I am trying to figure out how this one phishing email (which used our company's domain as the From address) was able to bypass the O365 spam filter.
Looking at the header, it looks like they passed DKIM even though the domain that is used differs completely from the sender domain.
smtp.mailfrom=contoso.com;
dkim=pass (signature was verified) header.d=myprivategym.ae;
dmarc=fail action=quarantine header.from=noser.ch;
compauth=fail reason=000

Received-SPF: Fail (protection.outlook.com: domain of contoso.com does not designate 220.127.116.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.104.22.168; helo=5264291.stepup.ae;
And here is the complete DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=myprivategym.ae; s=default;
    h=Content-Type:MIME-Version:Date:Subject:To:From:Reply-To:Message-ID:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=suy1b+63b/U2RVJlwzBdnXUOlOuPf+shUSL9AwCk8Xw=;
    b=eUvt0Q7HjDXwECOgEc8cIWRMAEj8/0hQOvxyX8J2jZlVTwvupRc6x2v96MNDi8nuLw9/vPSenK20R5JoRFqoywTfycnpvIj0HBsfTwxihpJJlz98Y2YNYz1TEW/1OK1sIQ6tWUYore3TXFHFyin7hSbZKLCkiRdHT9UxGsd70WiFDTZH+hwubvNOytOMZHC0F9uxWaeaZc5AIp6ZB7rHcq4wdHmqWVQm04FCIrCyq/f7zUeCeKUhrRCgDKqFhGh/ZT/Ek5Yq5BL6E2p99X6LyCgGfDQ8IUvYHXLbVlUK1rllP1pnhzn/mBNvpo8fvXGAtS4K2+9TyrSKkZL8iPhy3A==;

Received: from [22.214.171.124] (port=49903 helo=126.96.36.199) by 5264291.stepup.ae with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from firstname.lastname@example.org)
My DMARC DNS Records look like this:
Do I have to add a domain alignment checker for SPF and DKIM to prevent this? Or is there some other reason I am missing for why DKIM passed in this case?
DMARC requires passing either SPF or DKIM. Passing requires domain alignment.
While this message does have valid DKIM (for d=myprivategym.ae), it does not align with your domain (contoso.com). Anybody can set up their own DKIM for their own domain, so this is not a useful signal unless it claims to be your domain, in which case they'd have to obtain a DNS entry to be valid. That's why DMARC alignment is so important.
Since it doesn't pass SPF and doesn't have aligned DKIM, DMARC failed and your prescribed policy of p=quarantine applies. However, your mail server likely isn't configured to do anything useful with DMARC p=quarantine. That's probably a good thing, it's not a strong signal. Incorporating it as one of many features in a larger anti-spam system (like giving it some points in SpamAssassin) makes sense, as does actually quarantining it (assuming you have a useful quarantine system, say one that rescans its content after some time delay).
Even in the best circumstances, it's easy for a quarantine action to be insufficient to block spoofed messages. When you've finished vetting the aggregate DMARC reports after some window of time, you can decide that it's safe to upgrade to p=reject, at which point you can configure your MX records to reject or delete such violations, but many admins have sadly concluded that even DMARC p=reject is not a strong enough signal, so it again must be combined with other threat indicators and a clever campaign can still sneak through.
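To make the alignment rule from the answer concrete, here is an added example (not part of the original question or answer) that parses the Authentication-Results fields quoted above and evaluates DMARC the way a receiver does: a verified DKIM signature only counts if header.d aligns with header.from, and a passing SPF only counts if smtp.mailfrom aligns. The Authentication-Results string is reassembled from the header in the question (the spf= clause is built from the Received-SPF line), the DMARC record is assumed since the question does not show it, and the organizational-domain helper is a deliberate simplification (last two labels) of the Public Suffix List lookup real evaluators use.

```python
import re

# Authentication-Results value reassembled from the header quoted in the question
# (constructed: the spf= clause is rebuilt from the Received-SPF line, the rest is copied).
AUTH_RESULTS = (
    "spf=fail (protection.outlook.com: domain of contoso.com does not designate "
    "220.127.116.11 as permitted sender) smtp.mailfrom=contoso.com; "
    "dkim=pass (signature was verified) header.d=myprivategym.ae; "
    "dmarc=fail action=quarantine header.from=noser.ch; "
    "compauth=fail reason=000"
)

# The question does not show its DMARC record, so this one is assumed; p=quarantine
# matches the action=quarantine recorded in the header above.
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@contoso.com"


def parse_auth_results(value):
    """Split an Authentication-Results value into {method: {"result": ..., prop: value}}."""
    results = {}
    for clause in value.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop "(comments)"
        if not clause:
            continue
        tokens = clause.split()
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.lower()
        results[method.lower()] = props
    return results


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=quarantine; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified (assumption): the last two labels.
    Real evaluators consult the Public Suffix List so that e.g. example.co.uk works."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(candidate, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not candidate or not from_domain:
        return False
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def evaluate_dmarc(auth, dmarc):
    """DMARC passes only if SPF or DKIM passes *and* its identifier aligns with header.from."""
    from_domain = auth.get("dmarc", {}).get("header.from", "")
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and is_aligned(
        spf.get("smtp.mailfrom", ""), from_domain, dmarc.get("aspf", "r"))
    dkim_aligned = dkim.get("result") == "pass" and is_aligned(
        dkim.get("header.d", ""), from_domain, dmarc.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "header_from": from_domain,
        "dkim_verified": dkim.get("result") == "pass",  # all that dkim=pass tells you
        "dkim_aligned": dkim_aligned,                    # what DMARC actually requires
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if passed else "fail",
        "action": "none" if passed else dmarc.get("p", "none"),
    }


def analyze(auth_results_value=AUTH_RESULTS, dmarc_txt=DMARC_RECORD):
    return evaluate_dmarc(parse_auth_results(auth_results_value), parse_dmarc_record(dmarc_txt))


if __name__ == "__main__":
    for key, val in analyze().items():
        print(f"{key:14} {val}")
    # Same message but signed with a key under the From domain (constructed): relaxed
    # alignment accepts the subdomain, strict alignment (adkim=s) does not.
    aligned_case = AUTH_RESULTS.replace("header.d=myprivategym.ae", "header.d=mail.noser.ch")
    print("relaxed:", analyze(aligned_case)["dmarc"])
    print("strict: ", analyze(aligned_case, "v=DMARC1; p=reject; adkim=s")["dmarc"])
```

Running it against the header from the question yields dkim_verified True but dkim_aligned False, so dmarc is "fail" and the action is the policy's quarantine; the second case shows that the very same message would pass once the signing domain sits under the From domain, which is why a bare dkim=pass is not a useful spoofing signal on its own.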
dkim=pass (signature was verified) header.d=myprivategym.ae: so this part only checks whether the sender has a verified DKIM signature or not; it doesn't matter what domain this DKIM represents. dmarc=fail action=quarantine: the dmarc entry checks for the domain alignment; if there was no DMARC record, the DKIM message above would have no impact on how the mails were marked. I will check with Microsoft how we can manage those kinds of mails. — Jan 12, 2022 at 08:18