Phishing and Spoofing
------------------------------------------
A. Why was the spoofed email not caught by the Office365 spam filters?
· Office 365 spam filters mark an email as spam based on the following factors:
1. Sender IP Reputation - Blacklist Check, PTR Record
2. Sender Domain Reputation (Customer's own domain) - Blacklist Check, SPF Check, DMARC Check
3. Email Content - URLs, Specific Keywords (Ex. Sensitive Words), Attachments, etc.
· If the received spoofed email comes from a sender with a good reputation and its content does not resemble any of the spam characteristics above, there is a possibility that the email will not be marked as spam by the Office 365 filters.
B. Why does Office 365 not block the spoofed emails by default?
· As Office 365 is a hosted service, many customers have printers, scanners or 3rd party websites/partners sending emails using the customer's own domain (which looks like spoofing from the outside), and blocking such emails by default would result in data loss.
C. What can be done to prevent such emails from being delivered to the end users?
· We can create a transport rule to block such emails from reaching the end users. However, we first have to collect the public IP addresses of the scanners, printers or 3rd party websites that send emails using the customer's own domain, so they can be excluded from the rule.
· Below is the transport rule that we have to create to block the spoofed emails:
------------------------------------------------------------------------------------------------------------------
If The sender domain is "domain.com" And The sender is outside the organization
Then
Redirect the message to the hosted quarantine
And
Generate an incident report and send it to "Administrator" and select "include all properties"
Except if
The sender IP address is "Public IP address of any scanners/printers/websites in your network sending emails to Office 365 mailbox"
Before we implement the rule above and start moving emails to the hosted quarantine, we suggest the following rule for testing (for 1-2 days). Once it is confirmed to be working properly and all the exceptions have been added, we will change it to the rule above.
If The sender domain is "domain.com" And The sender is outside the organization
Then
Generate an incident report and send it to "Administrator" and select "include all properties"
and
Redirect the email to hosted quarantine
Except if
The sender IP address is "Public IP address of any scanners/printers/websites in your network sending emails to Office 365 mailbox"
Note: While creating the rule, take extra precautions if you have a Hybrid environment or if you have customized mail flow using a 3rd party filtering service, as the sender IP address seen by Office 365 may then be that of the on-premises server or the filtering service rather than the original sender.
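The same rule expressed with the Exchange Online PowerShell cmdlets, as an added example that is not part of the original article. The rule name, the domain "domain.com", the report mailbox and the IP addresses are placeholders/constructed values; the message-trace step is an assumption about how one might collect the sender IPs mentioned in section C and is not something the article prescribes.

```powershell
# Added example (not from the original article): create the anti-spoofing
# transport rule described above with Exchange Online PowerShell.
# All names, addresses and IP ranges below are placeholders or constructed samples.
Connect-ExchangeOnline

$ownDomain     = "domain.com"                  # placeholder: the customer's own domain
$reportMailbox = "administrator@domain.com"    # placeholder: recipient of the incident report

# Step 1 (assumption, not from the article): find external hosts that have recently sent
# mail "from" our own domain, so the printer/scanner/partner IPs can be added as exceptions.
# Get-MessageTrace returns a FromIP property per message; the filter is done client-side.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$externalSenders = Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 |
    Where-Object { $_.SenderAddress -like "*@$ownDomain" } |
    Group-Object FromIP |
    Select-Object Name, Count |
    Sort-Object Count -Descending
$externalSenders | Format-Table -AutoSize   # review this list; keep only hosts you recognise

# Step 2: the exception list. Constructed sample values (RFC 5737 documentation ranges);
# replace with the public IPs of your own printers/scanners/websites.
$trustedSenderIPs = @("203.0.113.10", "198.51.100.0/24")

# Step 3: the rule itself. This mirrors the conditions, actions and exception in the article:
#   If   the sender domain is "domain.com" AND the sender is outside the organization
#   Then generate an incident report (all properties) AND redirect to hosted quarantine
#   Except if the sender IP address is one of the trusted hosts.
New-TransportRule -Name "Block spoofed mail from own domain" `
    -SenderDomainIs $ownDomain `
    -FromScope NotInOrganization `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent Sender, Recipients, Subject, CC, BCC, Severity, Overrides, RuleDetections, FalsePositive, DataClassifications, IdMatch, AttachOriginalMail `
    -Quarantine $true `
    -ExceptIfSenderIpRanges $trustedSenderIPs `
    -Mode Enforce `
    -Comments "Spoof protection: external mail claiming our own domain goes to quarantine. Review exceptions after the 1-2 day test period."

# Step 4: after the test period, add any further legitimate senders to the exception list
# without recreating the rule (example value is constructed).
Set-TransportRule -Identity "Block spoofed mail from own domain" `
    -ExceptIfSenderIpRanges ($trustedSenderIPs + "192.0.2.25")

# Verify the final rule before leaving it in place.
Get-TransportRule -Identity "Block spoofed mail from own domain" |
    Format-List Name, State, Mode, SenderDomainIs, FromScope, ExceptIfSenderIpRanges, Quarantine, GenerateIncidentReport
```

The `-IncidentReportContent` list corresponds to the "include all properties" choice in the Exchange admin center. If mail first passes through an on-premises server or a 3rd party filtering service, the IP that Exchange Online sees is that intermediate hop, so a sender-IP exception would then apply to every message from that hop; in that case the exception list needs to be built from the message trace results rather than from the sending devices' own addresses.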
Regards,
Abdul Rahman
Deployment Engineer | Office 365 | Mail Infra - CS
Netcore Solutions | Email : abdul.rahman@netcore.co.in