
How attackers bypass third-party spam filtering

The third-party cloud spam filter is configured, and everything appears to work as expected. Or so you thought, because spam messages are still showing up in users' mailboxes. So what is happening? In this article, you will learn how attackers bypass a third-party spam filter by delivering mail directly to Microsoft 365.

Get Microsoft 365 MX record

Attackers don't have to put much effort into obtaining the Microsoft 365 MX record. That's because Microsoft generates a predictable default MX record hostname as soon as you add a domain to the Microsoft 365 tenant.

Have a look at the table below:

Domain       Microsoft 365 MX record
exoip.nl     exoip-nl.mail.protection.outlook.com
exoip.com    exoip-com.mail.protection.outlook.com

Now that we have the MX record for the domain, we can proceed further.

Send email to Microsoft 365 MX record hostname

We will use the Wormly SMTP test tool to send a message, using the Microsoft 365 MX record hostname as the SMTP server. You could also use telnet to send the message, but some ISPs block outbound port 25, in which case you can't proceed. An external SMTP test tool avoids that problem, as shown here.

Fill in the below details:

  • Hostname or IP: The Microsoft 365 MX record
  • Email address: The user’s email address
  • TCP port: 25 or leave empty
  • Send SMTP test email?: Yes (so we can inspect the message header)

After you fill in everything, click on the button START SMTP TEST.

[Screenshot: SMTP test form]

The SMTP test results show that the tool resolved the MX record to an IP address and delivered the message to the user's mailbox.

[Screenshot: SMTP test results]

Analyze message header

Go to the Microsoft 365 user inbox and open the message. Next, view message details and copy the message header.

[Screenshot: View message details]

Paste the copied message header into the Message Header Analyzer by Microsoft and click the Analyze headers button.

There is no sign of the third-party cloud spam filter. The message went straight to the user’s inbox through Exchange Online.

[Screenshot: Message Header Analyzer output]
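The header check above can be automated for a whole mailbox export. The following is an added example (not code from the original article): it parses the Received: chain and reports whether Exchange Online accepted the message from the third-party filter or directly from the internet. The filter domain, host names and IP addresses are constructed; only the Microsoft suffix is real.

```python
"""Flag mail that reached Exchange Online without passing the third-party filter.
Added example, not code from the original article; the filter domain, host
names and IP addresses below are constructed (only the Microsoft suffix is real)."""
import re
from email import message_from_string

# The Received: header stamped when a message enters Microsoft 365 names the
# accepting front-door host in its "by" clause; the "from" clause is the sender.
EXO_INBOUND_SUFFIX = ".mail.protection.outlook.com"


def parse_received(raw_headers: str) -> list[dict[str, str]]:
    """Return Received: hops, newest first, as {'from': host, 'by': host}."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+([^\s;()]+)", flat)
        m_by = re.search(r"\bby\s+([^\s;()]+)", flat)
        hops.append({"from": (m_from.group(1) if m_from else "").lower(),
                     "by": (m_by.group(1) if m_by else "").lower()})
    return hops


def entered_via_filter(raw_headers: str, filter_domain: str) -> bool:
    """True only if the hop where Exchange Online accepted the message came from a
    host under filter_domain; a direct submission to the MX host returns False."""
    filter_domain = filter_domain.lower()
    for hop in parse_received(raw_headers):
        if hop["by"].endswith(EXO_INBOUND_SUFFIX):
            return hop["from"] == filter_domain or hop["from"].endswith("." + filter_domain)
    return False  # no Exchange Online inbound hop found at all


# Constructed headers. FILTERED took the intended path sender -> filter -> M365;
# DIRECT was submitted straight to the Microsoft 365 MX host, as in the article.
FILTERED = """\
Received: from mx1.filter.example-spamservice.com (198.51.100.20) by
 AM5EUR03FT058.mail.protection.outlook.com (10.152.16.185) with Microsoft SMTP
 Server; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.example (192.0.2.7) by
 mx1.filter.example-spamservice.com; Mon, 1 Jan 2024 10:00:01 +0000
"""
DIRECT = """\
Received: from smtp.unfiltered-relay.example (203.0.113.10) by
 AM5EUR03FT058.mail.protection.outlook.com (10.152.16.185) with Microsoft SMTP
 Server; Mon, 1 Jan 2024 10:05:00 +0000
"""

if __name__ == "__main__":
    for name, hdr in (("filtered", FILTERED), ("direct", DIRECT)):
        ok = entered_via_filter(hdr, "filter.example-spamservice.com")
        print(f"{name}: {'via filter' if ok else 'BYPASSED FILTER'}")
```

Run the check over exported headers of recently delivered mail; any message that returns False arrived without the filter seeing it, which is exactly the condition the article demonstrates.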

You might say that Exchange Online Protection (EOP), Microsoft's default hygiene solution, will catch the spam messages. But remember that because you have a third-party spam filter in the organization, you bypass EOP with enhanced filtering for connectors, so EOP does not stop these messages either.

Important: You should never have a third-party spam filter and EOP active simultaneously. Two active spam filters in the organization is asking for serious trouble.

Solution to attackers bypassing third-party spam filtering

Now that we have a clear understanding of how attackers go to work, bypassing the third-party spam filter and delivering straight to users' inboxes, the question is: what is the solution?

Read the solution in the article How to configure Microsoft 365 to only accept mail from the third-party spam filter.

Conclusion

You learned how attackers bypass third-party spam filtering. If you have a third-party spam filter in the organization, test it: send an email to a Microsoft 365 mailbox using the Microsoft 365 MX record as the SMTP server. If the message is delivered, that is a problem, and you need to apply the solution immediately.

Did you enjoy this article? You may also like Stop Exchange Server sending spam. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started in Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 10 Comments

  1. Hi Ali,
    I am sorry, but with this configuration you will no longer receive messages sent to your @mail.onmicrosoft.com email addresses. This is because you cannot move the mail.onmicrosoft.com domain to your antispam, and you are accepting just the messages that come from your antispam. Am I maybe wrong?
    Thanks in advance!

    Mario

  2. Proofpoint user: nothing is explained in the documentation about this flaw and how to plug it… I find it quite crazy.

    I hope the rest of your article will come soon.

    1. It’s not only Proofpoint that does not cover this flaw. So far, I have seen that all third-party cloud mail filtering services don’t do it.

      Hopefully, they will wake up and create documentation that explains the danger and the solution for it because Microsoft 365 customers with a third-party spam solution must configure this on every tenant!

      1. Thank you Ali,

        I got some emails from Microsoft a few days ago: Phish delivered due to an ETR override

        I wonder if it is not due to this flaw.

        Microsoft, even if you deactivate it, must still scan a little to prevent this.

        1. There are two methods to configure the third-party spam filter with Microsoft 365:

          1. Mail flow rule
          2. Enhanced filtering for connectors

          The ETR alert means that Microsoft identified an email as potential phishing and would have put the email into the junk folder, but because of the mail flow rule, that action was not taken.

          If you don’t want to get ETR alerts, remove the mail flow rule and use enhanced filtering for connectors (the recommended option). This will also not break authentication signals such as SPF, DMARC, and DKIM.

  3. This article is good to know for those who are new to Exchange Online.
    Otherwise this is a very old trick, which we use in relaying email (direct send and SMTP relay), where we need to point our email application's smart host address directly to Office 365.

    This only works when we have 3rd party filtering, although for protection we can use EOP.

    1. This article is suitable for anyone who uses or wants to learn Exchange Online (EXO).

      If Exchange Online Protection (EOP) is the choice for mail filtering, everything is set already, and you can use Office 365 SMTP relay.

      Suppose you have a third-party spam filter and are bypassing EOP (which you should); then you need to apply the solution, so attackers can't send emails by pointing directly to the Microsoft 365 MX record.

      An excellent third-party service for mail filtering will let you relay email (outgoing) through their service, and you should not use Office 365 SMTP relay.
