Forum Discussion
How to stop internal spam mail?
Blocking non-domain IP addresses or non-domain-joined devices will not work because my users will use mail from home or their phones.
I don't understand why Microsoft doesn't check emails exchanged internally. As I mentioned, I noticed the exact same phishing email was caught in the Junk Mail folder if it was from an external mailbox; however, it went through if it was from an internal mailbox.
Thanks,
1. Quarantine the user: format their work PC, disable their phone or home computer from connecting.
2. Create an Exchange Transport Rule to prevent them from sending emails to the entire staff (I've already said this twice before).
Microsoft *does* check emails internally; however, they don't go through the same engines as external mail because they expect their clients to take a certain amount of responsibility for good Internet security practice.
Also they have a solution called Advanced Threat Protection that puts links into a "detonation" chamber so emails like phishing attacks don't get through.
Customers have the tools available - they need to use them.
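
One way to write the rule suggested in the reply above, scoped by sender and recipient rather than by subject text (an added example, not code from the thread). The addresses, the rule name and the 50-recipient cap are placeholders, and an Exchange Online PowerShell session is assumed.

```powershell
# Added example. All addresses and names are placeholders, not values from the thread.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with
# rights to manage mail flow rules and mailboxes.

$ruleName        = 'Restrict all-staff list to approved senders'
$allStaffList    = 'allstaff@contoso.example'          # the all-staff distribution group
$approvedSenders = 'allstaff-senders@contoso.example'  # group of people allowed to mail it
$affectedUser    = 'affected.user@contoso.example'     # mailbox that sent the phishing mail

# Mail flow rule: an internal sender who is not in the approved group is rejected
# when the all-staff list appears in To or Cc. The match does not use the subject line.
# Audit mode records matches without rejecting, so the rule can be checked first.
New-TransportRule -Name $ruleName `
    -FromScope InOrganization `
    -AnyOfToCcHeader $allStaffList `
    -ExceptIfFromMemberOf $approvedSenders `
    -RejectMessageReasonText 'Only approved senders may email the all-staff list.' `
    -Mode Audit

# Once the audited matches look right, switch the rule to enforcing:
# Set-TransportRule -Identity $ruleName -Mode Enforce

# Separate from the rule: cap how many recipients one message from the affected
# mailbox may carry (a per-mailbox setting, not a mail flow rule).
Set-Mailbox -Identity $affectedUser -RecipientLimits 50

# Confirm both settings.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode
Get-Mailbox -Identity $affectedUser | Format-List DisplayName, RecipientLimits
```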
- Grace Yin, Jan 25, 2018, Iron Contributor
Thank you Loryan! Can you confirm if ATP protects email internally? I can recommend it to my manager if it does.
Thanks,
- Jan 25, 2018
Looks like you need everyone to do some mandatory training on phishing and malware in general.
With the change in subject line - create another rule, and keep creating them. They don't cost you anything. You can also potentially look at trying to create a rule that prevents a single user from emailing every individual in the company.
And yes you do need to pay for ATP - but it's a small cost given the pain you're currently going through, and that's *before* you lose money from a data breach or dropping customers who have lost faith in your competency.
- Grace Yin, Jan 25, 2018, Iron Contributor
Hi Loryan,
Thank you for your reply. We did the two actions you mentioned right away after the phishing emails were sent out; however, some users still opened the bad link and entered their login credentials because the page looks like the O365 web logon page. No matter how we send out the notice not to open the link, there are still some users who do not follow it.
We received the phishing email again this morning from a different user. The hacker changed the subject line, so the Transport Rule that we created to block the subject didn't work.
I will look into Advanced Threat Protection. It seems we need to pay for this feature.
Thanks,