Block Spoofing in Office365

Over the last few months, the companies I work for have been getting hammered with spoofed e-mails. We have had people claiming to be vice presidents. People asking for wire transfers and direct deposit changes. We even had one spoofer requesting copies of social security numbers. We also have spoofers who claim to have hacked an account then demand a bitcoin ransom.

I am not sure what has happened all of a sudden to make this so bad, but I found a simple fix in Office 365 and I wanted to share.

Block Spoofing In Office 365 With Mail Flow Rules

The first thing to do is to go into the admin center in Office 365. Then go into the Exchange settings.

The thing we are looking for is mail flow rules.

Office 365 Mail Flow

Once in there, you can set up a new rule to block spoofing. Make sure you click the More Options link because we will need that to add more than one condition.

More Options for new spoof rule.

What The Mail Flow Rule Looks Like

For my rule, I decided to only prepend a warning message to the e-mail so the users could decide if it is legit or not. I wanted to start with a warning to make sure we were not catching any good e-mails. But instead of the warning, you can change the rule to block the message.

You can also add an exception by IP address. This is good if a legitimate service is sending e-mails with your domain on your behalf. I put in here to show how the rule would look but you would want to put the public IP of the server sending the mail.

Office 365 Spoofing Rule

It may take a few minutes for the new spoofing rule to kick in. Once it is working, users will start getting warnings added to any internal messages that do not come from your Office 365 mail server. I used a simple PHP mail script to test a spoofing attempt to make sure the rule was working. Since then I have had lots of people tell me they got the warning.

Customize The Disclaimer Message

You may also notice I had put the <hr /> in there. That is HTML code to draw a line between the warning and the rest of the message. The disclaimer accepts HTML code so you can do some styling to it if you would like.
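The same kind of rule can be created from Exchange Online PowerShell. This is an added example, not the rule from the post's screenshot: the conditions are inferred from the description above, and the domain `contoso.com`, the IP `203.0.113.25`, the rule names and the warning text are placeholders to replace with your own.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$domain  = 'contoso.com'      # assumption: your accepted domain
$relayIp = '203.0.113.25'     # placeholder: public IP of a legitimate sender
$name    = 'Warn - external mail using our domain'   # hypothetical rule name

# Constructed warning text; <hr /> draws a line above the original body.
$warning = @'
<p><strong>Warning:</strong> this message uses a company address but did not
come from our Office 365 mail server. Verify it before acting on it.</p>
<hr />
'@

# Conditions shared by the warning rule and the blocking rule.
$match = @{
    FromScope              = 'NotInOrganization'  # sender is outside the organization
    SenderDomainIs         = $domain              # but the address uses our domain
    SenderAddressLocation  = 'HeaderOrEnvelope'   # check From header and envelope sender
    ExceptIfSenderIpRanges = $relayIp             # service allowed to send on our behalf
}

# Warning phase: prepend the disclaimer and deliver the message.
New-TransportRule -Name $name @match `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $warning `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Blocking variant, created disabled. Once the warning rule has shown no
# false positives, disable it and enable this one.
New-TransportRule -Name 'Block - external mail using our domain' @match `
    -RejectMessageReasonText 'Message rejected: sender domain not permitted from outside the organization.' `
    -Enabled $false

# Review what was created.
Get-TransportRule |
    Where-Object Name -like '*external mail using our domain' |
    Format-List Name, State, Mode, Priority, ExceptIfSenderIpRanges
```

Keeping the conditions in one hashtable means the warning and blocking rules cannot drift apart when the IP exception list changes.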
