blog.icewolf.ch

Let's talk about IT!
posts - 2247, comments - 295, trackbacks - 0

My Links

Archives

Post Categories

icewolf

Sending "Reset Password" Links may be considered as phishing in Exchange Online

Hi All,

A few Weeks ago i received the Mail below that was filtered out as Junk-E-Mail.
So i took a closer look as it is legitimate. It contained a "Forgot Password" Link to theyr Portal.
These are classic Phishing Techniques-


I took a look at the Mailheaders with the Message Header Analyzer https://mha.azurewebsites.net/

As you can see the Spam Confidence Level (SCL) is high at 5 and it's classified also as spam (SPM).
The Phishing Message is very high - i expect the "Password Reset" Link was responsible for that.
The Authentication Results are fine: SPF, DKIM and DMARC are all valid.


While looking at the Message in Threat Explorer you can see that the Message was considered as Spam and delivered into the Junkmail Folder. No Link was considered Malicious.

This seems a bit odd - i would have expected to be threated as Phishing. But sometimes the Lines between Spam and Phishing are a little bit blurry.


Finnaly i would say - good Job Microsoft. You detected some of the classic behaviours how phishing threat actors send theyr emails.

Regards
Andres Bohren


Print | posted on Saturday, February 26, 2022 10:01 AM | Filed Under [ Exchange ]

Powered by:
Powered By Subtext Powered By ASP.NET