Home
Microsoft

Schooling A Sea of Phish Part 2: Enhanced Anti-spoofing technology in Office 365

A few weeks ago, we released new enhanced Anti-impersonation capabilities for Office 365 Advanced Threat Protection (ATP).  Today we’re excited to announce Office ATP’s enhanced anti-spoofing capability for protecting against spoofed emails from external domains.  We believe this new capability will help lead the industry in further securing email.  The new feature raises the required level of authentication checks for emails sent into Office 365, helping ensure greater protection for customers.  Spoofing occurs when an email message appears to originate from someone or somewhere other than the actual source and is a technique often used in phishing campaigns designed to obtain user credentials.  Microsoft’s anti-spoof technology specifically examines forgery in the ‘From: header’.  Attackers can spoof the domain of an organization and send a spoofed email back to the organization or spoof an external domain and send emails as that spoofed domain to an organization. Exchange Online Protection (EOP) has been securing Office 365 customers from internal domain spoof for many years.  Also, Office 365 admins are given tight control over their organization’s spoof filters from the Office 365 Security & Compliance Center.  We recommend that admins further improve their organization's spoof protection by appropriately configuring SPF, DKIM, and DMARC.

 

The newest anti-spoof features help protect organizations from external domain spoof.  Office 365 honors emails from external domains having proper SPF, DMARC, and DKIM authentication settings  enabling them to pass authentication, and junks messages that fail this authentication. The challenge occurs when external domains do not have these settings properly configured. For example, studies (ftc report, dmarc.org report) show enforcement of DMARC remains low. Without enforcement of these settings, domains have a greater potential to be maliciously spoofed, exposing customers to phishing or spam attacks. The new external domain anti-spoofing capabilities help detect and block emails from external domains that do not have

 

  • proper authentication configuration
  • an email infrastructure source with unknown history
  • a source which is anomalous to previous sending patterns from that domain.

 

Customers will see immediate effect from this enhancement as both email senders and recipients will notice more emails being junked.  Admins can whitelist domains that will not meet the tighter authentication requirements from the Office 365 Security and Compliance Center.  We also recommend admins of sender domains into Office 365 update SPF, DKIM, DMARC configurations so emails can pass the stricter authentication rules.

 

 

Anti-spoofing in Exchange Online Protection

For EOP customers, Office 365 honors emails from external domains which pass explicit authentication through proper SPF, DMARC, and DKIM configurations and enforcement.  Since inception, EOP has also leveraged implicit authentication to further protect customers from internal domain spoofing. It is designed to check if a message’s destination is to your organization and if the message comes from any of your provisioned domains, or subdomains of any of your provisioned domains.  To pass authentication, EOP checks the published DMARC/DKIM standards as well as the SPF framework, verifying the reputation of the sending domain, the reputation of the sender IP address, and also the recipient reputation (ie. how many messages do you receive from this sender?, how is your email routed through the EOP service?, etc).  If EOP determines that an email is spoof, it will mark the email as spam in the email header.  Additionally, EOP has provided safety tips in the message which serve as visual indicators letting end users know that a message is fraudulent or may be a phishing scam. Further details on EOP’s anti-spoofing are available here

 

 EOP_Anti-spoof.pngFigure 1. Exchange Online Protection Anti-spoofing checks

 

Anti-spoofing with Office 365 Advanced Threat Protection

In addition to the standard EOP filter protection, Office 365 ATP customers are now also protected from external domain spoof by default through a newly enhanced filter.   For external domains, ATP first checks if the email passes SPF, DKIM, and DMARC.  If it does not, ATP will check for historical sending patterns of that domain and associated infrastructure. If it detects anomalies and unknown patterns it will proceed to junk the message if the sender does not have good reputation. The filter constantly evolves and enhances itself based on mail flow patterns it observes.  ATP customers can access the spoof intelligence report in their Antispam Policy (figures 2, 3) which provides insights into domains being flagged as spoof mail and allows admins to take necessary actions.  As mentioned, determining legitimate or malicious spoof is made complicated because organization’s fail to publish SPF, DMARC, 

 

 spoof_intelligence.jpgFigure 2. Spoof intelligence settings for Office 365 Advanced Threat Protection

 

spoof_intelligence_report.pngFigure 3. Spoof intelligence Report for Office 365 Advanced Threat Protection

 

or DKIM, yet have senders who are authorized to send for that domain.  Admins can review internal and external domains being spoofed and sending emails into their organization.    It is important to understand that there are scenarios (see figure 4) when email is legitimately spoofed and should be delivered. 

 

good_spoof.pngFigure 4. Legitimate instances of internal and externally spoofed domains

 

Spoof intelligence enables admins to enhance spoof protection by specifying which senders are authorized to spoof their organization's domains and send email on its behalf.  The setting also enables designating external domains which are permitted to spoof.  Emails from unauthorized senders or domains are treated as spam by Office 365.  By effectively managing the spoof intelligence settings, admins can customize and enhance the spoof protection for their organization.

 

Enhanced Granular Anti-spoofing Policy Controls

With the new anti-spoofing enhancements, admins can now control the strength of the spoof filters, the action taken when an email is flagged as malicious spoof, and the ability to turn safety tips on/off.  The spoof filter threshold can be set to ‘default’ or ‘strict’ (figure 5).  When set to default, messages passing implicit or explicit authentication will be considered legitimate with regard to spoofing and allowed to enter the remaining email filtering stack marked as ‘normal’ email.  If the threshold is set to 'strict', only messages passing explicit authentication are marked ‘normal’.  Under the 'strict' setting, when an email passes implicit authentication but with medium or low confidence, it is considered a ‘soft pass’ and will be marked as a spoofed email.  Since the ‘strict’ setting is more aggressive it may lead to a small number of false positives.

 

 

spoof_threshold.jpgFigure 5. Spoof threshold admin control panel

 

Admins also have more control over actions taken when an email is flagged as a spoof.  Emails marked as spoof can either be sent to the recipient’s junk mail folder or the message can be directed to quarantine.  The new anti-spoof policy controls also allow for safety tips in emails failing authentication or which pass authentication but with medium or low confidence (soft-pass) as shown in figure 6.  It should be noted safety tips for soft-passes should only be enabled for a small group of users as many tips could be generated if a user receives email from legitimate yet unauthenticated sources.

 

 

spoof_saftey_tips.jpgFigure 6. Spoof safety tip control panel

 

Send Us Your Feedback 

For more details on the new Anti-spoof capabilities, read our full article which will help guide your through setting up the new feature. Here are some other helpful articles and videos on Office 365 and Office 365 ATP anti-phish, anti-spam capabilities:

 

 

We look forward to your feedback once you experience the new Anti-spoof capabilities for Office 365 Advanced Threat Protection.  The feedback helps us continue improving and adding features that will allow Office ATP to be the premiere advanced security service for Office 365.  If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 trial today and start securing your organization from the modern threat landscape.  Look for the final part of this series soon, where we will complete our overview of the enhanced anti-phishing capabilities for Office 365 ATP.  

6 Comments

Those are all awesome improvements, but please please please communicate things better/earlier from now on :) Same goes for the documentation, for example the Learn more about these threshold levels link points to an article which doesn't even mention "threshold".

Valued Contributor

Yeah @Vasil Michev, agreed. I just happened to be in the middle of a transition to EOP/ATP from our onPrem (Barracuda) solution suddenly had an unexpected flurry of tools to review that I didn't know about :)

I'm having a little trouble with the UI and easy of use of the security and compliance center, especially with the new anti-spoof/phishing tools. Here a few questions after a couple of days of use:

 

  • how do I get a simple message list (chronological) of all incoming/outgoing messages and their corresponding spam actions (block/junked/...) and reasons for the action?
  • how do I review spoofed messages in detail? Sometimes I'm not sure if that spoof is really wanted or not, just by knowing the infrastructure and would need to see the full message know that. 
  • I still haven't quite figured out (even after reading this) what I'm looking at when reviewing external domains that are trying to spoof our users.
  • is there a reason why the anti-phishing policy is limited to 20 users and not the whole organization?

 

Senior Member
great article but the admin Panel from Figure 5 is not visible in our tenant.

Hi @Ivan Unger. The 20 limit for spoofing protection is not who you apply the list to, but the names you want to especially check for in a possible spoof email. For example you could add John.smith@domain.com, who is your CEO to the list and apply that list to everyone in the company. Then emails from John.smith@isp.com could be considered attempted spoof emails and so alerted as such (the rules will be more involved than that example, but as I understand it, that is the idea of the list)

Occasional Visitor

Hello,

 

Is there any breakdown of exactly what the Advanced Phishing Threshold levels do? The article associated in the portal does not actually mention what these differing levels do.

ATP Phishing Thresholds.jpg

Occasional Visitor

Great article. 

I would still like an answer for @Ivan Unger's question. is there a reason why the anti-phishing policy is limited to 20 users ? I have large clients asking for more than 1% percent of their total employees to be protected against impersonation attacks .