Office 365 사용자는 약 100통의 이메일이 자신에게서 전송된 것으로 확인되었습니다. 일종의 악성 PDF 첨부 파일이 있습니다. 메시지 헤더에는 이메일의 초기 소스로 "수신됨: XXX.XXX.PROD.OUTLOOK.COM에서"가 표시됩니다. 보낸 이메일은 내부 및 외부 수신자 모두에게 Exchange Online 메시지 추적에 표시됩니다. 그러나 사용자의 보낸 편지함 폴더에는 표시되지 않습니다.
이것은 누군가가 자신의 계정을 성공적으로 해킹했다는 것을 증명합니까(그 사람으로 로그인했음) 아니면 다른 설명이 있을 수 있습니까?
이메일이 보낸 편지함에 있는지 여부와 누군가가 해당 사용자로 로그인하지 않고도 보내는 이메일이 메시지 추적에 있을 수 있는지 여부를 결정하는 요소를 이해해야 합니다.
우리는 그의 비밀번호를 변경하고 그의 PC에 악성 코드가 있는지 확인했습니다. 재발을 방지하기 위해 할 수 있는 다른 조치가 있습니까?
업데이트: 샘플 이메일 헤더가 약간만 수정되었습니다.
Received: from MM1P123MB1050.GBRP123.PROD.OUTLOOK.COM (10.166.235.24) by
MMXP123MB1376.GBRP123.PROD.OUTLOOK.COM with HTTPS via
MMXP123CA0017.GBRP123.PROD.OUTLOOK.COM; Fri, 16 Mar 2018 09:33:43 +0000
Authentication-Results: [somedomain].co.uk; dkim=none (message not signed)
header.d=none;[somedomain].co.uk; dmarc=none action=none
header.from=[somedomain].co.uk;
Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM (10.166.217.148) by
MM1P123MB1050.GBRP123.PROD.OUTLOOK.COM (10.166.217.152) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.588.14; Fri, 16 Mar 2018 09:33:40 +0000
Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
([fe80::bd23:2882:93cc:c179]) by MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
([fe80::bd23:2882:93cc:c179%14]) with mapi id 15.20.0588.016; Fri, 16 Mar
2018 09:33:39 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: somename lastname <somename.lastname@[somedomain].co.uk>
Subject: Important New Document
Thread-Topic: Important New Document
Thread-Index: AQHTvQgYiGQw1JKKkUqd6+Gw0vjPcg==
Date: Fri, 16 Mar 2018 09:33:39 +0000
Message-ID: <MM1P123MB10344D41BCA2D78978E4E07AB2D70@MM1P123MB2034.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <MM1P123MB10344D41BCA8D78958E4E08AB2D70@MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM>
MIME-Version: 1.0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-Originating-IP: [104.238.169.26]
X-MS-Exchange-Organization-Network-Message-Id: c73bdaf1-0213-4d24-0323-08d58b210068
X-MS-PublicTrafficType: Email
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1034;35:kkBmPP7Ug2FbZQv6FmW4qdaBWuYCBMr2zepmSHBV2rdHXXwDyIzi9ducjSfxpVuRt/dOsLsDrz0OZ4mNI1aHqA==
To: Undisclosed recipients:;
Return-Path: somename.lastname@[somedomain].co.uk
X-MS-Office365-Filtering-Correlation-Id: c73bdaf1-0213-4e24-0323-08d58b210068
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(2017052603328)(7153060)(49563074)(7193020);SRVR:MM1P123MB1050;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;3:MKs5dzQ/5p8jCk129hgZqVFyrVdW4oqo956FU19Gz6o66Unzd8gOmuAe96KHit/deI2AGcyk5YsW4TdOBUpvDRDE/biwpipBNWqCew73rz2QTq0UigEkF/tpEDsZrjfYFy7ttCS5WOCCF9ucTE/csak2HFuOhClND6vgOYTkIv2vO71EuwXEV1VEVSjJY2xa8vQVgujXpV8fXjuHfMsSf15b4jEKrR4DNrfBLKBBzlhAhV9sRhrwgNpkJw6jXzwu;25:lsCL0Xn0ALPbUZX7lN0wSHe3M03QBMrYjezvAOzvmeVZuw2GxtDyDocNxIOdKS6Dq8SPBMS4VpO0QyROPaBKDZN+KMl5W+kJp8zB3MbkK/XWXu+WSCopjtRqHhSnmlMDg3sM+wrZH/KajOUG6tpX9sV3oJvgUxe+QKrNFkQIPiR9CtzbOHfVIP3qlIwPalPZKvePtxAqi8VTqEd2zEhYgkFgb42rGQiojV+u886t63cDuk48gONDh50zTKCNZBsx+WMp50Mvf1DTMQvrhGlI19jFPQXBn+OWFspUbYl4RU/ffNzeScDtd5MQlQHRrVMWVtRyPMSSpFNunAF0v3FPpQ==;31:6/IkDDU1nB+3jDDavYeG/5F/SVFU6klrmyNZybg+jl6aWOby3KSnbGW0flAnSdoMgMXLQmIwBWPSst2OvZxkUr/krEl9bUWQ6yAd29ApyLevAn3Bz1MFWY0rBCMYUWKLDqywMdme2t2jdzRgsL3ptcLOHTf+uyHkPxdwXgMMdpskEiXjSiEdZ44zQ+6sfG7mE4L6kne1szkFD7oOpEpq634v1uMG18OPIH7wZnl7cG4=
X-MS-TrafficTypeDiagnostic: MM1P123MB1050:
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(102415395)(9101524173)(2401047)(8121501046)(10201501046)(3002001)(3231221)(944501281)(52105095)(93006095)(93001095)(201708071742011);SRVR:MM1P123MB1050;BCL:0;PCL:0;RULEID:;SRVR:MM1P123MB1050;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;4:YiLYVcHiqdwQ2TvyHy73ZHflE4/t75LwbybbMbaUqb5+lDNcIt67qn8n1nguaN2DoJe5+A4SuUkRsXlU/B5beqY3VYKgjgDT4gX88aVRThxarwKGVWq3QSibHpRJ5SfEqHCEd+VjsAKpsyUaRhoMlb1khU4g5ZUScRse0NSr5JzGCykJXq2owW26lTVRVR996gR+lNNqbnRjHznKB0B7wJ1j6VaiyN+/KkdVIuGOOoqg6YhOAqtmlst+5p+RLn6pJheu/X2FTt1tvXGuonj28g==;23:/+BLEjWIxDShX9ISFYWuiCw/K2j0u5PyWxPnIa83Phz8tNUSbo/DIC5s9WX7w0t4TwSPlSpfmYySC88zZfTY6w62AzLhU7Qu3b+dgCcFrEsK7sbd9du+eGzfc+Koh5Q6cUKPZs6STtr/AM2+n3ud1g==;6:uMHoPglLFm5KjX+egFCC8o1xTqoOy2wC5PCQ2Hwsg8JbPHD4b+0d+nvdJrfqVhYKDZ4fb+sYjAM++qegs0RcdatAJOf16FxmVi6KWBi4tY2MKsDQzCcwrFQp2SsrNnUoXZ9MoXQBg5alkozBSoLqSA9IVj8uLA6fl1NqV126Pa0v/fR6eUgiCthevxvI7zCWhG8LaMQ9NTNT/LYW/T1QXliUEkRz+9fc8RO2TKd0qeyxHYmRVhdRZDCeF9wdkTrng/Kw/uMerN/pADH+YNaaIYhUbexjNmSMkqQk0LKqXl2iLmZ0Nok5Yt0V/pi/8LFGj2hOLW0wKysIe0QYWVKAWx1be7CjXAJRoh3CA+WbvKKw77GlzndPrzWiXwq3jFjLTlyiHEGog8KgrLMM156esg==
X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:MM1P123MB1050;H:MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM;FPR:;SPF:None;LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;5:wHYf7tAv11+nrCsudTXtynwYAPuhi1pzk3yOAme0fA8z6IocnoWhR177EFgZq1Xc0IJFtlepjfGvPRfSpV6khoOmvfBnc888+li7MWPy9MmcytBamFFNTBRRQubNXlVX4iod/sx0/B0P5S/XM3QUj8ePQqDFpImOihsJ9H0aO74=;24:4kyptGwsYWd1ZT+26o+I0CBQlBrcQ8h+zew6YTmtUXA9N/geEmMrI4MKVi9fA7d4rubwuZP41qSgyOUJnF7mhhK5bcdtC6r3plfk/yBW1Ik=;7:z3M30YeKmiLr5ZIQZyr7CdYHNyz9BMehyMHzopBPtKiUgRfCDgrBQPZRKv/F5OXywocBBjEqDwMRSM9JiOJ+VYZtyB+JXs21UBGgcGOlA7hQ3Hvf962KPM8Bk2NYMrtQJFZX38C4Yz9AiV0tYwYI5VMCP/fgO1m4535y8l6thoUJ7n2XhdO98SlILO4oS72KwO2/o9cPjmOFzjSWZ0+2QF/KiB6r/VQiD7MeOTjWlNfr/EsEoXT1OigLdhScT85y
SpamDiagnosticOutput: 1:0
X-MS-Exchange-Organization-Recipient-P2-Type: Bcc
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Mar 2018 09:33:39.6510
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: ca1b5da9-6835-4de9-bcdb-725dd3465770
X-MS-Exchange-CrossTenant-Network-Message-Id: c73bdaf1-0213-4d34-0323-08d58b210068
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MM1P123MB1050
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.6173868
X-MS-Exchange-Processed-By-BccFoldering: 15.20.0588.000
X-Microsoft-Exchange-Diagnostics:
1;MMXP123MB1376;9:JeTvLnsi4tWvcXHjg15P88aBMJDwS5f1cmKeerPeym9XHWffsOWF02ezQoaUszKtnPAzrUeVeD1JXwn0D73LmoKOzSSmOhvKV/qDnW7i4NSMg8izAEZ4nGrtqIuwb60w
X-Microsoft-Antispam-Message-Info:
42YAk622i4b1TInn5/SNrkWM2WM/YRVLnepCJZPatr5a5tFQGXQ3bBOu5zjNrTOPitdlDLRMFGvxptU1TeCxJmkbXqXmpQStW85oIvB3YDQ7Oc0aqR1D7gCfxwPH/xF0yoP7oY2MZgR0mt28ZTFlumzOIZiUFROq74AN5faDHvCZSzcwQQ74n53d9tPCPXpwj2joudqcI+DdOuB9OhvzRk6B3JMtIlWvZmtptF2VYAGAJ12n66xEMxrasY70Q44taDysFoV957KHwN6HBd4LGc9PmUBh+qyAfbZPvIVfbVYU1JKmveiMgVRF0k3FmUyiAp25+/SZ3W6eFs9LKsx+EQ==
X-Microsoft-Exchange-Diagnostics:
1;MMXP123MB1376;27:hDScNnAaL4YD31DCET01EwH48PoQxhTLLMf4TVCiQ52Pi5zX0Euf7jis8bhP6CvWSsVDul58ojaseWCRFR0M6KH3OXgc
답변1
그렇습니다. 이메일이 스푸핑된 것이 아니라 실제로 Microsft에서 보낸 것이므로 누군가가 귀하의 Outlook.com 자격 증명을 가지고 있는 것 같습니다.
이틀 전에도 사용자가 OneDrive에 있는 것으로 추정되는 문서에 대한 가짜 이메일의 가짜 링크를 받은 것과 비슷한 일이 있었습니다. 링크를 클릭하면 자격 증명을 요구하는 가짜 사이트로 연결되었습니다. 입력한 후에는 Outlook.com 계정을 사용하여 수집할 수 있는 모든 이메일 주소로 이메일을 보냈습니다. 따라서 이러한 주기는 계속됩니다...
재발 방지에 도움이 되는 측면에서 2FA 및 교육이 귀하의 선택 사항입니다 :-)