cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Anti-phishing: protect against company domain name usage in From DisplayName

burningice
Occasional Contributor

‎Apr 25 2022 04:41 AM

‎Apr 25 2022 04:41 AM

Anti-phishing: protect against company domain name usage in From DisplayName

Hello, 

we recently got phishing mails for DocuSign and Office.com which passed our Defender for Office 365 protection. 

They looked something like that: 
FROM: contoso <random@randomdomain.ph>

Subject: Your document has been completed. 

 

I understand that mailbox intelligence protects against impersonating our domain names (like: Office <office@cont0so.org>) and our internal users (like: John Doe <john.doe@random.org>) however nothing seems to protect against using the domain name as DisplayName like in my example above. 

 

I was already thinking of creating a mail transport rule in order to block messages from outside of our organisation which contain our company names in the display name. However this can be easily circumvented by using slightly different variants of our company names which I can not all think of. 

Therefore, is there any possibility to utilize Defender for Office 365 / Mailbox Intelligence to prevent the usage of our domain names (or in general any specific terms and their similar words) from being used as Display Names? 

Thanks! 

572 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by Ben_Harris (Microsoft)
Reza_Ameri

‎Apr 25 2022 07:15 AM

‎Apr 25 2022 07:15 AM

Solution

Re: Anti-phishing: protect against company domain name usage in From DisplayName

The Microsoft Anti-Phishing system should be smart enough to detect and protect such emails. Ask end users to mark such email as phishing or junk.
I advise you to send the email for analyze, take a look at:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/admin-submission
0 Likes
Reply
Ben_Harris

‎Apr 26 2022 02:26 AM

‎Apr 26 2022 02:26 AM

Re: Anti-phishing: protect against company domain name usage in From DisplayName

Hi there - I can indeed confirm the best way forward here is to perform an admin submission to us so we can look at this. - Thanks in advance!
0 Likes
Reply
ExMSW4319

‎Apr 30 2022 11:43 AM

‎Apr 30 2022 11:43 AM

Re: Anti-phishing: protect against company domain name usage in From DisplayName

It is relatively easy to construct a mail flow rule to take action (which can be a block, a quarantine or a pre-pended disclaimer acting as a warning) on a From line that contains words approximating your organisation name, but be prepared for a high false positive rate. Before taking any of the actions I have suggested, start with something non-intrusive that merely records the number of hits you would obtain were the rule more active. Exempt until your FP rate is low or you have reached the point where the concept has no remaining validity.

Your anti-phishing training should include variations and obfuscations of your organisation name, in order to inculcate due diligence by your recipients.

As other posters have suggested, keep feeding the kitty with admin and user submissions but do not assume that EOP / MDO is always going to save your organisation's collective posterior. Layer your defences.
0 Likes
Reply