
Detect spoof E-mail and send the spoof E-mail to — USER quarantine using Exchange Online rule |Part 8#12

In the current article, we will review how to deal with a Spoof E-mail scenario in an Office 365 environment by creating an Exchange Online rule that identifies Spoofed E-mail (a spoofed sender) and, as a response, “routes” this E-mail to the Exchange Online user quarantine.
In our scenario, we don’t want to allow the E-mail to be delivered to the organization user’s mailbox.

Instead, we would like to route E-mail that has the characteristics of Spoof E-mail to a “secured area” or an “isolated area” that can be accessed by the user himself and also by an authorized representative such as the Exchange Online administrator.

Besides “routing” the Spoof E-mail to the Exchange Online quarantine, we would like to implement a notification procedure in which we notify the “destination recipient” and our representative that a Spoof E-mail was sent to quarantine.

  1. The “recipient notification” will be implemented by a custom E-mail message that we will create and that the Exchange Online rule will send.
  2. The information about the possible Spoof E-mail event will be logged and reported by using the Exchange Online rule option named – incident report.

The main characteristics of the Spoof E-mail attack scenario:

Our CIO reports that he got an E-mail, allegedly sent by a legitimate organization recipient (our company CFO), that asks him to transfer a substantial amount of money to a specific bank account number.

In reality, the organization recipient (our company CFO) didn’t send this E-mail message, and there is a high chance that the E-mail was sent by a hostile element that is trying to attack our organization.

The business needs

The business needs and the goals that we need to accomplish are as follows:

  1. We want to identify events in which E-mail messages sent to our organization recipients have a high chance of being spoofed E-mail (spoofed sender).
  2. We wish to prevent Spoofed E-mail from reaching the organization user’s mailbox.
  3. We don’t want to delete the E-mail message that looks like a spoofed E-mail. Instead, we want to send the Spoofed E-mail to a “restricted area”, meaning – the Exchange Online user quarantine.
  4. We want to enable the “destination recipient” (the recipient who should have got the E-mail message before it was sent to quarantine) to access “his quarantine space”, view the E-mail message and decide what to do with it.
  5. The Exchange Online user quarantine is accessible to the specific recipient to whom the E-mail was sent before it was routed to the Exchange Online quarantine, and also to an authorized representative such as the Exchange Online administrator.
  6. We want to notify the destination recipient that an E-mail message sent to him was classified as spoofed E-mail and sent to the Exchange Online quarantine.
  7. We want to send information about the Spoof E-mail, plus a sample of the Spoofed E-mail, to a designated shared mailbox by using the Exchange Online option of the incident report.
  8. We want a selected user (such as the Exchange Online administrator) to be able to access the shared mailbox that stores the incident reports, so he can inspect and analyze the spoofed E-mail message.

Exchange Online – user quarantine vs. administrative quarantine

Exchange Online offers two types of “quarantine”.

  • The Exchange Online administrative quarantine can be accessed only by users with the required permissions, such as the Exchange Online administrator. Only the Exchange Online administrator has the “right” to access the quarantine and decide if he wants to release a particular E-mail message from the quarantine space back to the user mailbox.
  • The Exchange Online user quarantine can be accessed by the user to whom the quarantined E-mail message was sent, and also by users with the required permissions such as the Exchange Online administrator. When using the Exchange Online user quarantine, the user can decide by himself if he wants to “release” a particular mail item from the quarantine back into his mailbox.

Q: What is the difference in the process that Exchange Online implements for an E-mail message that is sent to the Exchange Online user quarantine vs. the administrative quarantine?

A:

  • An E-mail message can be “sent” to the user quarantine by the Exchange Online component described as the Exchange Online spam filter.
  • An E-mail message can be “sent” to the administrative quarantine by using an Exchange Online rule.

A short description of the Exchange Online spam filter

The Exchange Online spam filter component can be considered a part of EOP (Exchange Online Protection).

The Exchange Online spam filter enables us to define our desired policy regarding E-mail messages that have a specific SCL value.

Although the term SCL stands for – spam confidence level, the purpose of the SCL is to classify the “risk level” of a particular E-mail item.

A specific E-mail item can be considered problematic or dangerous not just because the E-mail is considered spam, but for many other reasons, such as an E-mail message that is recognized as a Spoof E-mail, an E-mail message that can be regarded as a Phishing E-mail, an E-mail message that is sent by a mail server with a bad reputation, and so on.

The SCL value range that is used by Exchange Online is -1 up to 9.

  • An SCL value of 2-5 is assigned to an E-mail message with a low or medium risk level.
  • An SCL value of 6-9 is assigned to an E-mail message with a high risk level.

Let’s assume that Exchange Online (or EOP, if we want to be more accurate) decides to “stamp” an E-mail message with a specific SCL value ranging between 2-9.

Q: What is Exchange Online configured to “do” with such E-mail messages?

A: The default setting of the Exchange Online spam filter is to forward E-mail messages to the destination recipient mailbox regardless of their SCL value.

For example, even when the SCL value of a specific E-mail message is higher than 1 (2-9), the E-mail message will be sent to the recipient without any intervention from the Exchange Online server.

The Exchange Online server is considered “neutral”. Its primary job is to “stamp” the E-mail message with a specific “risk level value” (the SCL value); the decision of “what to do” with a problematic or dangerous E-mail message is a “user decision”.

Most of the time, when the mail user application such as Outlook or OWA recognizes that the E-mail has a high SCL value (2-9), the mail application will send the E-mail to the junk mail folder.

Changing the default Exchange Online spam filter policy

The Exchange Online administrator can change the default settings of the Exchange Online spam filter and “instruct” the Exchange Online spam filter to implement other actions for E-mail that has a specific SCL value.

For example, we can define a configuration setting in which the Exchange Online spam filter will send an E-mail message whose SCL value is between 6-9 to the Exchange Online quarantine instead of delivering the E-mail to the user mailbox.

The combination of Exchange Online rule + Exchange Online spam filter

As mentioned, the ability to send an E-mail message to the Exchange Online user quarantine (the quarantine space that can be accessed by the recipient) can be implemented only if we change the default response of the Exchange Online spam filter and instruct the Exchange Online spam filter to send E-mail messages with a specific SCL value to the quarantine.

To be able to implement our desired scenario, in which Spoof E-mail will be sent to the Exchange Online user quarantine, we will use a little trick.

The first phase will be – change the default setting of the Exchange Online spam filter so that an E-mail message that has a high SCL value, meaning a value between 6-9, will automatically be sent to the Exchange Online user quarantine instead of being forwarded to the recipient mailbox.

In the next phase, we will create an Exchange Online rule, which will “stamp” Spoof E-mail with the SCL value of “9”.

The flow that will be implemented will be:

  1. An E-mail message is classified as Spoof E-mail by the Exchange Online rule.
  2. The Exchange Online rule stamps the E-mail message with the SCL value of “9”.
  3. The Exchange Online spam filter recognizes that the specific E-mail message has the SCL value of “9”, and for this reason, it sends the E-mail message to the Exchange Online user quarantine.

The Exchange Online Spoofed E-mail rule structure and logic

The Exchange Online rule trigger

The “trigger” that will activate the Exchange Online “Spoofed E-mail rule” will be based on the following two conditions (a combination of condition 1 + condition 2):

  1. An incoming E-mail message that is sent by a non-authenticated sender (a sender who doesn’t provide user credentials).
  2. A sender who presents himself by using an E-mail address that includes our public domain name. In our specific scenario, an E-mail address that includes the domain name – com

The Exchange Online rule response

Before we start with the description of the Exchange Online rule flow, let’s start with the first step, in which we change the default setting of the Exchange Online spam filter.

In our scenario, we will change the default setting of the section named – “High confidence spam”, which relates to E-mail messages whose SCL value is between 6 and 9.

We will instruct the Exchange Online spam filter to send this type of E-mail message to the Exchange Online user quarantine.

send Spoof E-mail to Exchange Online user quarantine by using Exchange Online rule -04

The Exchange Online user quarantine is an “isolated space” that can be accessed by the Exchange Online recipient (each Exchange Online recipient has his own private quarantine space), and the Exchange Online administrator can also access the quarantine space.

Exchange Online user quarantine

send Spoof E-mail to Exchange Online user quarantine by using Exchange Online rule -05

The “action” that will be executed by our Exchange Online “Spoofed E-mail rule” will include the following “parts”:

1. Identify E-mail that has the characteristics of Spoofed E-mail

2. The Exchange Online rule will change\update the SCL value of the Spoof E-mail to “9”.

Notice that the fact that the SCL value of the E-mail is “9” will cause the Exchange Online spam filter to route the E-mail to the Exchange Online user quarantine instead of sending the E-mail to the recipient mailbox.

send Spoof E-mail to Exchange Online user quarantine by using Exchange Online rule -01

3. Send a custom E-mail notification to the destination recipient

Inform the target recipient that an E-mail that was sent to him was identified as Spoof E-mail and sent to administrative quarantine.

The Exchange Online rule will generate a custom E-mail notification message, which is sent to the destination recipient who was supposed to receive the E-mail (the E-mail that was identified as spoofed E-mail and sent to the quarantine).

In our particular scenario, we will create a custom E-mail notification and use HTML code to make the notification message easy to understand and useful to our organization recipients.

send Spoof E-mail to Exchange Online user quarantine by using Exchange Online rule -02

4. Generate an incident report

The Exchange Online rule will generate an incident report that is sent to the E-mail address of the designated recipient\s. In our scenario, we ask to send the incident report to a designated recipient (a shared mailbox named – Spoof E-mail mailbox).

Only authorized user\s can access the “Spoof E-mail shared mailbox”. In our specific scenario, Brad (Brad is our Exchange Online administrator) will have access to the shared mailbox.

send Spoof E-mail to Exchange Online user quarantine by using Exchange Online rule -03

In the following diagram, we can see the sequence of actions that is implemented by the Exchange Online Spoofed E-mail rule:

Diagram image coming soon: The logic of Exchange Spoof E-mail rule that Send Spoofed E-mail – USER quarantine

Note: Although the information in the current article is written about an Office 365 (Exchange Online) based environment, most of the information is also relevant to an Exchange on-Premises based environment.

Configuring the default setting of the Exchange Online spam filter

In the following section, we will change the default settings of the Exchange Online spam filter by setting the spam filter to send an E-mail message with a high SCL value to quarantine.

  • Log in to the Exchange admin portal
  • On the left menu bar, choose – protection
  • On the top menu bar, choose – spam filter
Update the default Exchange Online spam policy -01
  • Choose the menu – spam and bulk actions
  • In the section named – High confidence spam, click on the small black arrow
Update the default Exchange Online spam policy -02
  • Choose the option of – Quarantine message
Update the default Exchange Online spam policy -03

In the following screenshot, we can see the result:

  • An E-mail message with a “low SCL” (2-5) will be sent to the destination recipient mailbox.
  • An E-mail message with a “High SCL” (6-9) will be sent to the Exchange Online quarantine.
Update the default Exchange Online spam policy -04

Configuring The Exchange Online Spoofed E-Mail Rule | Send To user Quarantine | Send custom E-Mail Notification to the end user | Generate An Incident Report

In the following section, we will provide “step by step” instructions for creating the required “Exchange Online Spoofed E-mail rule” that will answer our business needs.

Part 1#2 – Configuring the “condition part” of the Exchange Online Spoofed E-mail rule

  • Log in to the Exchange admin portal
  • On the left menu bar, choose – mail flow
  • On the top menu bar, choose – rules
Login to Exchange Online admin portal and create a new rule ~01
  • Click on the plus icon
  • Choose – Create a new rule…
Login to Exchange Online admin portal and create a new rule ~02
  • In the Name: box, add a descriptive name for the new rule.
    In our specific scenario, we will name the rule – Detect Spoof E-mail – Send to user Quarantine
  • Click on the – More Options… link (by default, the interface of the Exchange Online rule includes only a limited set of options. To be able to display the additional options, we need to “activate” More Options…).
Detect Spoof E-mail & Send to user Quarantine -condition -03
  • In the section named – Apply this rule if…, click on the small black arrow
Detect Spoof E-mail & Send to user Quarantine -condition -04

Condition 1#2

  • Choose the primary menu – The sender…
  • In the submenu, select the option – Is external/internal
Detect Spoof E-mail & Send to user Quarantine -condition -05
  • In the select sender location window, choose the option – Outside the organization.
    The term “outside the organization” relates to an un-authenticated sender, meaning – a sender that doesn’t provide user credentials to the mail server.
Detect Spoof E-mail & Send to user Quarantine -condition -06

Condition 2#2

Now, we will add an additional “layer” to the “rule condition”, in which we relate to a sender who uses an E-mail address that includes our domain name (o365pilot.com in our specific scenario).

If you would like to read more about the meaning of the Exchange Online terms “External sender” and “outside the organization”, read the following section: Dealing with an E-mail Spoof Attack in Office 365 based environment | Introduction | Part 1#12

  • Click on the – add condition.
Detect Spoof E-mail & Send to user Quarantine -condition -07
  • In the section named – and, click on the small black arrow.
Detect Spoof E-mail & Send to user Quarantine -condition -08
  • Choose the primary menu – The sender…
  • In the submenu, select the option – domain is
Detect Spoof E-mail & Send to user Quarantine -condition -09

In the specify domain window, add the required domain name that represents your organization.
In our specific scenario, the public domain name is – o365pilot.com

Note – Don’t forget to click on the plus icon to add the domain name.

Detect Spoof E-mail & Send to user Quarantine -condition -10

Click on the OK option to save the Exchange Online rule settings.

Detect Spoof E-mail & Send to user Quarantine -condition -11

Part 2#2 – Configuring the “action part” of the Exchange Online Spoofed E-mail rule

In this phase, we will configure the “second part” of the Exchange Online rule, in which we define the required Exchange response (action) to a scenario of spoofed E-mail that is sent to one of our organization recipients.

Detect Spoof E-mail & Send to user Quarantine - action -01

In our situation, we wish to instruct Exchange Online to respond to the event in which an E-mail is identified as Spoof E-mail by implementing the following actions:

1#3 – Stamp the E-mail message that was identified as a Spoof E-mail with the SCL value of “9”.

  • In the section named – Do the following…, click on the small black arrow
Detect Spoof E-mail & Send to user Quarantine - action -02
  • Choose the menu option – Modify the message properties…
  • In the submenu, choose the menu option – set the spam confidence level (SCL)
Detect Spoof E-mail & Send to user Quarantine - action -03

In the window named – specify SCL, we will choose the default value of “9”.

Detect Spoof E-mail & Send to user Quarantine - action -04
  • Choose OK to save the configuration settings
Detect Spoof E-mail & Send to user Quarantine - action -05

2#3 – Create an E-mail notification that is sent to the destination recipient.

In this step, we will define the action that sends a mail notification to the Exchange Online recipient who was supposed to get the E-mail message.

  • Click on the option – add action
Detect Spoof E-mail & Send to user Quarantine - action -B01
  • In the and section, click on the small black arrow
Detect Spoof E-mail & Send to user Quarantine - action -B02
  • Choose the menu option – Notify the recipient with a message…
Detect Spoof E-mail & Send to user Quarantine - action -B03

This is an example of the content of the custom E-mail notification message.

Detect Spoof E-mail & Send to user Quarantine - action -B04

In the “provide the message text” window, add the required E-mail notification text.

Technically, the content of the E-mail notification can be a simple text message.
In our scenario, I have prepared an E-mail notification using an HTML format.

If you want to download an example of the HTML format that I have used, you can download the example from the following link

Detect Spoof E-mail & Send to user Quarantine - action -B05

3#3 – Create an incident report and send it to a designated recipient.

In this step, we will define the “last action”, in which we instruct Exchange Online to generate and send an incident report to a designated recipient.

  • Click on the option – add action
Detect Spoof E-mail & Send to user Quarantine - action -C01
  • In the section named – and…, click on the small black arrow.
Detect Spoof E-mail & Send to user Quarantine - action -C02
  • Choose the menu option – Generate incident report and send it to…
Detect Spoof E-mail & Send to user Quarantine - action -C03

The settings of the incident report include two parameters:

  1. The name of the “destination recipient” that will get the incident report.
  2. The information fields that will be included within the incident report.
  • To add the required “destination recipient” name, click on the link – Select one…
Detect Spoof E-mail & Send to user Quarantine - action -C04
  • In our specific scenario, the recipient who will get the incident report is the Spoof E-mails mailbox.
Detect Spoof E-mail & Send to user Quarantine - action -C05

To select the information that will be included within the incident report, click on the link named – include message properties

Detect Spoof E-mail & Send to user Quarantine - action -C06

In our scenario, we will choose to include all the available message properties in the summary report, plus a copy of the “original Spoof E-mail message”.

  • Select the option – Select all
Detect Spoof E-mail & Send to user Quarantine - action -C07

In the following screenshot, we can view the available options:

  • Part A – relates to the info that will appear in the incident report summary.
  • Part B – relates to the option of “attaching” a copy of the original E-mail message to the incident report.
Detect Spoof E-mail & Send to user Quarantine - action -C08

In the following screenshot, we can see the “final result” – the Exchange Online Spoof E-mail rule that includes the two parts:

  • The condition part
  • The action part
Detect Spoof E-mail & Send to user Quarantine - action -C09
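The two phases described above (changing the spam filter policy, then creating the rule with its two conditions and three actions) can also be done from Exchange Online PowerShell, which makes the configuration reviewable and repeatable. The following is an added example and not the article’s own code: it assumes you have already run Connect-ExchangeOnline (ExchangeOnlineManagement module), it takes the domain o365pilot.com, the rule name and the administrator name Brad from the article, the incident-report address spoof-emails-mailbox@o365pilot.com is an assumed address for the shared mailbox (the article names the mailbox but not its address), and the HTML notification body is a constructed sample.

```powershell
# Added example, not the article's own code. Assumes an existing Connect-ExchangeOnline session.

# Phase 1: change the default spam filter policy so that high-confidence spam (SCL 6-9)
# goes to the user quarantine instead of the recipient mailbox.
Set-HostedContentFilterPolicy -Identity Default -HighConfidenceSpamAction Quarantine

# Verify the change before relying on it; the rule below depends on this setting.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List Name, SpamAction, HighConfidenceSpamAction

# Constructed notification body (HTML), sent by the rule to the intended recipient.
# The quarantine URL is the one the article gives for the personal quarantine.
$notification = @"
<html><body>
<h3>Warning: an E-mail sent to you was classified as a spoofed E-mail</h3>
<p>The message was not delivered to your mailbox. You can review it in your personal quarantine:
<a href="https://admin.protection.outlook.com/quarantine">https://admin.protection.outlook.com/quarantine</a></p>
<p>If you need more information about this event, contact the Exchange Online administrator (Brad).</p>
</body></html>
"@

# Assumed address of the "Spoof E-mails mailbox" shared mailbox from the article.
$incidentReportMailbox = 'spoof-emails-mailbox@o365pilot.com'

# Phase 2: the Spoofed E-mail rule.
#   Condition 1: sender is outside the organization (did not authenticate).
#   Condition 2: sender domain is our own public domain.
#   Actions: stamp SCL 9, notify the recipient, generate an incident report with all
#   message properties and a copy of the original message.
New-TransportRule -Name 'Detect Spoof E-mail - Send to user Quarantine' `
    -FromScope NotInOrganization `
    -SenderDomainIs 'o365pilot.com' `
    -SetSCL 9 `
    -GenerateNotification $notification `
    -GenerateIncidentReport $incidentReportMailbox `
    -IncidentReportContent Sender, Recipients, Subject, Cc, Bcc, Severity, Override, RuleDetections, FalsePositive, ClassificationSummary, IncludeOriginalMail `
    -Comments 'Suspected spoofed sender: route to user quarantine via SCL 9, notify recipient, report incident'

# Verify the stored conditions and actions, as Exchange interpreted them.
Get-TransportRule -Identity 'Detect Spoof E-mail - Send to user Quarantine' |
    Format-List Name, State, Priority, FromScope, SenderDomainIs, SetSCL,
                GenerateIncidentReport, IncidentReportContent
```

Two practical notes: this rule matches every unauthenticated message whose sender domain is o365pilot.com, so any legitimate external service that sends mail as your domain (a newsletter platform, a scanner, a ticketing system) will be quarantined too, and the verification step above is where you check the final condition set before enabling the rule in production. Rule order also matters; if other transport rules already act on the same messages, compare their Priority values in the Get-TransportRule output.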

Verifying That The Exchange Online Spoofed E-Mail Rule Is Working Properly

In this phase, we would like to test the Exchange Online Spoof E-mail rule created in the previous step and verify that the rule is working properly.

The required results from the Exchange Online Spoofed E-mail rule

Our expectation is – when Exchange Online identifies events in which E-mail messages sent to our organization recipients have a high chance of being spoofed E-mail (spoofed sender), the Exchange Online Spoof E-mail rule will execute the following sequence of actions:

  1. Identify the event of – incoming E-mail messages that have the characteristics of spoof E-mail.
  2. Stamp the E-mail message with the SCL value of “9”.
  3. Send a custom E-mail notification message to the destination recipient (Bob in our specific scenario) notifying him that a Spoof E-mail was sent to him. The E-mail message will include a link to the Exchange Online user quarantine.
  4. Generate an incident report that will be sent to the E-mail address of the designated recipient\s. In our specific scenario, we ask to send the incident report to a designated recipient (a shared mailbox named – Spoof E-mail mailbox).

Simulate a Spoof E-mail attack | Scenario characters

To be able to ensure that the Exchange Online Spoof E-mail rule is working properly, we will simulate a spoof E-mail attack that has the following characteristics:

  • A “hostile element” is trying to spoof the identity of a legitimate organization recipient named – Suzan, using the E-mail address – Suzan@o365pilot.com
  • The spoofed E-mail message will be sent to a legitimate organization user named Bob, who uses the E-mail address – Bob@o365pilot.com

If you would like to learn about the way we simulate the E-mail spoof attack, you can read the article – How to Simulate E-mail Spoof Attack |Part 11#12

1#6 – Verifying that a custom E-mail notification message was sent to the destination recipient

In the following screenshot, we can see an example of the custom E-mail notification that was sent to the destination recipient by the Exchange Online rule.


The custom E-mail notification includes a couple of “parts”:

  1. The upper part (part A) includes the “warning notification”, which informs the recipient that an E-mail message that was sent to him is probably Spoof E-mail.
  2. The second part (part B) includes a link to the “personal quarantine”, so it is easier for the recipient to access his personal quarantine. The URL address of the personal quarantine is: https://admin.protection.outlook.com/quarantine
  3. The third part (part C) includes a report summary of the E-mail message.
  4. The bottom part (part D) includes information about the “contact persons” that the recipient can contact in case he needs more information about the specific event.


2#6 – Verifying that the spoofed E-mail was sent to the user quarantine and that the recipient can access the user quarantine.

To be able to view the content of the Exchange Online user quarantine, the user can use the following link: https://admin.protection.outlook.com/quarantine

The recipient can decide that a particular E-mail is a legitimate E-mail and release it to his mailbox, or leave the E-mail in the quarantine.


3#6 – Verifying that the Exchange Online spam filter sent an E-mail notification to the recipient

In case the E-mail was sent to the Exchange Online quarantine by the Exchange Online spam filter, the Exchange Online spam filter is responsible for generating and sending an E-mail notification to the recipient that includes links to the E-mail items stored in the Exchange Online user quarantine.

In the following screenshot, we can see an example of such an E-mail message.


4#6 – Verifying that the spoofed E-mail was sent to the quarantine and that the Exchange Online administrator can view the E-mail.

To be able to view the content of the Exchange Online quarantine, we will log in to the Exchange Online administrative portal.

  • On the left sidebar menu, choose the menu – protection
  • On the top bar menu, choose the menu – quarantine

In the following screenshot, we can see the content of the Exchange Online administrative quarantine.

We can see that the E-mail message that was sent from Suzan@o365pilot.com (the recipient we use for simulating the spoofed E-mail attack) was “captured” by the Exchange Online Spoofed E-mail rule and sent to the Exchange Online administrative quarantine.


The Exchange Online administrator can view the E-mail message that was sent to the administrative quarantine and decide if he wants to send the E-mail to its “original destination”, meaning the recipient mailbox.


5#6 – Verifying that the Exchange Online rule stamps the E-mail message with the SCL value of “9”.

In case we want to check the process in which the Exchange Online rule stamps the E-mail message with an SCL value of “9”, we can analyze the content of the E-mail header.

In the following section, we will see how to access the information in the E-mail header, and then we will analyze the data by using the ExRCA (Exchange Remote Connectivity Analyzer) tool.

  • Open the specific E-mail message whose SCL value you want to check


  • Choose the File menu
  • Choose the Properties option


In the section named – Internet headers, we can see the content of the E-mail header.

To be able to analyze the data, we will copy the information.

  • Select all the information by using the keyboard key combination – CTRL + A
  • Copy the information by using the keyboard key combination – CTRL + C


Now, we will access the ExRCA (Exchange Remote Connectivity Analyzer) tool.

  • Choose the tab – Message Analyzer
  • In the white space, paste the information that was copied in the previous step by using the keyboard key combination – CTRL + V
  • Choose the option – Analyze headers


In the following screenshot, we can see the results.

The value of the information field named – X-MS-Exchange-Organization-SCL is “9”.
In other words, the SCL value is equal to “9”.
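Pasting headers into the Message Analyzer works for one message at a time; when you are verifying the rule against several test messages, it is quicker to parse the header block locally. The following is an added example and not the article’s own code: a PowerShell function that unfolds the header lines, picks out the From/To fields, the X-MS-Exchange-Organization-SCL stamp the article checks, and the X-MS-Exchange-Organization-AuthAs header (the value Anonymous corresponds to the “outside the organization” condition, meaning the sender did not authenticate). The header text in $sampleHeaders is a constructed sample built around the article’s Suzan/Bob scenario; its host names, addresses and date are made up.

```powershell
# Added example, not the article's own code. Parses a pasted Internet-headers block and
# reports what the Spoofed E-mail rule and the spam filter did to the message.

function Get-SpoofRuleEvidence {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold header continuation lines: a line starting with a space or tab continues the previous field.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '

    # Keep only the first occurrence of each field name (Received repeats; the SCL header should not).
    $fields = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9\-]+):\s*(.*)$') {
            $name = $Matches[1].ToLowerInvariant()
            if (-not $fields.ContainsKey($name)) { $fields[$name] = $Matches[2].Trim() }
        }
    }

    $scl = $null
    if ($fields.ContainsKey('x-ms-exchange-organization-scl')) {
        $scl = [int]$fields['x-ms-exchange-organization-scl']
    }

    [pscustomobject]@{
        From          = $fields['from']
        To            = $fields['to']
        # "Anonymous" = the submitting side did not authenticate, i.e. the rule's
        # "outside the organization" condition applied to this message.
        AuthAs        = $fields['x-ms-exchange-organization-authas']
        SCL           = $scl
        # With the spam filter change made in this article, SCL 6-9 goes to the user quarantine.
        Quarantined   = ($null -ne $scl -and $scl -ge 6)
        # The rule sets exactly 9, so 9 is the value to expect on a message it matched.
        StampedByRule = ($scl -eq 9)
    }
}

# Constructed sample header block (documentation-reserved host names and IP addresses).
$sampleHeaders = @"
Received: from mail.example.invalid (192.0.2.10) by
 EOP01.example.invalid (192.0.2.20) with Microsoft SMTP Server;
 Mon, 1 Jan 2018 10:00:00 +0000
From: Suzan <Suzan@o365pilot.com>
To: Bob <Bob@o365pilot.com>
Subject: Urgent wire transfer
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 9
"@

Get-SpoofRuleEvidence -RawHeaders $sampleHeaders
```

For the sample above the function returns SCL 9, AuthAs Anonymous, Quarantined True and StampedByRule True. On a real message, paste the text copied from the Internet headers section into $RawHeaders; a message that shows SCL 9 but AuthAs Internal would indicate the rule matched something other than an unauthenticated sender and is worth a second look at the rule’s conditions.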


6#6 – Verifying that an incident report was sent to the designated recipient.

We can see that the Exchange Online rule “captured” an event of Spoof E-mail.

As a result, an incident report was sent to the recipient (Spoof E-mails mailbox) that was configured in the Exchange Online rule.


In the following screenshot, we can see an example of the incident report E-mail.

When we look into the incident report, we can see that the incident report includes two parts:

  • The copy of the original E-mail message (A).
  • The incident report summary (B).

The incident report summary includes details such as:

  • Information about the generator of the incident report E-mail message – “This email was automatically generated by the Generate Incident Report action” (number 1).
  • The sender (the “source recipient”) that claims to be a legitimate organization recipient named – Suzan@o365pilot.com (number 2).
  • The recipient (the destination recipient) – Bob@o365pilot.com (number 3).
  • Rule Hit – the Exchange Online rule that “captured” the spoof E-mail event, and the actions that were executed by the Exchange Online rule – “Detect Spoof E-mail & Send to user Quarantine, Action: SetHeader, GenerateNotification, GenerateIncidentReport” (number 4).


Watch our YouTube video: Detect spoof E-mail and send E-mail to User Quarantine using Exchange Online rule | 6#7

The next article in the current article series

In the next article – Analyzing The Results Of The Exchange Spoof E-mail rule |Part 9#12, we will review how to analyze the results of the Exchange Spoof E-mail rule by exporting the information about the Exchange Online mail flow to a CSV file using the Exchange message trace.

o365info Team


This article was written by our team of experienced IT architects, consultants, and engineers.