Schooling A Sea of Phish Part 2: Enhanced Anti-spoofing technology in Office 365
Published Mar 28 2018 10:35 AM 52.2K Views
Microsoft

A few weeks ago, we released new enhanced anti-impersonation capabilities for Office 365 Advanced Threat Protection (ATP).  Today we’re excited to announce Office ATP’s enhanced anti-spoofing capability for protecting against spoofed emails from external domains.  We believe this new capability will help lead the industry in further securing email.  The new feature raises the required level of authentication checks for emails sent into Office 365, helping ensure greater protection for customers.  Spoofing occurs when an email message appears to originate from someone or somewhere other than the actual source; it is a technique often used in phishing campaigns designed to obtain user credentials.  Microsoft’s anti-spoof technology specifically examines forgery in the ‘From:’ header.  Attackers can spoof the domain of an organization and send a spoofed email back to that organization, or spoof an external domain and send emails as that spoofed domain to an organization. Exchange Online Protection (EOP) has been securing Office 365 customers from internal domain spoof for many years.  Also, Office 365 admins are given tight control over their organization’s spoof filters from the Office 365 Security & Compliance Center.  We recommend that admins further improve their organization's spoof protection by appropriately configuring SPF, DKIM, and DMARC.

 

The newest anti-spoof features help protect organizations from external domain spoof.  Office 365 honors emails from external domains whose SPF, DKIM, and DMARC settings are properly configured, enabling them to pass authentication, and junks messages that fail this authentication. The challenge occurs when external domains do not have these settings properly configured. For example, studies (FTC report, dmarc.org report) show that enforcement of DMARC remains low. Without enforcement of these settings, domains have a greater potential to be maliciously spoofed, exposing customers to phishing or spam attacks. The new external domain anti-spoofing capabilities help detect and block emails from external domains that do not have

 

  • proper authentication configuration
  • an email infrastructure source with unknown history
  • a source which is anomalous to previous sending patterns from that domain.

 

Customers will see immediate effect from this enhancement as both email senders and recipients will notice more emails being junked.  Admins can whitelist domains that will not meet the tighter authentication requirements from the Office 365 Security and Compliance Center.  We also recommend admins of sender domains into Office 365 update SPF, DKIM, DMARC configurations so emails can pass the stricter authentication rules.
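The post recommends that sender domains publish SPF, DKIM, and DMARC and notes that DMARC enforcement remains low. The following Python script, added here as an example and not part of the original post or of Office 365, shows what "properly configured" versus "published but not enforced" looks like at the DNS level: it parses DMARC and SPF TXT records and flags a `p=none` (monitor-only) policy, a partial `pct`, and a permissive `+all`. The records are constructed samples for the RFC 2606 documentation domains, embedded inline so nothing is resolved from live DNS.

```python
import re

# Constructed sample TXT records for documentation domains; nothing is looked up
# from DNS, so the script runs offline. Replace with real lookups in practice.
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=25",
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all",
    "example.net": "v=spf1 include:_spf.example.net ~all",
    "example.org": "v=spf1 ip4:198.51.100.1 +all",
}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    if record is None or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record):
    """Classify a DMARC record as 'missing', 'monitor' (p=none), 'partial'
    (quarantine/reject applied to only pct% of mail) or 'enforced'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy not in ("quarantine", "reject"):
        return "monitor"
    return "enforced" if pct >= 100 else "partial"


def spf_all_qualifier(record):
    """Return the qualifier on the terminal 'all' mechanism: '-' (fail), '~' (softfail),
    '?' (neutral) or '+' (pass, which lets any host pass SPF); None if no SPF record.
    With no 'all' term at all, SPF evaluates to neutral, so '?' is returned."""
    if record is None or not record.strip().lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return "?"


def assess_domain(domain, txt=SAMPLE_TXT):
    """Summarise how much anti-spoofing signal the domain's own DNS gives receivers."""
    dmarc = dmarc_enforcement(txt.get("_dmarc." + domain))
    spf_all = spf_all_qualifier(txt.get(domain))
    findings = []
    if dmarc != "enforced":
        findings.append(f"DMARC {dmarc}: receivers are not told to reject or quarantine failures")
    if spf_all is None:
        findings.append("no SPF record published")
    elif spf_all == "+":
        findings.append("SPF ends in '+all', so any host passes SPF for this domain")
    elif spf_all == "?":
        findings.append("SPF ends neutral; unauthorised hosts are not failed")
    return {"domain": domain, "dmarc": dmarc, "spf_all": spf_all, "findings": findings}


if __name__ == "__main__":
    for name in ("example.com", "example.net", "example.org"):
        print(assess_domain(name))
```

A domain that comes back with an empty `findings` list is one whose mail a receiver such as EOP can evaluate by explicit authentication alone; the others are exactly the cases where the receiver must fall back on sending history and reputation, as the post describes.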

 

 

Anti-spoofing in Exchange Online Protection

For EOP customers, Office 365 honors emails from external domains which pass explicit authentication through proper SPF, DMARC, and DKIM configurations and enforcement.  Since its inception, EOP has also leveraged implicit authentication to further protect customers from internal domain spoofing. It is designed to check whether a message’s destination is your organization and whether the message claims to come from any of your provisioned domains, or subdomains of any of your provisioned domains.  To pass authentication, EOP checks the published DMARC/DKIM standards as well as the SPF framework, verifying the reputation of the sending domain, the reputation of the sender IP address, and also the recipient reputation (i.e. how many messages do you receive from this sender? how is your email routed through the EOP service? etc.).  If EOP determines that an email is spoofed, it will mark the email as spam in the email header.  Additionally, EOP has provided safety tips in the message which serve as visual indicators letting end users know that a message is fraudulent or may be a phishing scam. Further details on EOP’s anti-spoofing are available here.

 

Figure 1.  Exchange Online Protection Anti-spoofing checks

 

Anti-spoofing with Office 365 Advanced Threat Protection

In addition to the standard EOP filter protection, Office 365 ATP customers are now also protected from external domain spoof by default through a newly enhanced filter.   For external domains, ATP first checks if the email passes SPF, DKIM, and DMARC.  If it does not, ATP will check the historical sending patterns of that domain and its associated infrastructure. If it detects anomalies and unknown patterns, it will proceed to junk the message if the sender does not have a good reputation. The filter constantly evolves and enhances itself based on the mail flow patterns it observes.  ATP customers can access the spoof intelligence report in their Antispam Policy (figures 2, 3), which provides insights into domains being flagged as spoof mail and allows admins to take necessary actions.  As mentioned, determining whether a spoof is legitimate or malicious is complicated because organizations fail to publish SPF, DMARC, or DKIM, yet have senders who are authorized to send for that domain.  Admins can review internal and external domains being spoofed and sending emails into their organization.  It is important to understand that there are scenarios (see figure 4) when email is legitimately spoofed and should be delivered. 

 

Figure 2.  Spoof intelligence settings for Office 365 Advanced Threat Protection

 

Figure 3.  Spoof intelligence Report for Office 365 Advanced Threat Protection

 

Figure 4.  Legitimate instances of internal and externally spoofed domains

 

Spoof intelligence enables admins to enhance spoof protection by specifying which senders are authorized to spoof their organization's domains and send email on its behalf.  The setting also enables designating external domains which are permitted to spoof.  Emails from unauthorized senders or domains are treated as spam by Office 365.  By effectively managing the spoof intelligence settings, admins can customize and enhance the spoof protection for their organization.

 

Enhanced Granular Anti-spoofing Policy Controls

With the new anti-spoofing enhancements, admins can now control the strength of the spoof filters, the action taken when an email is flagged as malicious spoof, and whether safety tips are turned on or off.  The spoof filter threshold can be set to ‘default’ or ‘strict’ (figure 5).  When set to ‘default’, messages passing implicit or explicit authentication will be considered legitimate with regard to spoofing and allowed to enter the remaining email filtering stack marked as ‘normal’ email.  If the threshold is set to ‘strict’, only messages passing explicit authentication are marked ‘normal’.  Under the ‘strict’ setting, when an email passes implicit authentication but with medium or low confidence, it is considered a ‘soft pass’ and will be marked as a spoofed email.  Since the ‘strict’ setting is more aggressive, it may lead to a small number of false positives.

 

 

Figure 5.  Spoof threshold admin control panel

 

Admins also have more control over the actions taken when an email is flagged as a spoof.  Emails marked as spoof can either be sent to the recipient’s junk mail folder or directed to quarantine.  The new anti-spoof policy controls also allow safety tips to be shown on emails that fail authentication or that pass authentication with only medium or low confidence (soft pass), as shown in figure 6.  It should be noted that safety tips for soft passes should only be enabled for a small group of users, as many tips could be generated if a user receives email from legitimate yet unauthenticated sources.
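To make the threshold, action and safety-tip settings described in the two paragraphs above concrete, here is an added Python example (not code from the original post and not how Office 365 implements its filter) that models them literally: it parses the `spf=`, `dkim=`, `dmarc=` and `compauth=` results from an `Authentication-Results` header value, maps them to the post's categories (explicit pass, implicit pass, soft pass, fail), and then applies the ‘default’/‘strict’ threshold, the junk-or-quarantine action and the safety-tip rules. The header values are constructed samples shaped like the ones Office 365 writes, not captures from a real tenant; treating `compauth=pass` as high-confidence implicit authentication and `compauth=softpass` as the post's "soft pass" is this example's assumption.

```python
import re

# Constructed Authentication-Results header values, modelled on the shape Office 365
# writes (spf=, dkim=, dmarc= and Microsoft's composite compauth= result). They are
# samples for this example, not headers captured from a real tenant.
SAMPLE_HEADERS = {
    "explicit_pass": (
        "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com; "
        "dkim=pass (signature was verified) header.d=example.com; "
        "dmarc=pass action=none header.from=example.com; compauth=pass"
    ),
    "implicit_pass": (
        "spf=none (sender IP is 198.51.100.7) smtp.mailfrom=example.net; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=none action=none header.from=example.net; compauth=pass"
    ),
    "soft_pass": (
        "spf=none (sender IP is 198.51.100.9) smtp.mailfrom=example.org; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=none action=none header.from=example.org; compauth=softpass"
    ),
    "fail": (
        "spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=fail action=oreject header.from=example.com; compauth=fail"
    ),
}

# method=result pairs; the word boundary keeps 'smtp.mailfrom=' and 'header.from=' out
FIELD_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)")


def parse_auth_results(header):
    """Map each authentication method to its result, e.g. {'spf': 'pass', ...}."""
    return {method: result for method, result in FIELD_RE.findall(header)}


def auth_level(results):
    """Translate raw results into the categories used in the post."""
    if results.get("dmarc") == "pass":
        return "explicit"      # SPF/DKIM/DMARC published by the sender and passing
    compauth = results.get("compauth")
    if compauth == "pass":
        return "implicit"      # no explicit pass, but high-confidence implicit auth (assumption)
    if compauth == "softpass":
        return "softpass"      # implicit auth with only medium/low confidence
    return "fail"


def evaluate(header, threshold="default", spoof_action="junk", tips_on_softpass=False):
    """Apply the threshold, spoof action and safety-tip settings the post describes.

    threshold:        'default' (implicit passes are legitimate) or 'strict' (explicit only)
    spoof_action:     'junk' (recipient's junk folder) or 'quarantine'
    tips_on_softpass: whether safety tips are also shown for soft passes
    """
    level = auth_level(parse_auth_results(header))
    if level == "explicit":
        verdict = "normal"
    elif threshold == "default" and level in ("implicit", "softpass"):
        verdict = "normal"     # default: implicit authentication counts as legitimate
    else:
        verdict = "spoof"      # strict: anything short of an explicit pass is spoof
    return {
        "auth": level,
        "verdict": verdict,
        "action": spoof_action if verdict == "spoof" else "deliver",
        # tips are shown on authentication failures, and on soft passes only if enabled
        "safety_tip": level == "fail" or (level == "softpass" and tips_on_softpass),
    }


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, evaluate(header, threshold="strict", spoof_action="quarantine"))
```

Running the same four headers through both thresholds shows the trade-off the post mentions: under ‘strict’ the implicit and soft-pass samples, which a legitimate but unauthenticated sender would produce, move from "deliver" to the spoof action, which is where the false positives come from.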

 

 

Figure 6.  Spoof safety tip control panel

 

Send Us Your Feedback 

For more details on the new anti-spoof capabilities, read our full article, which will help guide you through setting up the new feature. Here are some other helpful articles and videos on the Office 365 and Office 365 ATP anti-phish and anti-spam capabilities:

 

 

We look forward to your feedback once you experience the new anti-spoof capabilities for Office 365 Advanced Threat Protection.  The feedback helps us continue improving and adding features that will allow Office ATP to be the premier advanced security service for Office 365.  If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 trial today and start securing your organization from the modern threat landscape.  Look for the final part of this series soon, where we will complete our overview of the enhanced anti-phishing capabilities for Office 365 ATP.  

16 Comments

Those are all awesome improvements, but please please please communicate things better/earlier from now on :) Same goes for the documentation, for example the Learn more about these threshold levels link points to an article which doesn't even mention "threshold".

Bronze Contributor

Yeah @Vasil Michev, agreed. I just happened to be in the middle of a transition to EOP/ATP from our on-prem (Barracuda) solution and suddenly had an unexpected flurry of tools to review that I didn't know about :)

I'm having a little trouble with the UI and ease of use of the Security and Compliance Center, especially with the new anti-spoof/phishing tools. Here are a few questions after a couple of days of use:

 

  • how do I get a simple message list (chronological) of all incoming/outgoing messages and their corresponding spam actions (block/junked/...) and reasons for the action?
  • how do I review spoofed messages in detail? Sometimes I'm not sure if that spoof is really wanted or not just by knowing the infrastructure, and would need to see the full message to know that. 
  • I still haven't quite figured out (even after reading this) what I'm looking at when reviewing external domains that are trying to spoof our users.
  • is there a reason why the anti-phishing policy is limited to 20 users and not the whole organization?

 

Copper Contributor
great article but the admin Panel from Figure 5 is not visible in our tenant.

Hi @Ivan Unger. The 20 limit for spoofing protection is not who you apply the list to, but the names you want to especially check for in a possible spoof email. For example you could add John.smith@domain.com, who is your CEO to the list and apply that list to everyone in the company. Then emails from John.smith@isp.com could be considered attempted spoof emails and so alerted as such (the rules will be more involved than that example, but as I understand it, that is the idea of the list)

Copper Contributor

Hello,

 

Is there any breakdown of exactly what the Advanced Phishing Threshold levels do? The article associated in the portal does not actually mention what these differing levels do.


Copper Contributor

Great article. 

I would still like an answer to @Ivan Unger's question: is there a reason why the anti-phishing policy is limited to 20 users? I have large clients asking for more than 1% of their total employees to be protected against impersonation attacks. 

Copper Contributor

How does ATP Anti-Phishing/Spoofing protect against Display Name spoofing?

Bronze Contributor

It checks for similar display names and email addresses. "How" Microsoft is doing it is probably proprietary information, but I can confirm it works. 

We have a legitimate spoofing case in our environment where the display is similar to ours, but the mail address is first.lastname@othercompany.org and I get the spoofing notification. 

I also get notified when the endusers send messages from their personal email account (as in lastname@icloud.com) to the corporate account.

I have also seen a similar example. I was working through the settings on a remote session with a client of mine and we added the CEO to the list, and I left them to add the remaining "important" users to the list. They did not! A few weeks later they got a phish; it was reported internally and the report made its way back to me. One email in the phish campaign was stopped and the other was not. On looking we saw that the one that was stopped came from a display name that matched the CEO, and the second email came from a display name that matched the CFO. The email "from" the CFO made it into the user's mailbox as ATP had not been configured to consider this display name a high-risk account! We updated the policy and told the client to ensure that they added all the "important" mailboxes to the policy (and if over 20 mailboxes, create a second policy and carry on).


 

Gold Contributor

Is this the place to suggest that when the feature moves to the "Launched" category of the Office Roadmap that a "More Info" link be included there?

Copper Contributor

Agreed, this is all great stuff and there appears to be about 3 thousand options available.  For small business customers with a single domain, do you have any best practice recommendations?  Implementing everything is time consuming and expensive from a labor standpoint.  I would love to know what is deemed "the best bang for the buck" time wise.

Accept the default and be done with it. The defaults are good, they are not weak. Also, coming before the end of Sept will be the enhanced anti-spoof options that until now were only part of ATP/E5 licences (see MC146520 in the tenant Message Center). A default policy will be created automatically that will use machine learning to determine who your users communicate with and block emails from those domains that do not come from the servers that EOP knows it used to come from (i.e. when the domain is being spoofed).

 

Other than that, you might want to change junk email > junk email folder so that junk goes to the quarantine, but then it becomes the responsibility of IT to manage the quarantine, and if you are like any other IT organization, you have better things to do than manage the quarantine. You can also optionally have a notification to the user that there is spam to check, and they can manage their own quarantine.

 

The rest of the settings - unless you know you need them, don't change them.

Brass Contributor

Do we know how to tackle or block PhishPoint phishing emails as they are being circulated using SharePoint URL's?

ATP failed to detect these things, so is there a way we can do something to protect our tenant?

Microsoft

Rishank, 

 

Thanks for your comment.  Do you have any actual samples that impacted your tenant where ATP is turned on and missed a PhishPoint threat?  If so, please create a support ticket we'll be happy to take a look.

 

If you are just basing your comment because of the recent article, you should note that they do not mention any of our services and simply make a blanket statement that we don't have protection for PhishPoint.

 

ATP is designed to stop PhishPoint and does.  The company that wrote that report has historically written blog posts to create Fear, Uncertainty, and Doubt (FUD) about Office 365 security to help market and sell their own products.  We see one of their blogs on something that they claim Office 365 misses almost every month.  It is nothing new, and it is not true.

 

Please reach out to your account rep who can go into the details on how Office 365 ATP is designed to protect against PhishPoint.  You can also read our support article here:

 

https://support.office.com/en-us/article/office-365-atp-for-sharepoint-onedrive-and-microsoft-teams-...

 

Thanks.

Copper Contributor

What's the ETA on a feature that allows for hybrid mail flow tenants take advantage of DMARC such that the IP address of the upstream email security gateway isn't used in the SPF evaluation?

Iron Contributor

If we are using "PhishPoint" as a generic term to refer to that infernal combination of breached EXO mailboxes and OneDrive SPO pages then yes, we see a lot of that. ATP misses a number of them during the EXO screening, and remediation does not detect all of those that get through and are tested later. The false negative rate fluctuates by week, and some are better than others. I should stress that the content hosted in a typical compromised SPO page is not itself malign but merely encourages the recipient to click on a link leading on to the phishing site hosted elsewhere. SPO site pages are far less of a problem, and I cannot recollect the last time I saw a bad one.

 

@Rishank - we use a simple EOP rule to catch OneDrive links:

... and Includes these patterns in the message subject or body: 'http\S*-myfiles\.sharepoint\.com' or 'http\S*-my\.sharepoint\.com'

 

This omits tenancy site URLs. A second rule is required to go after links in attachments, and of course not all attachment types are traversable. An exception is needed if the recipient organisation uses OneDrive itself.

 

The predicate is easy; the trickier question is what action to take. Rejection is only an option for organisations that prohibit their recipients from using other tenancies' storage. Regrettably EOP does not have a stripping action, and no system administrator is praised for creating additional administrative work. A pre-pended disclaimer is therefore possibly the best action, though familiarity with such warnings will often lead to recipient fatigue.
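The comment above spells out a transport-rule shape (predicate, exception for the organisation's own tenant, prepended disclaimer as the action). As an added example that is not part of the comment and does not use EOP's rule engine, the Python below applies the two regular expressions quoted in the comment to a message's subject and body, skips links to an assumed own tenant named `contoso`, and prepends a disclaimer when a foreign OneDrive link remains. The sample messages are constructed from documentation tenant names; the `OWN_TENANT` value and the disclaimer text are this example's assumptions.

```python
import re

# The two patterns quoted in the comment above, as Python regular expressions.
ONEDRIVE_PATTERNS = [
    re.compile(r"http\S*-myfiles\.sharepoint\.com"),
    re.compile(r"http\S*-my\.sharepoint\.com"),
]

OWN_TENANT = "contoso"  # assumed name of the recipient organisation's own tenant
DISCLAIMER = (
    "[External OneDrive link] This message links to a file stored in another "
    "organisation's OneDrive. Verify the sender before opening it."
)


def find_onedrive_links(subject, body):
    """Return every OneDrive host URL matched in the subject or body, in order, without duplicates."""
    text = subject + "\n" + body
    found = []
    for pattern in ONEDRIVE_PATTERNS:
        for m in pattern.finditer(text):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


def is_own_tenant(link, tenant=OWN_TENANT):
    """Exception for the recipient organisation's own OneDrive (<tenant>-my.sharepoint.com)."""
    host = re.sub(r"^https?://", "", link).lower()
    return host.startswith(tenant.lower() + "-my")


def apply_rule(subject, body, tenant=OWN_TENANT):
    """Predicate, exception and action: prepend a disclaimer if a foreign OneDrive link is present."""
    links = [link for link in find_onedrive_links(subject, body) if not is_own_tenant(link, tenant)]
    if not links:
        return {"matched": False, "links": [], "body": body}
    return {"matched": True, "links": links, "body": DISCLAIMER + "\n\n" + body}


# Constructed sample messages (documentation tenant names, not real links).
FOREIGN = (
    "Please review: https://fabrikam-my.sharepoint.com/:b:/g/personal/j_doe_fabrikam_com/Ab1 "
    "before Friday"
)
INTERNAL = "Draft at https://contoso-my.sharepoint.com/:w:/g/personal/a_smith_contoso_com/Cd2"

if __name__ == "__main__":
    print(apply_rule("Shared file", FOREIGN))
    print(apply_rule("Shared file", INTERNAL))
```

Note that `\S*` in the quoted patterns is greedy, so each match extends from `http` to the last `-my.sharepoint.com` in the same whitespace-free run; that is convenient for extracting the host, but, as the comment says, it only sees links in the visible subject and body, not inside attachments.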

Version history
Last update: May 11 2021 01:54 PM