FortiSOAR Discussions
adem_netsys
Contributor II

Phishing Scenario

Hello,

We have a phishing scenario on Exchange and we use local Exchange. However, in the new scenario, O365 has been added and some emails are being moved here. In the new environment, some emails are on Exchange and some on O365. How can we use the two environments in the same scenario and how can we tell which server the incoming mail is from?

anarula
Staff

@adem_netsys, try comparing the headers of a sample email from both servers. I would guess the incoming paths would be different.

CTO (SOAR Business) | VP of Engineering
adem_netsys

@anarula How can we do this, have you tried before?

anarula
Staff

@adem_netsys, can you share the headers from 2 samples (one from O365, and the other from Exchange Server)?

CTO (SOAR Business) | VP of Engineering
adem_netsys

Actually, I don't think it is very important what the two headers are here. It could be what you think as an example.

adem_netsys

Do you have any updates? @anarula 

anarula

No @adem_netsys -- in fact, I am waiting on you to provide the sample emails from these 2 different servers. When you provide that, we would compare the headers and search for a clue to differentiate. Basically I expect to see differences in the Received property in the header to identify where the mail is delivered from.

See this as an example:

Received: from abc.abc.com (192.168.DD.YY) by
abc.abc.com (192.168.DD.YY) with Microsoft SMTP Serve

When you parse this header (actually it would be available in JSON format, so easy to look up), you should be able to spot the difference.

CTO (SOAR Business) | VP of Engineering
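
An added example, not part of the thread and not FortiSOAR code: one way to apply the Received-header comparison suggested above, classifying a message by the server named after `by` in its newest Received header. The host suffixes and both sample messages are constructed assumptions; confirm the real values against headers from your own Exchange and O365 mailboxes.

```python
import email
from email import policy

# Assumption: hops under these suffixes are Exchange Online servers.
O365_SUFFIXES = (".outlook.com", ".office365.com")
# Hypothetical on-prem Exchange domain; replace with your own.
ONPREM_SUFFIXES = (".corp.example",)

def received_by_hosts(raw):
    """Return the 'by' host of each Received header, newest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hosts = []
    for value in msg.get_all("Received", []):
        tokens = str(value).split()  # split() also absorbs header folding
        for i, tok in enumerate(tokens[:-1]):
            if tok.lower() == "by":
                hosts.append(tokens[i + 1].lower().rstrip(";"))
                break
    return hosts

def classify(raw):
    """Classify by the newest hop only: it is written by your own server,
    while older Received lines are sender-controlled and can be forged."""
    hosts = received_by_hosts(raw)
    if not hosts:
        return "unknown"
    newest = hosts[0]
    if newest.endswith(O365_SUFFIXES):
        return "o365"
    if newest.endswith(ONPREM_SUFFIXES):
        return "exchange-onprem"
    return "unknown"

# Constructed sample headers (not taken from real mail).
SAMPLE_O365 = (
    "Received: from AB1PR01MB0001.example.prod.outlook.com (2001:db8::1) by\n"
    " AB1PR01MB0002.example.prod.outlook.com (2001:db8::2) with Microsoft SMTP Server;\n"
    " Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from mail.sender.example (203.0.113.5) by\n"
    " mx.example.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server;\n"
    " Mon, 1 Jan 2024 09:59:58 +0000\n"
    "Subject: constructed sample\n\nbody\n"
)
SAMPLE_ONPREM = (
    "Received: from ex01.corp.example (192.168.10.11) by\n"
    " ex02.corp.example (192.168.10.12) with Microsoft SMTP Server;\n"
    " Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Subject: constructed sample\n\nbody\n"
)
```

In a playbook the same decision can be made on the parsed header JSON; the result then selects which mail connector configuration the following steps use.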