cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Antispoofing

EASchmitt
Copper Contributor

‎Jul 31 2019 08:26 AM - last edited on ‎May 24 2021 02:07 PM by

‎Jul 31 2019 08:26 AM - last edited on ‎May 24 2021 02:07 PM by

Antispoofing

Recently we have been having a lot of issues with spoofed emails. The Return-Path address will normally be a gmail address and the From address will be example@mydomain.com asking for one of our users to do them a favor.

 

I looked through our anti-phishing settings, impersonation settings, antispoofing, etc. Everything looks like it's set correctly, but I would assume something in one of these policies should stop those emails from coming through without any sort of flag or intervention.

 

Is there anyway to setup a transport rule that will look at both the sender and from addresses and if they are different, insert a disclaimer to warn the recipient it's an impersonation? Or is there something within one of the policies I mentioned previously, that will already do this (or automatically route it to Junk Mail or Quarantine) and I have it configured incorrectly or not set to a high enough threshold?

1,066 Views
0 Likes
1 Reply
Reply
1 Reply
ankit shukla

‎Aug 12 2019 04:21 AM

‎Aug 12 2019 04:21 AM

Re: Antispoofing

@EASchmitt  Have you checked your SPF Records (if not already) . Spoofing generally happens when you have SPF Records setup incorrectly. 

 

To stop spoofing, the email filtering industry has developed email authentication protocols such as SPF, DKIM, and DMARC. DMARC prevents spoofing examining a message's sender - the one that the user sees in their email client (in the examples above, this is service.outlook.com, outlook.com, and accountprotection.microsoft.com) - with the domain that passed SPF or DKIM. That is, the domain that the user sees has been authenticated and is therefore not spoofed. For a more complete discussion, see the section "Understanding why email authentication is not always enough to stop spoofing" later on in this article.

However, the problem is that email authentication records are optional, not required. Therefore, while domains with strong authentication policies like microsoft.com and skype.com are protected from spoofing, domains that publish weaker authentication policies, or no policy at all, are targets for being spoofed.

 

https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofing-protection 

 

Pls see the article and compare your current settings to block these spoof emails.

 

Cheers !

Ankit Shukla

 

 

 

0 Likes
Reply