Skip to content

Detect spoof E-mail and send an incident report using Exchange Online rule (Learning mode) |Part 2#12

In the current article, we will review how to deal with Spoof E-mail scenario in an Office 365 environment, by creating an Exchange Online rule that will identify Spoofed E-mail (spoof sender) and as a response, will generate and send an incident report to a designated recipient.
In our scenario, we want to use the Exchange Online Spoof E-mail rule in a “learning mode” or, “inspecting mode”.

We don’t want to intervene in the mail flow because our main purpose is just to collect information about “events of Spoof E-mail”.

The E-mail that identified as a “potential Spoof E-mail,” will be forwarded by Exchange Online to the destination organization recipient mailbox.

The information about the possible Spoof E-mail event will be logged and reported by using the Exchange Online rule option named – incident report.

Note – although the information in the current article written about Office 365 (Exchange Online) based environment, most of the information is also relevant to Exchange on-Premises based environment.

The main characters of our specific scenario are:

Our CIO, report that gets an E-mail message which allegedly sent by a legitimate organization recipient (our company CFO) that asks him to transfer a substantial amount of money to a specific bank account number.

In reality, the organization recipient (our company CFO) didn’t send this E-mail message, and There is a high chance that the E-mail sent by a hostile element that tries to attack our organization.

The business needs

The business need and the goals that we need to accomplish are as follows:

  1. We want to identify events in which E-mail messages that sent to our organization recipient have a high chance of being spoofed E-mail (spoofed sender).
  2. We don’t want to intervene in the mail flow because our primary purpose is just to collect information about “Spoof E-mail events”. In other words, use the Exchange Online rule for gathering information about a possible Spoof E-mail event (“learning mode” or “inspection mode”).
  3. E-mail message that is identified by the Exchange Online rule as “Spoof E-mail,” will be forwarded to the destination organization recipient mailbox.
  4. We want to send information + a sample of the Spoofed E-mail to a designated shared mailbox.
  5. We want that selected user (such as the Exchange Online administrator), will be able to access the shared mailbox that stores the incident reports, so, he could inspect and analyze the spoofed E-mail message.

Using the option of Exchange Online rule

To be able to accomplish this business requirement, we can create an Exchange Online rule that will inspect each of the incoming mail message and “capture” E-mail message that has the characters of Spoof E-mail.

As a response, the Exchange Online will report the event to a designated recipient\s by generating an incident report.

The Exchange Online incident report will include a summary of the specific E-mail message characters + a copy of the original E-mail message.

The Exchange Online Spoofed E-mail rule structure and logic

The “trigger” that will activate the Exchange Online “Spoofed E-mail rule” will be based on the following two conditions (a combination of condition 1 + condition 2):

  1. An incoming E-mail message that sent by a non-authenticated recipient (recipient who doesn’t provide user credentials).
  2. A recipient who presents himself by using an E-mail address that includes our public domain name. In our specific scenario, an E-mail address that includes the domain name – com

The “action” that will be executed by our Exchange Online “Spoofed E-mail rule” will include the following “parts”:

  • Action 1#1 – Generate + Send an incident report to the designated recipient (shared mailbox named – Spoof E-mail mailbox).

In the following diagram, we can see the sequence of actions, that will be implemented by the Exchange Online Spoofed E-mail rule:

The logic of Exchange Spoof E-mail rule

When Exchange Online identifies E-mail messages that answer the conditions of “spoofed E-mail,” the Exchange rule will activate the following sequence:

The E-mail will sent to the destination recipient mailbox without any intervention from the Exchange Online server side.

1- Detect spoof E-mail message - deliver the E-mail message to the recipient -inspection mode

Exchange Online will generate an incident report, which will sent to the E-mail address of the designated recipient\s. In our scenario, we ask to send the incident report to a designated recipient (shared mailbox named – Spoof E-mail mailbox).

Only authorized user\s can access the “Spoof E-mail shared mailbox”. In our specific scenario Brad (Brad is our Exchange Online administrator) will have access to the shared mailbox.

Step 2 0f-2 - Generate + Send Incident report to designated recipient

Configuring Exchange Spoof E-Mail Rule, That Identifies Spoofed E-Mail And Generates An Incident Report

In the following section, we will provide “step by step” instructions for creating the required “Exchange Online Spoofed E-mail rule” that will answer our business needs.

Part 1#2 – configuring the “condition part” of the Exchange Online Spoofed E-mail rule

  • Log in to the Exchange admin portal
  • On the left menu bar, choose –mail flow
  • On the top menu bar, choose –rules
Login to Exchange Online admin portal and create a new rule ~01
  • Click on the plus icon
  • Choose – Create a new rule…
Login to Exchange Online admin portal and create a new rule ~02
  • In the Name: box, add a descriptive name for the new rule.
    In our specific scenario, we will name the rule – detect Spoof E-mail & Send the incident report
  • Click on the –More Options… link (by default, the interface of the Exchange Online rule includes only a limited set of options. To be able to display the additional options, we will need to “activate” the More Options…).
Detect spoof E-mail & send incident report - condition - 03
  • In the section named –Apply this rule if… click on the small black arrow
Detect spoof E-mail & send incident report - condition - 04

Condition 1#2

  • Choose the primary menu –The sender…
  • In the submenu, select the option –Is external/internal
Detect spoof E-mail & send incident report - condition - 05
  • In the select sender location window, choose the option – Outside the organization.
    The meaning of the term “outside the organization”, relates to a un-authenticated recipient, meaning – a recipient that doesn’t provide user credentials to the mail server.
Detect spoof E-mail & send incident report - condition - 06

Condition 2#2

Now, we will add an additional “layer” to the “rule condition”, in which we relate to
the recipient who uses an E-mail address that includes our domain name (o365pilot.com in our specific scenario).

If you would like to read more information about the meaning of the Exchange Online terms– “External sender” and “outside the organization“, read the following section: Dealing with an E-mail Spoof Attack in Office 365 based environment | Introduction | Part 1#12

  • Click on the – add condition.
Detect spoof E-mail & send incident report - condition - 07
  • In the section named – and click on the small black arrow.
Detect spoof E-mail & send incident report - condition - 08
  • Choose the primary menu – The sender…
  • In the submenu, select the option – domain is
Detect spoof E-mail & send incident report - condition - 09

In the specify domain window, add the required domain name that represents your organization.
In our specific scenario, the public domain name is – o365pilot.com

Note – Don’t forget to click on the plus icon to add the domain name.

Detect spoof E-mail & send incident report - condition - 10

Click on the OK option to save the Exchange Online rule settings.

Detect spoof E-mail & send incident report - condition - 11

Part 2#2 – Configuring the “action part” of the Exchange Online Spoofed E-mail rule

In this phase, we will configure the “second part” of the Exchange Online rule, in which we define the required Exchange response (action) to a scenario of spoofed E-mail that is sent to one of our organization recipients.

Detect spoof E-mail & send incident report - action -01

In our scenario, we wish to instruct Exchange Online to respond to the event in which
The E-mail identified as Spoof E-mail by creating an incident report and send it to a designated recipient: a shared mailbox named – Spoof E-mail mailbox.

In the section named – *.Do the following… click on the small black arrow.

Detect spoof E-mail & send incident report - action -02
  • Choose the menu option – Generate incident report and send it to…
Detect spoof E-mail & send incident report - action -03

The settings of the incident report include two parameters:

  1. The name of the “destination recipient” which will get the incident report.
  2. The information fields that will be included within the incident report.
  • To add the required “destination recipient” name, click on the link – Select one…
Detect spoof E-mail & send incident report - action -04
  • In our specific scenario, the recipient who will get the incident report is Spoof E-mails mailbox.
Detect spoof E-mail & send incident report - action -05

To select the information that will be included within the incident report, click on the link named-*include message properties

Detect spoof E-mail & send incident report - action -06

In our scenario, we will choose to include all the available message properties in the summary report + a copy of the “original Spoof E-mail message”.

  • Select the option – Select all
Detect spoof E-mail & send incident report - action -07

In the following screenshot, we can view the available options:

  • Part A – relates to the info that will appear in the incident report summary.
  • Part B – relates to the option of “attaching” copy of the original E-mail message to the incident report.
Detect spoof E-mail & send incident report - action -08

In the following screenshot, we can see the “final result” – the Exchange Online Spoof email that includes the two parts:

  • The condition part
  • The action part
Detect spoof E-mail & send incident report - action -09

Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly

In this phase, we would like to test the Exchange Online Spoof E-mail rule that was created in the previous step, and verify that the rule is working properly.

The required results from the Exchange Online Spoofed E-mail rule

Our desired expectations are – when Exchange Online identifies events in which E-mail messages that sent to our organization recipient have a high chance of being spoofed E-mail (spoofed sender), the Exchange Online Spoof E-mail rule will execute that following sequence of actions:

  • Generate and send an incident report to the designated recipient. In our scenario, we ask to send the incident report to the shared mailbox named – Spoof E-mails mailbox.

Simulate a Spoof E-mail attack | Scenario characters

To be able to ensure that the Exchange Online Spoof E-mail rule is working properly, we will simulate a spoof E-mail attack that has the following characters:

  • A “hostile element” is trying to spoof the identity of a legitimate organization recipient named –Suzan using the E-mail address – Suzan@o365pilot.com
  • The spoofed E-mail message will be sent to a legitimate organization user named Bob, which uses the E-mail address – Bob@o365pilot.com

Note: If you like to learn about the way that we use for simulating the E-mail spoof attack, you can read the article – How to Simulate E-mail Spoof Attack |Part 11#12

1#2 – verifying that the Spoof E-mail was sent to the destination recipient.

As mentioned, we don’t want to intervene in the mail flow because our primary purpose is just to collect information about “Spoof E-mail events.”

The E-mail that identified as “Spoof E-mail,” will be forwarded to the destination organization recipient mailbox.

Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly -01

2#2 – verifying that an incident report sent to the designated recipient

We can see that Exchange Online rule “capture” an event of Spoof E-mail. As a result, an incident report was sent to the recipient name (Spoof E-mails mailbox) that configured in the Exchange Online rule.

Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly -02

In the following screenshot, we can see an example of the incident report E-mail.

When we look into the incident report, we can see that the incident report includes two parts:

  • The copy of the original E-mail message (A).
  • The incident report summary (B).

The incident report summary includes details such as:

  • Information about the generator of the incident report E-mail message – “This email was automatically generated by the Generate Incident Report action” (number 1).
  • The sender (the “source recipient”) that claim to be a legitimate organization recipient named –Suzan@o365pilot.com (number 2).
  • The recipients (the destination recipient) is – Bob@o365pilot.com (number 3)
  • Rule Hit – the Exchange Online rule the “capture” the spoof E-mail event, and the action that was executed by the Exchange Online rule –”action: GenerateIncidentReport” (number 4).
Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly -03

The next article in the current article series

In the next article – Configuring exceptions for the Exchange Online Spoof E-mail rule |Part 3#12 , we will review how to create an exception to the Exchange Online Spoof E-mail rule.

o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *