Prevent outsider from spoofing your domain internally

November 14, 2018 | by iaur | posted in Exchange Online, Protection

Scenario

  • You received an email from someone in your organization (internally), but the sender confirmed they took no such action
  • There is a suspicious email coming from a colleague (any member of your organization) asking for sensitive information
  • You have analyzed the header and saw a suspicious originating host (an SMTP relay, or anything that is not your own email hosting)

Steps

Transport rules help trap and mitigate the possible damage of a malicious inbound email before it reaches your internal users' inboxes. Using them is one way to prevent an outsider from spoofing your domain internally.

Bad actors normally design this kind of unsolicited campaign using a non-standard SMTP application, which makes it easy to spoof your domain so the message appears to have come in as internal email.

Access Exchange Admin Center > Mail Flow > rules > Create a new rule > click More options (to show all the conditions and actions).
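The same rule expressed in Exchange Online PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module; "contoso.com", the relay IP ranges and the mailbox name are placeholders for your own accepted domain, your documented third-party senders and your security team's address.

```powershell
# Added example (not from the original post): transport rule that catches mail
# claiming to be From: our own domain while entering from outside the organization.
Connect-ExchangeOnline

$ownDomain     = "contoso.com"                           # placeholder: your accepted domain
$trustedRelays = @("203.0.113.10", "198.51.100.0/24")    # placeholder: relays that legitimately send as your domain
$ruleName      = "Quarantine external spoofing of $ownDomain"

# Condition: sender domain is ours AND the message is from outside the organization
#            (an unauthenticated connection, which is how a spoofed "internal" email arrives).
# Exception: known relays (ticketing systems, newsletters, on-prem relays), so legitimate mail survives.
# Action:    quarantine rather than delete, so a false positive can still be released.
# Mode:      start in Audit so message trace shows what would have matched before you enforce it.
New-TransportRule -Name $ruleName `
    -SenderDomainIs $ownDomain `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $trustedRelays `
    -Quarantine $true `
    -Mode Audit `
    -Comments "Blocks external messages spoofing $ownDomain. Review in Audit mode, then Enforce."

# Optional tightening based on the header indicator discussed later in the post
# (conditions are AND-ed, so this narrows the rule to messages whose SPF result is a softfail):
#   -HeaderContainsMessageHeader "Authentication-Results" -HeaderContainsWords "softfail"

# Confirm the rule as created, then switch it on once the audit results look clean
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Conditions, Exceptions, Actions
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

While the rule is in Audit mode, a message trace on a known spoofed sample will show the rule matched without the quarantine action being applied.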


Misc

SMTP Relay used for Spoofing

Firstly, SMTP relay does not use a handshake the way the Office 365 portals or an application login do: as long as the credentials of the authenticated user on the application server are accurate, smtp.office365.com will be triggered to send the email.

In addition, the Office 365 audit logs and the AD sign-in features only capture activity on the platform, for instance access to an online service. You will instead find the authenticity of an inbound email by checking your message trace and the first hop in the email headers.

Lastly, if the email communication is within the organization (sender and receiver both have domain.com), the message will not leave Office 365 and will not be sent from the internet.

In conclusion,

The headers below are among the most common indications of a spoofed email, and the information you can take advantage of to prevent an outsider from spoofing your domain internally:

  • SMTP
  • Anonymous
  • Authentication results showing softfail

Reference

Moreover in EXOL Protection
