SOLVED

Auto forwarding emails treating emails as spoofed

%3CLINGO-SUB%20id%3D%22lingo-sub-2530253%22%20slang%3D%22en-US%22%3EAuto%20forwarding%20emails%20treating%20emails%20as%20spoofed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2530253%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20company%20A%20has%20recently%20acquired%20company%20B%20and%20created%20mailboxes%20for%20them%20in%20company%20A%20and%20setup%20email%20forwarding%20from%20B%20to%20A%20so%20that%20they%20use%20a%20single%20mailbox.%20Now%20the%20issue%20is%20whenever%20users%20from%20A%20send%20emails%20to%20company%20B%20email%20address%2C%20its%20getting%20spoofed%20when%20it%20comes%20back%20to%20company%20A%20due%20to%20email%20forwarding.%20How%20can%20we%20prevent%20them%20from%20spoofing%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2530253%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2530371%22%20slang%3D%22en-US%22%3ERe%3A%20Auto%20forwarding%20emails%20treating%20emails%20as%20spoofed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2530371%22%20slang%3D%22en-US%22%3EAre%20these%20users%20receiving%20an%20NDR%3F%20Maybe%20the%20default%20antispam%20outbound%20filter%20policy%20setting%2C%20that%20recently%20changed%20to%20Off%20by%20default%20might%20be%20affecting%20you%2C%20have%20a%20look%20at%20this%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fconfigure-the-outbound-spam-policy%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fconfigure-the-outbound-spam-policy%3Fview%3Do365-worldwide%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EBetter%20than%20changing%20the%20default%20the%20best%20might%20be%20to%20create%20a%20custom%20policy%20with%20the%20automatic%20forwarding%20setting%20enabled%20and%20test.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2531932%22%20slang%3D%22en-US%22%3ERe%3A%20Auto%20forwarding%20emails%20treating%20emails%20as%20spoofed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2531932%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F20390%22%20target%3D%22_blank%22%3E%40Andres%20Gorzelany%3C%2FA%3E%2C%20The%20forwarded%20emails%20are%20reaching%20well%20to%20on%20company%20A's%20EOP.%20However%20they%20are%20getting%20quarantined%20and%20being%20treated%20as%20spoofed%20on%20company%20A.%20(Since%20the%20sender%20is%20also%20from%20A%20and%20through%20email%20forwarding%20its%20routed%20back%20to%20A%20organization).%20Below%20diagram%20would%20explain%20it%20better.%20Is%20there%20any%20workaround%20of%20this.%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22spoof.jpg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F294607i2EE2B5517999DF24%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22spoof.jpg%22%20alt%3D%22spoof.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Our company A has recently acquired company B and created mailboxes for them in company A and setup email forwarding from B to A so that they use a single mailbox. Now the issue is whenever users from A send emails to company B email address, its getting spoofed when it comes back to company A due to email forwarding. How can we prevent them from spoofing ?

5 Replies
Are these users receiving an NDR? Maybe the default antispam outbound filter policy setting, that recently changed to Off by default might be affecting you, have a look at this

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-outbound-s...

Better than changing the default the best might be to create a custom policy with the automatic forwarding setting enabled and test.

@Andres Gorzelany, The forwarded emails are reaching well to on company A's EOP. However they are getting quarantined and being treated as spoofed on company A. (Since the sender is also from A and through email forwarding its routed back to A organization). Below diagram would explain it better. Is there any workaround of this. spoof.jpg

I see,
Take a look at this https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list?... and see if this could apply to your scenario.
I'll try to do some tests too.
best response confirmed by vivekvardhan007 (New Contributor)
Solution

@Andres Gorzelany, On further research I found that all these auto-forwarded emails are stamped an attribute Authentication-Results-Original: CompamyB.com. I created a Transport rule to set the SCL value as -1 if this attribute is found in Email-Headers and its working now, however I don't think its an appropriate solution because we are skipping the spam filtering and ATP in this workaround. Other solutions would be appreciated.

Could you avoid forwarding by assigning the alias address bob@b.com to bob@a.com?