Exchange Online – Preventing Domain Spoofing


In many business environments domain spoofing is a real threat: it is a common form of phishing in which an attacker appears to use a company’s domain to impersonate the company or one of its employees.

The attack is usually carried out by sending e-mails with forged sender domains that look legitimate, or by registering look-alike domains with slightly altered characters that read as correct at a glance.

Typically a spoofed e-mail reuses logos and other visual elements to imitate the styling and branding of the legitimate business.

Recipients are then prompted to enter financial details or other sensitive data, or to send money, trusting that they are dealing with the right party.

That said, on Exchange Online (Office 365) this threat can be mitigated, alongside a proper SPF and DKIM configuration, with a transport rule. The instructions below (which also apply to Exchange 2013 and Exchange 2016) show how to create a rule that prevents your domain from being spoofed from outside your environment, i.e. from public IP addresses.

Important

We recommend configuring the rule to automatically delete messages that spoof your domain. This action can be adjusted to suit your organization’s network and requirements (for example, quarantining or redirecting the message).

To test the rule before enforcing it, you can redirect matching messages to a monitoring mailbox (remember to purge those messages once you have verified the rule, since they are the phishing mails themselves).

The procedure

This rule accomplishes the following:

  • Delete any inbound e-mail that originates from outside your organization but appears to come from your domain. “Outside” is decided by Exchange from the connector and source IP address the message arrived through, not from the sender address, which is exactly the part an attacker forges.
  • Allow e-mails from your own SMTP servers (especially the public ones) to bypass the rule, so that, for example, phishing simulations can still be sent that look like they come from internal accounts.

Note: this rule only protects your users from outsiders trying to spoof your domain. It does not stop an outsider from sending e-mail with your domain to a third party (i.e. not to your organization).

In other words, it blocks e-mail sent to your users from outside your organization that looks as if it originated inside, but it does not stop someone from sending an outsider a message that looks like it comes from your organization. That case is handled by SPF record management, which tells receiving servers which hosts or IP addresses are legitimately allowed to send e-mail for your domain.

To begin creating the rule, log into your Exchange or Office 365 portal and go to Admin > Exchange. The following screenshot shows an Office 365 environment:

[Screenshot: Office 365 admin portal, Admin > Exchange]

Next, click Mail flow, then the + sign in the right-hand pane and select Create a new rule…:

[Screenshot: Mail flow > Rules > Create a new rule…]

  • Give the rule a relevant name, such as Domain Spoof Prevention. Click on More options.
  • Under “Apply this rule if…” select “The sender is internal/external” and choose “Outside the organization” (this prevents your own internal e-mails from being blocked or deleted by the conditions that follow).
  • Add a condition, choose “The sender’s domain is” and enter your organization’s e-mail domain(s).
  • Then choose an action. In our case we delete the message, but you can choose other options based on your security policies. To automatically delete messages that spoof your domain, choose “Block the message” and then “Delete the message without notifying anyone”; use this action only after you have tested the rule.
  • Now add an exception for all your SMTP servers (and for any external organization that legitimately needs to send e-mail to your users as if it came from your domain, such as a phishing-simulation vendor or a SaaS application).
  • Choose “Sender’s IP address is in any of these ranges or exactly matches…” and fill in the public IP addresses of those SMTP servers.
  • Lastly, set Match sender address in message to “Header or envelope”, so that the domain check applies both to the From: header the user sees and to the SMTP envelope sender (MAIL FROM); a spoofed message often sets only one of the two to your domain.
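The same rule can be created from Exchange Online PowerShell, which is easier to review and to keep in version control than portal clicks. The following is an added example and is not part of the original article: it builds the rule in a redirect (test) mode first, then switches it to silent delete. The domain names, IP ranges, admin account and monitoring mailbox are placeholders that you must replace with your own.

```powershell
# Added example (not from the original article): anti-spoofing transport rule
# built with Exchange Online PowerShell. Requires the ExchangeOnlineManagement
# module. All names below are assumed placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # assumed admin account

$ruleName   = 'Domain Spoof Prevention'
$ownDomains = @('contoso.com', 'contoso.net')            # assumed: your accepted domains
$allowedIPs = @('203.0.113.10', '198.51.100.0/24')       # assumed: your public relays / phishing-test vendor
$monitorBox = 'spoof-monitor@contoso.com'                # assumed: monitoring mailbox for the test phase

# Step 1 - test mode. Same conditions and exception as the portal procedure, but
# matching messages are redirected to the monitoring mailbox instead of deleted.
#   FromScope NotInOrganization   -> "The sender is located outside the organization"
#   SenderDomainIs                -> "The sender's domain is ..."
#   SenderAddressLocation         -> "Match sender address in message: Header or envelope"
#   ExceptIfSenderIpRanges        -> "Except if sender's IP address is in any of these ranges"
New-TransportRule -Name $ruleName `
    -Comments 'Block external mail that claims to come from our own domains' `
    -FromScope NotInOrganization `
    -SenderDomainIs $ownDomains `
    -SenderAddressLocation HeaderOrEnvelope `
    -ExceptIfSenderIpRanges $allowedIPs `
    -RedirectMessageTo $monitorBox `
    -Priority 0

# Send a few test messages from an external account with a forged From: header
# in one of $ownDomains, confirm they land in $monitorBox and that legitimate
# mail from $allowedIPs is untouched, then purge the monitoring mailbox.

# Step 2 - enforce: drop the redirect and delete silently.
Set-TransportRule -Identity $ruleName -RedirectMessageTo $null -DeleteMessage $true

# Verify the final definition before disconnecting.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, SenderDomainIs, SenderAddressLocation,
                ExceptIfSenderIpRanges, DeleteMessage, RedirectMessageTo

Disconnect-ExchangeOnline -Confirm:$false
```

Priority 0 puts the rule ahead of any later rule that might otherwise redirect or re-route the message before the spoof check runs. Keep the `$allowedIPs` list as short as possible: every range you add is a range from which anyone can send mail to your users as your own domain.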

[Screenshot: the completed Domain Spoof Prevention rule]

Once you are satisfied with your settings, save the new rule. It takes effect shortly after saving; allow a few minutes for the change to propagate before testing.

NOTE: if you do not want to “Delete the message without notifying anyone” straight away, you can set the action to “Redirect the message to…” instead, but do not leave that in place longer than needed: the monitoring mailbox then receives every spoofed message, attachments and links included.