Transport rules help trap and mitigating possible damages of a malicious inbound email from reaching your internal user’s inbox. Using them is one way to prevent outsider from spoofing your domain internally.
Bad actor normally design this kind of unsolicited campaign by using non-standard SMTP application. Moreover, it eases ways to spoof your domain and act as if it was coming in as an internal email.
Access Exchange Admin Center > Mail Flow > rules > Create a new rule > click more option (to show all conditions and actions below).
SMPT Relay used for Spoofing
Firstly, SMTP relay don’t use hand-shakes just like office 365 portals or application login and for as long as the credentials of the authenticated user is accurate on the application server the smtp.office365.com will be triggered to send the email.
In addition, the Office 365 Audit logs and AD sign-in features only capture activity on the platform for instance, access to online service. Moreover, you will find inbound email authenticity by checking your message trace and the first hop of the email headers.
Lastly, if the email communication is within or (sender and receiver has domain.com) message will not go out of Office 365 or will not be send from the internet
Headers below are one of most common indication of a spoofed email and the information you can take advantage to prevent outsider from spoofing your domain internally.
If authentication results is showing softfail