
Microsoft Teams Voicemail Headers–April 2022

Working with a customer’s security team, it was noted that some messages were set to SCL –1 and this was not initially expected.  We were paying particular attention to the SCL value as work was being done to clean up old EOP configuration that was bypassing protection.

Two examples are shown below:

  • EXO mailbox to demonstrate simple delivery, this is the Kim Akers mailbox
  • Exchange 2016 on-premises mailbox to show a message routed via the hybrid connector – this is the local-1 mailbox

The environment is an Exchange 2016 hybrid lab.  Only Microsoft Teams is present, and there is no Skype for Business.  Sue Wilson is the person making the calls to both the EXO and on-premises users.

If you want to view the original samples they are uploaded here as .txt files.

Teams-Voicemail-Headers-EXO-Mailbox.txt

SHA256 hash of .\Teams-Voicemail-Headers-EXO-Mailbox.txt: 23217fa4cf4f987ec953a527c91a6b81a112e2b23b2e64fbb0bf5ed70c48b92d

 

Teams-Voicemail-Headers-On-Premises-Mailbox.txt

SHA256 hash of .\Teams-Voicemail-Headers-On-Premises-Mailbox.txt: a917561faaf5211eb7231b5e19802b0069cee10559858086da0c19040e35702f

Exchange Online Mailbox

Screenshot of the EXO mailbox showing the voice mail.

Outlook Desktop Client With Exchange Online Mailbox Showing Voicemail User Experience

Message Headers:

Teams Voicemail Message Hops For Exchange Online Mailbox

Teams Voicemail Message Hops For Exchange Online Mailbox - Note Only SPF Is Present For Sender Authentication

Teams Voicemail Message Hops For Exchange Online Mailbox - Note Only SPF Is Present For Sender Authentication - AuthAs Headers

Items worth noting:

  • SCL was set to –1 automatically.  This was not done by the EOP spam policy or ETR.
  • Message headers such as X-MS-Exchange-Organization-AuthAs and X-MS-Exchange-CrossTenant-AuthAs are set to Internal rather than anonymous
  • AuthSource set to: TreatMessagesAsInternal-YT3CAN01FT026.eop-CAN01.prod.protection.outlook.com
  • There is no PTR record – InfoDomainNonexistent is reported
  • Sent from CAN01B.map.protection.outlook.com
  • In the EXO mailbox scenario, the only sender authentication present is SPF

On-Premises Mailbox

Voicemail received in the on-premises mailbox.

Outlook Desktop Client With Exchange 2016 On-Premises Mailbox Showing Voicemail User Experience

Headers from the message.

Teams Voicemail Message Hops For Exchange 2016 On-Premises Mailbox

Teams Voicemail Message Hops For Exchange 2016 On-Premises Mailbox - AuthAs Headers

The items worth noting are pretty much the same as for the EXO sample, apart from the fact that this message was routed to an on-premises mailbox using the hybrid configuration. EOP applied a DKIM signature to the message before delivering it to on-premises Exchange 2016.

Teams Voicemail Message Hops For Exchange 2016 On-Premises Mailbox - Note EOP Added DKIM Signature

If you scroll back up to view headers 1 to 10 in the original message, only SPF is present.
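The checks made by eye on both samples above (SCL, the AuthAs and AuthSource headers, and which sender authentication is present) can be scripted when many messages need review. This is an added example, not code from the original post; the sample headers are constructed, and the summarize function and its verdict labels are hypothetical names.

```python
import re
from email import message_from_string

# Constructed sample shaped like the EXO observations above; not the real capture.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=example.com
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthSource:
 TreatMessagesAsInternal-YT3CAN01FT026.eop-CAN01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
Subject: Voice Mail (constructed)

"""

def summarize(raw_headers):
    """Extract the fields reviewed in this post from a pasted header block."""
    msg = message_from_string(raw_headers)

    def one(name):
        # Unfold continuation lines and trim whitespace; "" when absent.
        return " ".join((msg.get(name) or "").split())

    scl = one("X-MS-Exchange-Organization-SCL")
    auth_as = {one("X-MS-Exchange-Organization-AuthAs"),
               one("X-MS-Exchange-CrossTenant-AuthAs")} - {""}
    internal = bool(auth_as) and all(v.lower() == "internal" for v in auth_as)

    # Assumption: a method counts as present only with a result other than "none".
    results = " ".join(msg.get_all("Authentication-Results") or [])
    methods = {m.lower() for m in
               re.findall(r"\b(spf|dkim|dmarc)=(?!none\b)\w+", results, re.I)}

    if scl == "-1" and internal:
        verdict = "internal-auth"   # same pattern as the voicemail samples
    elif scl == "-1":
        verdict = "review-bypass"   # SCL -1 without Internal: check rules/policies
    else:
        verdict = "other"           # no SCL -1 on this message
    return {"scl": scl, "auth_as": sorted(auth_as), "verdict": verdict,
            "auth_source": one("X-MS-Exchange-Organization-AuthSource"),
            "auth_methods": sorted(methods),
            "dkim_signature": msg.get("DKIM-Signature") is not None}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```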

Bootnote

Certutil was used to generate the file hashes

certutil.exe -HashFile .\Teams-Voicemail-Headers-On-Premises-Mailbox.txt SHA256

Cheers,

Rhoderick

Rhoderick Milne [MSFT]
