New spamming technique - onmicrosoft.com

Published: 2013-10-17. Last Updated: 2013-10-18 13:47:13 UTC
by Adrien de Beaupre (Version: 2)
3 comment(s)

Spammers have long relied on bots, compromised webmail accounts, or open SMTP relays to send their dastardly payloads to our mailboxes. This new trend is a variation on the theme. The spammer sets up a vanity domain, and then send spam through it. The interesting bit here is that it is not hotmail.com or outlook.com but onmicrosoft.com being used. The format is as follows: <UserName>@<Vanity-name>.onmicrosoft.com. One reader Melvin has seen quite a few of these and asked me to write this up. To quote Melvin "So, spammers are registering *WITH* Microsoft for domain-hosting and web-hosting, and then abusing Microsoft's own mail-servers ("six-nines-availability/reliability")to distribute their spam/scam messages." <sarcasm>Awesome business plan! </sarcasm>

Is your IDS/IPS, anti-spam, or email gateway allowing these through, alerting on them, or blocking them?

Here are some samples:

Date: Wed, 16 Oct 2013 20:49:20 +0100
Subject: (none)
From: Uk National <001@tanlan.onmicrosoft.com>
Reply-To: <claimsagent845@yahoo.com.hk>

Your Email Id Have Won 1,000,000.00 GBP in Uk National Lottery ...
______________

Date: Mon, 7 Oct 2013 20:13:23 +0530
Subject: BARCLAY'S BANK
From: BARCLAY'SBANK <pp7@lines.onmicrosoft.com>
Reply-To: <barclaysbnnkplclondon@zing.vn

>
______________

Date: Fri, 4 Oct 2013 16:23:48 +0000
Subject: Let the moment last as much as you want.
From: <JackChappell@morriswatanabe.onmicrosoft.com>
______________

Date: Tue, 1 Oct 2013 18:22:23 +0100
Subject: Attn:This Is My Second Email,Please Respond
From: Ahmed Mohamed <Ahmed01@lawoffice2013.onmicrosoft.com>
Reply-To: <askahmedmhd@yahoo.co.uk>
______________

Date: Sat, 28 Sep 2013 21:35:33 +0530
Subject: Do you need A Business OR Personal Loan
From: Loan Offer <LOAN21110011@Changloan656.onmicrosoft.com>
Reply-To: <loanoff00@hotmail.com>
______________

Date: Thu, 26 Sep 2013 22:19:47 +0000
Subject: Exclusive offer, feel it for real
From: <GiuseppeArena@wabipyge.onmicrosoft.com>
______________

Date: Sat, 21 Sep 2013 04:20:00 +0530
Subject: CONTACT FEDEX COURIER SERVICE FOR YOUR FUND CONSIGNMENT BOX
From: <019@Burrows00t.onmicrosoft.com>
Reply-To: <donphilip011@gmail.com>
______________

Date: Wed, 18 Sep 2013 07:17:50 +0000
Subject: Unique product for your needs
From: <MichaelAshcroft@wabipyge.onmicrosoft.com>
______________

Date: Mon, 16 Sep 2013 17:58:25 +0530
Subject: Re
From: " Miss Zaina Abisali" <3@emailer.onmicrosoft.com>
Reply-To: <miss.zainaabisali@gmail.com>
______________


Date: Fri, 4 Oct 2013 16:23:48 +0000
Subject: Let the moment last as much as you want.
From: <JackChappell@morriswatanabe.onmicrosoft.com>
 

Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

 

Keywords: spam
3 comment(s)

Comments

I have received five of these to a personal email account at Bluehost and the default SpamAssassin there caught them.

Why bother with Microsoft? My company has been receiving spam sent from domains that were registered just a day or two prior. These are even signed using DKIM, so it is difficult for spam filters to spot them. The domains usually match the spam, like "Start Speaking A New Language in 10 Days With This Proven Approach" from queue@top-language.net or "S?v?ngs Al?rt: N?w Inc?nt?v?s P?y Y?u t? G? S?l?r" from appearance@expectsolar.co. These do appear to be simple unsolicited commercial email and not phishing attempts, but this is a good method to get past spam filters.

Jim C.

Anonymous

Oct 17th 2013
1 decade ago

onmicrosoft.com emails probably originated from Microsoft Office365 (which is Microsoft's equivalent of Google Apps for Business)


Users can sign up for Office365 trial, select a domain name e.g. "mydomain".
The trial domain will then be @mydomain.onmicrosoft.com

Anonymous

Oct 18th 2013
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives