
SANS ISC: InfoSec Handlers Diary Blog



New spamming technique - onmicrosoft.com

Published: 2013-10-17
Last Updated: 2013-10-18 13:47:13 UTC
by Adrien de Beaupre (Version: 2)
2 comment(s)

Spammers have long relied on bots, compromised webmail accounts, or open SMTP relays to send their dastardly payloads to our mailboxes. This new trend is a variation on the theme. The spammer sets up a vanity domain, and then sends spam through it. The interesting bit here is that it is not hotmail.com or outlook.com but onmicrosoft.com being used. The format is as follows: <UserName>@<Vanity-name>.onmicrosoft.com. One reader, Melvin, has seen quite a few of these and asked me to write this up. To quote Melvin: "So, spammers are registering *WITH* Microsoft for domain-hosting and web-hosting, and then abusing Microsoft's own mail-servers ("six-nines-availability/reliability") to distribute their spam/scam messages." <sarcasm>Awesome business plan!</sarcasm>

Is your IDS/IPS, anti-spam, or email gateway allowing these through, alerting on them, or blocking them?

Here are some samples:

Date: Wed, 16 Oct 2013 20:49:20 +0100
Subject: (none)
From: Uk National <001@tanlan.onmicrosoft.com>
Reply-To: <claimsagent845@yahoo.com.hk>

Your Email Id Have Won 1,000,000.00 GBP in Uk National Lottery ...
______________

Date: Mon, 7 Oct 2013 20:13:23 +0530
Subject: BARCLAY'S BANK
From: BARCLAY'SBANK <pp7@lines.onmicrosoft.com>
Reply-To: <barclaysbnnkplclondon@zing.vn>
______________

Date: Fri, 4 Oct 2013 16:23:48 +0000
Subject: Let the moment last as much as you want.
From: <JackChappell@morriswatanabe.onmicrosoft.com>
______________

Date: Tue, 1 Oct 2013 18:22:23 +0100
Subject: Attn:This Is My Second Email,Please Respond
From: Ahmed Mohamed <Ahmed01@lawoffice2013.onmicrosoft.com>
Reply-To: <askahmedmhd@yahoo.co.uk>
______________

Date: Sat, 28 Sep 2013 21:35:33 +0530
Subject: Do you need A Business OR Personal Loan
From: Loan Offer <LOAN21110011@Changloan656.onmicrosoft.com>
Reply-To: <loanoff00@hotmail.com>
______________

Date: Thu, 26 Sep 2013 22:19:47 +0000
Subject: Exclusive offer, feel it for real
From: <GiuseppeArena@wabipyge.onmicrosoft.com>
______________

Date: Sat, 21 Sep 2013 04:20:00 +0530
Subject: CONTACT FEDEX COURIER SERVICE FOR YOUR FUND CONSIGNMENT BOX
From: <019@Burrows00t.onmicrosoft.com>
Reply-To: <donphilip011@gmail.com>
______________

Date: Wed, 18 Sep 2013 07:17:50 +0000
Subject: Unique product for your needs
From: <MichaelAshcroft@wabipyge.onmicrosoft.com>
______________

Date: Mon, 16 Sep 2013 17:58:25 +0530
Subject: Re
From: " Miss Zaina Abisali" <3@emailer.onmicrosoft.com>
Reply-To: <miss.zainaabisali@gmail.com>
______________
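The pattern in the samples above is easy to express as gateway logic: a From: under <Vanity-name>.onmicrosoft.com, often paired with a Reply-To: at a free webmail provider. The following is an added example (not ISC's, Melvin's, or Microsoft's code) that parses raw headers and scores those indicators; the webmail list and the alert threshold are assumptions for illustration.

```python
# Added example (not ISC's or Microsoft's code): flag mail whose From: is a
# <UserName>@<Vanity-name>.onmicrosoft.com address and whose Reply-To: points
# at a different domain, as in the samples above. The webmail list and the
# scoring threshold are assumptions for illustration.
from email.parser import HeaderParser
from email.utils import parseaddr

# Free webmail domains seen in the Reply-To: lines of the diary's samples.
WEBMAIL_DOMAINS = {"yahoo.com.hk", "yahoo.co.uk", "hotmail.com", "gmail.com", "zing.vn"}
ONMS_SUFFIX = ".onmicrosoft.com"


def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def inspect_headers(raw_headers):
    """Parse raw RFC 5322 headers; return indicators of the onmicrosoft pattern."""
    msg = HeaderParser().parsestr(raw_headers)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    is_onms = from_domain.endswith(ONMS_SUFFIX)
    return {
        "from_domain": from_domain,
        # the <Vanity-name> part, useful for blocking or reporting the tenant
        "tenant": from_domain[: -len(ONMS_SUFFIX)] if is_onms else "",
        "onmicrosoft_sender": is_onms,
        # Reply-To: present and pointing away from the sending domain
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "reply_to_webmail": reply_domain in WEBMAIL_DOMAINS,
    }


def score(raw_headers):
    """One point per indicator; 2 or more is worth a gateway alert (assumed threshold)."""
    r = inspect_headers(raw_headers)
    return sum((r["onmicrosoft_sender"], r["reply_to_mismatch"], r["reply_to_webmail"]))


# Header blocks copied from the diary's samples above.
SAMPLE_LOTTERY = """\
Subject: (none)
From: Uk National <001@tanlan.onmicrosoft.com>
Reply-To: <claimsagent845@yahoo.com.hk>
"""
SAMPLE_OFFER = """\
Subject: Let the moment last as much as you want.
From: <JackChappell@morriswatanabe.onmicrosoft.com>
"""
```

Running `score()` over the two samples gives 3 for the lottery scam (all indicators) and 1 for the pharmacy-style mail (onmicrosoft sender only), so the Reply-To check alone does not catch every variant.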


Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule


Keywords: spam