
The third-party cloud spam filter is configured and everything seems to work as expected. Then spam messages start showing up in users' mailboxes anyway. What is happening? In this article, you will learn how attackers bypass a third-party spam filter that sits in front of Microsoft 365 by delivering mail straight to Exchange Online.

Get Microsoft 365 MX record

Attackers don't have to put much effort into finding the Microsoft 365 MX record. Microsoft generates a default, predictable MX hostname for every domain you add to the Microsoft 365 tenant: the domain name with its dots replaced by dashes, followed by .mail.protection.outlook.com. Exchange Online accepts mail on that hostname no matter what the public MX record of the domain points to, and that is exactly what the attacker relies on.

Have a look at the table below:

Domain      Microsoft 365 MX record
exoip.nl    exoip-nl.mail.protection.outlook.com
exoip.com   exoip-com.mail.protection.outlook.com

Now that we have the MX hostname for the domain, we can proceed.

Send email to the Microsoft 365 MX hostname

We will use the Wormly SMTP test tool to send a message, with the Microsoft 365 MX hostname as the SMTP server. You could also do this by hand with telnet, but many ISPs block outbound port 25, so you may not get a connection at all. An external SMTP test tool, as shown here, is the more reliable option.

Fill in the following details:

  • Hostname or IP: the Microsoft 365 MX hostname (for example exoip-nl.mail.protection.outlook.com)
  • Email address: the target user's email address
  • TCP port: 25, or leave it empty for the default
  • Send SMTP test email?: Yes, so we can inspect the message header afterwards

After you fill in everything, click on the button START SMTP TEST.
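The same test as a script, so the whole SMTP exchange is visible instead of hidden behind a web form. This is an added example, not the article's own code and not anything from Wormly: it derives the default MX hostname with the dots-to-dashes rule shown in the table above, then hands a test message to that host over port 25 (with STARTTLS when the server offers it) using Python's standard smtplib. The sender address test@example.org and the recipient user@exoip.nl are placeholders, and the hostname suffix is the commercial Microsoft 365 one from the table; if the Domains page of your admin center shows a different suffix, change EOP_SUFFIX accordingly.

```python
"""Deliver a message straight to a Microsoft 365 tenant's default MX host.

Added example (not from the original article). Reproduces the Wormly SMTP
test with the standard library so every step of the exchange is visible.
Addresses used below are placeholders.
"""
import smtplib
from email.message import EmailMessage

# Suffix of the default MX hostname for the commercial Microsoft 365 cloud,
# as shown in the article's table. Assumption: your tenant uses this one.
EOP_SUFFIX = ".mail.protection.outlook.com"


def eop_mx_host(domain: str) -> str:
    """Return the default Exchange Online MX hostname for an accepted domain.

    Microsoft derives it from the domain by replacing every dot with a dash,
    so exoip.nl becomes exoip-nl.mail.protection.outlook.com. Trailing dots
    and upper-case letters are normalised first.
    """
    label = domain.strip().rstrip(".").lower()
    if not label or "." not in label or any(c.isspace() for c in label):
        raise ValueError(f"not a domain name: {domain!r}")
    return label.replace(".", "-") + EOP_SUFFIX


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """Build the minimal test message that the SMTP test delivers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Direct delivery test (bypassing the third-party filter)"
    msg.set_content("If you can read this, the default MX host accepted mail directly.")
    return msg


def send_direct(recipient: str, sender: str, port: int = 25, timeout: float = 20.0) -> str:
    """Deliver the test message to the recipient domain's EOP host.

    Returns the hostname the message was handed to. Needs outbound TCP/25,
    which many ISPs block (the article uses an external tool for that reason).
    """
    domain = recipient.rsplit("@", 1)[-1]
    host = eop_mx_host(domain)
    msg = build_test_message(sender, recipient)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.set_debuglevel(1)        # print the dialogue: EHLO, STARTTLS, MAIL FROM, RCPT TO, DATA
        smtp.ehlo()
        if smtp.has_extn("starttls"):  # EOP advertises STARTTLS; use it when offered
            smtp.starttls()
            smtp.ehlo()
        smtp.send_message(msg)
    return host


if __name__ == "__main__":
    import sys

    # Placeholder recipient; pass a real mailbox in the target tenant as argument 1.
    rcpt = sys.argv[1] if len(sys.argv) > 1 else "user@exoip.nl"
    print("delivered via", send_direct(rcpt, sender="test@example.org"))
```

Run it from a host that has outbound TCP/25 (a cloud VM, since most consumer ISPs block the port). Because the script connects to the tenant's own EOP front end, the resulting message header carries no trace of the third-party filter, which is what the header analysis in the following step shows.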

[Screenshot: Wormly SMTP test form]

The SMTP test results show that the tool resolved the MX hostname to an IP address and that Exchange Online accepted the message for delivery to the user's mailbox.

[Screenshot: SMTP test results]

Analyze message header

Go to the Microsoft 365 user's inbox and open the message. Next, view the message details and copy the complete message header.

[Screenshot: view message details]

Paste the copied message header into Microsoft's Message Header Analyzer and click the Analyze headers button.

There is no sign of the third-party cloud spam filter anywhere in the Received chain. The test tool handed the message directly to an Exchange Online Protection front end, and from there it went straight to the user's inbox.
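A way to perform this check without reading the headers by eye, as an added example that is not part of the original article: it parses the Received chain of a raw header with Python's email module, finds the hop at which the message entered Exchange Online Protection (the hop received by a *.mail.protection.outlook.com host) and reports whether the sending side of that hop was the third-party filter or an arbitrary internet host. The two sample headers are constructed and shortened for illustration, the filter hostname mx1.spamfilter.example stands in for your vendor's outbound relay, and smtp-tester.example.net stands in for the test tool.

```python
"""Check the Received chain for a hop through the third-party spam filter.

Added example (not from the original article). The sample headers below are
constructed; hostnames ending in spamfilter.example and example.net are
placeholders for the filter vendor's relay and the sending test tool.
"""
import re
from email import message_from_string
from typing import List, NamedTuple, Optional

# A "by" host with this suffix is an Exchange Online Protection front end.
EOP_FRONTEND = re.compile(r"\.mail\.protection\.outlook\.com$", re.IGNORECASE)
# "from <sending host> ... by <receiving host>" inside one Received header.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)


class Hop(NamedTuple):
    sending_host: str
    receiving_host: str


def received_hops(raw_header: str) -> List[Hop]:
    """Return the Received hops in transit order (oldest first).

    Each server prepends its own Received header, so the parsed message lists
    them newest first; the list is reversed to follow the path the mail took.
    """
    msg = message_from_string(raw_header)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold the header first
        if m:
            hops.append(Hop(m["from"].rstrip(";,").lower(), m["by"].rstrip(";,").lower()))
    return list(reversed(hops))


def entry_hop(hops: List[Hop]) -> Optional[Hop]:
    """The hop at which the message entered Exchange Online Protection."""
    for hop in hops:
        if EOP_FRONTEND.search(hop.receiving_host):
            return hop
    return None


def bypassed_filter(raw_header: str, filter_host_suffix: str) -> bool:
    """True when the message reached EOP without passing the third-party filter.

    Compares the sending host of the EOP entry hop with the filter's hostname
    suffix (e.g. "spamfilter.example"): mail relayed by the filter has one of
    its hosts there, a direct delivery has the sender's own host instead.
    """
    hop = entry_hop(received_hops(raw_header))
    if hop is None:
        raise ValueError("no Received hop into *.mail.protection.outlook.com found")
    suffix = filter_host_suffix.lower().lstrip(".")
    return not (hop.sending_host == suffix or hop.sending_host.endswith("." + suffix))


# Constructed sample: the test tool delivered straight to the default MX host.
DIRECT_HEADER = """\
Received: from AM0PR09MB1234.eurprd09.prod.outlook.com (2603:10a6:20b:4b::15)
 by AM0PR09MB5678.eurprd09.prod.outlook.com with HTTPS; Mon, 1 Jan 2024 10:00:05 +0000
Received: from AM5EUR02FT021.eop-EUR02.prod.protection.outlook.com (2603:10a6:20b:4b:cafe::1)
 by AM0PR09MB1234.eurprd09.prod.outlook.com with Microsoft SMTP Server; Mon, 1 Jan 2024 10:00:04 +0000
Received: from smtp-tester.example.net (203.0.113.10)
 by AM5EUR02FT021.mail.protection.outlook.com (10.152.16.122) with Microsoft SMTP Server;
 Mon, 1 Jan 2024 10:00:03 +0000
From: test@example.net
To: user@exoip.nl
Subject: direct delivery
"""

# Constructed sample: the same message routed through the third-party filter.
FILTERED_HEADER = """\
Received: from AM0PR09MB1234.eurprd09.prod.outlook.com (2603:10a6:20b:4b::15)
 by AM0PR09MB5678.eurprd09.prod.outlook.com with HTTPS; Mon, 1 Jan 2024 10:00:05 +0000
Received: from AM5EUR02FT021.eop-EUR02.prod.protection.outlook.com (2603:10a6:20b:4b:cafe::1)
 by AM0PR09MB1234.eurprd09.prod.outlook.com with Microsoft SMTP Server; Mon, 1 Jan 2024 10:00:04 +0000
Received: from mx1.spamfilter.example (198.51.100.7)
 by AM5EUR02FT021.mail.protection.outlook.com (10.152.16.122) with Microsoft SMTP Server;
 Mon, 1 Jan 2024 10:00:03 +0000
Received: from smtp-tester.example.net (203.0.113.10)
 by mx1.spamfilter.example with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
From: test@example.net
To: user@exoip.nl
Subject: filtered delivery
"""

if __name__ == "__main__":
    for name, header in (("direct", DIRECT_HEADER), ("filtered", FILTERED_HEADER)):
        print(name, "bypassed filter:", bypassed_filter(header, "spamfilter.example"))
```

Run over exported headers of suspicious messages, this turns the manual check in the Message Header Analyzer into something you can apply to a whole quarantine folder: any message whose EOP entry hop was not sent by the filter's relay came in through the back door.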

[Screenshot: Message Header Analyzer results]

You might expect Exchange Online Protection (EOP), Microsoft's built-in hygiene service, to catch the spam. But remember that a tenant with a third-party spam filter in front of it is configured to let that filter do the filtering and to bypass EOP (as in the enhanced filtering setup), so a message that reaches Exchange Online directly is not stopped by EOP either.

Important: you should never have a third-party spam filter and EOP actively filtering at the same time. Two active spam filters in the organization is asking for serious trouble.

Solution: stop attackers from bypassing the third-party spam filter

Now that we have a clear understanding of how attackers go to work, bypassing the third-party spam filter and delivering straight to users' inboxes, the question is: what is the solution?
