How can I block these annoying spoofed emails in Office 365?

Asked By TechGuru42 On

I'm really frustrated with this constant issue in Office 365. Every day, I receive an email with the subject line "Incoming messages suspended!!!" that seems to be spoofing my own company's email address, [email protected]. This email gets sent to over 200 recipients at once. I checked the SPF and DMARC settings, and it's a fail in the header. Unfortunately, I can't fully block all SPF failures because a portion of our customers and vendors have incorrect setups, so I need to keep them accessible.

I attempted to block it by creating a rule that filters based on the subject line, since it doesn't change, but it hasn't worked at all. I even tried to set up specific rules based on sender IP and the 'helo' header, but I'm not sure if that's a viable method. Does anyone have suggestions on how to prevent these spoofed emails from hitting our inboxes? I would also love a way to notify users about SPF or DMARC failures without stopping email delivery altogether.

5 Answers

Answered By SecureEmailPro1 On

It's frustrating dealing with those spoofed emails! It sounds like you have the right idea with creating rules, but remember to set a rule for all external emails that look like they're from your domain to go straight to quarantine. It won't stop every impersonation attempt, but it should help a lot.

As for your specific blocking rule, try simplifying it by searching for just "Incoming message suspended" without the special characters like exclamation points. I think that might yield better results.

EmailNinja71 -

Good suggestion! I might set that up today. What do you think are the drawbacks of doing it this way?

ITWhizKid99 -

Definitely keep it simple! Sometimes those regex characters can cause issues.

Answered By BlockingMaster3000 On

Quick question - what exactly didn't work with your rule? Did it fail to detect the email, or did it not execute the actions you wanted? Also, be patient after creating rules; it can take several hours before they kick in. Just something to keep in mind while you're troubleshooting!

EmailWhisperer -

Yeah, their systems can be sluggish. Check if there are any logs showing if your rule was triggered.

TechGuru42 -

I should have anticipated delays with Microsoft! It's been about 14 hours since I set it up, but emails are still coming through.

Answered By EmailExpert99 On

Have you considered setting up a mail flow rule to catch any emails with a high recipient count? You could also temporarily block that subject for some time. Personally, any email with SPF or DKIM failures goes into quarantine first. This way, it gives your recipients a heads-up without outright blocking the email.

SecurityScout15 -

Indeed, creating a thorough policy for handling those failures is key!

DataProtect007 -

That's a solid approach! Have you encountered any limits with that rule?

Answered By MrAntiSpam On

It sounds like your DMARC is set too lenient. If possible, try switching it to reject or quarantine mode. It should help filter out suspicious emails much more effectively. As for the banner, that can actually be appended using a mail flow rule too! Just add an HTML snippet for a warning banner on your emails.

TechGuru42 -

Thanks for the tip! I'll look into changing the DMARC policy.

InfoSleuth -

Great idea! A banner could really help in raising awareness without blocking emails outright.
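The three suggestions above (quarantine external mail that spoofs your own domain, match the lure subject without its punctuation, and warn on SPF/DMARC failures with a banner instead of blocking) as Exchange Online mail flow rules. This is an added example, not code posted by anyone in the thread; it assumes an already-open Connect-ExchangeOnline session, and contoso.com, partner.example and the rule names are placeholders to replace with your own.

```powershell
# Added example: Exchange Online mail flow rules matching the advice in this
# thread. Assumes an open Connect-ExchangeOnline session. contoso.com,
# partner.example and the rule names are placeholders; substitute your own.
$ownDomain      = 'contoso.com'         # placeholder: your accepted domain
$brokenSpfPeers = @('partner.example')  # placeholder: vendors with known-bad SPF

# 1. External mail that claims to come from our own domain AND fails SPF or
#    DMARC goes to hosted quarantine. Scoping on the authentication result
#    (rather than on every external use of the domain) keeps third-party
#    senders that are listed in our SPF record deliverable, and the exception
#    list covers partners whose SPF is known to be broken.
New-TransportRule -Name 'Quarantine spoof of own domain' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -SenderDomainIs $ownDomain `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'spf=fail', 'dmarc=fail' `
    -ExceptIfSenderDomainIs $brokenSpfPeers `
    -Quarantine $true `
    -StopRuleProcessing $true

# 2. The lure subject, matched as plain words with the "!!!" dropped as
#    suggested above; word matching is case-insensitive and does not require
#    the trailing punctuation that a literal string would have to reproduce.
New-TransportRule -Name 'Quarantine "Incoming messages suspended" lure' `
    -Priority 1 `
    -FromScope NotInOrganization `
    -SubjectContainsWords 'Incoming messages suspended' `
    -Quarantine $true `
    -StopRuleProcessing $true

# 3. Everything else that fails authentication is still delivered, but with a
#    warning banner prepended so recipients get the heads-up the asker wanted.
$banner = '<div style="background:#fff3cd;border:1px solid #c00;padding:8px;">' +
          'CAUTION: this external message failed sender authentication ' +
          '(SPF or DMARC). Confirm with the sender before acting on it.</div>'
New-TransportRule -Name 'Banner on SPF/DMARC failure' `
    -Priority 2 `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'spf=(fail|softfail)', 'dmarc=fail' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Confirm the rules are enabled and ordered; rule hits appear in message trace
# details only after the rule has propagated, which can take hours.
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State
```

The quarantine rule sits at priority 0 with StopRuleProcessing so a spoofed internal sender never reaches the banner rule, while the banner rule alone covers the vendors and customers whose SPF you cannot fix.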

Answered By EmailTroubleshooter On

I've been in your shoes. The Exchange Online rules can be tricky, especially when trying to filter based on headers like 'helo' or SPF failures. You might have better luck with Microsoft’s Defender for Office 365 if you have that option, as it has more robust protections against spoofing. Also, instead of focusing on headers, try blocking by sender IP—it tends to yield better results than string matches.
