can check it here.

From vs Return Path in Remote Connectivity Analyzer (RCA)

When the From is different from the Return-Path, it is one of the signs that someone is spoofing your account. If you don't recognize the return-path address, block it in the Exchange Admin Center.

Exchange Admin Center > Protection > Spam Filter > Sender Block List

Exchange Admin Center > Protection > Spam Filter > Domain Block List

This is to ensure that all accounts under that specific domain will be blocked in your organization.

Step 6: To know where the email originated, you can also check the x-originating-ip. It is the IP address of the client/server used to send the email.

Client IP in Remote Connectivity Analyzer (RCA)

Note: You can use iplocation.net to check where the email originated.

From here, you can see the Country, Region, and the City.

  • If all the emails are coming from a different country, you can enable International Spam Filtering in Office365.
    Exchange Admin Center > Protection > Spam Filter > Default > Advanced > International Spam
  • You can also block the IP address from Connection Filtering in Office365.
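Steps 4 to 6 above can be applied to a pasted header block by a small script. The following is an added example, not code from the original post or from any Microsoft tool: it reads a raw header, finds the submitting host from the earliest Received hop, compares the From and Return-Path domains, and pulls the x-originating-ip. The two sample headers are constructed (reserved `.example` domains and documentation IP addresses), and the `*.prod.outlook.com` suffix is an assumption added beside the `*.prod.protection.outlook.com` pattern the post names.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Submitting hosts with these suffixes count as Microsoft-hosted (Step 4). The post
# names *.prod.protection.outlook.com; *.prod.outlook.com is the Exchange Online
# mailbox-server naming pattern (an assumption, not from the post).
MICROSOFT_SUFFIXES = (".prod.protection.outlook.com", ".prod.outlook.com")

# Constructed sample headers, not real messages: reserved .example domains and
# 203.0.113.0/24 documentation addresses. Received headers are newest-first.
SPOOFED_HEADER = """\
Received: from NAM12HT001.eop-nam12.prod.protection.outlook.com (2603:10b6:1::5) by NAM12FT001.mail.protection.outlook.com with HTTPS; Wed, 13 Nov 2019 09:15:02 +0000
Received: from mail.bulkmail.example (203.0.113.45) by NAM12HT001.eop-nam12.prod.protection.outlook.com (10.13.177.63) with Microsoft SMTP Server; Wed, 13 Nov 2019 09:15:01 +0000
From: Jane Victim <jane@contoso.example>
To: jane@contoso.example
Return-Path: <bounce@bulkmail.example>
X-Originating-IP: [203.0.113.45]
Subject: Your account has been hacked
"""

HACKED_HEADER = """\
Received: from NAM12PR01MB0001.namprd12.prod.outlook.com (2603:10b6:2::7) by NAM12PR01MB0002.namprd12.prod.outlook.com with HTTPS; Wed, 13 Nov 2019 10:02:00 +0000
From: Jane Victim <jane@contoso.example>
To: bob@contoso.example
Return-Path: <jane@contoso.example>
X-Originating-IP: [203.0.113.200]
Subject: Urgent wire transfer
"""

def submitting_host(msg):
    """Host named in the 'from' clause of the earliest (bottom-most) Received hop."""
    hops = msg.get_all("Received") or []
    m = re.match(r"from\s+([^\s(]+)", hops[-1].strip() if hops else "", re.I)
    return m.group(1).lower() if m else None

def analyze_header(raw):
    """Apply the post's Steps 4-6: submitting host, From vs Return-Path, origin IP."""
    msg = email.message_from_string(raw, policy=policy.default)
    host = submitting_host(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hosted_by_microsoft = bool(host) and host.endswith(MICROSOFT_SUFFIXES)
    return {
        "submitting_host": host,
        "return_path_mismatch": from_domain != rp_domain,  # Step 5 spoofing sign
        "x_originating_ip": (msg.get("X-Originating-IP") or "").strip("[] "),
        "verdict": "likely hacked" if hosted_by_microsoft else "likely spoofed",
    }
```

The verdict only encodes the post's heuristic; a tenant with third-party connectors or a Microsoft-hosted attacker still needs the manual review the post describes.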

Steps to do when your account is Hacked!

Step 1: Change your password

Step 2: Sign out of all devices using the OneDrive for Business Sign Out feature in the Admin Center.

portal.office.com > Admin Center > Active Users > [Select the affected Users] > OneDrive Settings > Sign Out

Note: Initiate a one-time event that will sign this person out of all Office 365 sessions across all devices. It can take up to 15 minutes for the process to complete. This person will be able to immediately sign back in unless you have also blocked their sign-in status.

Step 3: Implement Multi-Factor Authentication (MFA). This makes your account more secure because it asks for another verification through your mobile phone.

Admin Center > Active Users > [Select the Affected Users] > More Settings > Manage multi-factor authentication > Enable
Enable Multi-Factor Authentication (MFA)

Steps to do when your account is Spoofed!

Step 1: Block the submitting host IP address and the x-originating-ip address in Office365 Connection Filtering.

Step 2: Block the return-path (if different from the From) in Office365 Spam Filtering.

Step 3: Create a transport rule to block all emails that were not generated from Office365.

Note: If you use a third-party client application that sends through Office365 using SMTP authentication, add an exception to the rule.

Transport Rule for Spoofing

The above rule will block all the messages that were sent using your domain but did not originate from Office365 Servers.

Step 4: Implement DKIM and DMARC. DMARC is effective against spoofing since it automatically detects spoofed emails and performs an action depending on the conditions you set. DMARC will not work without DKIM since it checks whether DKIM and SPF both passed authentication. It cross-checks the account and prevents spoofing from happening.

For information on how to set up DMARC, please check this Microsoft Article: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email

Prevention steps to avoid getting hacked or spoofed

1. Do not use your Office365 email address on non-Microsoft sites.

2. Avoid phishing emails. Make sure to check that an email you received is legitimate, especially if it asks for sensitive or personal information.

3. Never give your password to anyone. Social engineering is one of the leading causes of hacking.

4. Always update your password from time to time and make it strong and complex. Never use a password that contains your name or anything that can easily be found on social media.

5. Avoid visiting sites that contain promotional ads or tell you that you have won something when you know you didn't subscribe to anything.

6. Set up multi-factor authentication, especially for Global Administrators.

For more information on how to protect your account, access this Microsoft Article:
https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide

I hope you are now able to differentiate hacking and spoofing. You should have a better idea of what to do when you encounter one. Even if Office365 offers built-in Exchange Online Protection for your security, you are still the last line of defense and responsible for protecting your identity. Remember, not all causes of spoofing and hacking are in Microsoft's hands. Be vigilant; protect your identity.

Until my next blog. Thank you.

Jennifer Agustin, Editor for JJ365
MCSE Level 2 Cloud Support Engineer for Office365