Relaying Email from the Microsoft High Risk Delivery Pool (HRDP)
Article ID: 403405

Products

Email Security.cloud

Issue/Introduction

How to prevent attackers using EchoSpoofing from sending spoofed email through your email security cloud tenant from the Microsoft High Risk Delivery Pool.

EchoSpoofing is a process that allows a bad actor to spoof the From address of domains registered in ClientNet by relaying a message through Microsoft 365 Exchange Online (O365). EchoSpoofing is possible because the O365 SMTP relay allows O365 customers to send mail from any domain.

Environment

Email security cloud

Cause

In July 2024, a vulnerability in Microsoft O365 was discovered, allowing attackers to bypass email authentication checks when a message is relayed. Attackers were able to send millions of spoofed emails impersonating large brands that used O365 to host their email.

One of the indicators of EchoSpoofing is that the spoofed emails emanate from a different range of IP addresses than regular production O365 email. This range is known as the Microsoft High-Risk Delivery Pool (HRDP). Microsoft created the HRDP exclusively to send low-quality messages, and you can learn more about it here.

Accepting emails from the HRDP increases the risk of our service being added to IP blocklists. Most organizations do not send emails from this range, so we will begin disallowing traffic from the HRDP by default on July 22nd. Therefore, if you would like to continue allowing traffic from the HRDP, you must explicitly designate the Microsoft High-Risk Delivery Pool as an allowed delivery option within ClientNet, as per the instructions below. Please note that we are aware that non-delivery reports (NDRs) and similar emails are occasionally sent from this range legitimately, and we will continue to process them.

Resolution

First, check to see if your organisation has a legitimate use for the HRDP. The easiest way to do this is by running message traces on your outbound mail using the O365 tools and checking which delivery pool each message was sent from.

If you are an existing customer and you do not have any outbound email using the HRDP, you do not need to take any further action. Broadcom will be separating the production and high-risk IP pools on July 22nd. From this point onwards, we will disallow any outbound emails from the HRDP unless they have been explicitly selected.

If you are an existing customer with a legitimate requirement for the HRDP, please follow the instructions below before July 22nd. If you are a new customer requiring the use of the HRDP, please follow the instructions below when initially configuring the service.

Configure your outbound routes to permit email from the HRDP.

  1. Access the ClientNet portal and navigate to Dashboard > Platform > Outbound Routes
  2. Select Hosted Email Services
  3. Select the "Microsoft Office 365 High Risk Delivery Pool" from the drop-down menu (select both the HRDP AND Microsoft Office 365 if you are a new customer) and click Add.

IMPORTANT: Do not select "Microsoft Office 365 High-Risk Delivery Pool" unless you are certain you need it; otherwise your domains are at risk of abuse by other Microsoft tenants. If you require the Microsoft HRDP, we strongly recommend implementing our recommended data protection policy for EchoSpoofing, as outlined in this article.