
Prevent outsider from spoofing your domain internally

November 14, 2018 | by iaur | posted as Exchange Online, Protection


  • You received an email from someone in your organization (internally), but the sender confirms they took no such action
  • There's a suspicious email coming from a colleague (any member of your organization) asking for sensitive information
  • You analyzed the header and saw a suspicious originating host (an SMTP relay or anything not from your own email hosting)


Transport rules help trap a malicious inbound email and mitigate possible damage before it reaches your internal users' inboxes. Using them is one way to prevent outsiders from spoofing your domain internally.

Bad actors normally design this kind of unsolicited campaign using a non-standard SMTP application, which makes it easier to spoof your domain and make the email look as if it were coming in as an internal email.

In the Exchange Admin Center, go to Mail Flow > rules > Create a new rule, then click more options (to show all conditions and actions below).



SMTP Relay used for Spoofing

Firstly, an SMTP relay doesn't use handshakes the way Office 365 portals or application logins do; as long as the credentials of the authenticated user are accurate on the application server, the relay will be triggered to send the email.

In addition, the Office 365 audit logs and AD sign-in features only capture activity on the platform, for instance access to online services. You can verify the authenticity of an inbound email by checking your message trace and the first hop of the email headers.

Lastly, if the email communication is within or (sender and receiver has message will not go out of Office 365 or will not be send from the internet

In conclusion, the headers below are among the most common indications of a spoofed email, and they give you information you can use to prevent outsiders from spoofing your domain internally.



If the authentication results show softfail
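The header checks described above (an internal From domain, a softfail in the authentication results, and a first hop outside your own email hosting) can be scripted for triage. This is an added example, not part of the original post; the domain `contoso.example`, the host suffix `.mailhost.example` and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "contoso.example"              # assumption: your accepted domain
OWN_HOST_SUFFIXES = (".mailhost.example",)  # assumption: hosts of your own mail hosting

# Constructed sample: internal-looking From, SPF softfail, first hop is an outside relay.
SPOOFED = """\
Received: from mx1.mailhost.example (10.0.0.5) by mx2.mailhost.example;
 Wed, 14 Nov 2018 09:00:03 +0000
Received: from relay.bulkmailer.example (203.0.113.25) by mx1.mailhost.example;
 Wed, 14 Nov 2018 09:00:01 +0000
Authentication-Results: spf=softfail (sender IP is 203.0.113.25)
 smtp.mailfrom=contoso.example; dkim=none; dmarc=fail header.from=contoso.example
From: "Finance Team" <finance@contoso.example>
To: user@contoso.example
Subject: Payroll details needed

(body omitted)
"""
# Constructed sample: the same message submitted through the organization's own hosting.
INTERNAL = (SPOOFED.replace("relay.bulkmailer.example", "client1.mailhost.example")
            .replace("spf=softfail", "spf=pass").replace("dmarc=fail", "dmarc=pass"))

def first_hop_host(msg):
    """Received headers are prepended in transit, so the last one is the first hop."""
    received = msg.get_all("Received") or [""]
    m = re.match(r"\s*from\s+(\S+)", received[-1], re.I)
    return m.group(1).lower() if m else None

def spoof_indicators(raw):
    """Return the spoofing indicators found in a message claiming an internal sender."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != OWN_DOMAIN:
        return []  # does not claim to be internal, so out of scope for this check
    findings = []
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    spf = re.search(r"\bspf=(\w+)", auth, re.I)
    if spf and spf.group(1).lower() in ("softfail", "fail"):
        findings.append(f"spf={spf.group(1).lower()}")
    host = first_hop_host(msg)
    if host and not host.endswith(OWN_HOST_SUFFIXES):
        findings.append(f"first hop outside own hosting: {host}")
    return findings

if __name__ == "__main__":
    print(spoof_indicators(SPOOFED))
```

Received lines recorded before your own servers are written by the sending side, so treat the first-hop host as a hint and the authentication results stamped by your own service as the stronger signal.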

