We recently received an email into the CEO's inbox, supposedly from himself, asking him to release some emails after logging in. He didn't send these emails, and our SPF/DKIM records did not get checked, as shown in the header here (mycompany.com is us):
x-env-sender: root@vps.z19.web.core.windows.net
authentication-results: spf=none (sender IP is 85.158.142.43) smtp.mailfrom=vps.z19.web.core.windows.net; mycompany.com; dkim=none (message not signed) header.d=none;mycompany.com; dmarc=none action=none header.from=mycompany.com;compauth=pass reason=704
I'm just at a loss as to how they managed to spoof the email. Does anybody smarter than me have any ideas how, and how to protect against it?
I've found a bunch of stuff online about this *web.core.windows.net being a blob storage website on Azure, which then seems quite legitimate when it's "Microsoft" that's sending you this email.
Cheers!
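An added example, not part of the post above: a small Python checker that parses an Authentication-Results value like the one quoted in the post and flags a message whose From domain is our own but which passed neither an aligned SPF nor an aligned DKIM check. The sample header is copied from the post (mycompany.com standing in for the recipient's domain); the "legit" and "external" samples, the 203.0.113.5 address and the dmarc-reports mailbox are constructed for illustration. The organizational-domain reduction is a simplified stand-in for the public-suffix lookup real DMARC implementations use.

```python
import re

# Header copied from the post; mycompany.com is the recipient's own domain.
SAMPLE_HEADER = (
    "spf=none (sender IP is 85.158.142.43) smtp.mailfrom=vps.z19.web.core.windows.net; "
    "mycompany.com; dkim=none (message not signed) header.d=none;mycompany.com; "
    "dmarc=none action=none header.from=mycompany.com;compauth=pass reason=704"
)

# Constructed comparison headers (203.0.113.5 is a documentation address).
LEGIT_HEADER = (
    "spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=mycompany.com; "
    "dkim=pass header.d=mycompany.com; dmarc=pass action=none header.from=mycompany.com"
)
EXTERNAL_HEADER = (
    "spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; "
    "dmarc=pass action=none header.from=example.org"
)

# What a domain owner publishes at _dmarc.<domain> so receivers reject unaligned
# mail instead of reporting dmarc=none (reporting mailbox is a placeholder).
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@mycompany.com"


def parse_auth_results(header: str) -> dict:
    """Extract method results (spf/dkim/dmarc/compauth) and the identities they refer to."""
    results = {}
    for method in ("spf", "dkim", "dmarc", "compauth"):
        m = re.search(rf"\b{method}=(\w+)", header)
        if m:
            results[method] = m.group(1)
    for prop in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(rf"{re.escape(prop)}=([^\s;]+)", header)
        if m:
            results[prop] = m.group(1)
    return results


def org_domain(name: str) -> str:
    """Crude organizational domain (last two labels); real DMARC uses the public suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def classify(header: str, our_domain: str) -> str:
    """Return 'external', 'authenticated' or 'spoofed-from' for one Authentication-Results value."""
    r = parse_auth_results(header)
    ours = org_domain(our_domain)
    if org_domain(r.get("header.from", "")) != ours:
        return "external"  # does not claim to be us; outside the scope of this check
    # DMARC alignment: the identity that passed must belong to the From domain.
    spf_aligned = r.get("spf") == "pass" and org_domain(r.get("smtp.mailfrom", "")) == ours
    dkim_aligned = r.get("dkim") == "pass" and org_domain(r.get("header.d", "")) == ours
    if spf_aligned or dkim_aligned:
        return "authenticated"
    return "spoofed-from"  # From says it is us, but nothing authenticated backs that up


if __name__ == "__main__":
    for label, hdr in (("post", SAMPLE_HEADER), ("legit", LEGIT_HEADER), ("external", EXTERNAL_HEADER)):
        print(f"{label}: {classify(hdr, 'mycompany.com')}")
    print("publish:", DMARC_RECORD)
```

On the header from the post this returns "spoofed-from": the envelope sender and the (absent) DKIM signer have nothing to do with mycompany.com, and dmarc=none means the receiver found no DMARC record for the From domain and therefore had no policy to enforce. Publishing a record with p=quarantine or p=reject gives receivers the instruction they were missing; until then, a mail-flow rule that quarantines inbound messages classified as "spoofed-from" here (our own domain in From, arriving from outside with no aligned SPF or DKIM pass) covers the same gap on the receiving side.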