Targeted Phishing Emails From Legit autonotificati...

pastorlibre · ‎Feb 7, 2023

Hi,

I wanted to see if anyone else is experiencing this issue but we seem to be getting targeted emails internally from autonotification@concursolutions.com. The header and all signs point to it being legit but the email itself the link seems to be a phishing attempt. Has anyone else seen phishing emails from autonotification@concursolutions.com that seem to be a relay? I wanted to open a support ticket but I work in security for my company and do not currently have an account for it so I thought I would try here first.

AH_C · ‎Feb 9, 2023

Regarding this topic, please check my community entry -> https://community.concur.com/t5/General/IT-security-emails-with-a-customer-ending-quot-company-com-q...

we would like to set up a feature to send CONCUR mails with a "@company.com" email address, but unfortunately CONCUR does not offer this at the moment. So, it would be great, if you can give us a vote/KUDO.

Arntzie · ‎Mar 17, 2023

We learned today, the functionality in Cognos 10 that enabled clients to choose the email sender (we used our internal functional mailbox) was disabled with the move to Cognos 11. We ONLY discovered this recently when we realized our bursting communications are reflecting from "autonotification@us2-mail.concursolutions.com". This is HUGELY problematic for us! We heavily use bursting to manage our entire travel program on a global basis. Our associates hit 'reply' and know the emails will be delivered to the internal functional mailbox and answered. Without the ability for clients to select the email sender, we have NO way to route the responses to our internal mailbox. We NEED a viable solution from Concur!!!! This is beyond frustrating...... How many emails have we missed now? We have had to stop our bursting communications until we have figure out a solution.

CaJu · ‎Feb 9, 2023

Users also received these phishing attempts. Luckily the users were trained and aware and reported them at an early stage. Reason was a missing DMARC

Please see Concurs response about the fix on their side (26.01.2023) However they still refuse to support DKIM tech in order to have emails seem to come from our own companies domain

Dear SAP Concur Administrator,

Thank you for your patience,

We would like to inform you that, we have now updated the Domain: concursolutions.com DMARC policy to p=reject;pct=50 for all our outgoing emails. In the first week of February, the pct will be set to 100. Meanwhile, as a next step, we would request your IT team to update your email server policy to accept emails only if SPF or DKIM passes. Below are the DKIM & SPF records,

DKIM Selectors are consistent and can be found within the email header sent from concursolutions.com.

SPF Records:
spf:us.mail.concursolutions.com
v=spf1 ip4:54.240.61.19/32 ip4:54.240.61.20/30 ip4:54.240.61.24/30 ip4:54.240.61.28/31 ip4:54.240.61.30/32 -all

spf:eu.mail.concursolutions.com
v=spf1 ip4:54.240.53.130/31 ip4:54.240.53.132/30 ip4:54.240.53.136/30 ip4:54.240.53.140/31 ip4:69.169.227.155/32 ip4:69.169.227.156/30 ip4:69.169.227.160/30 ip4:69.169.227.164/31 ip4:69.169.227.166/32 -all

Kindly let us know if you have any other queries. Will be happy to assist.

MMM_567 · ‎Feb 5, 2024

I have got the same phishing email but it is fake as you can identify from the email address. Scammers have invested to buy a domain it seems.

Targeted Phishing Emails From Legit autonotification@concursolutions.com