Detect spoof E-mail and add disclaimer using Exchange Online rule |Part 6#12 5/5 (2) 12 min read

In the current article, we will review how to deal with Spoof mail by creating an Exchange rule that will identify incoming Spoof E-mail (spoofed sender).

In such scenario, we would like to implement the following sequence of actions:

  1. Add a disclaimer to the E-mail message.
  2. Prepend the E-mail subject.
  3. Generate + send an incident report to a designated recipient.

In our scenario, we prefer not to delete or block email messages that have the characters of Spoof E-mail and instead, we want to let the “end user” to decide if the particular mail item is a Spoof E-mail or not.

We want to enable the E-mail to reach the organization user mailbox, but at the same time, we want to inform the recipient that the E-mail that he gets, considered as “problematic E-mail.”

The “recipient warning” will be implemented by adding text to the E-mail subject + add a disclaimer to the E-mail.

The information about the possible Spoof E-mail event will be logged and reported by using the Exchange Online rule option named – incident report.

The main characters of the Spoof E-mail attack scenario:

Our company CIO, report that got an E-mail, that sent to him by the company CFO, that asks him to transfer a substantial amount of money to a particular bank account.
After a short inquiry, he discovers that the E-mail is a Spoof mail!

Dealing with Spoof mail attack | The business needs

The business need and the goals that we need to accomplish are as follows:

  1. We want to identify events in which E-mail messages that sent to our organization recipient have a high chance of being spoofed E-mail (spoofed sender).
  2. We don’t want to intervene in the mail flow. The decision “what to do” with the E-mail message that there is a high chance that the sender spoofs his identity, will be considered as “user decision.”
  3. Our primary purpose is – to inform the recipient that the E-mail message that sent to him considered as “problematic E-mail.” We want to “warn” the organization recipient by adding a disclaimer to the E-mail + prepend the E-mail subject.
  4. We want to send information + a sample of the Spoofed E-mail to a designated shared mailbox.
  5. We want that a designated user (such as the Exchange Online administrator), will be able to access the shared mailbox that stores the incident reports, so, he could inspect and analyze the spoofed E-mail message.

The Exchange Online Spoofed E-mail rule structure and logic

The Exchange Online rule trigger

The “trigger” that will activate the Exchange Online “Spoofed E-mail rule” will be based on the following two conditions (a combination of condition 1 + condition 2):

  1. An incoming E-mail message that is sent by a non-authenticated recipient (recipient who doesn’t provide user credentials).
  2. A recipient who presents himself by using an E-mail address that includes our public domain name. In our specific scenario, an E-mail address that includes the domain name –com

The Exchange Online rule response

The “action” that will be executed by our Exchange Online “Spoofed E-mail rule” will include the following “parts”:

  1. Identify E-mail that has the characters of Spoofed E-mail
  2. Prepend the E-mail subject

Detect spoof E-mail message - Prepend E-mail message subject - Step 1 - 3

  1. Add a disclaimer to the E-mail

Detect spoof E-mail message - Prepend E-mail message subject - Step 2 - 3

  1. Generate an incident report that will be sent to the E-mail address of the designated recipient\s. In our specific scenario, we ask to send the incident report to a designated recipient (shared mailbox named – Spoof E-mail mailbox).

Detect spoof E-mail message - Prepend E-mail message subject - Step 3 - 3

Only authorized user\s can access the “Spoof E-mail shared mailbox”. In our specific scenario Brad (Brad is our Exchange Online administrator) will have access to the shared mailbox.

In the following diagram, we can see the sequence of actions, that will be implemented by the Exchange Online Spoofed E-mail rule:

The logic of spoof E-mail rule- Prepend E-mail message of the spoofed E-mail

Note – although the information in the current article was written about Office 365 (Exchange Online) based environment, most of the information is also relevant to Exchange on-Premises based environment.

Configuring Exchange Online Rule That Will – – add a disclaimer to the E-mail + prepend the E-mail subject

In the following section, we will provide “step by step” instructions for creating the required “Exchange Online Spoofed E-mail rule” that will answer our business needs.

Part 1#2 – configuring the “condition part” of the Exchange Online Spoofed E-mail rule

  • Log in to the Exchange admin portal
  • On the left menu bar, choose –mail flow
  • On the top menu bar, choose –rules

Login to Exchange Online admin portal and create a new rule ~01

  • Click on the plus icon
  • Choose – Create a new rule…

Login to Exchange Online admin portal and create a new rule ~02

  • In the Name: box, add a descriptive name for the new rule.
    In our specific scenario, we will name the rule – Detect Spoof E-mail –Prepend subject and add Disclaimer
  • Click on the –More Options… link (by default, the interface of the Exchange Online rule includes only a limited set of options. To be able to display the additional options, we will need to “activate” the More Options…).

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -03

  • In the section named –Apply this rule if… click on the small black arrow

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -04

Condition 1#2

  • Choose the primary menu –The sender…
  • In the submenu, select the option –Is external/internal

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -05

  • In the select sender location window, choose the option – Outside the organization.
    The meaning of the term “outside the organization”, relates to a un-authenticated recipient, meaning – a recipient that doesn’t provide user credentials to the mail server.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -06

Condition 2#2

Now, we will add an additional “layer” to the “rule condition”, in which we relate to
the recipient who uses an E-mail address that includes our domain name (o365pilot.com in our specific scenario).

Note – If you would like to read more information about the meaning of the Exchange Online terms– “External sender” and “outside the organization“, read the following section: Dealing with an E-mail Spoof Attack in Office 365 based environment | Introduction | Part 1#12
  • Click on the – add condition.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -07

  • In the section named – and click on the small black arrow.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -08

  • Choose the primary menu – The sender…
  • In the submenu, select the option – domain is

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -09

In the specify domain window, add the required domain name that represents your organization.
In our specific scenario, the public domain name is – o365pilot.com

Note – Don’t forget to click on the plus icon to add the domain name.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -10

Click on the OK option to save the Exchange Online rule settings.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule condition -11

Part 2#2 – Configuring the “action part” of the Exchange Online Spoofed E-mail rule

In this phase, we will configure the “second part” of the Exchange Online rule, in which we define the required Exchange response (action) to a scenario of spoofed E-mail that sent to one of our organization recipients.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -01

In our situation, we wish to instruct Exchange Online to respond to the event in which
E-mail identified as Spoof E-mail by implementing the following actions

Action 1#3 – Prepend E-mail message subject.

  • In the section named – Do the following… click on the small black arrow

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -02

  • Choose the menu option – Prepend the subject of the message with…

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -03

In the text box – specify subject prefix, add the required prefix.

In our specific scenario, we will add the prefix – This E-mail is probably spoofed!

Note – there is a limitation for the maximum number of Characters.
The estimation is 32~ characters

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -04

Action 2#3 – Add a disclaimer to the E-mail message.

In this phase, we will add the “second action” in which we add a disclaimer to the E-mail message that identified as Spoof email.

  • Click on the add action option

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -05

In the section named – and click on the small black arrow

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -06

  • Choose the menu option of – Apply a disclaimer to the message…
  • In the submenu, choose the option – append to disclaimer

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -07

The configuration of the disclaimer includes two elements:

  1. The disclaimer text
  2. The fallback action
  • To add the required disclaimer message, click on the Enter text… link

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -08

In our scenario, the disclaimer text is:

Dear recipient

There is a high chance that the E-mail that you have received is a spoofed E-mail.
Please report this E-mail message to the security team!

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -09

  • To select the required fallback action, click on the link named – *Select one…

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -10

In our specific scenario, we choose the option of – wrap

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -11

Action 3#3 – Create an incident report and send it to a designated recipient.

  • Click on the option – add action

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -12

  • In the section named – *.and… click on the small black arrow.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -13

  • Choose the menu option – Generate incident report and send it to…

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -14

The settings of the incident report include two parameters:

  1. The name of the “destination recipient” which will get the incident report.
  2. The information fields that will be included within the incident report.
  • To add the required “destination recipient” name, click on the link – Select one…

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -15

  • In our specific scenario, the recipient who will get the incident report is Spoof E-mails mailbox.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -16

To select the information that will be included within the incident report, click on the link named-*include message properties

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -17

In our scenario, we will choose to include all the available message properties in the summary report + a copy of the “original Spoof E-mail message”.

  • Select the option – Select all

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -18

In the following screenshot, we can view the available options:

  • Part A – relates to the info that will appear in the incident report summary.
  • Part B – relates to the option of “attaching” copy of the original E-mail message to the incident report.

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -19

In the following screenshot, we can see the “final result” – the Exchange Online Spoof email that includes the two parts:

  • The condition part
  • The action part

Detect spoof E-mail - Prepend subject + Disclaimer - Exchange online rule -action -20

Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly

In this phase, we would like to test the Exchange Online Spoof E-mail rule that was created in the former step, and verify that the rule is working properly.

The required results from the Exchange Online Spoofed E-mail rule

Our desired expectations are – when Exchange Online identifies events in which E-mail messages that sent to our organization recipient have a high chance of being spoofed E-mail (spoofed sender), the Exchange Online Spoof E-mail rule will execute that following sequence of actions:

  1. Prepend the E-mail subject.
  2. Add a disclaimer to the E-mail.
  3. Generate an incident report, that will be sent to the E-mail address of the designated recipient\s. In our specific scenario, we ask to send the incident report to a designated recipient (shared mailbox named – Spoof E-mail mailbox).

Simulate a Spoof E-mail attack | Scenario characters

To be able to ensure that the Exchange Online Spoof E-mail rule is working properly, we will simulate a spoof E-mail attack that has the following characters:

  • A “hostile element” is trying to spoof the identity of a legitimate organization recipient named –Suzan using the E-mail address – [email protected]
  • The spoofed E-mail message will be sent to a legitimate organization user named Bob, which uses the E-mail address – [email protected]
Note – if you like to learn about the way that we use for simulating the E-mail spoof attack, you can read the article – How to Simulate E-mail Spoof Attack |Part 11#12

Step 1#2 – verifying that the spoofed E-mail subject was prepended + include a disclaimer.

In the following screenshot, we can see an example to a Spoof email that sent to Bob by “Suzan.”

Verifying That The Exchange rule Prepend add disclaimer Is Working Properly -01

When looking at the E-mail message content, we can the E-mail subject that includes the “original subject text” (in our particular example – “Hello Bob, it’s me, the company CEO, send me your bank account”), and the prepend text – “This E-mail probably spoofed!

The E-mail message body includes the disclaimer that configured in the Exchange Online Spoof email rule.

Verifying That The Exchange rule Prepend add disclaimer Is Working Properly -02

2#2 – verifying that an incident report sent to the designated recipient.

We can see that Exchange Online rule “capture” an event of Spoof E-mail.

As a result, an incident report was sent to the recipient name (Spoof E-mails mailbox) that configured in the Exchange Online rule.

Verifying That The Exchange rule Prepend add disclaimer Is Working Properly -03

In the following screenshot, we can see an example of the incident report E-mail.

When we look into the incident report, we can see that the incident report includes two parts:

  • The copy of the original E-mail message (A).
  • The incident report summary (B).

The incident report summary includes details such as:

  • Information about the generator of the incident report E-mail message – “This email was automatically generated by the Generate Incident Report action” (number 1).
  • Sender – the sender (the “source recipient”) that claim to be a legitimate organization recipient named –[email protected] (number 2).
  • To – the recipients (the destination recipient) is –[email protected] (number 3)
  • Rule Hit – the Exchange Online rule the “capture” the spoof E-mail event, and the action that was executed by the Exchange Online rule –”Detect spoof E-mail – Prepend subject and add Disclaimer, Action: PrependSubject, ApplyHtmlDisclaimer, GenerateIncidentReport” (number 4).

Verifying That The Exchange rule Prepend add disclaimer Is Working Properly -04

The next article in the current article series

In the next article – Detect Spoof E-mail And Send The Spoof E-mail To Administrative Quarantine Using Exchange Online Rule |Part 7#11, we will review how to create an Exchange Online rule that will identify events of spoofed E-mail and as a response, will – send the spoof E-mail to administrative quarantine.

Dealing with spoof E-mail – Office 365 | Article series index

Now it’s Your Turn!
It is important for us to know your opinion on this article

Summary
Detect spoof E-mail and add disclaimer using Exchange Online rule |Part 6#12
Article Name
Detect spoof E-mail and add disclaimer using Exchange Online rule |Part 6#12
Description
In the current article, we will review how to deal with Spoof mail by creating an Exchange rule that will identify incoming Spoof E-mail (spoofed sender). In such scenario, we would like to implement the following sequence of actions: Add a disclaimer to the E-mail message. Prepend the E-mail subject. Generate + send an incident report to a designated recipient.
Author
Publisher Name
o365info.com
Publisher Logo

Related Post

Please rate this

Eyal Doron on EmailEyal Doron on FacebookEyal Doron on GoogleEyal Doron on LinkedinEyal Doron on PinterestEyal Doron on RssEyal Doron on TwitterEyal Doron on WordpressEyal Doron on Youtube
Eyal Doron

Share your knowledge.

It’s a way to achieve immortality.

Dalai Lama


One Response to “Detect spoof E-mail and add disclaimer using Exchange Online rule |Part 6#12”

  1. How do you handle outbound messages that now have “external” in the subject when replying? Do you strip “external” string?

Leave a Reply

Your email address will not be published. Required fields are marked *