New tenant and domain classed as phishing


Hi everyone. 

I have searched and tried to find an answer to my questions but can't find anything.

I configured a new tenant with a new custom domain with "Enabled Security Defaults".

When my friends now try to send emails they get "Spam Confidence Level 5" on every email they send?

They have a Microsoft 365 Business Premium license.

 

Country/Region SE
Language en
Spam Confidence Level 5
Spam Filtering Verdict SPM
IP Filter Verdict NLI
HELO/EHLO String SWE01-MM0-obe.outbound.protection.outlook.com
PTR Record mail-mm0swe01on2112.outbound.protection.outlook.com
Connecting IP Address 40.107.120.112
Protection Policy Category SPM
Spam rules (4636009)(58800400005)(9686003)(7116003)(55016003)(564344004)(19627405001)(83310400002)(6916009)(7696005)(26005)(33656002)(83380400001)(83320400002)(83280400002)(83290400002)(83300400002)(5660300002)(8676002)(356005)(6506007)(7636003)(8636004)(22186003)(336012)(1096003)(52536014)(86362001)(76010400004)
Source header CIP:40.107.120.112;CTRY:SE;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:SWE01-MM0-obe.outbound.protection.outlook.com;PTR:mail-mm0swe01on2112.outbound.protection.outlook.com;CAT:SPM;SFS:(4636009)(58800400005)(9686003)(7116003)(55016003)(564344004)(19627405001)(83310400002)(6916009)(7696005)(26005)(33656002)(83380400001)(83320400002)(83280400002)(83290400002)(83300400002)(5660300002)(8676002)(356005)(6506007)(7636003)(8636004)(22186003)(336012)(1096003)(52536014)(86362001)(76010400004);DIR:INB;
Unknown fields DIR:INB;

 

I have tried to email my outlook.com, work email (M365) and my personal M365 tenant and same classification on the emails. 

Same problem if I try to send an email from .onmicrosoft.com address.

 

I can't find anything.

I have tried to change the outgoing policies, phishing policies, etc. and still the same problem.

I'm out of ideas.

 

When I try to configure DKIM I get "Error in retrieving encrypted key."

On both custom domain and onmicrosoft.com.

Attached two pictures of the error as well.

 

Please help and thanks in advance.

Best regards 

Thomas Malmesater

Sweden
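
The "Source header" in the post is Microsoft 365's X-Forefront-Antispam-Report header flattened into KEY:VALUE pairs. The following is an added example, not code from the thread, that parses such a header and maps the SCL, SFV, CAT, IPV and DIR codes to their documented meanings so a defender can triage a sample quickly. The embedded sample is the header from the post with the SFS list cut to its first three rule ids; the meaning tables cover only a subset of Microsoft's codes, and any code outside them is reported verbatim.

```python
"""Parse a Microsoft 365 X-Forefront-Antispam-Report header and summarise the verdict.

Added example (not from the thread). The header is a ';'-separated list of
KEY:VALUE pairs; the SFS value is a run of parenthesised spam-rule ids.
"""
import re
from typing import Dict, List, Union

# Constructed sample: the "Source header" from the post, with the SFS list cut
# to its first three rule ids to keep the sample short.
SAMPLE_HEADER = (
    "CIP:40.107.120.112;CTRY:SE;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
    "H:SWE01-MM0-obe.outbound.protection.outlook.com;"
    "PTR:mail-mm0swe01on2112.outbound.protection.outlook.com;CAT:SPM;"
    "SFS:(4636009)(58800400005)(9686003);DIR:INB;"
)

# Subset of Microsoft's documented codes; anything else is reported verbatim.
SFV_MEANING = {
    "SPM": "content filter marked the message as spam",
    "NSPM": "content filter marked the message as not spam",
    "SKN": "filtering skipped, marked not-spam by a rule or allow entry",
    "SKI": "filtering skipped, intra-organisation message",
    "BLK": "sender is on a block list",
}
CAT_MEANING = {
    "SPM": "spam",
    "HSPM": "high-confidence spam",
    "PHSH": "phishing",
    "BULK": "bulk mail",
    "NONE": "no policy category",
}
IPV_MEANING = {"NLI": "IP address not on any list", "CAL": "IP address allowed"}
DIR_MEANING = {"INB": "inbound", "OUT": "outbound"}

Field = Union[str, int, List[str]]


def parse_antispam_report(header: str) -> Dict[str, Field]:
    """Split KEY:VALUE pairs; SFS becomes a list of rule ids, SCL an int."""
    fields: Dict[str, Field] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        # Split on the first colon only, so an IPv6 CIP keeps its own colons.
        key, _, value = part.partition(":")
        key, value = key.strip().upper(), value.strip()
        if key == "SFS":
            fields[key] = re.findall(r"\((\d+)\)", value)
        elif key == "SCL" and re.fullmatch(r"-?\d+", value):
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields


def scl_action(scl: int) -> str:
    """Default anti-spam policy behaviour for an SCL value (EOP does not assign 2-4)."""
    if scl < 0:
        return "skipped: safe sender, allow list or mail-flow rule"
    if scl <= 1:
        return "not spam, delivered to Inbox"
    if scl <= 6:
        return "spam, delivered to Junk Email folder"
    return "high-confidence spam, delivered to Junk Email folder"


def triage(fields: Dict[str, Field]) -> Dict[str, str]:
    """Human-readable summary of the verdict fields for a quick look."""
    scl = fields.get("SCL")
    return {
        "connecting_ip": str(fields.get("CIP", "")),
        "scl": scl_action(scl) if isinstance(scl, int) else "SCL missing",
        "filter_verdict": SFV_MEANING.get(str(fields.get("SFV")), f"SFV:{fields.get('SFV')}"),
        "category": CAT_MEANING.get(str(fields.get("CAT")), f"CAT:{fields.get('CAT')}"),
        "ip_filter": IPV_MEANING.get(str(fields.get("IPV")), f"IPV:{fields.get('IPV')}"),
        "direction": DIR_MEANING.get(str(fields.get("DIR")), f"DIR:{fields.get('DIR')}"),
        "rules_hit": str(len(fields.get("SFS", []))),
    }


if __name__ == "__main__":
    for key, val in triage(parse_antispam_report(SAMPLE_HEADER)).items():
        print(f"{key:15} {val}")
```

Run against the sample it reports the connecting IP, that SCL 5 lands in Junk under the default policy, that the content filter (SFV:SPM) rather than an IP or sender list produced the verdict, and that the message was scored on the inbound side (DIR:INB), which is the combination the thread shows.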

12 Replies
I guess no one has an answer for this question?

@malmesater 
perhaps the cause is the spam from different IPs from 40.107.xxx.xxx
"from" is every time the same sender

Bildschirmfoto 2021-12-15 um 21.47.38.png


Bildschirmfoto 2021-12-15 um 21.45.38.png

I registered the first message on 2021.12.09 (9th of Dec.) in Germany.
Hi,
Thanks for the reply.
I'm not sure what you mean, how can I prevent this from happening?

BR
Thomas M

@malmesater 
Hi,
what I want to show is
that there is someone sending spam from, or trying to send via relay, or faked IPs, or a combination of these, with the name of these servers.
Perhaps it is possible to report it to Microsoft and ask them.
I am too lazy to do it, as my mailserver is a very small one in Germany and these kinds of "spamfloods" will normally go away in a few days or weeks. As you see, my server blocks it already.

Your problem is the other way around, you want to send.
Perhaps you are able to contact Microsoft and show them my findings as well and ask about the cause of the "phishing error" with your settings (if they have questions or want some logs, I am able to help them).

Short explanation:
I found your thread by searching the IPs (beginning with 40.107. .....) on Google, trying to find similar "victims" as me and what they do about it, but can't find any other message about it yet.
I do not know if your problem is connected with mine.

I wish you a lot of passion, if you get in contact with Microsoft. (By the way, it is possible, but the information will not be easy to find.)

wkr
stephy

It appears that you have already published the SPF record.
However, I was unable to find CNAMEs required for DKIM.
You can follow https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-out... to configure DKIM.
After that you can configure DMARC as well by following https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-em...
SPF, DKIM, and DMARC will help in deliverability of the emails.
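
A check for the three records the answer above names, as an added example that is not code from the thread or from Microsoft. It builds the DKIM CNAME names and targets from Microsoft's documented scheme (selector1._domainkey and selector2._domainkey at the custom domain, each pointing at selector<n>-<domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com) and validates a DNS snapshot for SPF, DKIM and DMARC. The snapshot, the domain example.com and the tenant name contoso are constructed placeholders so the check runs offline; in practice the snapshot would be filled from dig or Resolve-DnsName output for the real domain.

```python
"""Check the DNS records Microsoft 365 expects for SPF, DKIM and DMARC.

Added example, not from the thread. The DNS snapshot below is constructed
inline so the check runs offline; 'example.com' and the tenant name 'contoso'
are placeholders.
"""
from typing import Dict, List, Tuple

DnsSnapshot = Dict[Tuple[str, str], List[str]]  # (owner name, rrtype) -> record values


def expected_m365_dkim_cnames(domain: str, tenant: str) -> Dict[str, str]:
    """CNAME owner -> target, following Microsoft's documented naming scheme."""
    ident = domain.replace(".", "-")
    return {
        f"selector{n}._domainkey.{domain}": f"selector{n}-{ident}._domainkey.{tenant}.onmicrosoft.com"
        for n in (1, 2)
    }


def parse_tagged(record: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' style tag=value records."""
    tags: Dict[str, str] = {}
    for item in record.split(";"):
        key, sep, value = item.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain: str, dns: DnsSnapshot) -> List[str]:
    findings: List[str] = []
    spf = [t for t in dns.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    if not spf:
        return [f"SPF: no v=spf1 TXT record at {domain}"]
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (invalid per RFC 7208)")
    terms = spf[0].split()
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("SPF: missing include:spf.protection.outlook.com")
    if not any(t in ("-all", "~all") for t in terms):
        findings.append("SPF: record should end with -all or ~all")
    return findings


def check_dkim(domain: str, tenant: str, dns: DnsSnapshot) -> List[str]:
    findings: List[str] = []
    for name, target in expected_m365_dkim_cnames(domain, tenant).items():
        values = dns.get((name, "CNAME"), [])
        if not values:
            findings.append(f"DKIM: missing CNAME {name}")
        elif values[0].rstrip(".").lower() != target.lower():
            findings.append(f"DKIM: {name} points to {values[0]}, expected {target}")
    return findings


def check_dmarc(domain: str, dns: DnsSnapshot) -> List[str]:
    records = dns.get((f"_dmarc.{domain}", "TXT"), [])
    if not records:
        return [f"DMARC: no TXT record at _dmarc.{domain}"]
    tags = parse_tagged(records[0])
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports will not arrive")
    return findings


def check_domain(domain: str, tenant: str, dns: DnsSnapshot) -> List[str]:
    """All findings for the domain; an empty list means the three records look right."""
    return check_spf(domain, dns) + check_dkim(domain, tenant, dns) + check_dmarc(domain, dns)


# Constructed snapshot: SPF present, selector2 CNAME missing, DMARC without rua.
SAMPLE_DNS: DnsSnapshot = {
    ("example.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("selector1._domainkey.example.com", "CNAME"): [
        "selector1-example-com._domainkey.contoso.onmicrosoft.com."
    ],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=quarantine"],
}

if __name__ == "__main__":
    for finding in check_domain("example.com", "contoso", SAMPLE_DNS) or ["all records present"]:
        print(finding)
```

The CNAME comparison strips the trailing dot and ignores case, since resolvers return the target in either form; the missing selector2 CNAME in the sample is exactly the state in which the Microsoft 365 admin center cannot enable DKIM for the domain.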
Thank you so much for your answer.
I will try to get in contact with MS and see what they say.

BR
Thomas M

I deleted records because I thought they were the ones causing the problem.
But I will add them again and see if I can activate DKIM.

The problem with DKIM is that M365 can't "create" encryption key.

 

BR

Thomas M

Based on my experience, yes, the DNS records are needed to successfully configure DKIM.

@ShaikhRA 

After a long wait I was able to activate DKIM and DMARC.

So I hope this might resolve my problem, if not I will contact Microsoft about it. 

 

Thanks for the help and I wish you a Merry Christmas and a happy new year.

 

BR 

Thomas M

You too have a Merry Christmas and Happy New Year.
If the problem persists, check content and signature in the emails.
If the signature has hyperlinks, you may get a higher SCL score. Try removing the signature and see if it helps.
