
Phishing: EFile Document Notification


Yippee! An eFile Notification…

Yesterday evening, I traveled to Copenhagen to speak at the European SharePoint Conference. While on the modern (driverless) metro to the Bella Center, I received an odd email telling me that I’d received an “eFile Notification” from someone I didn’t know. Apparently (and very excitingly), an encrypted OneDrive document awaited my attention, if only I’d open the HTML attachment.

My exciting email

Problems with the Message

Any experienced Office 365 user will recognize a couple of problems with this message.

In any case, to confirm my suspicions, I looked up the domain that the message supposedly came from and found that keller-services.com is a heating contractor in Texas. Their web site doesn’t use HTTPS, which might be why it was hijacked. In any case, I don’t need heating services and I am not in Texas, so there’s no reason for accepting email from this domain.

Message Headers

The useful Message Header Analyzer (MHA) add-on for Outlook can confirm problems with messages. When I looked at the headers, I found that the real originator of the message was an Office 365 tenant called netorg533059.onmicrosoft.com (MXLookup reports that the email MX record for keller-services.com is managed by Proofpoint). A mismatch between the purported sending domain and the actual domain is usually a bad sign. The IP address reported in the header is offline or unreachable too.

MHA reveals message secrets
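The checks described above (does the visible From domain match the tenant that actually sent the message, did SPF/DKIM/DMARC pass, is there an HTML attachment) can be scripted over a raw message. The example below is added here and is not from the post or from the MHA add-on. It assumes that the originating tenant is exposed in the Exchange Online `X-OriginatorOrg` header (the post does not say which header MHA used to reveal the tenant); the sample message is constructed, with only the two domains taken from the post and every other value (IP addresses, hostnames, timestamps, filenames) made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message. The two domains are the ones named in the post;
# every other value (IP addresses, hostnames, timestamps, filenames) is made up.
SAMPLE_MESSAGE = """\
Received: from mail-placeholder.outbound.protection.outlook.com (192.0.2.10)
 by mx.example.net with ESMTPS; Mon, 26 Nov 2018 17:05:12 +0000
Authentication-Results: mx.example.net; spf=fail (sender IP is 192.0.2.10)
 smtp.mailfrom=keller-services.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=keller-services.com
X-OriginatorOrg: netorg533059.onmicrosoft.com
From: "eFile Notification" <notify@keller-services.com>
To: recipient@example.net
Subject: eFile Document Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary-placeholder"

--boundary-placeholder
Content-Type: text/plain; charset="utf-8"

You have received an encrypted OneDrive document. Open the attachment to view it.
--boundary-placeholder
Content-Type: text/html; name="eFile_Document.html"
Content-Disposition: attachment; filename="eFile_Document.html"

<html><body>placeholder body</body></html>
--boundary-placeholder--
"""


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    _, addr = parseaddr(str(address))
    return addr.rpartition("@")[2].lower()


def auth_verdicts(header_value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", str(header_value))
        verdicts[method] = match.group(1).lower() if match else "missing"
    return verdicts


def analyze(raw_message):
    """Return the sender facts a header review looks at, plus a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    # Assumption: X-OriginatorOrg (Exchange Online) names the tenant that sent the mail.
    originator = str(msg.get("X-OriginatorOrg", "")).strip().lower()
    verdicts = auth_verdicts(msg.get("Authentication-Results", ""))
    findings = []

    # 1. The visible From domain should belong to the tenant that actually sent the mail.
    if originator and originator != from_domain and not originator.endswith("." + from_domain):
        findings.append(f"From domain {from_domain} does not match originating tenant {originator}")

    # 2. Any non-pass SPF/DKIM/DMARC verdict means the From domain did not vouch for the message.
    for method, verdict in verdicts.items():
        if verdict != "pass":
            findings.append(f"{method} verdict is {verdict}, not pass")

    # 3. HTML attachments are a common carrier for credential-harvesting pages.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".htm", ".html")) or part.get_content_type() == "text/html":
            findings.append(f"HTML attachment present: {name or '(unnamed)'}")

    return {
        "from_domain": from_domain,
        "originator": originator,
        "verdicts": verdicts,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGE)
    print(f"From domain:        {report['from_domain']}")
    print(f"Originating tenant: {report['originator']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the sample, the script reports the tenant mismatch, the three failed or absent authentication verdicts, and the HTML attachment; a message whose From domain matches its originating tenant and passes all three checks produces no findings. Feed it a real message saved as .eml from Outlook to reproduce the kind of review MHA does by hand.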

I could go on, but decided to simply report the message to Microsoft as a possible (!!!) phishing attempt and let their Exchange Online Protection team work out why the message got through the array of anti-malware checks used to cleanse the inbound stream to Office 365.

But let’s be clear. Although the Office 365 anti-malware checks are very good, the competition between hackers and defenders is ongoing and will continue – and some suspicious email will always get through. Driving user awareness through education about the signs that a message might not be as nice as it seems to be is the backstop for anti-malware.

The array of anti-malware checks and tools available in Exchange Online Protection and Advanced Threat Protection for Office 365 is described in Chapter 17 of the Office 365 for IT Pros eBook. Because I read Chapter 17, I knew what to look for in the bad message.
