December 16, 2020 | By Moshe Dadush Infrastructure Security Manager
Onmicrosoft will bypass your Email protections
In 2020, e-mail has been one of the most common channels through which we saw cyber-attacks developing and targeting organizations and users alike. It is likely to remain the most common attack medium in the coming years.
Adversaries keep increasing their momentum in this channel, trying to trick users into downloading malicious files, luring them into clicking malicious links, and harvesting sensitive information.
To reduce the attack surface for attacks arriving through this channel, organizations deploy Mail Relay systems. These systems can run anti-malware, anti-phishing, anti-spam and other engines that significantly reduce the threats reaching end users.
Once an organization has deployed and hardened a Mail Relay solution, it is generally assumed that all of its email channels are secured and its users protected. If the organization also uses Office 365, we would strongly recommend thinking again.
What does it mean for an organization?
When an organization signs up for an Office 365 subscription, Microsoft first creates a domain under onmicrosoft.com for the organization, for instance @trustnet3.onmicrosoft.com. The company's Office 365 admins can create user accounts with this @trustnet3.onmicrosoft.com suffix and manage the data under this tenant.
Let's take a look at the MX record of "Trustnet.co.il":
And now let's take a look at the MX record of "trustnet3.onmicrosoft.co.il":
As we can see, we have two “onmicrosoft” domains:
What does this signify?
If we send an email to User1 in this domain, at the following address: email@example.com, the email bypasses the deployed email relay and is delivered directly to the organization's Office 365 mailbox. In this way an organization's security control can be bypassed, exposing the organization to adversaries and cyber criminals using a variety of attack vectors.
How can you mitigate that risk?
The flow of incoming email for Trustnet.co.il is:
To prevent adversaries from targeting the custom domain directly, we recommend defining a rule in Office 365 that allows email into the organization's mailboxes only if it comes from the IP address of the organization's Mail Relay. This ensures that emails sent directly to the tenant are quarantined.
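One way to implement this rule, as an added example that is not part of the original post: an Exchange Online mail flow (transport) rule, created with Exchange Online PowerShell, that quarantines any message from outside the organization unless it was handed over by the Mail Relay. The relay address 203.0.113.10 and the rule name are constructed placeholders.

```powershell
# Added example, not TrustNet's own configuration. Assumes the
# ExchangeOnlineManagement module is installed and the account has
# the Exchange administrator role.
Connect-ExchangeOnline

# Public IP address(es) of the organization's Mail Relay.
# 203.0.113.10 is a constructed placeholder; use the real relay addresses.
$RelayIPs = @('203.0.113.10')

# Quarantine every message that originates outside the organization
# (which includes mail sent straight to tenant.onmicrosoft.com addresses)
# unless its connecting IP is one of the relay's addresses.
New-TransportRule -Name 'Quarantine inbound mail that bypassed the Mail Relay' `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $RelayIPs `
    -Quarantine $true `
    -Mode Enforce `
    -Comments 'Only the Mail Relay may deliver external mail into this tenant'

# Confirm the rule exists and check its priority: rules are evaluated in
# priority order (0 first), so place it above any rule that delivers mail.
Get-TransportRule -Identity 'Quarantine inbound mail that bypassed the Mail Relay' |
    Format-List Name, State, Priority, FromScope, ExceptIfSenderIpRanges, Quarantine
```

Run the rule with `-Mode Audit` first and review the message trace for a few days, so that legitimate external senders that do not pass through the relay (for example Microsoft service notifications) are identified before enforcement.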
Stay Safe with TrustNet!