How can I effectively block malicious spoofed emails in Office 365?

Asked By FrustratedTechie92 On

I'm really frustrated with these spoofed emails we're receiving every day in Office 365. They come from our own [email protected] address with the subject 'Incoming messages suspended!!!', and there are 200+ recipients on each email. It's a total mess because even though the SPF and DMARC checks fail, I can't block them entirely without also blocking legitimate emails from customers and vendors who have their setups wrong.

I've tried blocking them with a rule based on the subject line, but it doesn't seem to work at all despite following Microsoft's documentation. I also tried putting the suspected IP address in our deny policy and creating a new rule to catch mails coming from that domain ('kagoya.net') in the 'helo' header, but I'm unsure if this is even a valid header to use.

Are there any other effective strategies for stopping these spoofed emails? I would also like to know if there's a way to send warnings for SPF or DMARC failures to alert users without blocking the emails entirely.

5 Answers

Answered By EmailNinja2023 On

Spoofing your own address is tricky! Instead of just trying to block that specific email, how about setting up a rule to quarantine any external mail coming from your own domain? You can try using this setting:

- Apply rule if: sender's address domain belongs to mycompany.com
- Do the following: Send to quarantine
- Except if: Is received from inside the organization.

This won't stop all impersonation, but it can help reduce them significantly. For your specific subject line, try just using 'Incoming message suspended' without the special characters—it might perform better!

CleverAdmin34 -

This is a solid idea! Are there any potential drawbacks to this approach?

TechieWhisperer -

Good point about the '!'. It might indeed be a regex operator messing things up. You should definitely test this!

Answered By SecurityGuru88 On

You mentioned your rule didn't trigger properly—did you check how long after activation you waited to test? Sometimes there can be delays with mail flow rules, so just give it a little time. If you're still not seeing results, there might be something in the rule configuration that's off.

FrustratedTechie92 -

Haha, I totally forgot about that! I think I waited about 14 hours. It's just frustrating how convoluted it can get.

Answered By QuarantineQueen On

I set up a mail flow rule that catches any external emails masquerading as internal ones by including our domain. This has kept most spoofed emails in quarantine. Also, I append a banner for all external emails that alerts users to potential risks. You might want to consider that for the SPF and DMARC failures too!

CleverAdmin34 -

Make sure you set a clear deadline for the rule unless it's just defaulting to some invisible limit! Also, check if there's anything weird about scanning emails with over 100 recipients.
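The quarantine rule EmailNinja2023 describes and the external-warning banner QuarantineQueen mentions, written as Exchange Online PowerShell. This is an added example, not code from any poster in the thread; it assumes Connect-ExchangeOnline has already been run, that mycompany.com is a placeholder for the real accepted domain, and it adds one exception the posts do not mention: mail that carries a dmarc=pass result is left alone so authorized third-party senders using the domain are not quarantined.

```powershell
# Added example (not from any poster). Requires the ExchangeOnlineManagement module
# and an existing Connect-ExchangeOnline session. "mycompany.com" is a placeholder.
$OwnDomain = "mycompany.com"

# Rule 1: quarantine mail that uses our own domain in the sender address but
# arrives from outside the organization. Messages whose Authentication-Results
# header already records dmarc=pass (assumed legitimate third-party senders) are
# excepted so they are not caught by the rule.
New-TransportRule -Name "Quarantine external mail spoofing $OwnDomain" `
    -SenderDomainIs $OwnDomain `
    -ExceptIfFromScope InOrganization `
    -ExceptIfHeaderContainsMessageHeader "Authentication-Results" `
    -ExceptIfHeaderContainsWords "dmarc=pass" `
    -Quarantine $true `
    -Comments "External senders using our own domain in the From address"

# Rule 2: warn rather than block. Exchange Online stamps an Authentication-Results
# header on inbound mail; when it records an SPF or DMARC failure, tag the subject
# and prepend an HTML banner so the recipient is alerted but still gets the message.
New-TransportRule -Name "Warn on SPF or DMARC failure" `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "spf=fail", "dmarc=fail" `
    -PrependSubject "[External - authentication failed] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p style='color:red'>Warning: this message failed SPF or DMARC checks. Treat links and attachments with caution.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 1

# Confirm both rules exist and are enabled; rules can take some time to
# propagate, so test with a message sent after they show State = Enabled.
Get-TransportRule |
    Where-Object { $_.Name -like "Quarantine external mail spoofing*" -or $_.Name -eq "Warn on SPF or DMARC failure" } |
    Format-Table Name, State, Priority, SenderDomainIs, FromScope, Quarantine
```

Rule 1 runs before rule 2 because of its lower priority number, so a spoofed message is quarantined before the warning banner would be applied.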

Answered By NetworkSavant On

You might want to look into your DMARC policy. Is it set to 'none'? If you can, change it to 'reject' or 'quarantine'—that could help with filtering out unwanted messages more effectively.

FrustratedTechie92 -

Our DMARC is more focused on outgoing emails right now, but I see your point.

Answered By FedUpTechie On

Honestly, the capabilities in Exchange Online for blocking spoofed emails may not be as robust as you'd hope. It’s often more effective to enable spoof protection and add domain impersonation rules if you have Defender for Office 365. This should handle SPF, DKIM, and DMARC checks more reliably. Additionally, IP-based blocking could be more effective than regex or header matching.
