For the last few months I have been seeing an annoying behavior from spammers. At its core, it is the use of pairs of emails coming in with a time gap to give the impression of validity. The second email gives the impression of a co-worker or supervisor following up on the communication. Some versions of these messages synthesize fake email threads with other co-workers in an attempt to make them seem more real.
These spammers take advantage of Microsoft Graph’s profile data that leaks out from every Microsoft account user to create realistic-looking communications between departments. Be wary of any email, even ones that appear to show contact with your co-workers.
I have been blocking domains as these messages come in, only to find a batch of newly minted, similar-sounding domains. In the screenshot below you can see two domains that are very close coming in just 7 minutes apart. These messages are hard to block because they take the time to set up a mail account on Google, including all the appropriate SPF and DKIM configurations.
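Because the messages pass SPF and DKIM, one thing left to key on is the pattern itself: two previously unseen, near-identical sender domains arriving minutes apart. The sketch below is an added example, not part of the original post; the message fields, the 30-minute window, the edit-distance threshold and the sample domains are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from itertools import combinations


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_pairs(messages, known_domains,
                    window=timedelta(minutes=30), max_dist=2):
    """Return (domain_a, domain_b, gap) for pairs of previously unseen,
    near-identical sender domains received within `window` of each other.
    Authentication results are deliberately ignored: per the post, these
    senders pass SPF and DKIM."""
    unseen = sorted((m for m in messages if m["domain"] not in known_domains),
                    key=lambda m: m["received"])
    hits = []
    for a, b in combinations(unseen, 2):
        gap = b["received"] - a["received"]
        if gap > window or a["domain"] == b["domain"]:
            continue
        if edit_distance(a["domain"], b["domain"]) <= max_dist:
            hits.append((a["domain"], b["domain"], gap))
    return hits


# Constructed sample: parsed mail-log records (hypothetical field names).
SAMPLE = [
    {"received": datetime(2024, 1, 8, 9, 2), "domain": "acme-invoicing.example"},
    {"received": datetime(2024, 1, 8, 9, 9), "domain": "acme-invoicings.example"},
    {"received": datetime(2024, 1, 8, 9, 15), "domain": "partner.example"},
    {"received": datetime(2024, 1, 8, 14, 0), "domain": "acme-invoicinq.example"},
]
KNOWN = {"partner.example"}  # domains with established mail history

if __name__ == "__main__":
    for dom_a, dom_b, gap in lookalike_pairs(SAMPLE, KNOWN):
        print(f"review: {dom_a} / {dom_b} arrived {gap} apart")
```

A hit is a reason to quarantine both messages for review rather than proof of spam, since legitimate organizations also send from sibling domains.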