Forum Discussion
How to stop internal spam mail?
Hi Stephen,
We had exactly the same case. It started with one user who used his home PC. His user name and password got hacked, and the hacker sent email to all the people in his contacts. We reset his password and he seems not to be sending phishing email anymore. However, the second user opened the email and entered his user name and password in the link, and then phishing email was sent out from the second user again.
We did the same thing: had all users who opened the link change their password immediately. The situation seems to be under control right now.
I want to know how to prevent this from happening in the future. We did a virus scan and found nothing on the second user's PC. Since Office 365 can block the same phishing email from an outside sender, I wonder if there is a way to do this for an inside sender?
Thanks,
We are reviewing with our vendor; at the moment they are suggesting blocking non-domain IP addresses or non-domain-joined devices.
Potentially another option is to use multi-factor authentication for anything external to the domain.
- Grace Yin, Jan 24, 2018, Iron Contributor
Blocking non-domain IP addresses or non-domain-joined devices will not work because my users will use mail from home or from their phones.
I don't understand why Microsoft doesn't check emails exchanged internally. As I mentioned, I noticed that exactly the same phishing email was caught in the Junk Mail folder if it was from an external mailbox; however, it went through if it was from an internal mailbox.
Thanks,
- Jan 24, 2018
Here are your actions:
1. Quarantine the user: format their work PC, disable their phone or home computer from connecting.
2. Create an Exchange Transport Rule to prevent them from sending emails to the entire staff (I've already said this twice before).
Microsoft *does* check emails internally, however they don't go through the same engines as external mail because they expect their clients to take a certain amount of responsibility for good Internet security practice.
Also they have a solution called Advanced Threat Protection that puts links into a "detonation" chamber so emails like phishing attacks don't get through.
Customers have the tools available - they need to use them.
- Grace Yin, Jan 25, 2018, Iron Contributor
Hi Loryan,
Thank you for your reply. We took the two actions you mentioned right away after the phishing emails were sent out; however, some users still opened the bad link and entered their login credentials because the page looks like the O365 web logon page. No matter how we send out the notice not to open the link, there are still some users who don't follow it.
We received the phishing email again this morning from another user. The hacker changed the subject line, so the Transport Rule that we created to block the subject didn't work.
I will look into Advanced Threat Protection. It seems we need to pay for this feature.
Thanks,
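The Transport Rule suggested above, and the reason a subject-based rule stops working once the attacker changes the subject line, can be shown in Exchange Online PowerShell. This is an added example, not code from any poster in this thread; it assumes the ExchangeOnlineManagement module is installed, an account with Exchange admin rights, and uses "compromised.user@contoso.example" as a placeholder for the affected mailbox.

```powershell
# Added example (not from any poster in this thread): Exchange Online transport rules
# keyed on the compromised sender and on internal link-bearing mail, rather than on
# a subject line the attacker can change at will.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin rights,
# and 'compromised.user@contoso.example' is a placeholder address.

Connect-ExchangeOnline

# 1. Contain the known-compromised mailbox: reject anything it sends inside the
#    organisation until the account has been reset and re-verified. The sender,
#    not the subject, is the stable identifier here.
New-TransportRule -Name "Contain compromised sender" `
    -From "compromised.user@contoso.example" `
    -SentToScope InOrganization `
    -RejectMessageReasonText "Mailbox under incident review; contact IT." `
    -Priority 0 `
    -Comments "Incident $(Get-Date -Format yyyy-MM-dd): lift after credential reset and sign-in review."

# 2. Internal-to-internal mail carrying a web link gets a visible subject tag so
#    recipients pause before entering credentials. Start in Audit mode, which only
#    records matches in message trace; switch to Enforce once the match volume
#    looks sane for this tenant.
New-TransportRule -Name "Tag internal mail with links" `
    -FromScope InOrganization `
    -SentToScope InOrganization `
    -SubjectOrBodyMatchesPatterns 'https?://' `
    -PrependSubject "[Link - verify before signing in] " `
    -Mode Audit `
    -Priority 1

# Promote rule 2 to enforcement after reviewing the audit hits:
# Set-TransportRule -Identity "Tag internal mail with links" -Mode Enforce
```

Rule 1 is the containment step and should be removed once the mailbox is cleared; rule 2 is a standing control that does not depend on any subject text.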
- Deleted, Jan 24, 2018
In the Security & Compliance site for 365, under the spam policy, you can filter by country or region or language ... could that work for you?
Also in here you can treat an email as Bulk and take an action like quarantine, or prepend the message with "Potential Malware" or some other text, or redirect it.
If you have access to the Security & Compliance site, have a look at the policies and see what's applicable.
We are also looking at passing our mail through Sophos cloud solution to have an extra level of security.
- Grace Yin, Jan 25, 2018, Iron Contributor
Hi Stephen,
Thank you for your info. How will the email flow if you add the Sophos cloud solution? Will you put it in front of O365 or behind it? If you put it in front of O365, before email reaches O365, it still won't filter email internally.
Thanks,