Forum Discussion
burningice
Apr 25, 2022
Brass Contributor
Anti-phishing: protect against company domain name usage in From DisplayName
Hello, we recently got phishing mails for DocuSign and Office.com which passed our Defender for Office 365 protection. They looked something like this: FROM: contoso <random@randomdomain.ph> S...
- Apr 25, 2022: The Microsoft Anti-Phishing system should be smart enough to detect and protect against such emails. Ask end users to mark such emails as phishing or junk.
I advise you to send the email for analysis; take a look at:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/admin-submission
ExMSW4319
Apr 30, 2022
Steel Contributor
It is relatively easy to construct a mail flow rule to take action (which can be a block, a quarantine or a pre-pended disclaimer acting as a warning) on a From line that contains words approximating your organisation name, but be prepared for a high false positive rate. Before taking any of the actions I have suggested, start with something non-intrusive that merely records the number of hits you would obtain were the rule more active. Exempt until your FP rate is low or you have reached the point where the concept has no remaining validity.
Your anti-phishing training should include variations and obfuscations of your organisation name, in order to inculcate due diligence by your recipients.
As other posters have suggested, keep feeding the kitty with admin and user submissions but do not assume that EOP / MDO is always going to save your organisation's collective posterior. Layer your defences.
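
Added example (not part of the original thread, and not Microsoft's rule engine): a record-only pass of the kind the reply above recommends, run offline over From lines to see how many messages a display-name rule would hit before it is allowed to block or quarantine. The organisation name, owned domain, look-alike table and sample headers are assumptions constructed for illustration.

```python
import re
import unicodedata
from email.utils import parseaddr

# Assumptions for illustration: organisation name and the domains it owns.
ORG_NAME = "contoso"
OWNED_DOMAINS = {"contoso.com"}

# ASCII look-alike substitutions commonly used to obfuscate a display name.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def normalise(display_name):
    """Fold case, accents, look-alike characters and separators."""
    text = unicodedata.normalize("NFKD", display_name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold().translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", text)

def would_hit(from_header):
    """True if the display name approximates ORG_NAME but the address is external."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain in OWNED_DOMAINS:
        return False  # genuine internal sender: exempt from the rule
    return ORG_NAME in normalise(display_name)

def audit(from_headers):
    """Record-only pass: list what the rule would act on, take no action."""
    return [h for h in from_headers if would_hit(h)]

# Constructed sample From lines (the first follows the pattern quoted in the question).
SAMPLE = [
    "contoso <random@randomdomain.ph>",
    "C0NT0S0 Helpdesk <it@example.net>",
    '"Con-toso HR" <hr@example.org>',
    "Contoso Payroll <payroll@contoso.com>",
    # Legitimate third party sending on the organisation's behalf: a false positive.
    "Contoso Customer Portal via Vendor <notify@vendor.example>",
    "Bob Jones <bob@example.com>",
]

if __name__ == "__main__":
    hits = audit(SAMPLE)
    print(f"{len(hits)} of {len(SAMPLE)} messages would match")
    for header in hits:
        print("  ", header)
```

The vendor line is the kind of false positive that has to be exempted before the rule moves from recording to acting. The normalisation covers ASCII substitutions only, not non-Latin homoglyphs.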