New spamming technique – onmicrosoft.com (Thu, Oct 17th)

Spammers have long relied on bots, compromised webmail accounts, or open SMTP relays to send their dastardly payloads to our mailboxes. This new trend is a variation on the theme: the spammer sets up a vanity domain and then sends spam through it. The interesting bit here is that the domain being used is not hotmail.com or outlook.com but onmicrosoft.com. The format is as follows: <UserName>@<Vanity-name>.onmicrosoft.com. One reader, Melvin, has seen quite a few of these and asked me to write this up. To quote Melvin: "So, spammers are registering *WITH* Microsoft for domain-hosting and web-hosting, and then abusing Microsoft's own mail-servers ("six-nines-availability/reliability") to distribute their spam/scam messages." <sarcasm>Awesome business plan!</sarcasm>

Is your IDS/IPS, anti-spam, or email gateway allowing these through, alerting on them, or blocking them?
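A minimal triage check for the address pattern described above, as an added example (not part of the original diary): it parses each sender header and matches the parsed domain against the `.onmicrosoft.com` suffix instead of searching the raw header text. The function names, the header list and the sample messages are constructed for illustration; because every Office 365 tenant gets a default onmicrosoft.com domain, a hit is a signal for scoring or review, not a verdict.

```python
import email
from collections import Counter
from email.utils import getaddresses

SUFFIX = ".onmicrosoft.com"
# Headers that can carry a sender or reply address (assumed list for this example).
SENDER_HEADERS = ("From", "Reply-To", "Sender", "Return-Path")

def onmicrosoft_tenants(raw_message):
    """Return {header: vanity_name} for sender headers at <vanity>.onmicrosoft.com."""
    msg = email.message_from_string(raw_message)
    hits = {}
    for header in SENDER_HEADERS:
        # getaddresses() separates the display name from the real address, so an
        # address-looking display name cannot trigger (or hide) a match.
        for _name, addr in getaddresses(msg.get_all(header, [])):
            domain = addr.rpartition("@")[2].lower().rstrip(".")
            # Suffix match with the leading dot: rejects look-alikes such as
            # onmicrosoft.com.example.net or notonmicrosoft.com.
            if domain.endswith(SUFFIX) and len(domain) > len(SUFFIX):
                hits[header] = domain[: -len(SUFFIX)]
    return hits

def tally(messages):
    """Count messages per vanity name, to see which tenants are sending in bulk."""
    counts = Counter()
    for raw in messages:
        counts.update(set(onmicrosoft_tenants(raw).values()))
    return counts

# Constructed sample messages; every address below is a placeholder.
SAMPLES = [
    "Subject: (none)\nFrom: Lottery <winner@vanity-one.onmicrosoft.com>\n"
    "Reply-To: <claims@example.net>\n\nbody\n",
    # Look-alike domain with an onmicrosoft.com address as display name: no hit.
    'Subject: hello\nFrom: "info@vanity-one.onmicrosoft.com" '
    "<info@onmicrosoft.com.example.net>\n\nbody\n",
    "Subject: loan\nFrom: Loan Offer <loans@Vanity-Two.OnMicrosoft.com>\n"
    "Reply-To: <loans@vanity-two.onmicrosoft.com>\n\nbody\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(onmicrosoft_tenants(raw))
    print(tally(SAMPLES))
```
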

Here are some samples:

Date: Wed, 16 Oct 2013 20:49:20 +0100
Subject: (none)
From: Uk National <[email protected]>
Reply-To: <[email protected]>

Your Email Id Have Won 1,000,000.00 GBP in Uk National Lottery …
______________

Date: Mon, 7 Oct 2013 20:13:23 +0530
Subject: BARCLAY'S BANK
From: BARCLAY'SBANK <[email protected]>
Reply-To: <[email protected]>
______________

Date: Fri, 4 Oct 2013 16:23:48 +0000
Subject: Let the moment last as much as you want.
From: <[email protected]>
______________

Date: Tue, 1 Oct 2013 18:22:23 +0100
Subject: Attn:This Is My Second Email,Please Respond
From: Ahmed Mohamed <[email protected]>
Reply-To: <[email protected]>
______________

Date: Sat, 28 Sep 2013 21:35:33 +0530
Subject: Do you need A Business OR Personal Loan
From: Loan Offer <[email protected]>
Reply-To: <[email protected]>
______________

Date: Thu, 26 Sep 2013 22:19:47 +0000
Subject: Exclusive offer, feel it for real
From: <[email protected]>
______________

Date: Sat, 21 Sep 2013 04:20:00 +0530
Subject: CONTACT FEDEX COURIER SERVICE FOR YOUR FUND CONSIGNMENT BOX
From: <[email protected]>
Reply-To: <[email protected]>
______________

Date: Wed, 18 Sep 2013 07:17:50 +0000
Subject: Unique product for your needs
From: <[email protected]>
______________

Date: Mon, 16 Sep 2013 17:58:25 +0530
Subject: Re
From: " Miss Zaina Abisali" <[email protected]>
Reply-To: <[email protected]>
Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
