Below is an example of the security problems with Outlook.com.
- The message is accepted from unauthenticated SMTP
- SPF/DKIM/DMARC tests are performed on the message and documented with multiple authentication result headers. The headers confirm that the message was accepted without authentication.
- The message is processed as if it were valid, and then a signature is added for yeshimconsulting.onmicrosoft.com. (If the domain had the correct CNAME entries configured, it would have received a signature for yeshimconsulting.com.)
- The message leaves Outlook.com with SPF Pass, and could have left with DMARC Pass as well.
The body of this message had a fraudulent link that requested review on an internal policy document.
Unfortunately, I have many legitimate correspondents who send messages that depend on this security hole. I could add full-header parsing logic so that I can detect this problem, then create a policy table with allow rules for the legitimate senders. I am reluctant to do that because my incoming filter process is taking an unacceptable amount of time to process each message already, but it may be necessary.
I have filed an abuse report with abuse@outlook.com, but they never acknowledge the submission. I am probably wasting my time, especially since they have clients who depend on the security hole.
I note that Microsoft Forefront checked the message for spam, but found nothing wrong, as usual.
FYI. Very frustrated.
Message Headers
Authentication-Results: smtp.<redacted>.com; arc=pass
Received: from SN4PR2101CU001.outbound.protection.outlook.com (mail-southcentralusazon11022099.outbound.protection.outlook.com [40.93.195.99])
by <redacted>.com
with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256);
Tue, 23 Sep 2025 11:59:01 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=HmBubS0WzTbyO3UWt7ueOpABhX2UFQ8NX2rNx7rQVJNbE8WPM04SJ1+OvdXQ987wH0nnouLmyG+z+vTekZtgfdHH0KAB99nLvWUmLxiVe1bajAjt9v08lyV/ZRZ2woRPTXtySS9PI5a7L3SCLcTFJ+0vNWaBLYj0SNCqdvLKzI6stxarh4chDW9BxzjWFGvkuR9cMZd3ZcfqU+RygozhfX03PNCKtvlQ6p15gW5/O61HjhdLtxKj3emY3QHO5K10izNjEE2V33Gw7xl96Q/L4v+UBWxkgo8uRc+/xz4bC6V7cOpx9W0/5D/71Rwd+uP3UFwRE6AJTgqbvsyyzKVdFg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=P/aLBHSm1ZdroTvLOQFBuM5um14DEQQ/RkJHuYeiioM=;
b=bt7Ks2XIoKEyaBlwN9/WWKiqfIlxSJvKdQ1KgrOzmEMYsN5cxBIntiDM7aAKwvHm3BVN5l0PgWjhNI6VUbneHbQ+XJzg3us6VeMLSmRE0474XTVjWpaNRvbgnWOaHnBeG6JVmscXUmoKbXgrc69uubfqkRSpsvgxp/OHrp2ZbFK0Nequt3wybJYDh1UbxmdJr2BBQe0D3pF2Bs9NZYaHxxilMWvO7/GrvF7AFtpjCA8FhZeOb8M5NvH89VN087nkmektWyeYZ7NiT0dfhEUOHmma/7Q+H36lN9uDxcO0sddeLdeTAYgBnla19Q/cXY12sg55kfF+HLSr0Aj57klqNw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is
103.125.219.144) smtp.rcpttodomain=bayviewphysicians.com
smtp.mailfrom=yes-himconsulting.com; dmarc=fail (p=none sp=none pct=100)
action=none header.from=yes-himconsulting.com; dkim=none (message not
signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yeshimconsulting.onmicrosoft.com;
s=selector2-yeshimconsulting-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=P/aLBHSm1ZdroTvLOQFBuM5um14DEQQ/RkJHuYeiioM=;
b=oFZDtau5Ml3gUwt8matzaY+iI3QMu+kBWD6Q2+gJQfeNcACNr9qDOZBec1Jw7Ggg3hOXrxsGjLgFjhrvMqD/QnlrYLep+WMW3qijRlRRBdyNE0o8Ad6tzp+NaR5Cr42uw4C8ibwUis6ETXMuffsN9Mpc9AGQetMk5lkKIudnhzo=
Received: from DM6PR06CA0042.namprd06.prod.outlook.com (2603:10b6:5:54::19) by
SJ2PR22MB3965.namprd22.prod.outlook.com (2603:10b6:a03:501::22) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9137.19; Tue, 23 Sep
2025 15:58:57 +0000
Received: from CY4PEPF0000EE3D.namprd03.prod.outlook.com
(2603:10b6:5:54:cafe::49) by DM6PR06CA0042.outlook.office365.com
(2603:10b6:5:54::19) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.9137.20 via Frontend Transport; Tue,
23 Sep 2025 15:58:57 +0000
X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 103.125.219.144)
smtp.mailfrom=yes-himconsulting.com; dkim=none (message not signed)
header.d=none;dmarc=fail action=none header.from=yes-himconsulting.com;
Received-SPF: Fail (protection.outlook.com: domain of yes-himconsulting.com
does not designate 103.125.219.144 as permitted sender)
receiver=protection.outlook.com; client-ip=103.125.219.144;
helo=103.125.219.144;
Received: from 103.125.219.144 (103.125.219.144) by
CY4PEPF0000EE3D.mail.protection.outlook.com (10.167.242.15) with Microsoft
SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9137.12
via Frontend Transport; Tue, 23 Sep 2025 15:58:56 +0000
Date: Tue, 23 Sep 2025 15:58:55 +0000
Subject: <redacted company name> Revised Q4 Handbook 23 Sep, 2025 8AF4-SFRZ1F-VSH1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="===============2994925143539375055=="
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CY4PEPF0000EE3D:EE_|SJ2PR22MB3965:EE_
X-MS-Office365-Filtering-Correlation-Id: a37f375b-fdd0-489e-db10-08ddfaba1a80
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|82310400026|34070700014|36860700013|1800799024|110011033|8096899003;
X-Forefront-Antispam-Report: CIP:103.125.219.144;CTRY:JP;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:103.125.219.144;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(376014)(82310400026)(34070700014)(36860700013)(1800799024)(110011033)(8096899003);DIR:OUT;SFP:1102;
X-OriginatorOrg: yes-himconsulting.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Sep 2025 15:58:56.6924 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a37f375b-fdd0-489e-db10-08ddfaba1a80
X-MS-Exchange-CrossTenant-Id: 63d579c8-4752-4690-9aba-5b5db313fbf0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=63d579c8-4752-4690-9aba-5b5db313fbf0;Ip=[103.125.219.144];Helo=[103.125.219.144]
X-MS-Exchange-CrossTenant-AuthSource: CY4PEPF0000EE3D.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ2PR22MB3965
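One way to write the full-header parsing check the post talks about, as an added example that is not part of the original message or of any Microsoft tooling: it reads a constructed copy of the headers above (blobs shortened, and a From: line assumed to match header.from), flags mail relayed by Outlook.com whose Microsoft-side results show it was never authenticated, and takes an allow list standing in for the policy table of legitimate senders.

```python
import email
import re
from email.utils import parseaddr
# Constructed sample: the message's authentication headers (see above), blobs shortened, From: added to match header.from.
SAMPLE = """\
Received: from SN4PR2101CU001.outbound.protection.outlook.com ([40.93.195.99])
 by mx.example.com with SMTP; Tue, 23 Sep 2025 11:59:01 -0400
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is
 103.125.219.144) smtp.mailfrom=yes-himconsulting.com; dmarc=fail (p=none) header.from=yes-himconsulting.com; dkim=none (message not signed)
DKIM-Signature: v=1; a=rsa-sha256; d=yeshimconsulting.onmicrosoft.com;
 s=selector2-yeshimconsulting-onmicrosoft-com; h=From:Subject; bh=X; b=X
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
From: HR <hr@yes-himconsulting.com>
"""
OUTLOOK_RELAY = re.compile(r'\.outbound\.protection\.outlook\.com\b', re.I)

def unfold(value):
    """Join the folded continuation lines of a header into one logical line."""
    return re.sub(r'\r?\n[ \t]+', ' ', value)

def parse_auth_results(value):
    """'spf=fail (...) dkim=none (...)' -> {'spf': 'fail', 'dkim': 'none'}, comments dropped."""
    text = re.sub(r'\([^)]*\)', '', unfold(value))
    return {m[1].lower(): m[2].lower() for m in re.finditer(r'\b(spf|dkim|dmarc)=(\w+)', text, re.I)}

def check_outlook_relay(raw, allowed_from_domains=()):
    """Reasons a message relayed by Outlook.com looks unauthenticated at origin ([] = none)."""
    msg = email.message_from_string(raw)
    if not any(OUTLOOK_RELAY.search(unfold(r)) for r in msg.get_all('Received', [])):
        return []  # not relayed through Outlook.com, so this pattern does not apply
    from_domain = parseaddr(msg.get('From', ''))[1].rpartition('@')[2].lower()
    if from_domain in {d.lower() for d in allowed_from_domains}:
        return []  # allow rule for a legitimate correspondent known to send this way
    reasons = []
    # 1. Microsoft's own inbound check recorded no passing SPF or DKIM and a DMARC fail.
    for name in ('ARC-Authentication-Results', 'X-MS-Exchange-Authentication-Results'):
        for hdr in msg.get_all(name, []):
            r = parse_auth_results(hdr)
            if r.get('spf') != 'pass' and r.get('dkim') != 'pass' and r.get('dmarc') == 'fail':
                reasons.append(f"{name}: spf={r.get('spf')} dkim={r.get('dkim')} dmarc=fail")
    # 2. The signature added in transit is for a tenant *.onmicrosoft.com domain, not From.
    for sig in msg.get_all('DKIM-Signature', []):
        m = re.search(r'\bd=([^;\s]+)', unfold(sig))
        d = m[1].lower() if m else ''
        if d.endswith('.onmicrosoft.com') and d != from_domain and not d.endswith('.' + from_domain):
            reasons.append(f'DKIM-Signature d={d} does not align with From domain {from_domain}')
    # 3. Exchange itself recorded the submission as anonymous.
    if msg.get('X-MS-Exchange-CrossTenant-AuthAs', '').strip().lower() == 'anonymous':
        reasons.append('X-MS-Exchange-CrossTenant-AuthAs: Anonymous')
    return reasons
```

A message that is not relayed through *.outbound.protection.outlook.com, or whose From: domain is on the allow list, yields an empty list, so the check only costs time on the traffic the post is about.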