Responding to a Forwarding Event from SPO Proxy Address


If you come across an email address while working in Exchange/M365 that looks something like "+SPO:SPO_2b4c97nc-eb6c-3e91-8n9z-59bc5e7ab9en@SPO_3159na78-994d-319b-714d-5d61897c12bb", you've found an SPO proxy address. The example above is based on a real proxy address.

If you are responding to a Microsoft Sentinel incident such as "Rare and potentially high-risk Office operations", you can see that the email address in question in the alert is an SPO proxy address.

If you see an alert come through prefixed with SPO.*, that is going to be an SPO alias. These can be seen, for example, after a mailbox has been soft-deleted, as the SPO alias sticks around for that mailbox.
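To recognise these addresses during triage, the following added example (not code from the original post) classifies the destination address of forwarding-type events. The event records, their field names (`operation`, `destination`) and the `spo_prefixed` bucket are assumptions made for illustration.

```python
import re

# Shape taken from the address quoted in this post: optional "+", the "SPO:"
# type prefix, then SPO_<id>@SPO_<id>. The ids are matched as 8-4-4-4-12
# alphanumeric groups, not strict hex, because the quoted sample is based on
# a real address and contains non-hex letters.
_ID = r"[0-9a-z]{8}(?:-[0-9a-z]{4}){3}-[0-9a-z]{12}"
SPO_PROXY = re.compile(
    rf"^\+?SPO:SPO_(?P<local_id>{_ID})@SPO_(?P<domain_id>{_ID})$", re.IGNORECASE
)
# Looser "prefixed with SPO" check, applied here to the address value
# (assumption). It can also hit an ordinary mailbox such as spo.team@...,
# so it is reported as its own kind for manual review.
SPO_PREFIX = re.compile(r"^\+?SPO[:_.]", re.IGNORECASE)


def classify(address):
    """Return (kind, details) for one address string taken from an alert."""
    value = address.strip().strip('"')
    # proxyAddresses entries carry a type prefix such as "smtp:"; drop it.
    if value.lower().startswith("smtp:"):
        value = value[5:]
    match = SPO_PROXY.match(value)
    if match:
        return "spo_proxy", match.groupdict()
    if SPO_PREFIX.match(value):
        return "spo_prefixed", {}
    return "other", {}


def triage(events):
    """Tag each event with the kind of its forwarding destination."""
    return [dict(e, kind=classify(e["destination"])[0]) for e in events]


# Constructed sample events; field names are hypothetical, not a Sentinel schema.
SAMPLE_EVENTS = [
    {"operation": "Set-Mailbox", "destination":
     "+SPO:SPO_2b4c97nc-eb6c-3e91-8n9z-59bc5e7ab9en@SPO_3159na78-994d-319b-714d-5d61897c12bb"},
    {"operation": "New-InboxRule", "destination": "smtp:someone@example.com"},
    {"operation": "Set-Mailbox", "destination": "SPO_truncated-value"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f'{row["kind"]:<13}{row["operation"]:<15}{row["destination"]}')
```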

Example alert:

Further reading: