Working with a customer’s security team, it was noted that some messages were set to SCL –1 and this was not initially expected. We were paying particular attention to the SCL value as work was being done to clean up old EOP configuration that was bypassing protection.
Two examples are shown below:
- EXO mailbox to demonstrate simple delivery. This is the Kim Akers mailbox.
- Exchange 2016 on-premises mailbox to show a message routed via the hybrid connector. This is the local-1 mailbox.
The environment is an Exchange 2016 hybrid lab. Only Microsoft Teams is present, and there is no Skype for Business. Sue Wilson is the person making the calls to both the EXO and on-premises users.
If you want to view the original samples, they are uploaded here as .txt files.
Teams-Voicemail-Headers-EXO-Mailbox.txt
SHA256 hash of .\Teams-Voicemail-Headers-EXO-Mailbox.txt: 23217fa4cf4f987ec953a527c91a6b81a112e2b23b2e64fbb0bf5ed70c48b92d
Teams-Voicemail-Headers-On-Premises-Mailbox.txt
SHA256 hash of .\Teams-Voicemail-Headers-On-Premises-Mailbox.txt: a917561faaf5211eb7231b5e19802b0069cee10559858086da0c19040e35702f
Exchange Online Mailbox
Screenshot of the EXO mailbox showing the voice mail.
Message Headers:
Items worth noting:
- SCL was set to –1 automatically. This was not done by the EOP spam policy or an ETR.
- Message headers such as X-MS-Exchange-Organization-AuthAs and X-MS-Exchange-CrossTenant-AuthAs are set to Internal rather than Anonymous.
- AuthSource is set to TreatMessagesAsInternal-YT3CAN01FT026.eop-CAN01.prod.protection.outlook.com
- There is no PTR record; InfoDomainNonexistent is reported.
- Sent from CAN01B.map.protection.outlook.com
- In the EXO mailbox scenario, the only sender authentication present is SPF.
On-Premises Mailbox
Screenshot of the on-premises mailbox showing the voicemail received.
Headers from the message.
The items worth noting are much the same as in the EXO sample, apart from the fact that this message was routed to an on-premises mailbox using the hybrid configuration. EOP applied a DKIM signature to the message before delivering it to on-premises Exchange 2016.
If you scroll back up to view headers 1 to 10 in the original message, only SPF is present.
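When auditing SCL –1 traffic during an EOP clean-up, the useful question is not just "was filtering bypassed" but "which header explains the bypass". The script below is an added example, not code from the original post: it parses a constructed header block modelled on the EXO voicemail observations above (SCL –1, AuthAs Internal, the TreatMessagesAsInternal auth source, SPF only, no PTR) plus a second constructed variant with the DKIM-Signature that EOP adds before relaying over the hybrid connector, and reports why SCL –1 was applied. The SFV meanings in the comments come from Microsoft's anti-spam message header documentation rather than from this post; the domains, IP addresses and signature fields in the samples are placeholders.

```python
"""Triage SCL -1 messages by reading the EOP/Exchange headers that explain the verdict."""
import re
from email import message_from_string, policy

# Constructed sample headers; values mirror the post's observations (SCL -1, AuthAs
# Internal, TreatMessagesAsInternal auth source, SPF only, no PTR record). Addresses
# are RFC 5737 documentation ranges and the domains are placeholders.
SAMPLE_VOICEMAIL = """\
Received: from CAN01B.map.protection.outlook.com (203.0.113.10) by
 EX2016.corp.example (192.0.2.5) with Microsoft SMTP Server id 15.1.2507.27
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthSource: TreatMessagesAsInternal-YT3CAN01FT026.eop-CAN01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=corp.example; dkim=none (message not signed) header.d=none;
 dmarc=none action=none header.from=corp.example;
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:CA;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;H:CAN01B.map.protection.outlook.com;PTR:InfoDomainNonexistent;CAT:NONE;
From: Sue Wilson <sue.wilson@corp.example>
To: Kim Akers <kim.akers@corp.example>
Subject: Voice Mail (12 seconds)

(body omitted)
"""

# Constructed variant of the on-premises case: EOP has added a DKIM-Signature before
# relaying via the hybrid connector, while Authentication-Results still shows SPF only.
# bh= and b= are placeholders, not a real signature.
SAMPLE_HYBRID = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corp.example;\n"
    " s=selector1; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
) + SAMPLE_VOICEMAIL

# SFV values from the X-Forefront-Antispam-Report documentation: SKN = marked non-spam
# before filtering (e.g. by a mail flow rule), SKA = allowed sender/domain list,
# SKI = filtering skipped for another reason such as intra-organizational mail.
SFV_TENANT_CONFIG = {"SKN", "SKA"}


def parse(raw):
    """Parse a raw RFC 5322 header block; policy.default unfolds folded header lines."""
    return message_from_string(raw, policy=policy.default)


def header(msg, name):
    """Return a header value as one whitespace-normalised string, or '' if absent."""
    value = msg.get(name)
    return " ".join(str(value).split()) if value is not None else ""


def authentication_results(msg):
    """Extract mechanism=result pairs (spf, dkim, dmarc, compauth) from Authentication-Results."""
    pattern = r"\b(spf|dkim|dmarc|compauth)=([A-Za-z]+)"
    return dict(re.findall(pattern, header(msg, "Authentication-Results")))


def antispam_report(msg):
    """Split X-Forefront-Antispam-Report into its KEY:value fields."""
    report = {}
    for field in header(msg, "X-Forefront-Antispam-Report").split(";"):
        if ":" in field:
            key, _, value = field.partition(":")
            report[key.strip()] = value.strip()
    return report


def classify_scl(raw):
    """Explain an SCL verdict: tenant configuration, platform-internal, or normal filtering."""
    msg = parse(raw)
    scl = header(msg, "X-MS-Exchange-Organization-SCL")
    auth_as = header(msg, "X-MS-Exchange-Organization-AuthAs")
    auth_source = header(msg, "X-MS-Exchange-Organization-AuthSource")
    report = antispam_report(msg)
    auth = authentication_results(msg)

    if scl != "-1":
        reason = "filtered"  # spam filtering ran and produced this SCL
    elif report.get("SFV") in SFV_TENANT_CONFIG:
        reason = "tenant-config"  # a mail flow rule or allow list set SCL -1: review it
    elif auth_as == "Internal" and auth_source.startswith("TreatMessagesAsInternal"):
        reason = "treated-as-internal"  # the service itself authenticated the message as internal
    else:
        reason = "unexplained"  # SCL -1 with no recognised marker: investigate

    return {
        "scl": int(scl) if scl.lstrip("-").isdigit() else None,
        "auth_as": auth_as,
        "auth_source": auth_source,
        "sfv": report.get("SFV", ""),
        "ptr": report.get("PTR", ""),
        "auth": auth,
        "passed_mechanisms": sorted(m for m, r in auth.items() if r == "pass"),
        "dkim_signature_present": msg.get("DKIM-Signature") is not None,
        "reason": reason,
    }


if __name__ == "__main__":
    for label, sample in (("EXO", SAMPLE_VOICEMAIL), ("hybrid", SAMPLE_HYBRID)):
        print(f"--- {label} ---")
        for key, value in classify_scl(sample).items():
            print(f"{key:24} {value}")
```

Run against a real header block pasted from the message (the .txt samples linked above are the right shape), `reason` separates the three populations that matter during a clean-up: `tenant-config` points at an ETR or allow list that still needs review, `treated-as-internal` is the service-side handling seen here for Teams voicemail, and `unexplained` is the bucket worth a closer look. The `passed_mechanisms` and `dkim_signature_present` fields make the SPF-only and EOP-signed observations from the two samples visible side by side.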
Bootnote
Certutil was used to generate the file hashes:
certutil.exe -HashFile .\Teams-Voicemail-Headers-On-Premises-Mailbox.txt SHA256
Cheers,
Rhoderick