What should I look out for?

In our previous Office 365 post we covered how to close the authentication security gap (LINK) due to malicious attackers using known good credentials which could have been scraped from spoofed emails attacks. Commonly, successful attacks come from messages that appear to be coming from an internal source like HR asking for a performance review, or the CFO asking for wiring instructions. To combat this, we’ll create a rather simple mail rule that will append the subject line of emails coming from external sources but have a display name that matches that of a pre-populated VIP list. Your VIP list should contain proper names for those selected along with known short names/nicknames (Ex: Mike & Michael or Beth & Bethany).

Configuring Mail Routing Rule

  1. Log into Office 365 Admin Center (https://admin.microsoft.com)
  2. Expand “Admin Centers” -> Click “Exchange”
  3. Under “Mail Flow” -> click “rules”
  4. Click “+” icon -> “Create a new rule…”
    1. Click blue “more options…”
    2. Name: VIP Spoof Warning
    3. Apply this rule if…
      1. “The Sender…” -> “is external/internal” -> “Outside the organization” -> Click “OK”
    4. Click “Add Condition”
    5. A Message header -> “matches these text patterns”
      1. Click “Enter text…” -> type From -> click “OK”
      2. Click “Enter text patterns” -> type out each VIP name identified clicking the “+” icon between each name -> click “OK”
    6. Under “*Do the following…” -> “Prepend the subject of the message with…” -> Type out desired warning (Ex: Spoof Warning!)
    7. Click “Save” button

At this point you should give this rule about 5 – 10 minutes before testing. But you can also add an exception to this rule if you have known external senders that spoof VIP accounts, like a bulk mailing service or if you have VIP that insists on using an external email account for some communications.