r/EmailSecurity

I almost closed a mailbox compromise while mail was still being read

Had an M365 mailbox compromise this week where I was about ten minutes from calling email containment done. Password reset, MFA re-registered, sessions revoked, inbox rules checked, message trace reviewed, phishing cleanup done.

Then I checked consented apps because one sign-in trail still felt weird (not 100% sure I would have done this a year ago). The user had approved some sketchy PDF app with Graph Mail.Read and offline_access, and it was still pulling messages after the password reset.

That was the uncomfortable part. I was treating the credential as the incident, but email access had moved to an OAuth grant.

We removed the grant and started scoping with MailItemsAccessed, but I’m still annoyed at how close I got to closing it early. For people doing M365 mailbox IR regularly, is OAuth consent review mandatory for every compromised mailbox in your runbook, or only when the logs point that way?

reddit.com
u/littleko — 1 day ago

Copier scan-to-email is blocking p=reject on the root domain

Client wants DMARC at p=reject on the root domain before renewal paperwork goes in this month. Their normal mail is clean enough, but 31 copiers across 5 sites are still sending scan-to-email through the ISP SMTP relay as invoices@clientdomain.com.

SPF is either failing or passing for the ISP's envelope domain, not aligned with the client's domain. No DKIM, because of course the copier fleet has firmware from three different eras and half of it barely supports modern SMTP auth.

My answer is to stop pretending this is production mail until it can send through a real relay with aligned SPF or DKIM. The pushback is predictable: accounting likes the From address, facilities owns the copiers, and nobody wants scan workflows touched before quarter-end.

Would you hold p=reject until the copier path is fixed, or publish reject and let broken scan-to-email become the forcing function?

reddit.com
u/saltyslugga — 3 days ago
▲ 14 r/EmailSecurity+1 crossposts

Securence possible attack/hack/security breach in progress

Several reddit visitors, including myself, have reported not being able to access the Securence management portal since Tuesday or Wednesday of last week.

Going to admin dot securence dot com you are greeted with a 503/server unavailable message.

Email is still being filtered, in and outbound, but quarantined false-positives cannot be released, nor any account changes made. Tech support claims to have no access to the portal as well.

While the company says that they are working on it, and asks that we be patient, they have also not responded when asked if there has been a security breach. They do answer the phone and reply to email, but the universal response is that they have no information from higher-up the chain to give out, and that they are in the dark themselves.

This behavior usually indicates that there has indeed been a major breach.

The previous Securence issue (in 2024) was an open public access issue, was quickly patched, and many of us considered that to be a one-off thing. The current issue "feels" more like a hack, hijacking and/or ransomware attack.

I/we have yet to find out how much data was exposed, but the process has already begun to move my accounts from Securence ASAP.

Possibly exposed data would include current and archived emails, going back several years.

reddit.com
u/MorseScience — 6 days ago
▲ 11 r/EmailSecurity+1 crossposts

Sneaky 2FA campaign using trusted sender abuse, tenant-branded M365 pages, and live Entra credential replay

Spent time researching a Sneaky 2FA-style campaign that was interesting because the email delivery and the phishing kit both showed meaningful evolution.

The initial message was not sent from a random throwaway account. It came through a compromised trusted SaaS sender account and targeted enterprise IT users. The lure was a Microsoft sign-in activity alert, but it was placed inside a business-thread chain, which made the message look more like part of an existing operational conversation than a standalone phishing email.

The web flow was also more interesting than a basic Microsoft credential clone. From the samples I reversed, the kit supported:

  • identity-check gating before exposing the Microsoft page
  • session-mutated routes, loader names, validation paths, and tokens
  • tenant-branded Microsoft 365 rendering using Microsoft tenant branding assets
  • signed resource URLs with hashed IP and user-agent values
  • password collection
  • verification code collection
  • SMS code collection
  • Microsoft Authenticator approval and number matching flows
  • final redirect back to Outlook

The strongest evidence came from controlled testing with non-valid credentials. After submitting them to the phishing page, Microsoft Entra ID recorded near-real-time OfficeHome sign-in attempts from external infrastructure. The attempts failed with error 50126, which confirms the credentials were replayed against Microsoft rather than only stored by the page.

The observed asset set, MFA workflow, href[.]li decoy behavior, and Sneaky/WikiKit-style page structure make Sneaky 2FA a strong match for this case.

u/ZeroBEC — 5 days ago

why does a phish feel safer once it hits the shared ops mailbox?

A credential phish hit our shared ops@ inbox this week and one of the on-call folks treated it as less suspicious because it was in the shared queue. Same RFC5322 From, same link domain, same gateway verdict, but it felt like "company mail" because it was sitting next to real vendor tickets.

The annoying part is they probably would have reported it immediately if it landed in their own mailbox. Once it became a ticket, the mental model changed from "is this email legit?" to "is this ticket assigned to me?"

I'm not 100% sure if this is awareness training failing or the shared inbox UI laundering trust. Do you make users report suspicious mail from shared mailboxes the same way as personal inboxes, or do you treat those queues as needing a separate review step before anyone opens links?

reddit.com
u/littleko — 5 days ago

Monitor-only email DLP is just a receipt after send

Client bought outbound email DLP, left every rule in monitor-only, then asked us to recall a sent patient roster after the external SMTP handoff had already accepted it.

Legal wanted to know why the tool “let it happen.” Compliance wanted a report. Operations wanted the email pulled back like that is a real control once it has left their tenant.

This is the part that drives me nuts. Monitor-only is fine for tuning, but after 30 days it is either a blocking rule or it is logging with nicer screenshots.

Would you let a healthcare client keep PHI rules in monitor-only after tuning, or make them sign the risk every time they refuse to block? end of rant

reddit.com
u/saltyslugga — 6 days ago
▲ 15 r/EmailSecurity+2 crossposts

Friday brainfart: how to block internal spoofing when using proofpoint on MX records?

An end user was bombarded yesterday by emails from herself that she did not send. I've had Proofpoint on their domain for over a year (on their MX records) with very few issues. The emails she received bypassed the MX records, sample header properties below. Both Microsoft and Proofpoint have writeups on this very issue, but I'm having a brainfart as to how to proceed. Stephanie@mydomain.com is using M365 Business Premium.

Received: from CO1PR05MB7879.namprd05.prod.outlook.com (::1) by
 IA3PR05MB10713.namprd05.prod.outlook.com with HTTPS; Thu, 25 Jun 2026
 14:37:05 +0000
Received: from DS7P220CA0008.NAMP220.PROD.OUTLOOK.COM (2603:10b6:8:1ca::15) by
 CO1PR05MB7879.namprd05.prod.outlook.com (2603:10b6:303:f3::17) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.21.181.7; Thu, 25 Jun 2026 14:32:24 +0000
Received: from DS1PEPF00017099.namprd05.prod.outlook.com
 (2603:10b6:8:1ca:cafe::60) by DS7P220CA0008.outlook.office365.com
 (2603:10b6:8:1ca::15) with Microsoft SMTP Server (version=TLS1_3,
 cipher=TLS_AES_256_GCM_SHA384) id 15.21.159.17 via Frontend Transport; Thu,
 25 Jun 2026 14:32:23 +0000
Authentication-Results: spf=none (sender IP is 108.175.8.93)
 smtp.helo=mta-80-125.sparkpostmail.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine
 header.from=mydomain.com;compauth=none reason=451
Received-SPF: None (protection.outlook.com: mta-80-125.sparkpostmail.com does
 not designate permitted sender hosts)
Received: from mta-80-125.sparkpostmail.com (108.175.8.93) by
 DS1PEPF00017099.mail.protection.outlook.com (10.167.18.103) with Microsoft
 SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.181.6
 via Frontend Transport; Thu, 25 Jun 2026 14:32:23 +0000
Return-Path: <>
From: stephanie@mydomain.com
To: stephanie <stephanie@mydomain.com>
Subject: mCaller left stephanie - 34s  Preview vHC- June 25, 2026
 3517286943
Message-ID:
 <[1782397942584.17a9c193f74e0b73-JFZGS42DN5WW25LONFRWC5DJN5XFA3DBORTG64TNFVIHE33EFVGVOMKQPREUCTKTKNIFE7CTKNIFERLNMFUWY7CFPBXVG3LUOA======@mydomain.com]>
Date: Thu, 25 Jun 2026 14:32:22 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--_NmP-289a666a40f8f530-Part_1"
X-MS-Exchange-Organization-ExpirationStartTime: 25 Jun 2026 14:32:23.4717
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 b48d577c-0b2c-4399-3061-08ded2c69266
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 220a3ae7-e220-4b76-abb2-d1cefeba692f:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic:
 DS1PEPF00017099:EE_|CO1PR05MB7879:EE_|IA3PR05MB10713:EE_
X-MS-Exchange-Organization-AuthSource:
 DS1PEPF00017099.namprd05.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: b48d577c-0b2c-4399-3061-08ded2c69266
X-MS-Exchange-AtpMessageProperties: SA|SL
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam:
 BCL:0;ARA:13230040|29132699027|5009299003|6049299003|57112099003|55112099003|18002099003|19002099009|17002299006|4053099003|5063699009;
X-Forefront-Antispam-Report:
 CIP:108.175.8.93;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mta-80-125.sparkpostmail.com;PTR:ip108-175-8-93.pbiaas.com;CAT:NONE;SFS:(13230040)(29132699027)(5009299003)(6049299003)(57112099003)(55112099003)(18002099003)(19002099009)(17002299006)(4053099003)(5063699009);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Jun 2026 14:32:23.1133
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b48d577c-0b2c-4399-3061-08ded2c69266
X-MS-Exchange-CrossTenant-Id: 220a3ae7-e220-4b76-abb2-d1cefeba692f
X-MS-Exchange-CrossTenant-AuthSource:
 DS1PEPF00017099.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR05MB7879
X-MS-Exchange-Transport-EndToEndLatency: 00:04:42.5262254
X-MS-Exchange-Processed-By-BccFoldering: 15.21.0159.007
X-MS-Exchange-ExternalInOutlookResult: NotEnabled
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(920097)(930201)(20251009189)(140003)(1310096);
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?n+j9JsLrhwvRb6OmvBUb3zljh6lgyFRYEtg3psgCsmqnGcQ/8jBmnCrECPJg?=
u/pkokkinis — 9 days ago

AI phishing is making static email defenses look dumb

Cofense has a writeup here on polymorphic phishing: rotating URLs, sender identities, subjects, and body copy until old-school detection loses the plot.

The board angle is fine, but the fix is still boring work: DMARC enforcement, tight OAuth/app controls, mailbox monitoring, and testing against real phish instead of pretty dashboards.

u/shokzee — 9 days ago
▲ 9 r/EmailSecurity+3 crossposts

Domain has no DMARC/DKIN/SPF etc

Hi all I have started a new job several months ago in sales and I feel like I am being gaslighted by multiple employees and am hoping someone can clarify for me.

I have a client list of about 15,000 contacts and when I email them through my mail merge I have been getting maybe 3-4 replies, tops.

I check the open rates and they are good however recently I’ve read that is mostly vanity metrics as so many spam filters open the emails and even click links.

Recently I ran a diagnostic using MXtools on the domain and my email address.

I got several errors, no certificates for DMARC DKIN and SPF whatever that is ??

The diagnostic says this is causing my emails to go directly to spam.

Is this true ??

Our IT department says it’s not a big deal or necessary to have these things. But I’ve read not having them affects deliverables and also it allows scammers to spoof our emails (we definitely get that at this company.)

Not only that, but the marketing consultant on the other side of the country says that none of that matters at all and that I just need to get used to how difficult the marketing and sales is for this company.

Any advice is sorely needed - I feel very lied to about the reality of this situation and it’s greatly affecting my performance.

Also, when IT was asked to fix these issues, they said they would, they never did, and then when we tried again they admitted they had no access to the domain, that some other consultant has that info.

Mind you, that was the head of IT.

Does this not all seem a bit strange ?

We are a 90 million company, also.

reddit.com
u/Easy-Caterpillar-449 — 11 days ago

DMARC provider suggestions?

Hey all, saw a recent post in her around deliverability issues and DMARC/ DKIM/ SPF etc... tbh don't really know where to start? I've looked up the suggested MxTool Kit and others like Red Sift and Mimecast? We're a mid-size company and our IT team tells me we're at something call monitoring mode?

reddit.com
u/Due_Pomelo_6958 — 11 days ago
▲ 4 r/EmailSecurity+1 crossposts

Help with outlook email being constantly hacked

Hi can anyone advise how I can stop my outlook from being constantly hacked. I manage to recover account and change the contact email for security but that takes 30days to take place and who ever is hacking me still has an email associated with my account and keeps going back in to change details. And I can’t make any security changes for 30days

reddit.com
u/Apprehensive_Sir7349 — 11 days ago
▲ 4 r/EmailSecurity+1 crossposts

SimpleLogin MTA-STS Policy Still Set to "Testing" After 5 Years

Over five years ago, I reached out to Proton regarding a security gap in SimpleLogin: the lack of MTA-STS enforcement. Without an enforced policy, mail servers are not mandated to use encrypted connections, leaving email traffic vulnerable to interception via man-in-the-middle (MITM) operations.

Initially, there was no policy in place. After multiple follow-ups, they implemented a "testing" mode policy roughly two years ago. However, a testing policy does not enforce encryption, meaning the traffic remains vulnerable to interception.

Fixing this requires changing the policy status from "testing" to "enforce."

Given how straightforward this configuration change is, why would a privacy-focused company knowingly and intentionally leave it in testing mode for years?

reddit.com
u/Level-Profile-7841 — 11 days ago

Chat approval is not change control for mail DNS

A PM got a webinar sender approved in Slack 30 minutes before a campaign, then asked for SPF and DKIM records on the main company domain. The pushback I got was basically "it's just TXT records," which is exactly the problem.

SPF, DKIM, MX, and DMARC changes are production mail path changes. One bad include, stale selector, or vendor sending unauthenticated can mess with deliverability, reporting, and domain reputation way outside that one webinar.

I'm not saying every marketing sender needs a three-week CAB ritual. But at minimum I want a ticket, owner, sender purpose, DNS diff, rollback plan, and proof the vendor can sign aligned DKIM before anything touches the company domain.

Would you block the launch until that exists, or let it ship if the blast is time-sensitive and DKIM passes in a quick test?

reddit.com
u/littleko — 11 days ago

Marketing ignored three weeks of abuse@ complaints and tanked the client domain reputation

One of our clients had abuse@ forwarding into a shared marketing inbox because they insisted spam complaints were a "campaign quality" issue. A stale newsletter segment started throwing spam complaints after an old CRM import, 42 complaints over 19 days, all the same campaign ID.

Nobody actioned them. The sender kept hitting that segment twice a week, then normal invoices and password resets from the same client domain started landing in junk for a chunk of recipients.

Marketing's argument is that those users technically opted in back in 2023. My argument is that complaint handling is not a vibes-based unsubscribe queue, it's part of keeping the domain usable.

I can isolate future bulk mail onto a subdomain, but that doesn't fix the process. Would you pull their send access until abuse@ has an owned SLA, or accept the subdomain split and let marketing own the blast radius?

reddit.com
u/saltyslugga — 13 days ago
▲ 6 r/EmailSecurity+1 crossposts

Notes from reversing a CodeStorm M365 phishing flow

I spent some time reversing a CodeStorm Microsoft 365 phishing flow that looked like a basic voicemail lure at first, but the deeper chain was more interesting.

The visible email was short:

missed call
date received
duration
reference number
open voicemail portal

Nothing too special on the surface.

The strange part was the full message body. Far below the visible lure, after a lot of whitespace, there was a full unrelated historical email thread with reply headers, signatures, disclaimers, addresses, and phone numbers.

I saw the same buried thread reused across unrelated victim environments.

That feels intentional. To the user, it is a short voicemail email. To a filter, it is a much longer business-looking message. That can change things like URL-to-text ratio, body length scoring, reply-chain heuristics, keyword density, and normal-business-language signals.

The rough flow I observed:

email lure
→ trusted redirectors
→ adservice hops
→ randomized landing domain
→ Cloudflare Turnstile
→ anti-analysis JavaScript
→ second-stage JavaScript
→ POST /google.php

The landing pages accepted the victim identity in multiple formats:

#<email>
?e=<email>
#?<random_param>=<base64_email>

The first-stage JavaScript included a few analyst-friction checks:

if (
  navigator.webdriver ||
  window.callPhantom ||
  window._phantom ||
  navigator.userAgent.includes("Burp")
) {
  window.location = "about:blank";
}

It also blocked common DevTools shortcuts, right-click, and used a debugger timing trap. If debugging was detected, it redirected to what looked like a legitimate Outlook encrypted-message URL.

The second stage used a backend controller pattern:

var file = "<base64 encoded URL>";
const controller = atob(file);

// decoded to:
// https://<backend-domain>/google.php

The backend actions I observed included:

do=check
do=login
do=verify
checkVerify

do=check appeared to perform Microsoft identity discovery. In controlled testing, managed M365 users, nonexistent users, and federated tenants received different responses.

Examples of the behavior:

managed M365 existing user
→ status=success
→ type=office
→ federationLogin=""
→ canary returned

managed M365 nonexistent user
→ status=error
→ "We couldn't find an account with that username. Try another account."

federated M365 tenant
→ status=success
→ federationLogin=<tenant federation route>
→ branding returned

provider-labeled federation example
→ type=godaddy
→ federationLogin=sso.godaddy.com/?domain=...&realm=pass&app=o365...

I would not treat GoDaddy as a separate authentication category. It is still a federated M365 path. The interesting part is that the backend can label some provider-backed federation routes.

For do=login, I only used fake credentials against a controlled tenant. The backend returned a Microsoft-style error:

{"status":"error","message":"Your account or password is incorrect"}

Immediately after, Entra sign-in logs showed failed OfficeHome sign-ins for the same account:

Application: OfficeHome
Client app: Browser
Status: Failure
Error: 50126
Failure reason: invalid username or password
Authentication requirement: single-factor authentication
Source IPs: external IPs

So this did not behave like a simple credential collection form. It attempted to validate or replay the submitted credentials against Microsoft.

I also saw the same /google.php controller model across rotating infrastructure. The visible frontend domains changed, but the protocol stayed consistent:

victim identity in URL
→ POST /google.php
→ do=check
→ do=login
→ do=verify / checkVerify

Static strings in the second-stage JavaScript showed support for multiple MFA-related paths, including authenticator app, OTP, SMS, phone call, and Hotmail-style recovery/OTP flows.

Some detection ideas from this analysis:

- short visible lure + very long unrelated buried thread
- voicemail-themed M365 lure with organization-specific subject
- self-addressed sender/recipient pattern
- Google redirector → adservice hop → S3 or randomized landing
- victim identity carried as email or base64 email in URL
- Turnstile gate before content
- anti-analysis checks for webdriver, Phantom, Burp, DevTools shortcuts
- browser POST to cross-site /google.php
- Entra OfficeHome failures with 50126 from external replay IPs after a phishing click

Main takeaway: the lure was basic, but the backend was not. The flow behaved like a tenant-aware M365 authentication relay, with identity discovery before credential replay.

u/ZeroBEC — 14 days ago