In the current article, we will review how to deal with spoofed mail by creating an Exchange Online rule that identifies incoming spoofed E-mail (spoofed sender).
In this scenario, we want to implement the following sequence of actions:
- Delete (reject) the E-mail.
- Generate and send an incident report to a designated recipient.
Dealing with spoofed E-mail office 365 | Article Series
- Dealing with an E-mail spoof attack | general introduction | Office 365 based environment | Part 1#12
- Detect Spoof E-mail And Send An Incident Report Using Exchange Online Rule | Part 2#12
- Configuring exceptions for the Exchange Online Spoof E-mail rule | Part 3#12
- Detect Spoof E-mail And Mark The E-mail as spam Using Exchange Online Rule | Part 4#12
- Detect Spoof E-mail And Delete The Spoof E-mail Using Exchange Online Rule | Part 5#12
- Detect Spoof E-mail – Prepend The Subject Of The Spoof E-mail + Add Disclaimer Using Exchange Online Rule | Part 6#12
- Detect Spoof E-mail And Send The Spoof E-mail To Administrative Quarantine Using Exchange Online Rule | Part 7#12
- Detect Spoof E-mail And Raise the SCL value to “9” – Send E-mail To Quarantine Using Exchange Online Rule | Part 8#12
- Analyzing The Results Of The Exchange Spoof E-mail rule | Part 9#12
- How to Simulate E-mail Spoof Attack | Part 10#12
- How to Simulate E-mail Spoof Attack | Part 11#12
- Report Spoof E-mail And Send E-mail For Inspection In Office 365 | Part 12#12
In our scenario, we prefer to block (reject) E-mail messages that have the characteristics of spoofed E-mail.
The information about the possible spoofed E-mail event will be logged and reported by using the Exchange Online rule option named incident report.
The main characteristics of our specific scenario are:
Our CIO reports that he received an E-mail message allegedly sent by a legitimate organization recipient (our company CFO) asking him to transfer a substantial amount of money to a specific bank account number.
In reality, the organization recipient (our company CFO) didn’t send this E-mail message, and there is a high chance that the E-mail was sent by a hostile element trying to attack our organization.
The business needs
The business needs and the goals that we need to accomplish are as follows:
- We want to identify events in which E-mail messages sent to our organization recipients have a high chance of being spoofed E-mail (spoofed sender).
- We want to prevent the “spoofed E-mail” from reaching the organization user’s mailbox by deleting E-mail that is probably spoofed.
- We don’t wish to inform the recipient about the event in which a spoofed E-mail sent to him was deleted.
- We want to send information and a sample of the spoofed E-mail to a designated shared mailbox.
- We want selected users (such as the Exchange Online administrator) to be able to access the shared mailbox that stores the incident reports, so they can inspect and analyze the spoofed E-mail message.
The Exchange Online Spoofed E-mail rule structure and logic
The “trigger” that will activate the Exchange Online “Spoofed E-mail rule” is based on the following two conditions (a combination of condition 1 + condition 2):
- An incoming E-mail message that is sent by a non-authenticated sender (a sender who doesn’t provide user credentials to the mail server).
- A sender who presents himself by using an E-mail address that includes our public domain name. In our specific scenario, an E-mail address that includes the domain name o365pilot.com.
In the following diagram, we can see the sequence of actions that will be implemented by the Exchange Online Spoofed E-mail rule:
The “action” that will be executed by our Exchange Online “Spoofed E-mail rule” includes the following “parts”:
1. Block the E-mail message from reaching the organization user’s mailbox.
2. Generate an incident report that is sent to the E-mail address of the designated recipient(s). In our scenario, we send the incident report to a designated recipient (a shared mailbox named Spoof E-mail mailbox).
Only authorized users can access the “Spoof E-mail shared mailbox”. In our scenario, Brad (Brad is our Exchange Online administrator) will have access to the shared mailbox.
Configuring Exchange Online Rule That Will Detect Spoof E-Mail Message and delete the Spoof E-mail
In the following section, we provide “step by step” instructions for creating the required “Exchange Online Spoofed E-mail rule” that will answer our business needs.
Part 1#2 – configuring the “condition part” of the Exchange Online Spoofed E-mail rule
- Log in to the Exchange admin portal.
- On the left menu bar, choose mail flow.
- On the top menu bar, choose rules.
- Click on the plus icon.
- Choose Create a new rule…
- In the Name: box, add a descriptive name for the new rule.
In our specific scenario, we will name the rule Detect Spoof E-mail & block.
- Click on the More Options… link (by default, the interface of the Exchange Online rule includes only a limited set of options; to display the additional options, we need to “activate” More Options…).
- In the section named Apply this rule if…, click on the small black arrow.
- Choose the primary menu The sender…
- In the submenu, select the option Is external/internal.
- In the select sender location window, choose the option Outside the organization.
The term “outside the organization” refers to an un-authenticated sender, meaning a sender that doesn’t provide user credentials to the mail server.
Now, we will add an additional “layer” to the “rule condition”, which refers to the sender who uses an E-mail address that includes our domain name (o365pilot.com in our specific scenario).
- Click on add a condition.
- In the section named and, click on the small black arrow.
- Choose the primary menu The sender…
- In the submenu, select the option domain is.
In the Specify Domain window, add the required domain name that represents your organization.
In our specific scenario, the public domain name is o365pilot.com.
Note – Don’t forget to click on the plus icon to add the domain name.
Click on the OK option to save the Exchange Online rule settings.
Part 2#2 – Configuring the “action part” of the Exchange Online Spoofed E-mail rule
In this phase, we will set the “second part” of the Exchange Online rule, in which we define the required Exchange response (action) to a scenario of spoofed E-mail sent to one of our organization recipients.
In our situation, we wish to instruct Exchange Online to respond to the event in which an E-mail is identified as spoofed E-mail by implementing the following actions:
Action 1#2 – Reject (block) the Spoof E-mail
- In the section named Do the following…, click on the small black arrow.
- Choose the menu option Block the message…
- In the submenu, choose the menu option Delete the message without notifying anyone.
Action 2#2 – Create an incident report and send it to a designated recipient
- Click on the option add action.
- In the section named and…, click on the small black arrow.
- Choose the menu option Generate incident report and send it to…
The settings of the incident report include two parameters:
- The name of the “destination recipient” that will get the incident report.
- The information fields that will be included in the incident report.
- To add the required “destination recipient” name, click on the link Select one…
- In our specific scenario, the recipient who will get the incident report is Spoof E-mails mailbox.
To select the information that will be included within the incident report, click on the link named include message properties.
In our scenario, we choose to include all the available message properties in the summary report, plus a copy of the “original Spoof E-mail message”.
- Select the option Select all.
In the following screenshot, we can view the available options:
- Part A – relates to the information that will appear in the incident report summary.
- Part B – relates to the option of “attaching” a copy of the original E-mail message to the incident report.
In the following screenshot, we can see the “final result” – the Exchange Online Spoof E-mail rule that includes the two parts:
- The condition part
- The action part
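The same rule can be created from Exchange Online PowerShell instead of the admin center. The following block is an added example and is not taken from the article: it reproduces the two conditions (sender outside the organization, sender domain is our own domain) and the two actions (delete without notification, generate an incident report with all message properties and a copy of the original message) described in Part 1#2 and Part 2#2 above. It assumes the ExchangeOnlineManagement module is installed, that the account running it holds a role allowed to manage transport rules, and that the address of the “Spoof E-mails mailbox” is a placeholder, since the article names the mailbox but does not give its address.

```powershell
# Added example (not from the original article): builds the "Detect Spoof E-mail & block"
# rule with New-TransportRule instead of the Exchange admin center GUI.
# Assumptions: ExchangeOnlineManagement module installed; the running account may manage
# transport rules; the shared-mailbox address below is a placeholder.
Connect-ExchangeOnline

$orgDomain     = 'o365pilot.com'                # public domain used in the article
$reportMailbox = 'spoof-emails@o365pilot.com'   # PLACEHOLDER address for the "Spoof E-mails mailbox"

$ruleParams = @{
    Name                   = 'Detect Spoof E-mail & block'
    # Condition 1: the sender is outside the organization, i.e. did not authenticate.
    FromScope              = 'NotInOrganization'
    # Condition 2: the sender address carries our own public domain.
    SenderDomainIs         = $orgDomain
    # Action 1: delete the message without notifying anyone.
    DeleteMessage          = $true
    # Action 2: generate an incident report and send it to the shared mailbox.
    GenerateIncidentReport = $reportMailbox
    # "Select all" in the GUI: every summary property plus the original message as an attachment.
    IncidentReportContent  = @('Sender', 'Recipients', 'Subject', 'Cc', 'Bcc', 'Severity',
                               'Override', 'RuleDetections', 'FalsePositive',
                               'ClassificationDisplayName', 'IdMatch', 'AttachOriginalMail')
    # Enforce applies the actions; 'Audit' would only log hits, which is useful while tuning.
    Mode                   = 'Enforce'
    Comments               = 'External mail that claims to come from our own domain is deleted; report to spoof mailbox.'
}

New-TransportRule @ruleParams

# Read the rule back to confirm both conditions and both actions were stored as intended.
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, State, Mode, FromScope, SenderDomainIs,
                DeleteMessage, GenerateIncidentReport, IncidentReportContent
```

Two points worth keeping in mind when running this: the condition as written also matches legitimate third-party services that send mail on the organization’s behalf using the organization’s domain, which is the subject of the exceptions article (Part 3#12) in this series, and setting Mode to 'Audit' before 'Enforce' lets you watch the rule hits in the message trace for a while without deleting anything.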
Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly
In this phase, we would like to test the Exchange Online Spoof E-mail rule that was created in the former step and verify that the rule is working properly.
The required results from the Exchange Online Spoofed E-mail rule
Our expectation is that when Exchange Online identifies events in which E-mail messages sent to our organization recipients have a high chance of being spoofed E-mail (spoofed sender), the Exchange Online Spoof E-mail rule executes the following sequence of actions:
- Delete the spoofed E-mail message.
- Generate an incident report that is sent to the E-mail address of the designated recipient(s). In our specific scenario, we send the incident report to a designated recipient (a shared mailbox named Spoof E-mail mailbox).
Simulate a Spoof E-mail attack | Scenario characteristics
To ensure that the Exchange Online Spoof E-mail rule is working properly, we will simulate a spoof E-mail attack with the following characteristics:
- A “hostile element” is trying to spoof the identity of a legitimate organization recipient named Suzan, who uses the E-mail address [email protected]
- The spoofed E-mail message is sent to a legitimate organization user named Bob, who uses the E-mail address [email protected]
1#2 – Delete the Spoof E-mail message
Because the spoofed E-mail was deleted by Exchange Online, we can only look at a “trace” of the event by using the Exchange Online message trace option.
In the following screenshot, we can see that Exchange Online managed to identify the spoofed E-mail message.
The status of the E-mail message is “Failed” because the E-mail message wasn’t delivered to the destination recipient’s mailbox (it was deleted by Exchange Online).
To get more information about the mail flow, we can double-click on the log row.
Now we can see details about the event:
- In the “mail flow graph”, we can see that the E-mail message was not delivered.
- The status report includes detailed information about the reason for “blocking” the specific E-mail message.
In case we want even more specific details about the mail flow, we can view the information in the bottom part (part C).
2#2 – verifying that an incident report was sent to the designated recipient
We can see that the Exchange Online rule “captured” an event of spoofed E-mail. As a result, an incident report was sent to the recipient (Spoof E-mails mailbox) configured in the Exchange Online rule.
In the following screenshot, we can see an example of the incident report E-mail.
When we look into the incident report, we can see that it includes two parts:
- The copy of the original E-mail message (A).
- The incident report summary (B).
The incident report summary includes details such as:
- Information about the generator of the incident report E-mail message – “This email was automatically generated by the Generate Incident Report action” (number 1).
- Sender – the sender (the “source recipient”) that claims to be a legitimate organization recipient named [email protected] (number 2).
- To – the recipient (the destination recipient) is [email protected] (number 3).
- Rule Hit – the Exchange Online rule that “captured” the spoofed E-mail event and the action that was executed by the Exchange Online rule – “Detect spoof E-mail & block, Action: AuditSeverityLevel, DeleteMessage, GenerateIncidentReport” (number 4).
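The message-trace check in step 1#2 can also be done from Exchange Online PowerShell, which is handy when you want to verify the rule repeatedly or for many test messages. The block below is an added example, not part of the original article. It assumes a session opened with Connect-ExchangeOnline, and the spoofed sender address is a placeholder standing in for the address of the impersonated user (Suzan) used in the simulated attack.

```powershell
# Added example (not from the original article): verifies that the spoof rule fired by
# reading the message trace for the simulated spoofed message.
# Assumptions: Connect-ExchangeOnline has already been run; the sender address is a
# PLACEHOLDER for the spoofed From address used in the test.
$spoofedSender = 'suzan@o365pilot.com'   # PLACEHOLDER: spoofed sender address from the simulation
$start = (Get-Date).AddHours(-1)         # message trace is queried over a time window
$end   = Get-Date

$trace = Get-MessageTrace -SenderAddress $spoofedSender -StartDate $start -EndDate $end

# The article shows the message with Status "Failed": deleted by the rule, never delivered.
$blocked = $trace | Where-Object { $_.Status -eq 'Failed' }
$blocked | Format-Table Received, SenderAddress, RecipientAddress, Subject, Status -AutoSize

# Drill into each blocked message to see the transport-rule event, which carries the
# "reason for blocking" the article reads from the status report.
foreach ($m in $blocked) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Where-Object { $_.Event -like '*rule*' } |
        Format-List Date, Event, Action, Detail
}

# Anything from the spoofed sender that was NOT failed would indicate a gap in the rule
# (for example an exception matching too broadly), so surface it explicitly.
$trace | Where-Object { $_.Status -ne 'Failed' } |
    Format-Table Received, RecipientAddress, Subject, Status -AutoSize
```

The last query is the useful negative check: a rule that deletes spoofed mail is only as good as its exceptions, so listing any message from the impersonated address that still reached a mailbox tells you immediately whether the simulation slipped past the rule.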
The next article in the current article series
In the next article – Detect Spoof E-mail – Prepend The Subject Of The Spoof E-mail + Add Disclaimer Using Exchange Online Rule | Part 6#12 – we will review how to create an Exchange Online rule that identifies events of spoofed E-mail and, as a response, prepends the subject of the spoofed E-mail and adds a spoofed E-mail disclaimer.