Nov 27 2018 03:56 AM
Dear community,
sometimes we receive Emails pretending to be from our own Exchange colleagues, what is obviously not true. The mails are not DKIM signed and the return path is different. What’s the easiest way to to sort them out in Exchange 365? I cannot identify one single sending server’s IP or return email, it’s always a different one… Further, I don’t want to setup for each user one individual rule...
Thanks in advance!
Markus
Nov 27 2018 04:51 AM
Nov 27 2018 06:15 AM - edited Nov 27 2018 06:15 AM
Thanks Chris,
I'll find out, how to enable this correctly. ATP is already licenced. I'll revert. MS Supporties never mentioned this possibility - though I've explained my issue in length!! :(
Best regards,
Markus
Nov 27 2018 06:18 AM
Nov 27 2018 09:25 AM
If you already have ATP, you should be covered by the "Impersonation intelligence" feature. You can get a list of senders/impersonated users here:https://protection.office.com/#/impersonationinsight?type=User&status=3
There is also the Spoof intelligence feature: https://docs.microsoft.com/en-us/office365/securitycompliance/learn-about-spoof-intelligence?redirec...
and the corresponding "insights": https://protection.office.com/#/spoofintelligence?confidence=2&type=External&decision=0&allow=No&ins...
Note that all of this are still subject to any whitelisting rules, so if such messages are still getting through, check your transport rules, whitelists and safe senders.