Office has been receiving Phishing emails from reputable domains
Hi y’all! I’ve gotten two tickets so far from users receiving emails that look suspiciously like phishing, but the addresses look legitimate. One of them ends in @zoom.us (a real domain owned by Zoom) and the other @microsoftonline.com (also owned by Microsoft), but both emails are directed towards people that neither user has ever been in communication with.
Any advice on how to further look into these messages and how to educate users on spotting them in the future?
UPDATE: both users HAVE been encouraged to delete the message or already have. We have a spam filter system but I’m not quite sure if I should be blocking these addresses since they COULD be used for legitimate purposes in the future.
SpamHero
I spoke with my director and the best course of action is to just encourage the users to delete the emails and report them if they’re ever unsure. I just hope to learn from this, and from you guys, how to better analyze and understand these sorts of emails when they come in.
It's been a while since I've worked with email,
but I believe you can verify the DMARC to verify they're actually from that address.
I think Zoom only has a couple dedicated email addresses they'd ever send anything from, could use those to filter from there for that. As far as the Microsoft one, I'll dig into that one too.
Looks like we deep filter messages that fail DKIM and SPF
I believe that's what it is.
Yep, Zoom stuff here: https://community.zoom.com/t5/Zoom-Meetings/Is-this-real-or-spam/m-p/180713
If that's still valid, and I'd reach out to them to be sure, those are the only addresses they'd send from so maybe that'll help filter further?
If it's a spoofed email, you should be able to reply to it and have it actually go to that company.
Wait, did they not fail SPF?
They didn’t, came through as reputable
That's... odd to say the least lol
Reporting the address. It was no-reply-docs@ zoom.us (space so I don’t ping a user lol)
Well, if it's real you should still be able to reply.
I’ve been IT here for about 8 months, I don’t think my suggestions really matter here when the main engineer runs this circus. I’ll send a report to zoom and if they confirm it’s not a real address, I’ll add it to our filter
Thanks y’all!
Solution
I'd nuke anything that doesn't come from their outlined addresses for the meantime, unless there is potential for operation impact, quick way to address the zoom domain at least momentarily.
My goat. Thanks Krypton 🙇
Same goes for the rest of you!
Marking as solved
From a quick google, that domain and zoom-tech[.]us are apparently being utilized as of late, just tossing that in there as an FYI since a recent article (from June) from TechRadar popped up and mentioned it.
I've seen a few of these as of late. People tend to use the sharing feature to get through phishing analysis engines. It's pretty creative. Last I saw was some sort of Zoom note that got shared, and the subject and such were set to make it seem like something from Zoom.
They do the same shit with PayPal invoice requests or something like that
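What "verify the DMARC" and the SPF/DKIM back-and-forth above come down to in practice, as an added example that is not part of this thread and not any participant's code: read the Authentication-Results header your own mail server stamped on the message, check that the SPF or DKIM pass is actually aligned with the From domain, and only then decide between "spoofed", "genuinely from the vendor but not a documented sender address", and "genuinely from the vendor's own sharing feature" (the case the thread ends on, where a real no-reply-docs@zoom.us message passes every check and the abuse is in the content). The two sample messages, the KNOWN_SENDERS allowlist contents, the mx.example.net hostname and the two-label organizational-domain shortcut are constructed assumptions for the example; fill the allowlist from the vendor's own documentation rather than from the messages you are triaging.

```python
"""Triage SPF/DKIM/DMARC results on a received message (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Operator-maintained allowlist of addresses a vendor is known to send from.
# The one entry is the address quoted in the thread; populate it from the
# vendor's own documentation, not from the messages you are triaging.
KNOWN_SENDERS = {
    "zoom.us": {"no-reply-docs@zoom.us"},
}

# Constructed sample messages. Authentication-Results is the header your own
# receiving MTA adds after evaluating SPF, DKIM and DMARC; it is the only copy
# of that header you should trust, so the parser reads only the topmost one.
ALIGNED_EML = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=zoom.us;
 dkim=pass header.d=zoom.us;
 dmarc=pass header.from=zoom.us
From: Zoom <no-reply-docs@zoom.us>
To: user@example.net
Subject: A document has been shared with you

Open the shared document.
"""

# Lookalike infrastructure: SPF and DKIM both "pass", but for zoom-tech.us,
# which does not align with the zoom.us shown in From, so DMARC fails.
UNALIGNED_EML = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=zoom-tech.us;
 dkim=pass header.d=zoom-tech.us;
 dmarc=fail header.from=zoom.us
From: Zoom <no-reply@zoom.us>
To: user@example.net
Subject: Missed meeting

Click to review.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
IDENT_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", re.I)


def parse_auth_results(msg):
    """Return ({check: result}, {identity: value}) from the topmost header."""
    header = str(msg.get("Authentication-Results", ""))
    results = {k.lower(): v.lower() for k, v in RESULT_RE.findall(header)}
    idents = {k.lower(): v.lower() for k, v in IDENT_RE.findall(header)}
    return results, idents


def org_domain(value):
    """Simplified organizational domain: drop any local part, keep the last
    two labels. Real DMARC uses the public suffix list; this shortcut is an
    assumption of the example and is only right for plain .com/.us domains."""
    domain = value.rpartition("@")[2].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def triage(raw):
    """Classify one raw RFC 5322 message into a triage verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results, idents = parse_auth_results(msg)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    from_domain = from_addr.rpartition("@")[2]

    missing = [c for c in ("spf", "dkim", "dmarc") if c not in results]
    if missing:
        return {"verdict": "unverified", "from": from_addr,
                "reason": "no result recorded for " + ", ".join(missing)}

    # Relaxed DMARC alignment: the identity that passed SPF or DKIM must share
    # the organizational domain of the From header, or the pass proves nothing.
    spf_ok = results["spf"] == "pass" and \
        org_domain(idents.get("smtp.mailfrom", "")) == org_domain(from_domain)
    dkim_ok = results["dkim"] == "pass" and \
        org_domain(idents.get("header.d", "")) == org_domain(from_domain)
    if results["dmarc"] != "pass" or not (spf_ok or dkim_ok):
        return {"verdict": "unaligned", "from": from_addr,
                "reason": "From domain is not backed by an aligned SPF/DKIM "
                          "pass; treat as spoofed and block or quarantine"}

    # Authentication passed: the mail really left that domain's infrastructure.
    # That rules out spoofing, not abuse of a sharing feature on a real account.
    if from_addr in KNOWN_SENDERS.get(from_domain, set()):
        return {"verdict": "authenticated-known-sender", "from": from_addr,
                "reason": "genuine vendor sender; judge the content and the "
                          "unknown sharer, and report the abuse to the vendor"}
    return {"verdict": "authenticated-unknown-sender", "from": from_addr,
            "reason": "passes DMARC but is not on the vendor's documented "
                      "sender list; confirm with the vendor before allow-listing"}


if __name__ == "__main__":
    for sample in (ALIGNED_EML, UNALIGNED_EML):
        print(triage(sample))
```

The point of the three-way split is the one the thread arrives at: a "pass" on the first sample means the message genuinely came from Zoom, so blocking zoom.us would also block every real meeting invite, and the right response is to report the sharer's account to the vendor and train users on the lure; the second sample is the case where blocking the lookalike domain outright costs nothing. The "unverified" verdict covers mail where your gateway never recorded a result, which should be treated as suspicious rather than as clean.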