SOLVED

Block Display Name Spoof in EAC


I'm sure we are all dealing with a tremendous uptick in spam/spoof since Covid, so what I am looking to do is combat the Display Name spoof. The typical scenario is a bad actor sends from a Gmail account but changes the display name to one of our execs. Even though we train users on this and have the "Caution, external email" flag, it still eats up time with chaos depending on how many are received.

What I would like to do is this: tell Exchange to look at the display name and if it is one that I have flagged (one of the execs who gets spoofed a lot) it will only allow the email if it has our domain in the email id - all other domains will be blocked.

Is this possible? Thanks in advance!

3 Replies
Best Response confirmed by Derek Gillespie (Contributor)
Solution

You can try a mail flow rule, although there is no "display name" condition available, so you'll have to go with "header matches" or similar. 
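
The check the question describes (flagged display name, sender domain must be ours) can be tried against sample `From` headers before any rule is built. This is an added example, not code from the thread and not how Exchange evaluates mail flow rules; the names, domains and sample headers are constructed.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed values for illustration; not taken from the thread.
PROTECTED_NAMES = [{"jane", "doe"}, {"john", "smith"}]
ORG_DOMAINS = {"example.com"}


def display_tokens(display):
    """Decode RFC 2047 encoded-words, then reduce the name to lower-case words."""
    try:
        display = str(make_header(decode_header(display)))
    except (HeaderParseError, LookupError, UnicodeError):
        pass  # undecodable: fall back to matching the raw text
    return set(re.sub(r"[^\w\s]", " ", display.lower()).split())


def check_from_header(raw_from):
    """Return 'block' if a protected display name comes from an outside domain."""
    display, addr = parseaddr(raw_from)
    domain = addr.rpartition("@")[2].lower()
    tokens = display_tokens(display)
    # Subset test so "Doe, Jane" and "Jane Doe (CEO)" both match {"jane", "doe"}.
    impersonates = any(name <= tokens for name in PROTECTED_NAMES)
    # Exact domain comparison: "example.com.evil.example" is not "example.com".
    if impersonates and domain not in ORG_DOMAINS:
        return "block"
    return "allow"


# Constructed sample headers.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <ceo.office@freemail.example>",
    '"Doe, Jane" <x@freemail.example>',
    "=?UTF-8?B?SmFuZSBEb2U=?= <x@freemail.example>",
    "Jane Doe <jane.doe@example.com.evil.example>",
    "Bob Lee <bob@freemail.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from_header(header):5}  {header}")
```
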


Thanks for the reply @Vasil Michev  - so I made a rule that looks like this and it works!

[Image: derek-block-rule.png]


@Derek Gillespie I have had success with the Impersonation policy under phishing, wherein we tested with <Myname> myname@domain.com added to the list of users to protect and sent an email from <Myname> xyz@somedomain.com. The policy detected it to be impersonation.

I wanted to test this safely with the Senior management email address and am trying to figure out a safe way to do that. Documentation is here