Exchange Online receiving "received-spf: Fail" spam from own domain

Dear,

Our users (Exchange Online) experience phishing emails in their mailboxes, coming from their own email address. The header info states:

...

From: Patrick  <patrick@xxxxx.be>
To: Patrick  <patrick@xxxxx.be>
Subject: Fwd: New ORDER

...

received-spf: Fail (protection.outlook.com: domain of xxxxx.be does not
designate 173.12.213.89 as permitted sender) receiver=protection.outlook.com;
client-ip=173.12.213.89; helo=LPCC-DC.lpcc.local;

But still they receive those emails. I thought SPF would block any emails coming from servers that are not allowed? Our SPF record in DNS is configured correctly:

TXT v=spf1 include:spf.protection.outlook.com -all

So how can we stop these spamming emails from entering our boxes?

2 Replies
Enable impersonation protection in Office365 on your domain in the security and compliance centre.

https://docs.microsoft.com/en-us/office365/securitycompliance/anti-phishing-protection

Best, Chris

SPF fail on its own might not be enough for a message to be quarantined; you can fine-tune this behavior with the Advanced Spam Filtering options' Hard-fail toggle: https://docs.microsoft.com/en-us/office365/securitycompliance/advanced-spam-filtering-asf-options

Or via custom transport rules, such as the example here: https://blogs.technet.microsoft.com/eopfieldnotes/2018/02/09/combating-display-name-spoofing/

Or using the additional tools that are part of ATP/E5, if you are paying for this, as suggested by Christopher :)
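
Added example, not part of the thread or of Microsoft's documentation: a Python sketch of the condition a custom rule for this case would key on, namely a From domain that is one of your own combined with a Received-SPF result of Fail. The domain example.be, the function names and the sample message (modelled on the header excerpt in the question) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header excerpt in the question;
# example.be stands in for the redacted domain.
SAMPLE = """\
From: Patrick <patrick@example.be>
To: Patrick <patrick@example.be>
Subject: Fwd: New ORDER
Received-SPF: Fail (protection.outlook.com: domain of example.be does not
 designate 173.12.213.89 as permitted sender) receiver=protection.outlook.com;
 client-ip=173.12.213.89; helo=LPCC-DC.lpcc.local;

body
"""

OWN_DOMAINS = {"example.be"}  # assumption: the tenant's accepted domains


def parse_received_spf(value):
    """Return (result, params) from a Received-SPF value (RFC 7208, section 9.1)."""
    unfolded = " ".join(value.split())               # undo header folding
    m = re.match(r"(?i)(pass|fail|softfail|neutral|none|temperror|permerror)\b", unfolded)
    result = m.group(1).lower() if m else "none"
    no_comment = re.sub(r"\([^)]*\)", "", unfolded)  # drop the parenthesised comment
    params = dict(re.findall(r"([\w-]+)=([^;\s]+)", no_comment))
    return result, params


def is_self_spoof(raw_message, own_domains=OWN_DOMAINS):
    """True when the From domain is ours but SPF hard-failed for the sending IP."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = [parse_received_spf(v)[0] for v in msg.get_all("Received-SPF", [])]
    return from_domain in own_domains and "fail" in results


def triage(raw_message):
    """Summarise the fields a quarantine rule or a report would use."""
    msg = message_from_string(raw_message)
    result, params = parse_received_spf(msg.get("Received-SPF", ""))
    return {"spf": result, "client_ip": params.get("client-ip"),
            "helo": params.get("helo"), "quarantine": is_self_spoof(raw_message)}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run over exported messages, this separates self-spoofed mail from legitimate internal mail before a hard-fail action is switched on for everyone.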