Apr 25 2022 04:41 AM
Hello,
We recently got phishing emails for DocuSign and Office.com which passed our Defender for Office 365 protection.
They looked something like this:
FROM: contoso <random@randomdomain.ph>
Subject: Your document has been completed.
I understand that mailbox intelligence protects against impersonating our domain names (like: Office <office@cont0so.org>) and our internal users (like: John Doe <john.doe@random.org>); however, nothing seems to protect against using the domain name as the DisplayName, as in my example above.
I was already thinking of creating a mail transport rule in order to block messages from outside of our organisation which contain our company names in the display name. However, this can be easily circumvented by using slightly different variants of our company names, which I cannot all think of.
Therefore, is there any possibility to utilize Defender for Office 365 / Mailbox Intelligence to prevent our domain names (or, in general, any specific terms and their similar words) from being used as display names?
Thanks!
Apr 25 2022 07:15 AM
Solution
Apr 26 2022 02:26 AM
Apr 30 2022 11:43 AM
Sep 05 2023 04:10 PM
@burningice Post is quite old. But I thought I'd add my rough solution in case it helps anyone. I set up a transport rule to:
If message header "Authentication-Results" matches "smtp.mailfrom=amazonses.com" "dmarc=bestguesspass", then prepend the email with a disclaimer to tell the recipient user to be careful, as the email may be phishing. And generate an incident report to myself so I can learn more about how the rule is being applied.
I'll see how the rule works out before I take any further actions. I noticed all the DocuSign phishing emails I had were always sent using some random Amazon server when you look at the email header results. The email envelope sender domain and subject line always change. Everything in the email is nothing but a linked picture, so it's not like I can make a rule to check if an email is really from DocuSign. The subject lines are always nonsensical and usually, but not always, include some variation of our company name. This is a tough one. I wish we had some OCR capability in transport rules. There will undoubtedly be legitimate services that are using Amazon email servers that I will soon find out about.
If anybody else has a better solution, please let me know. Reporting the emails with Office 365 admin hunting or Explorer or in desktop Outlook has not had the best success for me. These phishing emails keep finding a way into users' mailboxes somehow. If 10 of these DocuSign emails get stopped, at least 4 of them pass through.
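Added example, not posted by anyone in this thread: a small Python triage script that covers both points raised above. For the original question it checks whether the From display name contains or closely resembles a protected company or brand name, folding common character substitutions first so variants such as "C0ntoso" or "Contosso" still match; for the later reply it reads the envelope sender domain and DMARC verdict out of the Authentication-Results header. The protected terms, the homoglyph table, the internal-domain list, the similarity threshold and the sample message are all constructed assumptions; only the standard library is used.

```python
"""Constructed example: flag lookalike display names and weak authentication results."""
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Assumptions: names we protect and the domains our own users send from.
PROTECTED_TERMS = ["contoso", "docusign"]
INTERNAL_DOMAINS = {"contoso.com"}

# Starter table of substitutions seen in lookalike names; fold them back to letters.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
    "|": "l", "\u0441": "c", "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",
})


def normalize(name: str) -> str:
    """Lower-case, fold homoglyphs, and keep only letters a-z."""
    return re.sub(r"[^a-z]", "", name.lower().translate(HOMOGLYPHS))


def _resembles(term: str, text: str, threshold: float) -> bool:
    """Slide windows of roughly the term's length over text and compare similarity."""
    for width in (len(term) - 1, len(term), len(term) + 1):
        for i in range(max(1, len(text) - width + 1)):
            if SequenceMatcher(None, term, text[i:i + width]).ratio() >= threshold:
                return True
    return False


def lookalike_terms(display_name: str, threshold: float = 0.85) -> list[str]:
    """Return the protected terms the display name contains or closely resembles."""
    norm = normalize(display_name)
    hits = []
    for term in PROTECTED_TERMS:
        t = normalize(term)
        if t and (t in norm or _resembles(t, norm, threshold)):
            hits.append(term)
    return hits


def auth_results(msg) -> dict:
    """Extract the envelope sender domain and DMARC verdict from Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    mailfrom = re.search(r"smtp\.mailfrom=([\w.-]+)", header)
    dmarc = re.search(r"dmarc=(\w+)", header)
    return {
        "mailfrom_domain": mailfrom.group(1).lower() if mailfrom else None,
        "dmarc": dmarc.group(1).lower() if dmarc else None,
    }


def triage(raw: str) -> dict:
    """Parse a raw message and list the reasons, if any, it looks like brand phishing."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    auth = auth_results(msg)
    reasons = []
    # Internal senders may legitimately carry the company name; only check outsiders.
    if sender_domain not in INTERNAL_DOMAINS:
        hits = lookalike_terms(display_name)
        if hits:
            reasons.append(f"external sender display name '{display_name}' resembles: {', '.join(hits)}")
    if (auth["mailfrom_domain"] or "").endswith("amazonses.com") and auth["dmarc"] == "bestguesspass":
        reasons.append("relayed via amazonses.com with only a best-guess DMARC pass")
    return {"from": address, "display_name": display_name, "auth": auth,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample resembling the message described in the question.
RAW_MESSAGE = """\
From: C0ntoso <random@randomdomain.ph>
To: john.doe@contoso.com
Subject: Your document has been completed.
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=amazonses.com; dkim=pass (signature was verified)
 header.d=amazonses.com;dmarc=bestguesspass action=none
 header.from=randomdomain.ph;compauth=pass reason=109
Content-Type: text/plain

Please review the attached document.
"""

if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The similarity window is what makes the check cover variants the original poster could not enumerate by hand; raising the threshold reduces false positives on ordinary display names, lowering it catches sloppier lookalikes, and both knobs should be tuned against a sample of legitimate external mail before the logic is used to block rather than to tag.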