Spoofing and distribution groups


I have a customer with distribution groups set up to allow external emails; however, they are not wide open to the world. They are limited by groups in Office 365. We are having a major issue with internal users being spoofed and Office 365 allowing the email to go into the distribution list and be delivered. To the internal people, ATP is catching the spoofs and sending them to junk. The external people are all getting the spoofs delivered to them.

I need a way to be able to stop those spoofs from being able to enter the distribution group but so far have found no way to accomplish this. I'm hoping someone else has run into this and come up with some kind of clever workaround.

Anyone run into this or have any ideas how I can address this?

2 Replies
Several options to explore here. You can change the spam policy action to quarantine or remove, you can create a transport rule to detect/reject such messages, report it as false negative and work with support to identify why exactly this is happening. My guess would be that the messages are still being marked as spam but some setting on recipient's end is causing them to end up in Inbox, for example headers being stripped, trusted senders list, etc.
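
One way to express the transport rule option from the reply above in Exchange Online PowerShell (an added example, not part of the original thread). The domain and group address are placeholders, and it assumes the spoofed messages reach the tenant from outside the organization rather than from an authenticated internal sender.

```powershell
# Assumes an Exchange Online PowerShell session is already open
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module).

# Placeholder values: replace with the tenant's accepted domain and the
# distribution group that external recipients are members of.
$internalDomain = 'contoso.example'
$groupAddress   = 'partners-dl@contoso.example'

$rule = @{
    Name                            = 'Block outside mail using internal sender to DL'
    # Condition 1: the message did not originate inside the organization.
    FromScope                       = 'NotInOrganization'
    # Condition 2: the sender address uses the organization's own domain.
    # HeaderOrEnvelope checks both the From header and the envelope sender.
    SenderAddressLocation           = 'HeaderOrEnvelope'
    SenderDomainIs                  = $internalDomain
    # Condition 3: a recipient is a member of the distribution group
    # (the group itself can be in To, Cc or Bcc).
    SentToMemberOf                  = $groupAddress
    # Action: reject with an NDR instead of delivering to the group.
    RejectMessageReasonText         = 'Sender address is not permitted from outside the organization.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    # Start in audit mode: matches are logged, nothing is rejected yet.
    Mode                            = 'Audit'
    Comments                        = 'Anti-spoofing rule for externally reachable distribution groups.'
}
New-TransportRule @rule

# Confirm the rule exists and is still in audit mode.
Get-TransportRule -Identity $rule.Name | Format-List Name, State, Mode, Priority

# After reviewing the audited matches in message trace and confirming that
# no legitimate third-party sender using the domain is hit, enforce the rule.
Set-TransportRule -Identity $rule.Name -Mode Enforce
```

If the audited rule never matches the spoofed messages, they are being treated as internal, which is the detail to raise with support.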

ATP is catching them for internal users but they are still going out to external users. What I would like to do is stop them from going out at all but I don't know how to determine these emails are fake given what I have to work with in the portal for rule creation. They appear to authenticate so I can't check if they are external and use that. I'm kind of at a loss.

I have a ticket open with Microsoft regarding this but no one has reached out to me yet. The last 3 Office 365 tickets I've opened, support has been abysmal on them so I'm not really expecting a lot on MS's side.