Post 9rfwexh305e02kbF5M by thenomad@mastodon.cloud
Post #9rfqWpobo801ZIsUoS by tek@freeradical.zone
2020-02-03T22:05:24Z
0 likes, 0 repeats
Got an email from Microsoft with the subject "Your Microsoft billing statement", and sent to "Undisclosed recipients". I don't usually get email from them, but we subscribe to Office 365 so it's at least plausible. I looked at the raw message (see https://pastebin.com/Tr0pKST7). The first thing I noticed was that the message was `Received: from BN3SCH030020758 (25.127.110.23) by SMTPi.gme.gbl`.
Post #9rfqYxXU3sjW6PsgRk by tek@freeradical.zone
2020-02-03T22:05:54Z
0 likes, 0 repeats
I was unfamiliar with "gme.gbl", so I tried to resolve it. That TLD doesn't exist, so it's some internal thing. I moved on to run `whois 25.127.110.23` and saw:
> organisation: ORG-DMoD1-RIPE
> org-name: UK Ministry of Defence
Post #9rfqZzdjjhlKuLIa4u by tek@freeradical.zone
2020-02-03T22:06:04Z
0 likes, 0 repeats
Um, what? But the interesting part is the next handoff was from smtpi.msn.com to mx.google.com, and Google reports that the message passes both SPF and DKIM, so Microsoft's mailservers said "yep, this is ours and we vouch for this email originating in the 25/8 netblock".
Post #9rfqeSJ55ypQyUlUq8 by tek@freeradical.zone
2020-02-03T22:06:53Z
0 likes, 0 repeats
Well, sort of. The very first email header is `X-DKIM-Signer: DkimX (v1.11.111)`, "an add-on for MS Exchange Server 2013/2016/2019 which supports DKIM-signing of outgoing messages". The *only* Google results for that are to people discussing spam. At any rate, that specific version dates back to at least 2014 (see https://web.archive.org/web/20141002173904/http://www.netal.com/products.htm).
Post #9rfqhJavwXHMp7Tkjw by tek@freeradical.zone
2020-02-03T22:07:21Z
0 likes, 0 repeats
I can't imagine Microsoft legitimately using that, so the header is a strong indicator that it's not actually from Microsoft (but that the sender _did_ get MS to DKIM sign it), or that someone successfully faked Microsoft's DKIM signature and MS propagated it. Either of those possibilities is kind of awful.
Post #9rfqkCIhWE3N4PKDfk by tek@freeradical.zone
2020-02-03T22:07:53Z
0 likes, 0 repeats
And finally, it contains a header I've never seen before (and that Google barely has): `X-MS-Iris-MetaData: {"Type":null,"Fields":{"InstanceID":"[UUID]","ActivityID":"[UUID]"}}`. WTF? "Iris" coming from a UK Ministry of Defence (that is, a member of "Five Eyes") netblock does not give me the warm fuzzies.
Post #9rfql9NhrG78J17YAK by tek@freeradical.zone
2020-02-03T22:08:05Z
0 likes, 0 repeats
So, either this is suspicious as hell, or Microsoft seemingly went out of their way to make legitimate business emails look as shady as humanly possible. I'm not sure which possibility is weirder.
Post #9rfqmEb9wlgYm8vjw8 by tek@freeradical.zone
2020-02-03T22:08:16Z
0 likes, 0 repeats
Note: people have noticed the 25/8 thing before (see https://www.reddit.com/r/Office365/comments/a3rip1/attention_investigating_attachment_issues_we_are/). It still strikes me as odd that MS supposedly decided to move into a netblock that someone else owned - think of the mischief UK MoD could cause if they started using it again! - instead of 10/8 like everyone else. It also doesn't explain those bizarre X-DKIM-Signer and X-MS-Iris-MetaData headers.
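The checks tek walks through above (reading the Received chain, noticing the first hop sits in 25/8, confirming SPF/DKIM verdicts, and spotting headers that are odd for a large provider's outbound mail) are easy to script for triage. The following is an added example, not code from anyone in the thread; the sample message is constructed so that only the Received hop, X-DKIM-Signer and X-MS-Iris-MetaData lines mirror what the thread quotes, and the remaining hostnames, IPs and addresses are placeholders. The list of "internal-looking" hostname suffixes is a hand-picked heuristic, not an authoritative TLD list.

```python
"""Header triage helper: walk the Received chain oldest-first, classify each
hop's IP, pull SPF/DKIM verdicts from Authentication-Results, and flag headers
that are unusual for a large provider's outbound mail. Added example, not
code from the thread."""
import email
import ipaddress
import re

# Constructed sample. The Received hop from BN3SCH030020758, the X-DKIM-Signer
# and the X-MS-Iris-MetaData lines mirror the thread; everything else is a
# placeholder (198.51.100.0/24 is a documentation range, example.invalid is
# reserved). The pastebin message itself is not reproduced here.
SAMPLE_RAW = """\
X-DKIM-Signer: DkimX (v1.11.111)
Received: from smtpi.msn.com (smtpi.msn.com [198.51.100.10]) by mx.google.com with ESMTPS id placeholder
Received: from BN3SCH030020758 (25.127.110.23) by SMTPi.gme.gbl with Microsoft SMTP Server id placeholder
Authentication-Results: mx.google.com; dkim=pass header.i=@microsoft.com; spf=pass smtp.mailfrom=microsoft.com
X-MS-Iris-MetaData: {"Type":null,"Fields":{"InstanceID":"[UUID]","ActivityID":"[UUID]"}}
From: billing@example.invalid
To: Undisclosed recipients:;
Subject: Your Microsoft billing statement

(body omitted)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <helo> (<comment>) ... by <host>"; the comment usually carries the IP.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)

# Ranges that are NOT RFC 1918 but are known to be used as if they were
# private. 25/8 is the one discussed in the thread. Constructed table.
SQUATTED_RANGES = {"25.0.0.0/8": "registered to UK MoD, used internally by some vendors"}

# Top labels that indicate an internal relay rather than a public host.
# Hand-picked heuristic; "gbl" is the one seen in the thread.
INTERNAL_SUFFIXES = {"gbl", "local", "internal", "lan"}


def classify_ip(ip: str) -> str:
    """'private' for RFC 1918 and similar, otherwise public (with a note
    when the address falls in a range known to be squatted for private use)."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return "private"
    for cidr, note in SQUATTED_RANGES.items():
        if addr in ipaddress.ip_network(cidr):
            return f"public-registered ({note})"
    return "public"


def received_hops(msg) -> list:
    """Return hops oldest-first as dicts with helo, ip, by and ip_class.
    Received headers are prepended by each relay, so the last one is the
    earliest hop; reversed() restores chronological order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue
        ip_match = IPV4_RE.search(m.group("paren") or "")
        ip = ip_match.group(1) if ip_match else None
        hops.append({
            "helo": m.group("helo"),
            "ip": ip,
            "by": m.group("by"),
            "ip_class": classify_ip(ip) if ip else "unknown",
        })
    return hops


def auth_results(msg) -> dict:
    """Collect method=verdict pairs (spf, dkim, dmarc) from Authentication-Results."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            results[method] = verdict
    return results


def triage(raw: str) -> dict:
    """Run all checks over a raw RFC 5322 message and return hops, auth verdicts
    and a list of human-readable findings."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    findings = []
    signer = msg.get("X-DKIM-Signer")
    if signer:
        findings.append(f"third-party DKIM signer add-on advertised: {signer}")
    if msg.get("X-MS-Iris-MetaData"):
        findings.append("X-MS-Iris-MetaData present (rarely documented header)")
    for hop in hops:
        if hop["ip_class"].startswith("public-registered"):
            findings.append(f"hop from {hop['helo']} ({hop['ip']}) is in a {hop['ip_class']} range")
        if hop["by"].rsplit(".", 1)[-1].lower() in INTERNAL_SUFFIXES:
            findings.append(f"hop received by {hop['by']}: internal-looking hostname suffix")
    return {"hops": hops, "auth": auth_results(msg), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_RAW)
    for hop in report["hops"]:
        print(f"{hop['helo']} ({hop['ip']}, {hop['ip_class']}) -> {hop['by']}")
    print("auth:", report["auth"])
    for finding in report["findings"]:
        print("finding:", finding)
```

A DKIM pass only tells you the signing domain's key vouched for the message as it left that domain's infrastructure; it says nothing about how the first hop reached that infrastructure, which is why the script reports the earliest hop and the authentication verdicts side by side rather than treating a pass as a clean bill.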
Post #9rfrTIxpaiHule4Xxo by drwho@hackers.town
2020-02-03T22:15:58Z
0 likes, 0 repeats
@tek I can buy that possibility. "We warned you - it's not our fault you were too dumb and/or scared to read our warning!"
Post #9rfrfGhVpc7NDu8zXk by Hunter@social.quodverum.com
2020-02-03T22:18:08Z
0 likes, 0 repeats
@tek sounds like a scam. How much was the bill?
Post #9rfrwW5DtRGVr0SWPo by tek@freeradical.zone
2020-02-03T22:21:17Z
0 likes, 0 repeats
@Hunter No idea. Avast didn't alert on it, but I'm not opening the thing.
Post #9rfryE3nsB74XIbsv2 by thenomad@mastodon.cloud
2020-02-03T22:21:37Z
0 likes, 0 repeats
@tek Do you have _any_ reason to actually believe this is legitimate?
Post #9rfsvDBMmT5WtlH3vU by galaxis@mastodon.infra.de
2020-02-03T22:32:13Z
0 likes, 0 repeats
@tek Abusing 25/8 for private networks seems to be somewhat popular - a short search has turned up several mentions: LogMeIn VPN access, some T-Mobile services used it at a time, and Microsoft. Apparently MoD never announced that block to the public Internet.
Post #9rftKZ50VI3Y3GOBGK by pino_ac@mastodon.social
2020-02-03T22:36:47Z
0 likes, 0 repeats
@tek Your last toots sound as if it is a great idea to be an MS customer. ^^ X-MS-Iris-MetaData ROFL... Yeah, but, hey, all who don't want to understand upfront learn it at least this way... This is a good thing actually imho.
Post #9rfvUwgzlbZs5bEebg by tek@freeradical.zone
2020-02-03T23:01:05Z
0 likes, 0 repeats
@thenomad We got something like that, once, 7 months ago but I never heard whether it was actually legit or not.
Post #9rfwexh305e02kbF5M by thenomad@mastodon.cloud
2020-02-03T23:14:07Z
0 likes, 0 repeats
@tek I am seriously doubtful.
Post #9rfwhoV7dMH8P1NiZU by tek@freeradical.zone
2020-02-03T23:14:39Z
0 likes, 0 repeats
@thenomad Likewise.
Post #9rfxkYsIHvrKlH5tyK by cuniculus@cmpwn.com
2020-02-03T23:26:18Z
0 likes, 0 repeats
@tek Hamachi (a proprietary VPN app) uses 25/8: https://en.wikipedia.org/wiki/LogMeIn_Hamachi#Addressing
Post #9rfxyMBgFwOPSzjxOS by tek@freeradical.zone
2020-02-03T23:28:49Z
0 likes, 0 repeats
@cuniculus I'm seeing that lots of things do too. OK then. There's still lots of other weirdness here. As a first pass, it seems either MS is seriously sloppy in crafting their outbound mails, or someone is successfully forging DKIM.
Post #9rgFMOyxDPmEIyq4dU by mysteries@freeradical.zone
2020-02-04T02:43:38Z
0 likes, 0 repeats
@tek Avast? Eewww... https://www.techcentral.ie/report-avast-and-avg-collect-and-sell-your-personal-info-via-their-free-antivirus-programs/