Security, Compliance, and Identity Blog
Schooling A Sea of Phish Part 2: Enhanced Anti-spoofing technology in Office 365

Debraj Ghosh
Mar 28, 2018

A few weeks ago, we released new enhanced anti-impersonation capabilities for Office 365 Advanced Threat Protection (ATP). Today we're excited to announce Office 365 ATP's enhanced anti-spoofing capability for protecting against spoofed emails from external domains. We believe this new capability will help lead the industry in further securing email. The new feature raises the required level of authentication checks for emails sent into Office 365, helping ensure greater protection for customers. Spoofing occurs when an email message appears to originate from someone or somewhere other than the actual source; it is a technique often used in phishing campaigns designed to obtain user credentials. Microsoft's anti-spoof technology specifically examines forgery of the From: header. Attackers can spoof an organization's own domain and send the spoofed email back to that organization, or spoof an external domain and send email as that domain to the organization. Exchange Online Protection (EOP) has been securing Office 365 customers from internal domain spoofing for many years, and Office 365 admins have tight control over their organization's spoof filters from the Office 365 Security & Compliance Center. We recommend that admins further improve their organization's spoof protection by appropriately configuring SPF, DKIM, and DMARC.


The newest anti-spoof features help protect organizations from external domain spoofing. Office 365 honors emails from external domains that have proper SPF, DKIM, and DMARC settings enabling them to pass authentication, and junks messages that fail this authentication. The challenge arises when external domains do not have these settings properly configured. For example, studies (an FTC report and a dmarc.org report) show that enforcement of DMARC remains low. Without enforcement of these settings, domains have a greater potential to be maliciously spoofed, exposing customers to phishing or spam attacks. The new external domain anti-spoofing capabilities help detect and block emails from external domains that:

  • lack proper authentication configuration
  • come from an email infrastructure source with unknown history
  • come from a source that is anomalous to previous sending patterns for that domain.


Customers will see an immediate effect from this enhancement, as both email senders and recipients will notice more emails being junked. Admins can whitelist domains that will not meet the tighter authentication requirements from the Office 365 Security and Compliance Center. We also recommend that admins of domains sending into Office 365 update their SPF, DKIM, and DMARC configurations so that their emails pass the stricter authentication rules.


Anti-spoofing in Exchange Online Protection

For EOP customers, Office 365 honors emails from external domains that pass explicit authentication through proper SPF, DMARC, and DKIM configuration and enforcement. Since inception, EOP has also leveraged implicit authentication to further protect customers from internal domain spoofing. It is designed to check whether a message's destination is your organization and whether the message claims to come from any of your provisioned domains, or subdomains of your provisioned domains. To pass authentication, EOP checks the published DMARC/DKIM standards as well as the SPF framework, verifying the reputation of the sending domain, the reputation of the sender IP address, and also the recipient reputation (i.e., how many messages do you receive from this sender? how is your email routed through the EOP service? etc.). If EOP determines that an email is spoofed, it will mark the email as spam in the email header. Additionally, EOP provides safety tips in the message which serve as visual indicators letting end users know that a message is fraudulent or may be a phishing scam. Further details on EOP's anti-spoofing are available here.


 Figure 1. Exchange Online Protection Anti-spoofing checks


Anti-spoofing with Office 365 Advanced Threat Protection

In addition to the standard EOP filter protection, Office 365 ATP customers are now also protected from external domain spoofing by default through a newly enhanced filter. For external domains, ATP first checks whether the email passes SPF, DKIM, and DMARC. If it does not, ATP checks the historical sending patterns of that domain and its associated infrastructure. If it detects anomalies and unknown patterns, it proceeds to junk the message if the sender does not have a good reputation. The filter constantly evolves and enhances itself based on the mail flow patterns it observes. ATP customers can access the spoof intelligence report in their anti-spam policy (figures 2, 3), which provides insight into domains being flagged as spoof mail and allows admins to take the necessary actions.

Figure 2. Spoof intelligence settings for Office 365 Advanced Threat Protection

Figure 3. Spoof intelligence Report for Office 365 Advanced Threat Protection

As mentioned, determining whether a spoof is legitimate or malicious is complicated because organizations fail to publish SPF, DMARC, or DKIM, yet have senders who are authorized to send for that domain. Admins can review internal and external domains being spoofed and sending emails into their organization. It is important to understand that there are scenarios (see figure 4) when email is legitimately spoofed and should be delivered.


Figure 4. Legitimate instances of internal and externally spoofed domains


Spoof intelligence enables admins to enhance spoof protection by specifying which senders are authorized to spoof their organization's domains and send email on its behalf.  The setting also enables designating external domains which are permitted to spoof.  Emails from unauthorized senders or domains are treated as spam by Office 365.  By effectively managing the spoof intelligence settings, admins can customize and enhance the spoof protection for their organization.


Enhanced Granular Anti-spoofing Policy Controls

With the new anti-spoofing enhancements, admins can now control the strength of the spoof filters, the action taken when an email is flagged as malicious spoof, and whether safety tips are shown. The spoof filter threshold can be set to 'default' or 'strict' (figure 5). When set to 'default', messages passing implicit or explicit authentication are considered legitimate with regard to spoofing and allowed to enter the remaining email filtering stack marked as 'normal' email. If the threshold is set to 'strict', only messages passing explicit authentication are marked 'normal'. Under the 'strict' setting, when an email passes implicit authentication but with medium or low confidence, it is considered a 'soft pass' and will be marked as a spoofed email. Since the 'strict' setting is more aggressive, it may lead to a small number of false positives.


Figure 5. Spoof threshold admin control panel


Admins also have more control over the actions taken when an email is flagged as a spoof. Emails marked as spoof can either be sent to the recipient's junk mail folder or directed to quarantine. The new anti-spoof policy controls also allow safety tips to be shown on emails that fail authentication or that pass authentication but with medium or low confidence (soft pass), as shown in figure 6. It should be noted that safety tips for soft passes should only be enabled for a small group of users, as many tips could be generated if a user receives email from legitimate yet unauthenticated sources.
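As an added illustration (not code from this post or from Microsoft), the following Python models the decision flow described in the two sections above: explicit SPF/DKIM/DMARC verdicts parsed from an Authentication-Results header value, then the 'default' versus 'strict' threshold, then the junk/quarantine and safety-tip actions. The implicit-authentication labels ('pass', 'soft-pass', 'fail') and the sample headers are assumptions constructed for the example; the real service derives implicit confidence from sending history and reputation, which this code does not compute.

```python
import re

# Constructed sample Authentication-Results header values (RFC 8601 style); not from the post.
SAMPLE_EXPLICIT_PASS = ("spf=pass smtp.mailfrom=contoso.example; "
                        "dkim=pass header.d=contoso.example; "
                        "dmarc=pass header.from=contoso.example")
SAMPLE_NO_AUTH = ("spf=none smtp.mailfrom=partner.example; dkim=none; "
                  "dmarc=none header.from=partner.example")


def parse_auth_results(header):
    """Return the spf/dkim/dmarc verdicts found in an Authentication-Results value."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=([a-z]+)" % method, header)
        verdicts[method] = m.group(1) if m else "none"
    return verdicts


def explicit_pass(verdicts):
    """Explicit authentication: DMARC passes, which requires an SPF or DKIM result
    aligned with the From: domain (the header the post says the filter examines)."""
    return verdicts["dmarc"] == "pass" and "pass" in (verdicts["spf"], verdicts["dkim"])


def classify(verdicts, implicit, threshold="default"):
    """Apply the post's threshold rules. 'implicit' is an assumed label for EOP's
    implicit authentication: 'pass' (high confidence), 'soft-pass' (medium or low
    confidence) or 'fail'. Returns 'normal', 'soft-pass' or 'spoof'."""
    if explicit_pass(verdicts):
        return "normal"
    if threshold == "default":
        # default: an implicit pass at any confidence is treated as legitimate
        return "normal" if implicit in ("pass", "soft-pass") else "spoof"
    if threshold == "strict":
        # strict: only explicit authentication earns 'normal'; a medium/low-confidence
        # implicit pass is a soft pass, which the post says is marked as spoofed
        return "soft-pass" if implicit == "soft-pass" else "spoof"
    raise ValueError("threshold must be 'default' or 'strict'")


def disposition(verdict, spoof_action="junk", soft_pass_tips=False):
    """Map a verdict to the policy actions in the post: junk or quarantine for spoofed
    mail, a safety tip on authentication failure, and an optional tip on soft passes."""
    if spoof_action not in ("junk", "quarantine"):
        raise ValueError("spoof_action must be 'junk' or 'quarantine'")
    if verdict == "normal":
        return {"deliver": "inbox", "safety_tip": False}
    if verdict == "soft-pass":
        return {"deliver": spoof_action, "safety_tip": soft_pass_tips}
    return {"deliver": spoof_action, "safety_tip": True}
```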


Figure 6. Spoof safety tip control panel


Send Us Your Feedback 

For more details on the new anti-spoof capabilities, read our full article, which will guide you through setting up the new feature. Here are some other helpful articles and videos on Office 365 and Office 365 ATP anti-phish and anti-spam capabilities:


We look forward to your feedback once you experience the new Anti-spoof capabilities for Office 365 Advanced Threat Protection.  The feedback helps us continue improving and adding features that will allow Office ATP to be the premiere advanced security service for Office 365.  If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 trial today and start securing your organization from the modern threat landscape.  Look for the final part of this series soon, where we will complete our overview of the enhanced anti-phishing capabilities for Office 365 ATP.  

Updated May 11, 2021
Version 6.0
    Ivan54
    Bronze Contributor

    It checks for similar display names and email addresses. "How" Microsoft is doing it is probably proprietary information, but I can confirm it works.

    We have a legitimate spoofing case in our environment where the display is similar to ours, but the mail address is first.lastname@othercompany.org and I get the spoofing notification. 

    I also get notified when the end users send messages from their personal email account (as in lastname@icloud.com) to the corporate account.

  • I have also seen a similar example. I was working through the settings on a remote session with a client of mine and we added the CEO to the list, and I left them to add the remaining "important" users to the list. They did not! A few weeks later they got a phish; it was reported internally and the report made its way back to me. One email in the phish campaign was stopped and the other was not. On looking, we saw that the one that was stopped came from a display name that matched the CEO and the second email came from a display name that matched the CFO. The email "from" the CFO made it into the user's mailbox as ATP had not been configured to consider this display name a high-risk account! We updated the policy and told the client to ensure that they added all the "important" mailboxes to the policy (and if over 20 mailboxes, create a second policy and carry on).



  • Is this the place to suggest that when the feature moves to the "Launched" category of the Office Roadmap that a "More Info" link be included there?

    Mike Farlow
    Copper Contributor

    Agreed, this is all great stuff and there appears to be about 3 thousand options available.  For small business customers with a single domain, do you have any best practice recommendations?  Implementing everything is time consuming and expensive from a labor standpoint.  I would love to know what is deemed "the best bang for the buck" time wise.

  • Do we know how to tackle or block PhishPoint phishing emails, as they are being circulated using SharePoint URLs?

    ATP failed to detect these things, so is there a way we can do something to protect our tenant?

    ExMSW4319
    Iron Contributor

    If we are using "PhishPoint" as a generic term to refer to that infernal combination of breached EXO mailboxes and OneDrive SPO pages then yes, we see a lot of that. ATP misses a number of them during the EXO screening, and remediation does not detect all of those that get through and are tested later. The false negative rate fluctuates by week, and some are better than others. I should stress that the content hosted in a typical compromised SPO page is not itself malign but merely encourages the recipient to click on a link leading on to the phishing site hosted elsewhere. SPO site pages are far less of a problem, and I cannot recollect the last time I saw a bad one.


    @Rishank - we use a simple EOP rule to catch OneDrive links:

    ... and Includes these patterns in the message subject or body: 'http\S*-myfiles\.sharepoint\.com' or 'http\S*-my\.sharepoint\.com'


    This omits tenancy site URLs. A second rule is required to go after links in attachments, and of course not all attachment types are traversable. An exception is needed if the recipient organisation uses OneDrive itself.


    The predicate is easy; the trickier question is what action to take. Rejection is only an option for organisations that prohibit their recipients from using other tenancies' storage. Regrettably EOP does not have a stripping action, and no system administrator is praised for creating additional administrative work. A pre-pended disclaimer is therefore possibly the best action, though familiarity with such warnings will often lead to recipient fatigue.
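As an added example (not from the comment's author, and not EOP's own rule engine), this Python applies the two subject/body patterns from the rule quoted above to constructed sample messages, adds the own-tenant exception the comment mentions, and prepends a warning rather than rejecting. Tenant names, message text and the warning wording are placeholders.

```python
import re

# The two patterns from the EOP rule in the comment: personal OneDrive hosts
# (tenant-my.sharepoint.com, tenant-myfiles.sharepoint.com) but not tenancy site URLs.
# Note the patterns have no boundary after ".com", so matches are taken as written.
ONEDRIVE_RE = re.compile(r"http\S*-myfiles\.sharepoint\.com|http\S*-my\.sharepoint\.com",
                         re.IGNORECASE)

# Constructed sample message bodies; tenant names are placeholders.
SAMPLES = {
    "personal_onedrive": "Please review: https://fabrikam-my.sharepoint.com/:b:/p/user/abc123",
    "tenant_site": "Docs at https://fabrikam.sharepoint.com/sites/finance/doc.docx",
    "own_tenant": "Shared with you: https://contoso-my.sharepoint.com/:w:/p/me/xyz",
    "no_links": "Lunch on Friday?",
}

WARNING = "[Warning: this message links to OneDrive storage outside our organisation]\n"


def find_onedrive_links(text, own_tenant=None):
    """Return the OneDrive URLs the rule would match in a subject or body. When
    own_tenant is given, links under that tenant's own OneDrive hosts are ignored
    (the exception the comment says is needed when the recipient uses OneDrive)."""
    hits = ONEDRIVE_RE.findall(text)
    if own_tenant:
        own = own_tenant.lower()
        own_hosts = ("%s-my.sharepoint.com" % own, "%s-myfiles.sharepoint.com" % own)
        # Compare the host part only, so a redirector wrapping our own link is still flagged.
        hits = [h for h in hits if h.lower().split("//", 1)[-1] not in own_hosts]
    return hits


def apply_rule(text, own_tenant=None, action="disclaimer"):
    """Take the comment's preferred action: prepend a warning rather than reject.
    action='reject' returns None to model a rejected message."""
    if not find_onedrive_links(text, own_tenant):
        return text
    if action == "reject":
        return None
    return WARNING + text
```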