SANS ISC InfoSec Forums
New spamming technique - onmicrosoft.com

Spammers have long relied on bots, compromised webmail accounts, or open SMTP relays to send their dastardly payloads to our mailboxes. This new trend is a variation on the theme: the spammer signs up for a vanity domain with Microsoft and then sends spam through it. The interesting bit is that the sending domain is not hotmail.com or outlook.com but onmicrosoft.com, the domain Microsoft hands out to its hosted tenants. The format is <UserName>@<Vanity-name>.onmicrosoft.com. One reader, Melvin, has seen quite a few of these and asked me to write this up. To quote Melvin: "So, spammers are registering *WITH* Microsoft for domain-hosting and web-hosting, and then abusing Microsoft's own mail-servers ("six-nines-availability/reliability") to distribute their spam/scam messages." <sarcasm>Awesome business plan!</sarcasm>

Is your IDS/IPS, anti-spam, or email gateway allowing these through, alerting on them, or blocking them?

Here are some samples:

Date: Wed, 16 Oct 2013 20:49:20 +0100
Subject: (none)
From: Uk National <001@tanlan.onmicrosoft.com>
Reply-To: <claimsagent845@yahoo.com.hk>

Your Email Id Have Won 1,000,000.00 GBP in Uk National Lottery ...
______________

Date: Mon, 7 Oct 2013 20:13:23 +0530
Subject: BARCLAY'S BANK
From: BARCLAY'SBANK <pp7@lines.onmicrosoft.com>
Reply-To: <barclaysbnnkplclondon@zing.vn>
______________

Date: Fri, 4 Oct 2013 16:23:48 +0000
Subject: Let the moment last as much as you want.
From: <JackChappell@morriswatanabe.onmicrosoft.com>
______________

Date: Tue, 1 Oct 2013 18:22:23 +0100
Subject: Attn:This Is My Second Email,Please Respond
From: Ahmed Mohamed <Ahmed01@lawoffice2013.onmicrosoft.com>
Reply-To: <askahmedmhd@yahoo.co.uk>
______________

Date: Sat, 28 Sep 2013 21:35:33 +0530
Subject: Do you need A Business OR Personal Loan
From: Loan Offer <LOAN21110011@Changloan656.onmicrosoft.com>
Reply-To: <loanoff00@hotmail.com>
______________

Date: Thu, 26 Sep 2013 22:19:47 +0000
Subject: Exclusive offer, feel it for real
From: <GiuseppeArena@wabipyge.onmicrosoft.com>
______________

Date: Sat, 21 Sep 2013 04:20:00 +0530
Subject: CONTACT FEDEX COURIER SERVICE FOR YOUR FUND CONSIGNMENT BOX
From: <019@Burrows00t.onmicrosoft.com>
Reply-To: <donphilip011@gmail.com>
______________

Date: Wed, 18 Sep 2013 07:17:50 +0000
Subject: Unique product for your needs
From: <MichaelAshcroft@wabipyge.onmicrosoft.com>
______________

Date: Mon, 16 Sep 2013 17:58:25 +0530
Subject: Re
From: " Miss Zaina Abisali" <3@emailer.onmicrosoft.com>
Reply-To: <miss.zainaabisali@gmail.com>
______________
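The samples above share two header-level tells: a From: address under a freshly minted <tenant>.onmicrosoft.com domain and, in the 419-style ones, a Reply-To: pointing at a freemail account the scammer actually reads. The following is an added example, not code from the diary or from any ISC tool. It parses raw headers, extracts the tenant label, and scores the From/Reply-To mismatch; the embedded messages are constructed from the diary's samples plus two controls (the "contoso" tenant and example.org sender are made-up names). Note the caveat built into the policy: onmicrosoft.com is the default domain of every Office 365 tenant, so a sender there is a review flag, not an automatic block.

```python
"""Header triage for the <user>@<tenant>.onmicrosoft.com spam pattern.

Added example for the SANS ISC diary above; not part of the diary.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Tenant label follows DNS-label rules and is followed by the fixed suffix.
ONMICROSOFT_RE = re.compile(r"^([a-z0-9][a-z0-9-]*)\.onmicrosoft\.com$")

# Reply-To domains seen in the diary's samples. Assumption: illustrative
# list only; extend it from your own mail telemetry.
FREEMAIL = {"yahoo.com.hk", "yahoo.co.uk", "hotmail.com", "gmail.com", "zing.vn"}

# Constructed test messages modelled on the diary's samples.
SAMPLES = {
    "lottery": (  # 419 sample: tenant "tanlan", freemail Reply-To
        "From: Uk National <001@tanlan.onmicrosoft.com>\n"
        "Reply-To: <claimsagent845@yahoo.com.hk>\n"
        "Subject: (none)\n\n"
        "Your Email Id Have Won 1,000,000.00 GBP in Uk National Lottery ...\n"
    ),
    "pharma": (  # product spam: onmicrosoft.com From, no Reply-To
        "From: <JackChappell@morriswatanabe.onmicrosoft.com>\n"
        "Subject: Let the moment last as much as you want.\n\n"
        "Exclusive offer, feel it for real\n"
    ),
    "legit_tenant": (  # assumed legitimate tenant mail: same-domain Reply-To
        "From: Alice <alice@contoso.onmicrosoft.com>\n"
        "Reply-To: <helpdesk@contoso.onmicrosoft.com>\n"
        "Subject: Ticket update\n\n"
        "Your ticket has been updated.\n"
    ),
    "control": (  # ordinary mail, no onmicrosoft.com involvement
        "From: Jane Doe <jane@example.org>\n"
        "Subject: Invoice\n\n"
        "See attached.\n"
    ),
}


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if there is no address."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def assess(raw):
    """Parse one raw RFC 5322 message and return verdict, tenant and reasons."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))

    match = ONMICROSOFT_RE.match(from_domain)
    tenant = match.group(1) if match else None
    mismatch = bool(reply_domain) and reply_domain != from_domain

    reasons = []
    if tenant:
        reasons.append("from_onmicrosoft_tenant:" + tenant)
    if mismatch:
        reasons.append("replyto_domain_mismatch:" + reply_domain)
        if reply_domain in FREEMAIL:
            reasons.append("replyto_freemail")

    # onmicrosoft.com alone only earns a review flag (real tenants use it);
    # combined with a Reply-To that leaves the tenant it is quarantined.
    if tenant and mismatch:
        verdict = "quarantine"
    elif tenant or mismatch:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "tenant": tenant, "reasons": reasons}


def triage_all(samples=SAMPLES):
    """Run assess() over a dict of raw messages; returns name -> verdict."""
    return {name: assess(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw))
```

Feed it the full raw message (headers and body) from your gateway's quarantine or a mailbox export; the body is parsed but ignored, so it is safe to run on whole messages. The freemail set and the "tenant plus mismatch" rule are deliberately simple so you can see the logic; in production you would add DKIM/SPF results and reputation data before quarantining.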


Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule


Adrien de Beaupre

353 Posts
ISC Handler
I have received five of these to a personal email account at Bluehost and the default SpamAssassin there caught them.

Why bother with Microsoft? My company has been receiving spam sent from domains that were registered just a day or two prior. These are even signed using DKIM, so it is difficult for spam filters to spot them. The domains usually match the spam, like "Start Speaking A New Language in 10 Days With This Proven Approach" from queue@top-language.net or "S?v?ngs Al?rt: N?w Inc?nt?v?s P?y Y?u t? G? S?l?r" from appearance@expectsolar.co. These do appear to be simple unsolicited commercial email and not phishing attempts, but this is a good method to get past spam filters.

Jim C.
JimC

17 Posts
onmicrosoft.com emails probably originated from Microsoft Office365 (which is Microsoft's equivalent of Google Apps for Business).

Users can sign up for an Office365 trial and select a domain name, e.g. "mydomain".
The trial domain will then be @mydomain.onmicrosoft.com
Mike7

43 Posts