Detect spoof E-mail and mark the E-mail as spam using Exchange Online rule | Part 4#12

In the current article, we will review how to deal with Spoof mail by creating an Exchange rule that will identify incoming Spoof E-mail (spoofed sender).

In such a scenario, we would like to implement the following sequence of actions:

  1. Mark the E-mail as spam by setting the SCL (spam confidence level) value to 5.
  2. Generate + send an incident report to a designated recipient.

The characters of the Spoof mail attack scenario

The main characters of our specific scenario are:

Our CIO reports that he received an E-mail message, allegedly sent by a legitimate organization recipient (our company CFO), that asks him to transfer a substantial amount of money to a specific bank account number.

In reality, the organization recipient (our company CFO) didn’t send this E-mail message, and there is a high chance that the E-mail was sent by a hostile element that tries to attack our organization.

The business needs we need to accomplish

We don’t want to intervene in the mail flow because our main purpose is just to collect information about “events of Spoof E-mail”.

The E-mail message that is identified as a “potential Spoof E-mail” will be forwarded by Exchange Online to the destination organization recipient mailbox.

The information about the possible Spoof E-mail event will be logged and reported by using the Exchange Online rule option named – incident report.

In our scenario, we prefer not to delete or block an E-mail message that has the characteristics of a Spoof E-mail; instead, we prefer to let the “end user” decide if the particular mail item is a Spoof E-mail or not.

The action that we want to implement regarding mail items that look like a Spoof E-mail is to “stamp” the E-mail using an SCL value of 5.

When the E-mail reaches the user mailbox, the E-mail will be automatically sent to the junk mail folder.

Note: Although the information in the current article is written about an Office 365 (Exchange Online) based environment, most of the information is also relevant to an Exchange on-Premises based environment.

The business need and the goals that we need to accomplish are as follows:

  1. We want to identify events in which E-mail messages sent to our organization recipients have a high chance of being spoofed E-mail (spoofed sender).
  2. We don’t want to intervene in the mail flow. The decision about “what to do” with an E-mail message whose sender has a high chance of being spoofed will be left as a “user decision”.
  3. Our primary purpose is to inform the recipient that the E-mail message sent to him is considered a “problematic E-mail.” We want to “warn” the organization recipient by stamping the E-mail as “spam mail.”
  4. We want to send information + a sample of the Spoofed E-mail to a designated shared mailbox.
  5. We want a designated user (such as the Exchange Online administrator) to be able to access the shared mailbox that stores the incident reports, so that he can inspect and analyze the spoofed E-mail message.

What is the meaning of SCL?

The process of “stamping” or classifying a specific E-mail message as a “spam E-mail” is implemented by setting the value of the SCL.
SCL stands for Spam Confidence Level.
The Exchange server marks an E-mail message as a “safe E-mail” or a “spam E-mail” by assigning a specific number to the SCL value.

For example:

  • An SCL value of “-1” – the meaning of the SCL value “-1” is translated to “the specific E-mail message is totally safe and trusted”.
  • The SCL value of “5” – the meaning of the SCL value “5” is translated to – “the specific E-mail message is considered as spam mail”.

Note: The SCL value range is -1 up to 9.
In our particular scenario, we will use the value 5 for the SCL. Technically speaking, we can use other SCL values such as 6, 7, etc.

Using the option of Exchange Online rule

To accomplish this business requirement, we can create an Exchange Online rule that will inspect each incoming mail message and “capture” E-mail messages that have the characteristics of Spoof E-mail.

As a response, Exchange Online will:

  1. Set the SCL value of the E-mail message to “5”.
  2. Report the event to the designated recipient(s) by generating an incident report. The Exchange Online incident report will include a summary of the specific E-mail message characteristics + a copy of the original E-mail message.

The Exchange Online Spoofed E-mail rule structure and logic

The “trigger” that will activate the Exchange Online “Spoofed E-mail rule” will be based on the following two conditions (a combination of condition 1 + condition 2):

  1. An incoming E-mail message that is sent by a non-authenticated sender (a sender who doesn’t provide user credentials).
  2. A sender who presents himself by using an E-mail address that includes our public domain name. In our specific scenario, an E-mail address that includes the domain name –com

The “action” that will be executed by our Exchange Online “Spoofed E-mail rule” will include the following “parts”:

  • Action 1#2 – stamp the E-mail message as a spam E-mail by using the SCL value of “5”.
  • Action 2#2 – Generate + Send an incident report to the designated recipient (shared mailbox named – Spoof E-mail mailbox).

In the following diagram, we can see the sequence of actions that will be implemented by the Exchange Online Spoofed E-mail rule:

The logic of Exchange rule for detecting spoof E-mail – Mark as spam E-mail

When Exchange Online identifies E-mail messages that answer the description of “Spoofed E-mail,” the Exchange rule will activate the following sequence:

1. Exchange Online will – set the SCL value of the E-mail to “5.”

2. Exchange Online will – forward the E-mail message to the destination recipient mailbox without any intervention from the Exchange Online server side.

Detect spoof E-mail message and classify the E-mail as spam E-mail - Step 1 -2

3. Exchange Online will generate an incident report, which will be sent to the E-mail address of the designated recipient(s). In our scenario, we ask to send the incident report to a designated recipient (shared mailbox named – Spoof E-mail mailbox).

Detect spoof E-mail message and classify the E-mail as spam E-mail - Step 2 -2

Only authorized user(s) can access the “Spoof E-mail shared mailbox”. In our specific scenario, Brad (our Exchange Online administrator) will have access to the shared mailbox.

Configuring Exchange Online Rule That Will – Detect Spoof E-Mail Message and Raise The SCL Value to “5”

In the following section, we will provide “step by step” instructions for creating the required “Exchange Online Spoofed E-mail rule” that will answer our business needs.

Part 1#2 – configuring the “condition part” of the Exchange Online Spoofed E-mail rule

  • Log in to the Exchange admin portal
  • On the left menu bar, choose –mail flow
  • On the top menu bar, choose –rules
Login to Exchange Online admin portal and create a new rule ~01
  • Click on the plus icon
  • Choose – Create a new rule…
Login to Exchange Online admin portal and create a new rule ~02
  • In the Name: box, add a descriptive name for the new rule.
    In our specific scenario, we will name the rule – Detect Spoof E-mail & mark as spam
  • Click on the –More Options… link (by default, the interface of the Exchange Online rule includes only a limited set of options. To be able to display the additional options, we will need to “activate” the More Options…).
Detect spoof E-mail & mark as spam – the condition -02
  • In the section named –Apply this rule if… click on the small black arrow
Detect spoof E-mail & mark as spam – the condition -03

Condition 1#2

  • Choose the primary menu –The sender…
  • In the submenu, select the option –Is external/internal
Detect spoof E-mail & mark as spam – the condition -04
  • In the select sender location window, choose the option – Outside the organization.
    The term “outside the organization” relates to an unauthenticated sender, meaning – a sender that doesn’t provide user credentials to the mail server.
Detect spoof E-mail & mark as spam – the condition -05

Condition 2#2

Now, we will add an additional “layer” to the “rule condition”, in which we relate to a sender who uses an E-mail address that includes our domain name (o365pilot.com in our specific scenario).

If you would like to read more information about the meaning of the Exchange Online terms “External sender” and “outside the organization”, read the following section: Dealing with an E-mail Spoof Attack in Office 365 based environment | Introduction | Part 1#12

  • Click on the – add condition.
Detect spoof E-mail & mark as spam – the condition -06
  • In the section named – and, click on the small black arrow.
Detect spoof E-mail & mark as spam – the condition -07
  • Choose the primary menu – The sender…
  • In the submenu, select the option – domain is
Detect spoof E-mail & mark as spam – the condition -08

In the specify domain window, add the required domain name that represents your organization.
In our specific scenario, the public domain name is – o365pilot.com

Note – Don’t forget to click on the plus icon to add the domain name.

Detect spoof E-mail & mark as spam – the condition -09

Click on the OK option to save the Exchange Online rule settings.

Detect spoof E-mail & mark as spam – the condition -10

Part 2#2 – Configuring the “action part” of the Exchange Online Spoofed E-mail rule

In this phase, we will configure the “second part” of the Exchange Online rule, in which we define the required Exchange response (action) to a scenario of spoofed E-mail that is sent to one of our organization recipients.

Detect spoof E-mail & mark as spam – the action -01

In our scenario, we wish to instruct Exchange Online to respond to an event in which an E-mail is identified as Spoof E-mail by:

  1. Setting the SCL value of the E-mail message to “5”.
  2. Creating an incident report and sending it to a designated recipient: a shared mailbox named – Spoof E-mail mailbox.
  • In the section named – *Do the following… click on the small black arrow.
Detect spoof E-mail & mark as spam – the action -02
  • Choose the menu option – Modify the message properties…
  • In the submenu, choose the menu option – set the spam confidence level (SCL)
Detect spoof E-mail & mark as spam – the action -03
  • In the window named – specify SCL, we will choose the default value of “5”.
Detect spoof E-mail & mark as spam – the action -04
  • Click on the option –add action
Detect spoof E-mail & mark as spam – the action -05
  • In the section named – *Do the following… click on the small black arrow.
Detect spoof E-mail & mark as spam – the action -06
  • Choose the menu option –Generate incident report and send it to…
Detect spoof E-mail & mark as spam – the action -07

The settings of the incident report include two parameters:

  1. The name of the “destination recipient” which will get the incident report.
  2. The information fields that will be included in the incident report.
  • To add the required “destination recipient” name, click on the link –Select one…
Detect spoof E-mail & mark as spam – the action -08
  • In our specific scenario, the recipient who will get the incident report is Spoof E-mails mailbox.
Detect spoof E-mail & mark as spam – the action -09

To select the information that will be included within the incident report, click on the link named – *include message properties

Detect spoof E-mail & mark as spam – the action -10

In our scenario, we will choose to include all the available message properties in the summary report + a copy of the “original Spoof E-mail message”.

  • Select the option –Select all
Detect spoof E-mail & mark as spam – the action -11

In the following screenshot, we can view the available options:

  • Part A – relates to the info that will appear in the incident report summary.
  • Part B – relates to the option of “attaching” a copy of the original E-mail message to the incident report.
Detect spoof E-mail & mark as spam – the action -12

In the following screenshot, we can see the “final result” – the Exchange Online Spoof E-mail rule that includes the two parts:

  • The condition part
  • The action part
Detect spoof E-mail & mark as spam – the action -13
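
The same condition and action parts can be created from Exchange Online PowerShell instead of the admin portal. The following is an added example, not part of the original article; it assumes an open Exchange Online PowerShell session, and the report mailbox address is a placeholder for the “Spoof E-mail mailbox” shared mailbox.

```powershell
# Added example: PowerShell equivalent of the rule built in the portal above.
# Assumes a session opened with Connect-ExchangeOnline
# (ExchangeOnlineManagement module).

$ruleName      = 'Detect Spoof E-mail & mark as spam'
$ownDomain     = 'o365pilot.com'
# Placeholder address for the "Spoof E-mail mailbox" shared mailbox (assumption).
$reportMailbox = 'spoof-reports@o365pilot.com'

$ruleSettings = @{
    Name                   = $ruleName
    # Condition 1#2: the sender is outside the organization
    FromScope              = 'NotInOrganization'
    # Condition 2#2: the sender's domain is our own public domain
    SenderDomainIs         = $ownDomain
    # Action 1#2: stamp the message with SCL 5
    SetSCL                 = 5
    # Action 2#2: send an incident report to the shared mailbox
    GenerateIncidentReport = $reportMailbox
    # "Select all": every summary field plus a copy of the original message
    IncidentReportContent  = @(
        'Sender', 'Recipients', 'Subject', 'Cc', 'Bcc', 'Severity',
        'Override', 'RuleDetections', 'FalsePositive',
        'DataClassifications', 'IdMatch', 'AttachOriginalMail'
    )
}

# Create the rule only if a rule with this name does not exist yet.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Warning "Rule '$ruleName' already exists; nothing was changed."
}
else {
    New-TransportRule @ruleSettings | Out-Null
}

# Show the condition and action parts so they can be compared with the portal view.
Get-TransportRule |
    Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, FromScope, SenderDomainIs, SetSCL,
                GenerateIncidentReport, IncidentReportContent
```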

Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly |Spoof mail is stamped using SCL 5

In this phase, we would like to test the Exchange Online Spoof E-mail rule that was created in the previous step, and verify that the rule is working properly.

The required results from the Exchange Online Spoofed E-mail rule

Our expectation is that when Exchange Online identifies events in which E-mail messages sent to our organization recipients have a high chance of being spoofed E-mail (spoofed sender), the Exchange Online Spoof E-mail rule will execute the following sequence of actions:

  1. Set the SCL value of the E-mail message to “5”
  2. Forward the E-mail message to the destination recipient mailbox without any intervention from the Exchange Online server side.
  3. Generate an incident report that is sent to the E-mail address of the designated recipient(s). In our specific scenario, we ask to send the incident report to a designated recipient (shared mailbox named – Spoof E-mail mailbox).

Simulate a Spoof E-mail attack | Scenario characters

To ensure that the Exchange Online Spoof E-mail rule is working properly, we will simulate a spoof E-mail attack that has the following characteristics:

  • A “hostile element” is trying to spoof the identity of a legitimate organization recipient named –Suzan using the E-mail address – Suzan@o365pilot.com
  • The spoofed E-mail message will be sent to a legitimate organization user named Bob, which uses the E-mail address – Bob@o365pilot.com

If you would like to learn about the method that we use for simulating the E-mail spoof attack, you can read the article – How to Simulate E-mail Spoof Attack | Part 11#12

1#3 – verifying that the Spoof E-mail was sent to the destination recipient.

As mentioned, we don’t want to intervene in the mail flow.
The decision about “what to do” with an E-mail message whose sender has a high chance of being spoofed will be left as a “user decision.”

In the following screenshot, we can see an E-mail message that was sent by Suzan to Bob.
The E-mail was sent to the Junk mail folder because Exchange “stamped” the E-mail using the SCL value of “5”.

Verifying That The Exchange -SCL Spoofed E-Mail Rule Is Working Properly -01

When looking at the E-mail that was sent to the junk mail folder, we can see the following information:

This message marked as spam using a junk filter other than the Outlook junk E-mail filter

The meaning is that the “other Junk E-mail filter” is the Exchange Online server.

Verifying That The Exchange -SCL Spoofed E-Mail Rule Is Working Properly -02

2#3 – verifying that the SCL value of the E-mail message is “5”

If we want to verify that Exchange Online stamps the E-mail using an SCL value of 5, we can analyze the content of the E-mail header.

To be able to view the value of the SCL (spam confidence level), we can look at the E-mail header.

In the following section, we will see how to access the information in the E-mail header and then we will analyze the data by using the ExRCA (Exchange remote connectivity analyzer) tool.

  • Open the specific E-mail message whose SCL value you want to check
Analyzing the E-mail message header by using ExRCA -01
  • Choose the File menu
  • Choose the property option
Analyzing the E-mail message header by using ExRCA -02

In the section named – internet headers, we can see the content of the E-mail header.

To be able to analyze the data, we will copy the information.

  • Select all the information by using the Keyboard key combination – CTRL + A
  • Copy the information by using the Keyboard key combination – CTRL + C
Analyzing the E-mail message header by using ExRCA -03

Now, we will access the ExRCA (Exchange remote connectivity analyzer) tool.

  • Choose the tab – Message Analyzer
  • In the white space, paste the information that was copied in the previous step by using the Keyboard key combination – CTRL + V
  • Choose the option –Analyze headers
Analyzing the E-mail message header by using ExRCA -04

In the following screenshot, we can see the results.

The value of the information field named – X-MS-Exchange-Organization-SCL is “5”.
In other words, the SCL value is equal to “5”.

Analyzing the E-mail message header by using ExRCA -05
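
The same check can be made without the web tool by reading the X-MS-Exchange-Organization-SCL field directly from the copied headers. The following is an added example, not part of the original article; the function name and the sample headers are constructed for illustration.

```powershell
# Added example: extract the SCL stamp from pasted Internet headers.
# Get-SclFromHeaders is a hypothetical helper, not an Exchange cmdlet.
function Get-SclFromHeaders {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [int]$ExpectedScl = 5   # the value our rule sets
    )

    # Unfold continuation lines: a line that starts with a space or tab
    # belongs to the header field on the previous line.
    $unfolded = $RawHeaders -replace '\r?\n[ \t]+', ' '

    $from = $null
    $scl  = $null
    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -eq '') { break }   # blank line = end of the header block
        if ($line -match '^From:\s*(.+)$') {
            $from = $Matches[1].Trim()
        }
        elseif ($line -match '^X-MS-Exchange-Organization-SCL:\s*(-?\d+)\s*$') {
            $scl = [int]$Matches[1]
        }
    }

    [pscustomobject]@{
        From        = $from
        Scl         = $scl
        MatchesRule = ($null -ne $scl -and $scl -eq $ExpectedScl)
    }
}

# Constructed sample headers (not taken from a real message).
$sampleHeaders = @'
Received: from mail.example.net (192.0.2.10) by
 mx.example.org with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: Suzan <Suzan@o365pilot.com>
To: Bob@o365pilot.com
Subject: Urgent transfer
X-MS-Exchange-Organization-SCL: 5
'@

Get-SclFromHeaders -RawHeaders $sampleHeaders
```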

3#3 – verifying that an incident report was sent to the designated recipient

We can see that the Exchange Online rule “captured” an event of Spoof E-mail. As a result, an incident report was sent to the recipient (Spoof E-mails mailbox) that is configured in the Exchange Online rule.

Verifying That The Exchange -SCL Spoofed E-Mail Rule Is Working Properly -03

In the following screenshot, we can see an example of the incident report E-mail.

When we look into the incident report, we can see that the incident report includes two parts:

  • The copy of the original E-mail message (A).
  • The incident report summary (B).

The incident report summary includes details such as:

  • Information about the generator of the incident report E-mail message – “This email was automatically generated by the Generate Incident Report action” (number 1).
  • The sender (the “source recipient”) that claims to be a legitimate organization recipient named – Suzan@o365pilot.com (number 2).
  • The recipient (the destination recipient) is – Bob@o365pilot.com (number 3).
  • Rule Hit – the Exchange Online rule that “captured” the spoof E-mail event and the action that was executed by the Exchange Online rule – “Detect spoof E-mail & mark as spam, Action: SetHeader, GenerateIncidentReport” (number 4).
Verifying That The Exchange -SCL Spoofed E-Mail Rule Is Working Properly -04

Check out our video: https://www.youtube.com/watch?v=8_O4_OhQjjk

The next article in the current article series

Read the next article – Detect Spoof E-mail And Delete The Spoof E-mail Using Exchange Online Rule |Part 5#12

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.