Enforcing DMARC policy (reject) on an Office 365 tenant

The domain & tenant has SPF and DKIM properly configured and DMARC policy set to p=reject. Still, emails spoofed with the domain in the From header aren’t rejected, but appear in the Junk Email folder on Office 365. People do check their Junk Email for false positives, and are still reading all the CEO frauds, sextortion letters etc.

This seems a feature instead of a bug, as described in Microsoft’s documentation:

How Office 365 handles inbound email that fails DMARC

If the DMARC policy of the sending server is p=reject, EOP marks the message as spam instead of rejecting it. In other words, for inbound email, Office 365 treats p=reject and p=quarantine the same way.

Office 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Office 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.

However, this reasoning has some flaws:

  • DKIM protects legitimate mail; DKIM signed messages do pass with the DMARC policy even if it fails to align with the SPF when forwarded on a mailing list. (Mailing lists should change the envelope sender to pass SPF checks, anyway, so the SPF checks are probably passed, but not aligned.)

  • By implementing p=reject instead of p=quarantine the owner of the domain has stated that the emails should be rejected. Therefore, Microsoft’s implementation is against RFC 7489, 6.3:

    p: Requested Mail Receiver policy ...
       reject:  The Domain Owner wishes for Mail Receivers to reject
                email that fails the DMARC mechanism check.  Rejection SHOULD
                occur during the SMTP transaction.

Is there any setting on Office 365 to alter this behaviour and reject these messages?

Microsoft Office, MS Open XML detect macros

Do MS Open XML files need the vbaData.xml file and event declarations with the <wne:docEvents> tag and child <wne:eventDoc(Open|New|Close...)> for a macro in the embedded project vbaProject.bin to run correctly using a <wne:mcd wne:macroName...> tag,

or

if this XML code <wne:eventDoc> is not present, and the VBA source code, the Execode or the P-Code contains the procedure for the macro in vbaProject.bin, with only the <wne:mcd wne:macroName...> XML, is it still executed?

I did some analysis and it seems that this tag is required, but there may be other conditions where this is not the case. Do you have an idea? Thank you.

How to make office network printers work at all times [closed]

I have 20 computers hooked up by Ethernet to our router, and 2 printers. All wired. I install the official HP printer software/drivers and everything works.

Now throughout the day, different days, someone can’t print… I check their print queue, it’s just sitting there, often multiple items since they tried to print multiple times because the first attempt did not work.

This is happening constantly, almost every day at least 1 person has issues and I need to restart the print spool, the printer itself, or restart their PC for it to work.

When a closed-source company hires somebody to audit their code, is the auditor forced to do it in the company’s office?

Let’s say that ACME, Inc. is making closed-source software. It’s closed for a reason (they don’t want it leaving their building other than in compiled form). Now, they are hiring some company/person to audit the code for them. How exactly is this done?

If I were ACME, Inc., I would want the audit person (or persons) to come to my physical location, get literally locked into a room with no Internet access, carefully frisked for any USB sticks or any other electronics both when they enter and leave. With cameras recording the screen and the auditor’s face/hands 100% of the time he/she spends in there, which is carefully looked at by my own employees as it happens and/or afterwards.

However, this sounds both demeaning for the person doing the audit, and also unrealistic for anything but the biggest and richest companies. (And with a security-conscious/paranoid CEO.)

I cannot imagine that they just ZIP up their source code tree and e-mail it to the auditor or something similar. Even with encryption and whatnot, this just feels horribly insecure. I would feel as if the second the source code is sent to the auditor remotely, it’s “left the building” and become “potentially public”.

How is this done in practice? Do companies really trust the security of the audit companies? As I type this, I realize how silly that sounds, since they are after all paying them to find flaws in their own code, but still, something about not controlling the whole process just sounds horribly insecure.

I wouldn’t be surprised if you answered that most companies these days just have a “private GitHub repo” to which they grant the auditor access in some GUI. But I would never, ever do that myself…

Why an invisible iframe to logout from Office in a Office phishing?

In a phishing page for Office account (login mimicking the normal login page and stealing the credentials through a simple ajax request, then navigating to a dummy public google doc), attackers have put an invisible iframe with the url

https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392 

Why would they do that? I don’t see the point.

Get User Photo, Name & Title of an Office 365 group using SPFx

I am trying to get the user details, i.e. UserName, Title and Profile picture, of users that belong to an Office 365 distribution group.

I tried this code sample, but I get an undefined error, i.e. msGraphClientFactory is undefined.

    // Imports needed for the web part base class and the Graph client type
    import { BaseClientSideWebPart } from '@microsoft/sp-webpart-base';
    import { MSGraphClient } from '@microsoft/sp-http';

    export interface IHelloWorldWebPartProps {
      description: string;
    }

    export default class HelloWorldWebPart extends BaseClientSideWebPart<IHelloWorldWebPartProps> {
      public render(): void {
        // ...
        // Obtain a Microsoft Graph client from the web part context
        this.context.msGraphClientFactory
          .getClient()
          .then((client: MSGraphClient): void => {
            // use MSGraphClient here
          });
      }
      // ...
    }

Can someone suggest what I might be doing wrong, or suggest an alternative to get the group's members and their user profile info like photo, name and title?

User passwords printed on paperwork at a dental office?

My dental office just printed my password (to their portal) on some checkout paperwork.

I asked on law stackexchange and it doesn’t sound like this is a HIPAA violation, but I am really curious if this violates other regulations or goes against known best practices, as it seems really bad security-wise.

It doesn’t feel right that they can even see my password.

Any thoughts / resources much appreciated.