An Office 365 user found about 100 emails apparently sent by him; they carry some kind of malicious PDF attachment. The mail headers show "Received: from XXX.XXX.PROD.OUTLOOK.COM" as the initial origin of the email. The sent emails show up in the Exchange Online message trace, sent to both internal and external recipients. However, they do not appear in the user's Sent Items folder.
Does this prove that someone successfully compromised his account (logged in as him), or is there another explanation?
I need to understand what determines whether an email ends up in Sent Items, and whether outgoing email can appear in the message trace without someone logging in as that user.
We changed his password and checked his computer for malware. Is there anything else we can do to prevent this from happening again?
Update: sample email headers, only lightly redacted:
Received: from MM1P123MB1050.GBRP123.PROD.OUTLOOK.COM (10.166.235.24) by
MMXP123MB1376.GBRP123.PROD.OUTLOOK.COM with HTTPS via
MMXP123CA0017.GBRP123.PROD.OUTLOOK.COM; Fri, 16 Mar 2018 09:33:43 +0000
Authentication-Results: [somedomain].co.uk; dkim=none (message not signed)
header.d=none;[somedomain].co.uk; dmarc=none action=none
header.from=[somedomain].co.uk;
Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM (10.166.217.148) by
MM1P123MB1050.GBRP123.PROD.OUTLOOK.COM (10.166.217.152) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.588.14; Fri, 16 Mar 2018 09:33:40 +0000
Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
([fe80::bd23:2882:93cc:c179]) by MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
([fe80::bd23:2882:93cc:c179%14]) with mapi id 15.20.0588.016; Fri, 16 Mar
2018 09:33:39 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: somename lastname <somename.lastname@[somedomain].co.uk>
Subject: Important New Document
Thread-Topic: Important New Document
Thread-Index: AQHTvQgYiGQw1JKKkUqd6+Gw0vjPcg==
Date: Fri, 16 Mar 2018 09:33:39 +0000
Message-ID: <MM1P123MB10344D41BCA2D78978E4E07AB2D70@MM1P123MB2034.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <MM1P123MB10344D41BCA8D78958E4E08AB2D70@MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM>
MIME-Version: 1.0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-Originating-IP: [104.238.169.26]
X-MS-Exchange-Organization-Network-Message-Id: c73bdaf1-0213-4d24-0323-08d58b210068
X-MS-PublicTrafficType: Email
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1034;35:kkBmPP7Ug2FbZQv6FmW4qdaBWuYCBMr2zepmSHBV2rdHXXwDyIzi9ducjSfxpVuRt/dOsLsDrz0OZ4mNI1aHqA==
To: Undisclosed recipients:;
Return-Path: somename.lastname@[somedomain].co.uk
X-MS-Office365-Filtering-Correlation-Id: c73bdaf1-0213-4e24-0323-08d58b210068
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(2017052603328)(7153060)(49563074)(7193020);SRVR:MM1P123MB1050;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;3:MKs5dzQ/5p8jCk129hgZqVFyrVdW4oqo956FU19Gz6o66Unzd8gOmuAe96KHit/deI2AGcyk5YsW4TdOBUpvDRDE/biwpipBNWqCew73rz2QTq0UigEkF/tpEDsZrjfYFy7ttCS5WOCCF9ucTE/csak2HFuOhClND6vgOYTkIv2vO71EuwXEV1VEVSjJY2xa8vQVgujXpV8fXjuHfMsSf15b4jEKrR4DNrfBLKBBzlhAhV9sRhrwgNpkJw6jXzwu;25:lsCL0Xn0ALPbUZX7lN0wSHe3M03QBMrYjezvAOzvmeVZuw2GxtDyDocNxIOdKS6Dq8SPBMS4VpO0QyROPaBKDZN+KMl5W+kJp8zB3MbkK/XWXu+WSCopjtRqHhSnmlMDg3sM+wrZH/KajOUG6tpX9sV3oJvgUxe+QKrNFkQIPiR9CtzbOHfVIP3qlIwPalPZKvePtxAqi8VTqEd2zEhYgkFgb42rGQiojV+u886t63cDuk48gONDh50zTKCNZBsx+WMp50Mvf1DTMQvrhGlI19jFPQXBn+OWFspUbYl4RU/ffNzeScDtd5MQlQHRrVMWVtRyPMSSpFNunAF0v3FPpQ==;31:6/IkDDU1nB+3jDDavYeG/5F/SVFU6klrmyNZybg+jl6aWOby3KSnbGW0flAnSdoMgMXLQmIwBWPSst2OvZxkUr/krEl9bUWQ6yAd29ApyLevAn3Bz1MFWY0rBCMYUWKLDqywMdme2t2jdzRgsL3ptcLOHTf+uyHkPxdwXgMMdpskEiXjSiEdZ44zQ+6sfG7mE4L6kne1szkFD7oOpEpq634v1uMG18OPIH7wZnl7cG4=
X-MS-TrafficTypeDiagnostic: MM1P123MB1050:
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(102415395)(9101524173)(2401047)(8121501046)(10201501046)(3002001)(3231221)(944501281)(52105095)(93006095)(93001095)(201708071742011);SRVR:MM1P123MB1050;BCL:0;PCL:0;RULEID:;SRVR:MM1P123MB1050;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;4:YiLYVcHiqdwQ2TvyHy73ZHflE4/t75LwbybbMbaUqb5+lDNcIt67qn8n1nguaN2DoJe5+A4SuUkRsXlU/B5beqY3VYKgjgDT4gX88aVRThxarwKGVWq3QSibHpRJ5SfEqHCEd+VjsAKpsyUaRhoMlb1khU4g5ZUScRse0NSr5JzGCykJXq2owW26lTVRVR996gR+lNNqbnRjHznKB0B7wJ1j6VaiyN+/KkdVIuGOOoqg6YhOAqtmlst+5p+RLn6pJheu/X2FTt1tvXGuonj28g==;23:/+BLEjWIxDShX9ISFYWuiCw/K2j0u5PyWxPnIa83Phz8tNUSbo/DIC5s9WX7w0t4TwSPlSpfmYySC88zZfTY6w62AzLhU7Qu3b+dgCcFrEsK7sbd9du+eGzfc+Koh5Q6cUKPZs6STtr/AM2+n3ud1g==;6:uMHoPglLFm5KjX+egFCC8o1xTqoOy2wC5PCQ2Hwsg8JbPHD4b+0d+nvdJrfqVhYKDZ4fb+sYjAM++qegs0RcdatAJOf16FxmVi6KWBi4tY2MKsDQzCcwrFQp2SsrNnUoXZ9MoXQBg5alkozBSoLqSA9IVj8uLA6fl1NqV126Pa0v/fR6eUgiCthevxvI7zCWhG8LaMQ9NTNT/LYW/T1QXliUEkRz+9fc8RO2TKd0qeyxHYmRVhdRZDCeF9wdkTrng/Kw/uMerN/pADH+YNaaIYhUbexjNmSMkqQk0LKqXl2iLmZ0Nok5Yt0V/pi/8LFGj2hOLW0wKysIe0QYWVKAWx1be7CjXAJRoh3CA+WbvKKw77GlzndPrzWiXwq3jFjLTlyiHEGog8KgrLMM156esg==
X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:MM1P123MB1050;H:MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM;FPR:;SPF:None;LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;5:wHYf7tAv11+nrCsudTXtynwYAPuhi1pzk3yOAme0fA8z6IocnoWhR177EFgZq1Xc0IJFtlepjfGvPRfSpV6khoOmvfBnc888+li7MWPy9MmcytBamFFNTBRRQubNXlVX4iod/sx0/B0P5S/XM3QUj8ePQqDFpImOihsJ9H0aO74=;24:4kyptGwsYWd1ZT+26o+I0CBQlBrcQ8h+zew6YTmtUXA9N/geEmMrI4MKVi9fA7d4rubwuZP41qSgyOUJnF7mhhK5bcdtC6r3plfk/yBW1Ik=;7:z3M30YeKmiLr5ZIQZyr7CdYHNyz9BMehyMHzopBPtKiUgRfCDgrBQPZRKv/F5OXywocBBjEqDwMRSM9JiOJ+VYZtyB+JXs21UBGgcGOlA7hQ3Hvf962KPM8Bk2NYMrtQJFZX38C4Yz9AiV0tYwYI5VMCP/fgO1m4535y8l6thoUJ7n2XhdO98SlILO4oS72KwO2/o9cPjmOFzjSWZ0+2QF/KiB6r/VQiD7MeOTjWlNfr/EsEoXT1OigLdhScT85y
SpamDiagnosticOutput: 1:0
X-MS-Exchange-Organization-Recipient-P2-Type: Bcc
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Mar 2018 09:33:39.6510
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: ca1b5da9-6835-4de9-bcdb-725dd3465770
X-MS-Exchange-CrossTenant-Network-Message-Id: c73bdaf1-0213-4d34-0323-08d58b210068
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MM1P123MB1050
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.6173868
X-MS-Exchange-Processed-By-BccFoldering: 15.20.0588.000
X-Microsoft-Exchange-Diagnostics:
1;MMXP123MB1376;9:JeTvLnsi4tWvcXHjg15P88aBMJDwS5f1cmKeerPeym9XHWffsOWF02ezQoaUszKtnPAzrUeVeD1JXwn0D73LmoKOzSSmOhvKV/qDnW7i4NSMg8izAEZ4nGrtqIuwb60w
X-Microsoft-Antispam-Message-Info:
42YAk622i4b1TInn5/SNrkWM2WM/YRVLnepCJZPatr5a5tFQGXQ3bBOu5zjNrTOPitdlDLRMFGvxptU1TeCxJmkbXqXmpQStW85oIvB3YDQ7Oc0aqR1D7gCfxwPH/xF0yoP7oY2MZgR0mt28ZTFlumzOIZiUFROq74AN5faDHvCZSzcwQQ74n53d9tPCPXpwj2joudqcI+DdOuB9OhvzRk6B3JMtIlWvZmtptF2VYAGAJ12n66xEMxrasY70Q44taDysFoV957KHwN6HBd4LGc9PmUBh+qyAfbZPvIVfbVYU1JKmveiMgVRF0k3FmUyiAp25+/SZ3W6eFs9LKsx+EQ==
X-Microsoft-Exchange-Diagnostics:
1;MMXP123MB1376;27:hDScNnAaL4YD31DCET01EwH48PoQxhTLLMf4TVCiQ52Pi5zX0Euf7jis8bhP6CvWSsVDul58ojaseWCRFR0M6KH3OXgc
Answer 1
I'd say yes, it looks like someone has your Outlook.com credentials, because the email was not spoofed but actually originated from Microsoft.
We had a similar case two days ago, where a user received a fake email with a fake link to a document supposedly in OneDrive. After clicking the link, they were taken to a fake site asking for credentials. Once entered, their Outlook.com account was used to send the email to every address that could be harvested - and so the cycle continues...
As for helping prevent it happening again, 2FA and education are your options :-)
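As an added example (not code from the question or the answer), a Python check that applies the reasoning from both posts to the posted headers: it reads the Exchange Online organization headers and the "with mapi id" Received line to separate an authenticated submission from the mailbox from an external spoof, then compares X-Originating-IP against trusted networks. The trusted range is assumed, and the code assumes X-Originating-IP holds the submitting client's address.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the header block from the question,
# same redactions, continuation lines indented per RFC 5322, blobs left out.
SAMPLE_HEADERS = """\
Authentication-Results: [somedomain].co.uk; dkim=none (message not signed)
 header.d=none;[somedomain].co.uk; dmarc=none action=none
Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
 ([fe80::bd23:2882:93cc:c179]) by MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
 ([fe80::bd23:2882:93cc:c179%14]) with mapi id 15.20.0588.016; Fri, 16 Mar
 2018 09:33:39 +0000
From: somename lastname <somename.lastname@[somedomain].co.uk>
To: Undisclosed recipients:;
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthAs: Internal
X-Originating-IP: [104.238.169.26]
X-MS-Exchange-Organization-Recipient-P2-Type: Bcc
"""

def parse_headers(raw):
    """Unfold RFC 5322 continuation lines; return {lower-name: [values]}."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    headers = {}
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def assess_submission(raw, trusted_nets=()):
    """Was this an authenticated submission from the mailbox, and did the
    submitting client sit inside the trusted networks?"""
    h = parse_headers(raw)
    first = lambda name: (h.get(name) or [""])[0]
    ip_text = first("x-originating-ip").strip("[]")
    ip = ipaddress.ip_address(ip_text) if ip_text else None
    trusted = bool(ip) and any(ip in ipaddress.ip_network(n) for n in trusted_nets)
    f = {
        "originating": first("x-ms-exchange-organization-messagedirectionality") == "Originating",
        "auth_internal": first("x-ms-exchange-organization-authas") == "Internal",
        "mapi_submission": any("with mapi id" in r for r in h.get("received", [])),
        "bcc_only": first("x-ms-exchange-organization-recipient-p2-type") == "Bcc",
        "client_ip": ip_text,
        "client_ip_trusted": trusted,
    }
    # All three true: the tenant accepted the mail from a logged-in mailbox
    # session, not from an outside spoofer. An untrusted client IP on top is
    # the signal that the credentials were used from somewhere the user is not.
    f["authenticated_from_mailbox"] = f["originating"] and f["auth_internal"] and f["mapi_submission"]
    f["suspect_credential_misuse"] = f["authenticated_from_mailbox"] and not trusted
    return f

if __name__ == "__main__":
    # Assumed corporate egress range, constructed for this example.
    print(assess_submission(SAMPLE_HEADERS, trusted_nets=["203.0.113.0/24"]))
```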