Dec 04 2018 10:23 AM
Dear,
Our users (Exchange Online) experience phishing emails in their mailboxes, coming from their own email address. The header info states:
...
From: Patrick <patrick@xxxxx.be>
To: Patrick <patrick@xxxxx.be>
Subject: Fwd: New ORDER
...
received-spf: Fail (protection.outlook.com: domain of xxxxx.be does not
designate 173.12.213.89 as permitted sender) receiver=protection.outlook.com;
client-ip=173.12.213.89; helo=LPCC-DC.lpcc.local;
But still they receive those emails. I thought SPF would block any emails coming from servers that are not allowed? Our SPF record in DNS is configured correctly:
TXT v=spf1 include:spf.protection.outlook.com -all
So how can we stop these spamming emails from entering our boxes?
Dec 04 2018 10:37 AM
Dec 04 2018 10:56 AM
SPF fail on its own might not be enough for a message to be quarantined; you can fine-tune this behavior with the Advanced Spam Filtering options' Hard-fail toggle: https://docs.microsoft.com/en-us/office365/securitycompliance/advanced-spam-filtering-asf-options
Or via custom transport rules, such as the example here: https://blogs.technet.microsoft.com/eopfieldnotes/2018/02/09/combating-display-name-spoofing/
Or using the additional tools that are part of ATP/E5, if you are paying for this, as suggested by Christopher :)
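
An added example, not part of the thread: a small Python triage helper that parses the Received-SPF header quoted in the question and flags messages that claim an internal From domain but failed SPF, which is useful when reviewing reported messages to see what a hard-fail rule would have caught. The function names and the `own_domains` parameter are hypothetical, and the sample message is constructed from the header lines in the question.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header fields quoted in the question (domain redacted as on the page).
SAMPLE = (
    "From: Patrick <patrick@xxxxx.be>\n"
    "To: Patrick <patrick@xxxxx.be>\n"
    "Subject: Fwd: New ORDER\n"
    "Received-SPF: Fail (protection.outlook.com: domain of xxxxx.be does not\n"
    " designate 173.12.213.89 as permitted sender) receiver=protection.outlook.com;\n"
    " client-ip=173.12.213.89; helo=LPCC-DC.lpcc.local;\n"
    "\n"
    "body\n"
)

def parse_received_spf(value):
    """Split a Received-SPF value into result, comment and key=value pairs."""
    value = " ".join(value.split())  # undo header folding
    m = re.match(r"(\w+)\s*(?:\((.*?)\))?\s*(.*)", value)
    result, comment, rest = m.group(1).lower(), m.group(2) or "", m.group(3)
    pairs = dict(re.findall(r"([\w-]+)=([^;\s]+)", rest))
    return {"result": result, "comment": comment, **pairs}

def triage(raw, own_domains):
    """Heuristic: flag mail whose From domain is ours but whose SPF check failed."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    spf = parse_received_spf(msg.get("Received-SPF", "none"))
    from_domain = from_addr.rpartition("@")[2]
    internal_claim = from_domain in own_domains
    return {
        "from": from_addr,
        "spf": spf["result"],
        "client_ip": spf.get("client-ip"),
        "helo": spf.get("helo"),
        # Recipient "mailing themselves" is the pattern described in the question.
        "self_addressed": bool(from_addr) and from_addr == to_addr,
        "spoof_suspect": internal_claim and spf["result"] in ("fail", "softfail"),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, {"xxxxx.be"}))
```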