Office 365 anti-spoof email protection: insider spoofing, faking the email address of the CEO or Managing Director to trick the CFO or Finance Director into transferring tens of thousands of pounds to criminal bank accounts, is really big business. Microsoft, with Office 365 anti-spoof email protection, is quashing the threat.
Spoofed, phishing and fake emails are probably the lowest-tech attacks that are still extremely lucrative for fraudsters. The email from the boss looked kosher. He said a new supplier needed paying urgently: it was £50,000 to secure a really important contract. He wanted it done now because he was on holiday and didn’t want to concern himself with work. Apparently this seemed perfectly normal to the finance director, because his boss had already posted a photo of himself on his boat during his Greek island getaway on Instagram. The email address looked genuine too. You can read the full story here: BBC Technology News: Bogus boss scam
Obviously it wasn’t genuine. Why else would we be here reading about such a simple scam that cost the small manufacturing firm £150,000? I won’t go into the social engineering tactics employed, and how they can be mitigated, as we don’t do commentary on organisational structure and process adherence. Thankfully Exchange Online Protection (EOP), the email filtering component of Office 365, rolled out full anti-spoof email protection for all of its users late in 2016.
What is the spoofing problem Office 365 anti-spoof email protection (EOP) is solving?
Over the past couple of years the industry has seen a massive increase in targeted spear phishing attacks where the attacker spoofs an employee high up in the organisation, such as the CEO, and emails another high-ranking employee, such as the CFO, asking them to perform a bank transfer or similar action. There are no attachments or links in the message, only plain-language instructions asking the target to comply with the demands. These messages are sent in low volumes, they are grammatically correct and they contain no spelling mistakes. They’re still fraudulent.
Amrit, this needs doing now as it jeopardises the contract. I’m on holiday so transfer £50,000 to them. Details below. We need to get this taken care of today.
Sent from Outlook for iPhone
Exchange Online Protection already has anti-spoofing email technology in the form of SPF, DKIM and DMARC. However, most organisations have neither the expertise nor the resources needed to set these up and maintain them. All organisations still need anti-spoofing protection, as these messages must be detected and users protected. Domain Spear Phishing Protection, or Business Email Compromise protection, is the new feature that Exchange Online Protection has rolled out. It detects spoofing of your domain even without SPF, DKIM or DMARC records.
You don’t have to do anything to receive this protection; you get it for free, automatically. The protection can be customised to be more or less strict, for example by permitting others to send on your behalf.
How is Office 365 anti-spoof email protection (EOP) solving it?
First, Exchange Online Protection checks whether the message is destined for your organisation and comes from any of your provisioned domains, or a subdomain of any of your provisioned domains. For example, any of these may be potential spoofs:
If the From and To domains are the same, Exchange Online Protection checks whether the message is legitimate. Did it originate inside the organisation? Is the sender authorised to send email on your behalf? Is it a known good bulk sender? EOP also uses sending domain reputation, sending IP reputation and recipient reputation (for example, how many messages you normally receive from this sender and how your email is routed through the EOP service). There is also extensive use of machine learning. The questions come down to:
- Does it look like a spoof email?
- Does it authenticate?
- Does it have good sender reputation?
- Is there any other, positive or negative, intelligence on the sender?
Office 365 anti-spoof email protection (EOP) uses all of this data to make sure that the service marks malicious email as spoofed, and not legitimate email.
How to tell if Office 365 anti-spoof email protection (EOP) thinks a message is a spoof.
When EOP thinks a message “from” your domain to any of your domains is a spoof, it marks it as spam and adds the following header:
The X-Microsoft-Antispam header is already used by Office 365 anti-spoof email protection to report the verdicts of various other spam filtering components. The SFTY:9.5 or SFTY:9.11 value refers to the Safety Level of a message. This property has other values, but they are reserved for internal use by EOP.
You can double-check this by looking at the From: address and the To: address. Both domains will be the same, subdomains of each other, or part of your Accepted Domains. From early 2017, EOP will start adding Safety Tips to the message. Safety Tips are visual indicators letting you know that the message is fraudulent or may be a phishing scam. These Safety Tips are visible when you view your email in Outlook on the web.
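As an added example (not Microsoft's code and not from the original post), the following Python triage helper applies the two checks this post describes: it pulls the SFTY property out of the X-Microsoft-Antispam header and confirms that the From and To domains are the same, subdomains of each other, or both within the tenant's accepted domains, as the section on how EOP decides and the section on reading the header both describe. The semicolon-separated KEY:value layout of the header and all sample addresses and values are assumptions; the real header carries many more properties.

```python
from email.utils import parseaddr
# Safety Level values the post names as EOP's intra-domain spoof verdict.
SPOOF_SAFETY_LEVELS = {"9.5", "9.11"}

def parse_antispam_header(value: str) -> dict:
    """Split a semicolon-delimited X-Microsoft-Antispam value into KEY -> value (layout assumed)."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def domain_of(address: str) -> str:
    """Lower-cased domain of 'Display Name <user@example.com>' or a bare address."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def same_or_subdomain(a: str, b: str) -> bool:
    """Equal, or one is a subdomain of the other. The dot prefix matters:
    contoso.example must not match contoso.example.attacker.test."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def is_intra_org(from_addr: str, to_addr: str, accepted_domains) -> bool:
    """The From/To relationship the post describes: same domain, subdomains of
    each other, or both covered by the tenant's accepted domains."""
    f, t = domain_of(from_addr), domain_of(to_addr)
    accepted = [d.lower() for d in accepted_domains]
    covered = lambda d: any(same_or_subdomain(d, a) for a in accepted)
    return same_or_subdomain(f, t) or (covered(f) and covered(t))

def eop_spoof_verdict(headers: dict, accepted_domains) -> str:
    """Triage one message (dict of header name -> value). 'spoof': SFTY matched
    and From/To are intra-org as the post says they will be; 'sfty-only': the
    header fired but the domains do not line up, so look closer; 'clean': no mark."""
    fields = parse_antispam_header(headers.get("X-Microsoft-Antispam", ""))
    if fields.get("SFTY") not in SPOOF_SAFETY_LEVELS:
        return "clean"
    if is_intra_org(headers.get("From", ""), headers.get("To", ""), accepted_domains):
        return "spoof"
    return "sfty-only"

if __name__ == "__main__":
    # Constructed sample: a "boss on holiday" message that EOP has marked SFTY:9.5.
    msg = {
        "From": "The Boss <ceo@contoso.example>",
        "To": "amrit@finance.contoso.example",
        "X-Microsoft-Antispam": "BCL:0;PCL:0;SFTY:9.5",  # constructed; the real header is longer
    }
    print(eop_spoof_verdict(msg, ["contoso.example"]))  # spoof
```

Feed it the header dictionary from a quarantined or reported message; an `sfty-only` result means EOP flagged a Safety Level but the From/To domains are not ones you recognise, which is worth an analyst's look.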
Report your suspicious emails
It’s enormously useful to the community if you report any suspicious emails back to Microsoft so that they can add the sender details and the characteristics of the email’s contents to their filtering data. In doing so you are helping to protect not only yourself but also the tens of millions of Office 365 users across the globe. Watch the short video below to see how you can submit emails you suspect are spam, phishing, spoofed or malicious:
And Finally . . .
There are far more extensive options available using SPF, DKIM, or DMARC records. Perhaps I can cover those in some future post. In the meantime please feel free to leave a comment or get in touch if you require additional guidance regarding implementing SPF, DKIM, or DMARC records via PowerShell.