Identifying source of spam/malware emails apparently from Office 365 user

emailexchangeonlineoffice365spam

An office 365 user discovered that around 100 emails were sent apparently from him; they have some kind of malicious PDF attachment. The message headers show "Received: from XXX.XXX.PROD.OUTLOOK.COM" as the initial source of the emails. The sent emails show up in an Exchange Online message trace, to both internal and external recipients. However they do not appear in the user's Sent Items folder.

Does this prove that someone has successfully hacked his account (logged in as him) or could there be another explanation?

I need to understand what determines whether an email ends up in Sent items and whether an outgoing email could be in the Message Trace without someone logging in as that user.

We have changed his password and checked his PC for malware. Is there anything else that can be done to prevent a recurrence?

Update: Sample email header only slightly redacted:

Received: from MM1P123MB1050.GBRP123.PROD.OUTLOOK.COM (10.166.235.24) by
MMXP123MB1376.GBRP123.PROD.OUTLOOK.COM with HTTPS via
MMXP123CA0017.GBRP123.PROD.OUTLOOK.COM; Fri, 16 Mar 2018 09:33:43 +0000
Authentication-Results: [somedomain].co.uk; dkim=none (message not signed)
header.d=none;[somedomain].co.uk; dmarc=none action=none
header.from=[somedomain].co.uk;
Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM (10.166.217.148) by
MM1P123MB1050.GBRP123.PROD.OUTLOOK.COM (10.166.217.152) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.588.14; Fri, 16 Mar 2018 09:33:40 +0000
Received: from MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
([fe80::bd23:2882:93cc:c179]) by MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
([fe80::bd23:2882:93cc:c179%14]) with mapi id 15.20.0588.016; Fri, 16 Mar
2018 09:33:39 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: somename lastname <somename.lastname@[somedomain].co.uk>
Subject: Important New Document
Thread-Topic: Important New Document
Thread-Index: AQHTvQgYiGQw1JKKkUqd6+Gw0vjPcg==
Date: Fri, 16 Mar 2018 09:33:39 +0000
Message-ID: <MM1P123MB10344D41BCA2D78978E4E07AB2D70@MM1P123MB2034.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <MM1P123MB10344D41BCA8D78958E4E08AB2D70@MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM>
MIME-Version: 1.0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-Originating-IP: [104.238.169.26]
X-MS-Exchange-Organization-Network-Message-Id: c73bdaf1-0213-4d24-0323-08d58b210068
X-MS-PublicTrafficType: Email
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1034;35:kkBmPP7Ug2FbZQv6FmW4qdaBWuYCBMr2zepmSHBV2rdHXXwDyIzi9ducjSfxpVuRt/dOsLsDrz0OZ4mNI1aHqA==
To: Undisclosed recipients:;
Return-Path: somename.lastname@[somedomain].co.uk
X-MS-Office365-Filtering-Correlation-Id: c73bdaf1-0213-4e24-0323-08d58b210068
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(2017052603328)(7153060)(49563074)(7193020);SRVR:MM1P123MB1050;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;3:MKs5dzQ/5p8jCk129hgZqVFyrVdW4oqo956FU19Gz6o66Unzd8gOmuAe96KHit/deI2AGcyk5YsW4TdOBUpvDRDE/biwpipBNWqCew73rz2QTq0UigEkF/tpEDsZrjfYFy7ttCS5WOCCF9ucTE/csak2HFuOhClND6vgOYTkIv2vO71EuwXEV1VEVSjJY2xa8vQVgujXpV8fXjuHfMsSf15b4jEKrR4DNrfBLKBBzlhAhV9sRhrwgNpkJw6jXzwu;25:lsCL0Xn0ALPbUZX7lN0wSHe3M03QBMrYjezvAOzvmeVZuw2GxtDyDocNxIOdKS6Dq8SPBMS4VpO0QyROPaBKDZN+KMl5W+kJp8zB3MbkK/XWXu+WSCopjtRqHhSnmlMDg3sM+wrZH/KajOUG6tpX9sV3oJvgUxe+QKrNFkQIPiR9CtzbOHfVIP3qlIwPalPZKvePtxAqi8VTqEd2zEhYgkFgb42rGQiojV+u886t63cDuk48gONDh50zTKCNZBsx+WMp50Mvf1DTMQvrhGlI19jFPQXBn+OWFspUbYl4RU/ffNzeScDtd5MQlQHRrVMWVtRyPMSSpFNunAF0v3FPpQ==;31:6/IkDDU1nB+3jDDavYeG/5F/SVFU6klrmyNZybg+jl6aWOby3KSnbGW0flAnSdoMgMXLQmIwBWPSst2OvZxkUr/krEl9bUWQ6yAd29ApyLevAn3Bz1MFWY0rBCMYUWKLDqywMdme2t2jdzRgsL3ptcLOHTf+uyHkPxdwXgMMdpskEiXjSiEdZ44zQ+6sfG7mE4L6kne1szkFD7oOpEpq634v1uMG18OPIH7wZnl7cG4=
X-MS-TrafficTypeDiagnostic: MM1P123MB1050:
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(102415395)(9101524173)(2401047)(8121501046)(10201501046)(3002001)(3231221)(944501281)(52105095)(93006095)(93001095)(201708071742011);SRVR:MM1P123MB1050;BCL:0;PCL:0;RULEID:;SRVR:MM1P123MB1050;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;4:YiLYVcHiqdwQ2TvyHy73ZHflE4/t75LwbybbMbaUqb5+lDNcIt67qn8n1nguaN2DoJe5+A4SuUkRsXlU/B5beqY3VYKgjgDT4gX88aVRThxarwKGVWq3QSibHpRJ5SfEqHCEd+VjsAKpsyUaRhoMlb1khU4g5ZUScRse0NSr5JzGCykJXq2owW26lTVRVR996gR+lNNqbnRjHznKB0B7wJ1j6VaiyN+/KkdVIuGOOoqg6YhOAqtmlst+5p+RLn6pJheu/X2FTt1tvXGuonj28g==;23:/+BLEjWIxDShX9ISFYWuiCw/K2j0u5PyWxPnIa83Phz8tNUSbo/DIC5s9WX7w0t4TwSPlSpfmYySC88zZfTY6w62AzLhU7Qu3b+dgCcFrEsK7sbd9du+eGzfc+Koh5Q6cUKPZs6STtr/AM2+n3ud1g==;6:uMHoPglLFm5KjX+egFCC8o1xTqoOy2wC5PCQ2Hwsg8JbPHD4b+0d+nvdJrfqVhYKDZ4fb+sYjAM++qegs0RcdatAJOf16FxmVi6KWBi4tY2MKsDQzCcwrFQp2SsrNnUoXZ9MoXQBg5alkozBSoLqSA9IVj8uLA6fl1NqV126Pa0v/fR6eUgiCthevxvI7zCWhG8LaMQ9NTNT/LYW/T1QXliUEkRz+9fc8RO2TKd0qeyxHYmRVhdRZDCeF9wdkTrng/Kw/uMerN/pADH+YNaaIYhUbexjNmSMkqQk0LKqXl2iLmZ0Nok5Yt0V/pi/8LFGj2hOLW0wKysIe0QYWVKAWx1be7CjXAJRoh3CA+WbvKKw77GlzndPrzWiXwq3jFjLTlyiHEGog8KgrLMM156esg==
X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:MM1P123MB1050;H:MM1P123MB1034.GBRP123.PROD.OUTLOOK.COM;FPR:;SPF:None;LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;MM1P123MB1050;5:wHYf7tAv11+nrCsudTXtynwYAPuhi1pzk3yOAme0fA8z6IocnoWhR177EFgZq1Xc0IJFtlepjfGvPRfSpV6khoOmvfBnc888+li7MWPy9MmcytBamFFNTBRRQubNXlVX4iod/sx0/B0P5S/XM3QUj8ePQqDFpImOihsJ9H0aO74=;24:4kyptGwsYWd1ZT+26o+I0CBQlBrcQ8h+zew6YTmtUXA9N/geEmMrI4MKVi9fA7d4rubwuZP41qSgyOUJnF7mhhK5bcdtC6r3plfk/yBW1Ik=;7:z3M30YeKmiLr5ZIQZyr7CdYHNyz9BMehyMHzopBPtKiUgRfCDgrBQPZRKv/F5OXywocBBjEqDwMRSM9JiOJ+VYZtyB+JXs21UBGgcGOlA7hQ3Hvf962KPM8Bk2NYMrtQJFZX38C4Yz9AiV0tYwYI5VMCP/fgO1m4535y8l6thoUJ7n2XhdO98SlILO4oS72KwO2/o9cPjmOFzjSWZ0+2QF/KiB6r/VQiD7MeOTjWlNfr/EsEoXT1OigLdhScT85y
SpamDiagnosticOutput: 1:0
X-MS-Exchange-Organization-Recipient-P2-Type: Bcc
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Mar 2018 09:33:39.6510
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: ca1b5da9-6835-4de9-bcdb-725dd3465770
X-MS-Exchange-CrossTenant-Network-Message-Id: c73bdaf1-0213-4d34-0323-08d58b210068
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MM1P123MB1050
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.6173868
X-MS-Exchange-Processed-By-BccFoldering: 15.20.0588.000
X-Microsoft-Exchange-Diagnostics:
1;MMXP123MB1376;9:JeTvLnsi4tWvcXHjg15P88aBMJDwS5f1cmKeerPeym9XHWffsOWF02ezQoaUszKtnPAzrUeVeD1JXwn0D73LmoKOzSSmOhvKV/qDnW7i4NSMg8izAEZ4nGrtqIuwb60w
X-Microsoft-Antispam-Message-Info:
42YAk622i4b1TInn5/SNrkWM2WM/YRVLnepCJZPatr5a5tFQGXQ3bBOu5zjNrTOPitdlDLRMFGvxptU1TeCxJmkbXqXmpQStW85oIvB3YDQ7Oc0aqR1D7gCfxwPH/xF0yoP7oY2MZgR0mt28ZTFlumzOIZiUFROq74AN5faDHvCZSzcwQQ74n53d9tPCPXpwj2joudqcI+DdOuB9OhvzRk6B3JMtIlWvZmtptF2VYAGAJ12n66xEMxrasY70Q44taDysFoV957KHwN6HBd4LGc9PmUBh+qyAfbZPvIVfbVYU1JKmveiMgVRF0k3FmUyiAp25+/SZ3W6eFs9LKsx+EQ==
X-Microsoft-Exchange-Diagnostics:
1;MMXP123MB1376;27:hDScNnAaL4YD31DCET01EwH48PoQxhTLLMf4TVCiQ52Pi5zX0Euf7jis8bhP6CvWSsVDul58ojaseWCRFR0M6KH3OXgc

Best Answer

I would say that yes, it looks like someone has your Outlook.com credentials as the email has not been spoofed but actually originated from Microsft.

We had something similar 2 days ago where a user got a bogus link in an fake email to a document that was purported to be in OneDrive. On clicking the link they were taken to a fake site asking for their credentials. Once typed in, their Outlook.com account was used to send emails to any email address that could be harvested - and so the cycle continues...

In terms of helping prevent a re-occurrence, 2FA and education are your options :-)

Related Topic