We run phishing campaigns against our users with Lucy Security. The emails include a link to a landing page. When the link is clicked, stats are sent to our phishing platform that include which user clicked, when, and from which IP.
We whitelisted Lucy Security's server IP in our anti-spam (Defender 365) so that the spam confidence level is set to -1, attachments and links are not checked, etc. Thus far we don't get many clicks from Microsoft IPs.
The problem is that we get clicks from IPs belonging to Google Fiber, Amazon, Verizon, and a bunch of other telecom companies in the US that I've never heard of (we're in Canada). All of those IPs are in the US. How is that possible?
What I feel should be happening is this:
- Lucy sends emails from its internal server to our Exchange mailboxes (hosted with Microsoft 365)
- The emails make a couple of hops within Microsoft
- All anti-spam measures that we whitelisted are skipped
- Emails are delivered in our mailboxes
That is exactly what seems to be happening when I look at the headers of the Lucy emails I received, and yet we get clicks from some local ISP in the US.
Couple of notes:
- I spoof addresses when making those phishing emails. The spoofed address is put in the From header as well as in the Return-Path header. I do get more unwanted clicks when spoofing an address from a well-known domain (e.g. protonmail.com) than a random one.
- We don't have off-site workers, i.e. all our users are behind our one public IP.
What am I not getting here? How are those emails being clicked (by what appear to be anti-spam systems) somewhere in the US? Does anyone have an idea of where to start looking to solve this? Let me know if you need more info.
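As a starting point for the triage the poster is asking about, here is an added example (my code, not from the original post, Lucy Security or Microsoft) that does two things with Python's standard library: it reconstructs the delivery path from the Received headers of a delivered message so you can confirm the first hop really is the allow-listed Lucy server, and it splits click events into clicks from the organisation's single public egress IP versus clicks from anywhere else, flagging the latter as likely automated link scanning when they land within seconds of delivery. All hostnames, IP addresses (RFC 5737 documentation ranges), timestamps, the 60-second window and the click records are constructed placeholders, not values taken from the post.

```python
"""Added example (not from the original post): triage phishing-simulation
click events by (1) reconstructing the delivery path from a message's
Received headers and (2) separating clicks from the corporate egress IP
from clicks that came from elsewhere, which is the signature of an
automated link scanner rather than a user.

All data below is constructed; IPs, hostnames and times are placeholders.
"""
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
import ipaddress
import re

# Constructed raw message modelling the flow in the post:
# Lucy server -> a couple of Microsoft-side hops -> the user's mailbox.
# Received headers are newest-first, as a real MTA chain would be.
RAW_EMAIL = """\
Received: from outlook-host.example.internal (203.0.113.10) by mailbox.example.com; Mon, 03 Jun 2024 14:00:07 +0000
Received: from edge.example.internal (203.0.113.9) by outlook-host.example.internal; Mon, 03 Jun 2024 14:00:06 +0000
Received: from lucy.example.org (192.0.2.50) by edge.example.internal; Mon, 03 Jun 2024 14:00:05 +0000
Return-Path: <spoofed@protonmail.com>
From: Spoofed Sender <spoofed@protonmail.com>
To: victim@example.com
Subject: Please review

Click here: https://landing.example.org/c/abc123
"""

# Assumed values (placeholders): the allow-listed simulation server and the
# organisation's one public IP that all users sit behind.
LUCY_SERVER_IP = "192.0.2.50"
CORPORATE_EGRESS = ipaddress.ip_network("198.51.100.7/32")

# Constructed click stats as the platform would report them: (user, time, source IP).
CLICKS = [
    ("alice@example.com", "2024-06-03T14:00:09+00:00", "203.0.113.77"),
    ("alice@example.com", "2024-06-03T14:25:31+00:00", "198.51.100.7"),
    ("bob@example.com", "2024-06-03T14:00:11+00:00", "192.0.2.200"),
    ("carol@example.com", "2024-06-03T16:40:00+00:00", "203.0.113.150"),
]

# Matches the simple "from HOST (IP) by RELAY; DATE" form used in the sample above.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?P<ip>[\d.]+)\)\s+by\s+(\S+);\s*(?P<date>.+)$"
)


def delivery_path(raw):
    """Return hops oldest-first as (source_host, source_ip, relay, timestamp)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # newest-first -> oldest-first
        m = RECEIVED_RE.search(hdr.replace("\n", " "))
        if m:
            hops.append((m.group(1), m.group("ip"), m.group(3),
                         parsedate_to_datetime(m.group("date"))))
    return hops


def first_hop_is(hops, expected_ip):
    """True when the oldest Received hop originates from the allow-listed server."""
    return bool(hops) and hops[0][1] == expected_ip


def classify_clicks(clicks, delivered_at, egress=CORPORATE_EGRESS,
                    window=timedelta(seconds=60)):
    """Label each click:
    'user'           - source IP is the corporate egress, a real person
    'scanner-likely' - external IP and clicked within `window` of delivery
    'external'       - external IP, but not clustered around delivery time
    The window is an assumed heuristic, not a value from the post."""
    out = []
    for user, ts, ip in clicks:
        clicked_at = datetime.fromisoformat(ts)
        if ipaddress.ip_address(ip) in egress:
            label = "user"
        elif clicked_at - delivered_at <= window:
            label = "scanner-likely"
        else:
            label = "external"
        out.append((user, ip, label))
    return out


if __name__ == "__main__":
    hops = delivery_path(RAW_EMAIL)
    for host, ip, relay, when in hops:
        print(f"{when.isoformat()}  {host} ({ip}) -> {relay}")
    print("first hop is Lucy server:", first_hop_is(hops, LUCY_SERVER_IP))
    delivered = hops[-1][3]  # timestamp of the final hop into the mailbox
    for user, ip, label in classify_clicks(CLICKS, delivered):
        print(f"{label:15} {ip:15} {user}")
```

Run against a real delivered message and the platform's click export, the useful signal is the combination: a click from a non-corporate IP that lands a few seconds after the final Received timestamp is not a user, and filtering those out of the campaign stats is the first step regardless of which scanner turns out to be fetching the links.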