[SOLVED] False positive KAM_FAKESHAREPOINT

team2021

Jun 29, 2021
Hello, recently we noticed that legitimate emails from Office 365 SharePoint fall into spam.
And it looks like the emails are getting the score "KAM_FAKESHAREPOINT". But I can't think of why; these are legitimate SharePoint emails informing about file sharing etc.


If I open the mail body, then I see:
X-SPAM-LEVEL: Spam detection results: 3
AWL 0.175 Adjusted score from AWL reputation of From: address
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
HTML_MESSAGE 0.001 HTML included in message
KAM_FAKESHAREPOINT 4 Fake Sharepoint Phish
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
RCVD_IN_DNSWL_LOW -0.7 Sender listed at https://www.dnswl.org/, low trust
RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2)
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
SPF_PASS -0.001 SPF: sender matches SPF record
X-Spam-Flag: Yes


Any ideas what to do with that please?


Thank you :)


PMG message tracking log:
Jun 29 00:04:30 pmg postfix/smtpd[59681]: connect from mail-eopbgr30128.outbound.protection.outlook.com[40.107.3.128]
Jun 29 00:04:30 pmg postfix/smtpd[59681]: C3D1E6C0A31: client=mail-eopbgr30128.outbound.protection.outlook.com[40.107.3.128]
Jun 29 00:04:30 pmg postfix/cleanup[59685]: C3D1E6C0A31: message-id=<odspmicro-ReceivedSpoShare-3a6dd69f-e0dc-3000-02e3-4467cf073e2a-eeb4c32c-5a48-4716-9fd1-3ec21d48569d-a9567d09-64c4-45d5-9e13-077dc6033ee9@RDDC984027594A>
Jun 29 00:04:30 pmg postfix/qmgr[941]: C3D1E6C0A31: from=<no-reply@sharepointonline.com>, size=42258, nrcpt=1 (queue active)
Jun 29 00:04:30 pmg postfix/smtpd[59681]: disconnect from mail-eopbgr30128.outbound.protection.outlook.com[40.107.3.128] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Jun 29 00:04:30 pmg pmg-smtp-filter[59566]: 6C121960DA476ED25A0: new mail message-id=<odspmicro-ReceivedSpoShare-3a6dd69f-e0dc-3000-02e3-4467cf073e2a-eeb4c32c-5a48-4716-9fd1-3ec21d48569d-a9567d09-64c4-45d5-9e13-077dc6033ee9@RDDC984027594A>#012
Jun 29 00:04:34 pmg pmg-smtp-filter[59566]: 6C121960DA476ED25A0: SA score=3/5 time=3.295 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.175),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),KAM_FAKESHAREPOINT(4),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_LOW(-0.7),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)
Jun 29 00:04:34 pmg postfix/smtpd[59697]: connect from localhost.localdomain[127.0.0.1]
Jun 29 00:04:34 pmg postfix/smtpd[59697]: 3CDCA6C1474: client=localhost.localdomain[127.0.0.1], orig_client=mail-eopbgr30128.outbound.protection.outlook.com[40.107.3.128]
Jun 29 00:04:34 pmg postfix/cleanup[59685]: 3CDCA6C1474: message-id=<odspmicro-ReceivedSpoShare-3a6dd69f-e0dc-3000-02e3-4467cf073e2a-eeb4c32c-5a48-4716-9fd1-3ec21d48569d-a9567d09-64c4-45d5-9e13-077dc6033ee9@RDDC984027594A>
Jun 29 00:04:34 pmg postfix/qmgr[941]: 3CDCA6C1474: from=<no-reply@sharepointonline.com>, size=43439, nrcpt=1 (queue active)
Jun 29 00:04:34 pmg postfix/smtpd[59697]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 29 00:04:34 pmg pmg-smtp-filter[59566]: 6C121960DA476ED25A0: accept mail to <username@ourdomain.com> (3CDCA6C1474) (rule: default-accept)
Jun 29 00:04:34 pmg pmg-smtp-filter[59566]: 6C121960DA476ED25A0: processing time: 3.393 seconds (3.295, 0.058, 0)
Jun 29 00:04:34 pmg postfix/lmtp[59686]: C3D1E6C0A31: to=<username@ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4, delays=0.58/0.02/0/3.4, dsn=2.5.0, status=sent (250 2.5.0 OK (6C121960DA476ED25A0))
Jun 29 00:04:34 pmg postfix/qmgr[941]: C3D1E6C0A31: removed
Jun 29 00:04:34 pmg postfix/smtp[59698]: 3CDCA6C1474: to=<username@ourdomain.com>, relay=192.168.1.90[192.168.1.90]:25, delay=0.44, delays=0.01/0.02/0.05/0.36, dsn=2.6.0, status=sent (250 2.6.0 <odspmicro-ReceivedSpoShare-3a6dd69f-e0dc-3000-02e3-4467cf073e2a-eeb4c32c-5a48-4716-9fd1-3ec21d48569d-a9567d09-64c4-45d5-9e13-077dc6033ee9@RDDC984027594A> [InternalId=156667522056204, Hostname=mailserver.domain] Queued mail for delivery)
Jun 29 00:04:34 pmg postfix/qmgr[941]: 3CDCA6C1474: removed



All emails contain a URL to our subdomain on SharePoint - https://ourdomain-my.sharepoint.com/ - and are in the Czech language.
Example of what the SharePoint emails look like:
[attached screenshot: 1624972494473.png]
 
You can find the definition of KAM_FAKESHAREPOINT in /usr/share/spamassassin-extra/KAM.cf and it contains the following:
Code:
#FAKESHAREPOINT
header          __KAM_FAKESHAREPOINT1   Subject =~ /by Sharepoint|payment reminder|shared|Request for Quot/i
header          __KAM_FAKESHAREPOINT2   from =~ /sharepoint|accounts? payable|RFQ/i
uri             __KAM_FAKESHAREPOINT3   /my\.sharepoint\.com|appdomain\.cloud/i
body            __KAM_FAKESHAREPOINT4   /Sharepoint Fileshare/i
mimeheader      __KAM_FAKESHAREPOINT5   Content-Type =~ /.html?\"?$/i


meta            KAM_FAKESHAREPOINT      (__KAM_FAKESHAREPOINT1 + __KAM_FAKESHAREPOINT2 + (__KAM_FAKESHAREPOINT3 + KAM_STORAGE_GOOGLE + __KAM_FAKESHAREPOINT4 >= 1) + __KAM_FAKESHAREPOINT5 >= 3)
describe        KAM_FAKESHAREPOINT      Fake Sharepoint Phish
score           KAM_FAKESHAREPOINT      4.0

You could customize the score of that rule by going to Configuration -> Spam Detector -> Custom Scores.
Thanks, I'll look into that.

In the meantime, I made a hotfix by creating a rule to accept the email if it contains our unique tenant ID (GUID string) in the body and the sender is @sharepointonline.com.
This may not be such a bad solution in the end - I won't have to disable "FAKESHAREPOINT", and the risk that phishing emails would contain our GUID is probably not great.
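To see why the meta rule from KAM.cf quoted above fires on a genuine share notification, and how the accept rule from the last reply would exempt it, here is an added Python evaluator (not part of the thread, not SpamAssassin's own code) that reproduces the sub-rules with the regexes from KAM.cf against a constructed sample message; the tenant GUID, the sample headers/body and the crude URI extraction are assumptions.

```python
import re

# Regexes copied from the __KAM_FAKESHAREPOINT sub-rules quoted in the thread.
# KAM_STORAGE_GOOGLE is defined elsewhere in KAM.cf and is assumed not to hit (0).
SUBJECT_RE = re.compile(r"by Sharepoint|payment reminder|shared|Request for Quot", re.I)
FROM_RE    = re.compile(r"sharepoint|accounts? payable|RFQ", re.I)
URI_RE     = re.compile(r"my\.sharepoint\.com|appdomain\.cloud", re.I)
BODY_RE    = re.compile(r"Sharepoint Fileshare", re.I)
CTYPE_RE   = re.compile(r".html?\"?$", re.I)
URL_RE     = re.compile(r"https?://[^\s\"'<>]+")  # crude stand-in for SA's URI extraction

def subrule_hits(msg):
    """0/1 value of each sub-rule for a message given as a dict with
    'subject', 'from', 'content_type' and 'body' (constructed stand-in)."""
    uris = URL_RE.findall(msg["body"])
    return {
        "subject": int(bool(SUBJECT_RE.search(msg["subject"]))),
        "from":    int(bool(FROM_RE.search(msg["from"]))),
        "uri":     int(any(URI_RE.search(u) for u in uris)),
        "body":    int(bool(BODY_RE.search(msg["body"]))),
        "ctype":   int(bool(CTYPE_RE.search(msg["content_type"]))),
    }

def kam_fakesharepoint(hits, storage_google=0):
    """Evaluate the meta expression as written in KAM.cf: the inner group
    (uri + google + body >= 1) contributes at most 1, and the meta fires
    when at least 3 of the 4 outer terms are true."""
    inner = int(hits["uri"] + storage_google + hits["body"] >= 1)
    return hits["subject"] + hits["from"] + inner + hits["ctype"] >= 3

def tenant_exempt(msg, tenant_guid):
    """Mirror of the poster's hotfix: exempt only when the sender domain is
    sharepointonline.com AND the tenant's own GUID appears in the body."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].rstrip(">").lower()
    return sender_domain == "sharepointonline.com" and tenant_guid in msg["body"]

# Constructed sample resembling the legitimate notification from the thread
# (Czech subject, so the 'shared' keyword does not hit). GUID is a placeholder.
TENANT_GUID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real tenant ID
SHARE_MAIL = {
    "subject": "Jan Novák s vámi sdílel soubor \"rozpocet.xlsx\"",
    "from": "Jan Novák <no-reply@sharepointonline.com>",
    "content_type": "text/html",
    "body": ("<p>Otevřít: https://ourdomain-my.sharepoint.com/:x:/g/personal/jan_novak/"
             "Eabc123</p><p>tenant=" + TENANT_GUID + "</p>"),
}

if __name__ == "__main__":
    hits = subrule_hits(SHARE_MAIL)   # from + uri + ctype hit: 3 of 4 terms, so the meta fires
    print(hits, kam_fakesharepoint(hits), tenant_exempt(SHARE_MAIL, TENANT_GUID))
```

Even with no suspicious subject keyword, a real share notification supplies three of the four terms by itself (sender, my.sharepoint.com link, HTML part), which is exactly what makes the rule fire on legitimate mail.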