Detect spoof E-mail and send the spoof E-mail to Administrative Quarantine using Exchange Online rule |Part 7#12
In the current article, we will review how to deal with a Spoof E-mail scenario in an Office 365 environment by creating an Exchange Online rule that identifies Spoofed E-mail (spoofed sender) and, as a response, “routes” the E-mail to the Exchange Online administrative quarantine.
In our particular scenario, we don’t want the E-mail to be delivered to the organization user’s mailbox. Instead, we would like to route E-mail that has the characteristics of Spoof E-mail to a “secured area” or an “isolated area” that can be accessed only by an authorized representative such as the Exchange Online administrator.
An additional requirement is to notify the “destination recipient” that an E-mail message that was sent to him was blocked, and that if he wants additional information about the particular E-mail, or wants to ask for the E-mail to be released, he will need to contact a specific technical representative.
Table of contents
- The Exchange Online Spoofed E-mail rule structure and logic
- Configuring The Exchange Online Spoofed E-Mail Rule | Send To Administrative Quarantine | Generate An Incident Report | Send custom E-Mail Notification to the end user
- Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly
- The next article in the current article series
The information about the possible Spoof E-mail event will be logged and reported by using the Exchange Online rule option named – incident report.
The main characteristics of the Spoof E-mail attack scenario:
Our CIO reports that he received an E-mail, allegedly sent by a legitimate organization recipient (our company CFO), that asks him to transfer a substantial amount of money to a specific bank account number.
In reality, the organization recipient (our company CFO) didn’t send this E-mail message, and there is a high chance that the E-mail was sent by a hostile element that is trying to attack our organization.
The business needs
The business needs and the goals that we need to accomplish are as follows:
- We want to identify events in which E-mail messages sent to our organization recipients have a high chance of being spoofed E-mail (spoofed sender).
- We wish to prevent Spoofed E-mail from reaching the organization user’s mailbox.
- We don’t want to delete E-mail that looks like spoofed E-mail. Instead, we want to send the Spoofed E-mail to a “restricted area”, meaning the Exchange Online administrative quarantine.
- Only an authorized representative, such as the Exchange Online administrator, will be able to access the Exchange Online quarantine.
- We want to notify the destination recipient that an E-mail message sent to him was classified as spoofed E-mail and sent to the administrative quarantine.
- We want to send information + a sample of the Spoofed E-mail to a designated shared mailbox.
- We want a designated user (such as the Exchange Online administrator) to be able to access the shared mailbox that stores the incident reports, so that he can inspect and analyze the spoofed E-mail message.
The Exchange Online Spoofed E-mail rule structure and logic
The Exchange Online rule trigger
The “trigger” that will activate the Exchange Online “Spoofed E-mail rule” is based on the following two conditions (a combination of condition 1 + condition 2):
- An incoming E-mail message that is sent by a non-authenticated sender (a sender who doesn’t provide user credentials).
- A sender who presents himself by using an E-mail address that includes our public domain name. In our specific scenario, an E-mail address that includes the domain name – o365pilot.com
The Exchange Online rule response
The “action” that will be executed by our Exchange Online “Spoofed E-mail rule” will include the following “parts”:
1. Identify E-mail that has the characteristics of Spoofed E-mail
2. “Route” the E-mail to administrative quarantine (route the Spoof E-mail to an isolated area)
When Exchange Online identifies an E-mail message that meets the conditions of “Spoofed E-mail,” the Exchange rule will activate the following sequence:
The E-mail will not be sent to the destination recipient’s mailbox and, instead, will be “routed” to the administrative quarantine (the term administrative quarantine describes a storage space that can be accessed only by the Exchange Online administrator and not by the user).
Exchange Online will generate an E-mail notification message, which is sent to the destination recipient who was supposed to receive the E-mail (the E-mail that was identified as spoofed E-mail and sent to the quarantine).
In our scenario, we will create a custom E-mail notification and use HTML code to make the notification message easy to understand and useful to our organization recipients.
3. Send a custom E-mail notification to the destination recipient
Inform the destination recipient that an E-mail that was sent to him was identified as Spoof E-mail and sent to administrative quarantine.
4. Generate an incident report that is sent to the E-mail address of the designated recipient(s).
In our scenario, we ask to send the incident report to a designated recipient (a shared mailbox named – Spoof E-mail mailbox).
Only authorized user(s) can access the “Spoof E-mail shared mailbox”. In our specific scenario, Brad (our Exchange Online administrator) will have access to the shared mailbox.
In the following diagram, we can see the sequence of actions that is implemented by the Exchange Online Spoofed E-mail rule:
Note: Although the information in the current article is written about an Office 365 (Exchange Online) based environment, most of the information is also relevant to an Exchange on-Premises based environment.
Configuring The Exchange Online Spoofed E-Mail Rule | Send To Administrative Quarantine | Generate An Incident Report | Send custom E-Mail Notification to the end user
In the following section, we will provide “step by step” instructions for creating the required “Exchange Online Spoofed E-mail rule” that will answer our business needs.
Part 1#2 – configuring the “condition part” of the Exchange Online Spoofed E-mail rule
- Log in to the Exchange admin portal
- On the left menu bar, choose – mail flow
- On the top menu bar, choose – rules
- Click on the plus icon
- Choose – Create a new rule…
- In the Name: box, add a descriptive name for the new rule.
In our specific scenario, we will name the rule – Detect Spoof E-mail –Prepend subject and Send to administrative quarantine
- Click on the – More Options… link (by default, the interface of the Exchange Online rule includes only a limited set of options. To be able to display the additional options, we will need to “activate” the More Options…).
- In the section named – Apply this rule if… click on the small black arrow
Condition 1#2
- Choose the primary menu –The sender…
- In the submenu, select the option –Is external/internal
- In the select sender location window, choose the option – Outside the organization.
The term “outside the organization” relates to an unauthenticated sender, meaning a sender that doesn’t provide user credentials to the mail server.
Condition 2#2
Now, we will add an additional “layer” to the “rule condition”, in which we relate to a sender who uses an E-mail address that includes our domain name (o365pilot.com in our specific scenario).
If you would like to read more information about the meaning of the Exchange Online terms– “External Sender” and “outside the organization“, read the following section: Dealing with an E-mail Spoof Attack in Office 365 based environment | Introduction | Part 1#12
- Click on the – add condition.
- In the section named – and click on the small black arrow.
- Choose the primary menu – The sender…
- In the submenu, select the option – domain is
In the specify domain window, add the required domain name that represents your organization.
In our specific scenario, the public domain name is – o365pilot.com
Note – Don’t forget to click on the plus icon to add the domain name.
Click on the OK option to save the Exchange Online rule settings.
Part 2#2 – Configuring the “action part” of the Exchange Online Spoofed E-mail rule
In this phase, we will configure the “second part” of the Exchange Online rule, in which we define the required Exchange response (action) to a scenario of spoofed E-mail that is sent to one of our organization recipients.
In our scenario, we wish to instruct Exchange Online to respond to an event in which an E-mail message is identified as Spoof E-mail by implementing the following actions:
1#3 – Send the spoofed E-mail to quarantine.
- In the section named – Do the following… click on the small black arrow
- Choose the menu option – Redirect the message to…
- In the submenu, choose the menu option – hosted quarantine
2#3 – Create an E-mail notification that will be sent to the destination recipient.
In this step, we will define the action that sends a mail notification to the Exchange Online recipient who was supposed to get the E-mail message.
- Click on the option – add action
- In the section named – *. and… click on the small black arrow.
- Choose the menu option – Notify the recipient with a message…
In the “provide the message text” window, add the required E-mail notification text.
Technically, the content of the E-mail notification can be a simple text message.
In our scenario, I have prepared a “styled E-mail notification” using an HTML format.
This is an example of the content of the custom E-mail message.
If you want to download an example of the HTML format that I have used, you can download the example from the following link
3#3 – Create an incident report and send it to a designated recipient.
In this step, we will define the “last action”, in which we instruct Exchange Online to generate + send an incident report to a designated recipient.
- Click on the option – add action
- In the section named – *. and… click on the small black arrow.
- Choose the menu option – Generate incident report and send it to…
The settings of the incident report include two parameters:
- The name of the “destination recipient” which will get the incident report.
- The information fields that will be included in the incident report.
- To add the required “destination recipient” name, click on the link – Select one…
- In our specific scenario, the recipient who will get the incident report is Spoof E-mails mailbox.
To select the information that will be included in the incident report, click on the link named – *include message properties
In our scenario, we will choose to include all the available message properties in the summary report + a copy of the “original Spoof E-mail message”.
- Select the option – Select all
In the following screenshot, we can view the available options:
- Part A – relates to the information that will appear in the incident report summary.
- Part B – relates to the option of “attaching” a copy of the original E-mail message to the incident report.
In the following screenshot, we can see the “final result” – the Exchange Online Spoof E-mail rule, which includes the two parts:
- The condition part
- The action part
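The same rule can be created from Exchange Online PowerShell instead of the admin portal. The script below is an added example, not part of the original article; the administrator account, the address of the shared “Spoof E-mail mailbox” and the HTML notification text are assumptions made for illustration.

```powershell
# Added example: builds the rule from the GUI steps above in Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed; the account below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@o365pilot.com'

$ruleName      = 'Detect Spoof E-mail - Prepend subject and Send to administrative quarantine'
$orgDomain     = 'o365pilot.com'                  # public domain from the article
$reportMailbox = 'spoof-mailbox@o365pilot.com'    # assumed address of the "Spoof E-mail mailbox"

# Constructed notification text. The %%...%% tokens are filled in by Exchange per message.
$notification = @'
<html><body style="font-family:Segoe UI,Arial,sans-serif">
<h3 style="color:#b00020">An E-mail addressed to you was quarantined</h3>
<p>The message claims to come from our own domain but was sent from outside
the organization, so it was classified as a possible Spoof E-mail.</p>
<table>
<tr><td>From</td><td>%%From%%</td></tr>
<tr><td>To</td><td>%%To%%</td></tr>
<tr><td>Subject</td><td>%%Subject%%</td></tr>
<tr><td>Date</td><td>%%MessageDate%%</td></tr>
</table>
<p>To get more information or to ask for the message to be released,
contact the Exchange Online administrator.</p>
</body></html>
'@

$ruleSettings = @{
    Name                   = $ruleName
    # Condition 1#2: the sender is outside the organization (unauthenticated)
    FromScope              = 'NotInOrganization'
    # Condition 2#2: the sender address uses our own domain
    SenderDomainIs         = $orgDomain
    # Action 1#3: redirect to hosted (administrative) quarantine
    Quarantine             = $true
    # Action 2#3: notify the destination recipient
    GenerateNotification   = $notification
    # Action 3#3: incident report with all properties plus the original message
    GenerateIncidentReport = $reportMailbox
    IncidentReportContent  = 'Sender', 'Recipients', 'Subject', 'Cc', 'Bcc', 'Severity',
                             'Override', 'RuleDetections', 'FalsePositive',
                             'DataClassifications', 'IdMatch', 'AttachOriginalMail'
    Mode                   = 'Enforce'
}

if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$ruleName' already exists; nothing was changed."
} else {
    New-TransportRule @ruleSettings |
        Format-List Name, State, Mode, FromScope, SenderDomainIs, Quarantine
}
```

Setting `Mode` to `Audit` instead of `Enforce` records rule matches in message tracking without taking the actions. That shows which legitimate outside services send mail with the organization's domain before anything is quarantined.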
Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly
In this phase, we would like to test the Exchange Online Spoof E-mail rule created in the previous step and verify that the rule is working properly.
The required results from the Exchange Online Spoofed E-mail rule
Our expectation is that when Exchange Online identifies events in which E-mail messages sent to our organization recipients have a high chance of being spoofed E-mail (spoofed sender), the Exchange Online Spoof E-mail rule will execute the following sequence of actions:
- Identify the event of incoming E-mail messages that have the characteristics of spoof E-mail.
- Send the spoofed E-mail to administrative quarantine.
- Send a custom E-mail notification message to the destination recipient (Bob in our specific scenario), notifying him that a Spoof E-mail was sent to him and that he can contact the Exchange Online administrator if he needs to check the specific E-mail message.
- Generate an incident report that will be sent to the E-mail address of the designated recipient(s). In our specific scenario, we ask to send the incident report to a designated recipient (a shared mailbox named – Spoof E-mail mailbox).
Simulate a Spoof E-mail attack | Scenario characteristics
To ensure that the Exchange Online Spoof E-mail rule is working properly, we will simulate a spoof E-mail attack that has the following characteristics:
- A “hostile element” is trying to spoof the identity of a legitimate organization recipient named Suzan, using the E-mail address – Suzan@o365pilot.com
- The spoofed E-mail message will be sent to a legitimate organization user named Bob, who uses the E-mail address – Bob@o365pilot.com
If you would like to learn about the method that we use for simulating the E-mail spoof attack, you can read the article – How to Simulate E-mail Spoof Attack |Part 11#12
1#3 – Verifying that a custom E-mail notification message is sent to the destination recipient
In the following screenshot, we can see an example of the custom E-mail notification that is sent to the destination recipient by the Exchange Online rule.
The custom E-mail notification includes a couple of “parts.”
- The upper part (part A) includes the “warning notification”, which informs the recipient that an E-mail message that was sent to him is probably Spoof E-mail.
- The second part (part B) includes a report summary about the E-mail message.
- The bottom part (part B) includes information about the “contact persons” that the recipient can contact in case he needs more information about the specific event.
2#3 – Verifying that the spoofed E-mail is sent to administrative quarantine.
To view the content of the Exchange Online administrative quarantine, we will log in to the Exchange Online administrative portal.
- On the left sidebar menu, choose the menu – protection
- On the top bar menu, choose the menu – quarantine
In the following screenshot, we can see the content of the Exchange Online administrative quarantine.
We can see that the E-mail that was sent from Suzan@o365pilot.com (the address we use for simulating the spoofed E-mail attack) was “captured” by the Exchange Online Spoofed E-mail rule and sent to the Exchange Online administrative quarantine.
The Exchange Online administrator can view the particular E-mail message that was sent to the administrative quarantine and decide whether he wants to send the E-mail to its “original destination”, meaning the recipient’s mailbox.
3#3 – Verifying that an incident report is sent to the designated recipient.
We can see that the Exchange Online rule “captured” an event of Spoof E-mail.
As a result, an incident report was sent to the recipient (Spoof E-mails mailbox) that is configured in the Exchange Online rule.
In the following screenshot, we can see an example of the incident report E-mail.
When we look into the incident report, we can see that it includes two parts:
- The copy of the original E-mail message (A).
- The incident report summary (B).
The incident report summary includes details such as:
- Information about the generator of the incident report E-mail message – “This email was automatically generated by the Generate Incident Report action” (number 1).
- The sender (the “source recipient”), who claims to be a legitimate organization recipient – Suzan@o365pilot.com (number 2).
- The recipient (the destination recipient) – Bob@o365pilot.com (number 3)
- Rule Hit – the Exchange Online rule that “captured” the spoof E-mail event, and the actions that were executed by the Exchange Online rule –” Detect Spoof E-mail & Send to Administrative Quarantine, Action: GenerateNotification, Quarantine, GenerateIncidentReport” (number 4).
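The verification steps above can also be run from Exchange Online PowerShell. The script below is an added example, not part of the original article; it assumes an existing Connect-ExchangeOnline session, the rule name used when the rule was created, and that the simulated attack was sent within the last day.

```powershell
# Added example; assumes an existing Connect-ExchangeOnline session.
$ruleName = 'Detect Spoof E-mail - Prepend subject and Send to administrative quarantine'
$rule = Get-TransportRule -Identity $ruleName -ErrorAction Stop

# Compare the saved rule with the settings the article configures.
$checks = [ordered]@{
    'Rule is enabled'                    = $rule.State -eq 'Enabled'
    'Rule is enforced (not audit only)'  = $rule.Mode -eq 'Enforce'
    'Sender is outside the organization' = $rule.FromScope -eq 'NotInOrganization'
    'Sender domain is o365pilot.com'     = $rule.SenderDomainIs -contains 'o365pilot.com'
    'Redirect to hosted quarantine'      = [bool]$rule.Quarantine
    'Recipient notification is set'      = [bool]$rule.GenerateNotification
    'Incident report recipient is set'   = [bool]$rule.GenerateIncidentReport
    'Original message is attached'       = $rule.IncidentReportContent -contains 'AttachOriginalMail'
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-38} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# Messages quarantined by a mail flow rule for the simulated attack (Suzan -> Bob).
# The one-day window is an assumption; widen it if the test was sent earlier.
$held = Get-QuarantineMessage -QuarantineTypes TransportRule `
            -SenderAddress 'Suzan@o365pilot.com' -RecipientAddress 'Bob@o365pilot.com' `
            -StartReceivedDate (Get-Date).AddDays(-1) -EndReceivedDate (Get-Date)

if (-not $held) {
    Write-Warning 'No quarantined message found for the simulated spoof E-mail.'
} else {
    $held | Sort-Object ReceivedTime -Descending |
        Format-Table ReceivedTime, SenderAddress, RecipientAddress, Subject, ReleaseStatus -AutoSize
}

# After inspecting a message, the administrator can release it to its original destination:
# Release-QuarantineMessage -Identity $held[0].Identity -ReleaseToAll
```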
The next article in the current article series
In the next article – Detect spoof E-mail and send the spoof E-mail to — USER quarantine using Exchange Online rule |Part 8#12, we will review how to create an Exchange Online rule that will identify events of spoofed E-mail and as a response, the Exchange Online spam filter will send the Spoof E-mail to user quarantine and the Exchange Online rule will send a custom E-mail notification to the recipient.
Hello,
I received an email from a supplier that was hacked.
Customer domain is (header.from = dhavalgroup.com), but the email was sent from (smtp.mailfrom = deltaexports.us).
How to protect yourself from receiving these fake emails from my suppliers?
———–>
Authentication-Results: spf = none (IP sender is 173,201,192,164)
smtp.mailfrom = deltaexports.us; mydominio.com.br; dkim = none (message not
signed) header.d = none; mydomain.com.br; DMARC = none action = none
header.from = dhavalgroup.com; mydomain.com.br; dkim = none (message not
signed) header.d = none;
Received-SPF: None (protection.outlook.com: deltaexports.us does not designate
permitted sender hosts)
Received: from p3plwbeout13-02.prod.phx3.secureserver.net (173,201,192,164) by
BN1BFFO11FD048.mail.protection.outlook.com (10.58.145.3) with Microsoft SMTP
Server (version = TLS1_2, cipher = TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.669.7
Frontend via Transport; Mon, 17 Oct 2016 08:56:30 +0000
Received: from localhost ([173,201,192,136])
by p3plwbeout13-02.prod.phx3.secureserver.net with bizsmtp
id wYwV1t0012x1vXx01YwVbq; Mon, 17 Oct 2016 01:56:29 -0700
<————
Thank you.