
    Office 365 NDR for strange email address.

    • RomoR
      Romo
      last edited by

      So currently checking a user's account who's been getting Non-Delivery Reports for emails he hasn't been sending himself or replying to himself. This is caused by publicity email coming into his mailbox which appears to trigger some sort of autoreply to this mail address [email protected].

      Screenshot from 2020-01-14 14-55-11.png
      The user's main method of access to his mail is via his iPad and iPhone. He does have a Windows machine which in the first instance I believe was the culprit, but he doesn't have any email clients there. Whenever he needs to use the laptop he logs in via OWA from his browser and he pretty much never really uses the machine.

      From within Office 365 admin and exchange consoles, I don't see anything that would be set to forward emails or autoreply to specific ones. We have already reset the account's password and it still keeps happening.

      Does anyone have an idea of what other things to check to avoid this happening?

      For now, I have set a mail flow route targeted at this recipient so the user doesn't get the NDR emails while we try to dig up what is actually happening.

      • DashrenderD
        Dashrender @Romo
        last edited by Dashrender

        @Romo said in Office 365 NDR for strange email address.:

        This is caused by publicity email coming into his mailbox which appears to trigger some sort of autoreply to this mail address [email protected].

        How do you know this? Where is the email (and possibly more important) the header of that email that's causing the "auto reply" on your end to happen?

        Can you share the header on one of these emails (the one in the OP)?

        Have you enabled outbound logging to see if this user really is sending anything out to that address at all?

        • RomoR
          Romo @Dashrender
          last edited by

          @Dashrender Screenshot in OP is the log from the trace on the user's account trying to send to [email protected]; it's failing but it is trying to.

          Here is an example of the header, where you can see it's trying to email that address.
          2020-01-14 15_40_32-Fotos.png

          Doesn't seem to be any rule on the mailbox but the default ones:
          2020-01-14 15_52_27.png

          • DashrenderD
            Dashrender
            last edited by

            How about the message you think might be triggering this?

            Does a scan of his email show this address in anything in his account?

            • RomoR
              Romo @Dashrender
              last edited by

              @Dashrender No, incoming email is regular email; no traces of this [email protected] address on incoming mail.

                • ObsolesceO
                  Obsolesce
                  last edited by

                  You can also check the audit logs in O365 to confirm successful logins not from him.

                  • ObsolesceO
                    Obsolesce
                    last edited by

                    Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.

                    • ObsolesceO
                      Obsolesce @Romo
                      last edited by

                      @Romo said in Office 365 NDR for strange email address.:

                      Does anyone have an idea of what other things to check to avoid this happening?

                      Have him log into OWA and look for auto replies or rules set up.

                      • ObsolesceO
                        Obsolesce
                        last edited by

                        There could also be rules set up in O365.

                        • F
                          flaxking
                          last edited by

                          I'm pretty sure there is an NDR Backscatter setting in spam rules

                          • RomoR
                            Romo @Obsolesce
                            last edited by

                            @Obsolesce said in Office 365 NDR for strange email address.:

                            Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.

                            Not sure what is causing it yet really, I can't seem to find any autoreply or rule enabled.

                            • DashrenderD
                              Dashrender @Obsolesce
                              last edited by

                              @Obsolesce said in Office 365 NDR for strange email address.:

                              Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.

                              Wouldn't an auto-reply mean that an email has to come in with a reply address of the one in question?

                              • ObsolesceO
                                Obsolesce @Dashrender
                                last edited by Obsolesce

                                @Dashrender said in Office 365 NDR for strange email address.:

                                @Obsolesce said in Office 365 NDR for strange email address.:

                                Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.

                                Wouldn't an auto-reply mean that an email has to come in with a reply address of the one in question?

                                To me, it looks like a spam email is being sent in, and from what OP said, the user may have something set up that is auto-replying to the spam email, which has a reply address consisting of a non-existent domain, which is causing the NDR.

                                • DashrenderD
                                  Dashrender @Obsolesce
                                  last edited by

                                  @Obsolesce said in Office 365 NDR for strange email address.:

                                  @Dashrender said in Office 365 NDR for strange email address.:

                                  @Obsolesce said in Office 365 NDR for strange email address.:

                                  Oh just seen they were caused by an auto reply. Just disable auto replies to that domain and g2g.

                                  Wouldn't an auto-reply mean that an email has to come in with a reply address of the one in question?

                                  To me, it looks like a spam email is being sent in, and from what OP said, the user may have something set up that is auto-replying to the spam email, which has a reply address consisting of a non-existent domain, which is causing the NDR.

                                  Right - but I inquired earlier if they had found an actual email with the invalid email address in it? and the answer was - no, they found no email with the bad email address in it.

                                  • RomoR
                                    Romo @Obsolesce
                                    last edited by

                                    @Obsolesce Found the client side rules that were set to forward to that address, thanks

                                    • DashrenderD
                                      Dashrender @Romo
                                      last edited by

                                      @Romo said in Office 365 NDR for strange email address.:

                                      @Obsolesce Found the client side rules that were set to forward to that address, thanks

                                      What client? something on mobile?

                                      • RomoR
                                        Romo
                                        last edited by

                                        @Dashrender said in Office 365 NDR for strange email address.:

                                        @Romo said in Office 365 NDR for strange email address.:

                                        @Obsolesce Found the client side rules that were set to forward to that address, thanks

                                        What client? something on mobile?

                                        Rules were set on OWA, targeting specific keywords on emails; that was why not all emails were trying to get forwarded. Account was indeed compromised.

                                        • ObsolesceO
                                          Obsolesce
                                          last edited by

                                          Azure AD > Monitoring > Sign-ins: to track unauthorized access to accounts. There's no telling what all they did, so it may be best to back up the data and recreate the account... and of course enable 2FA/MFA on ALL accounts.

                                          • wrx7mW
                                            wrx7m @Obsolesce
                                            last edited by

                                            @Obsolesce said in Office 365 NDR for strange email address.:

                                            Azure AD > Monitoring > Sign-ins: to track unauthorized access to accounts. There's no telling what all they did, so it may be best to back up the data and recreate the account... and of course enable 2FA/MFA on ALL accounts.

                                            This is a good idea. You can also set alerts to be notified if forwarding rules are created like the ones you discovered.

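The check this thread converged on, as an added example that is not part of any post above: a PowerShell audit that lists inbox rules in every mailbox which forward or redirect to addresses outside the tenant, together with the keyword conditions such rules use. It assumes the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session; the helper `Test-ExternalRecipient`, the recipient string format it parses and the output file name are assumptions made for this example.

```powershell
# Added example: find inbox rules that forward/redirect mail outside the tenant.
# Assumes an existing Connect-ExchangeOnline session with rights to read
# mailboxes and inbox rules.

# Domains the tenant owns; anything else counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalRecipient {
    # Hypothetical helper. Assumes rule targets are rendered as
    # '"Name" [SMTP:user@example.com]' or '"Name" [EX:/o=...]'.
    param([string]$Recipient)
    if ($Recipient -match 'SMTP:[^@\]]+@([^\]\s]+)') {
        return $internalDomains -notcontains $Matches[1]
    }
    # EX: entries are directory recipients; a mail contact can still point
    # outside the tenant, so review those by hand.
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # -IncludeHidden also returns rules that clients do not display.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -IncludeHidden) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) +
                   @($rule.RedirectTo) | Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalRecipient $_ }
        if (-not $external) { continue }

        # Keyword conditions explain why only some messages get forwarded.
        $keywords = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                    @($rule.SubjectOrBodyContainsWords) | Where-Object { $_ }

        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Rule     = $rule.Name
            Enabled  = $rule.Enabled
            Targets  = $external -join '; '
            Keywords = $keywords -join '; '
            Deletes  = [bool]$rule.DeleteMessage
        }
    }
}

# Constructed output path; review every row, then remove confirmed rules
# with Remove-InboxRule.
$findings | Sort-Object Mailbox |
    Export-Csv -Path .\external-forwarding-rules.csv -NoTypeInformation
$findings | Format-Table -AutoSize
```

A rule that shows up here with keyword conditions and an unfamiliar external target is the pattern Romo found; pair the result with the sign-in log review Obsolesce describes before deciding the account is clean.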