How to prevent spoof attack in an Office 365 based environment using Exchange Online transport rule


An Office 365 user reports that he receives E-mail messages that appear to be sent by another organization recipient, but the mail is a spoofed E-mail message sent by a hostile element that seeks to present itself (impersonate) as an “original organization user”.

One of the undesirable but possible scenarios that can occur in a mail-based environment is the phenomenon of spoofing or Phishing.

In the current article, we will review a very effective way of dealing with spoofing and Phishing attacks in an Office 365 environment using an Exchange Online transport rule.

What is the meaning of spoofing?

Spoofing is a scenario in which a non-legitimate entity (hostile element) tries to claim that it is a legitimate organization recipient.

For example, the organization’s public domain name is: o365info.com

The Exchange Online server hosts the mailboxes of the following recipients:

John@o365info.com and Alice@o365info.com
John is the company Chief Executive Officer.

A hostile element wants to address organization users (recipients) and present itself as the company Chief Executive Officer.

The hostile element addresses the Exchange Online server and “says” that the “MAIL FROM” value is: John@o365info.com

In addition, it says that the “RCPT TO” value is Alice@o365info.com

Let’s assume that in our scenario no other mechanism that should block spoofed communication (such as SPF, DKIM or DMARC) is implemented. The outcome is that Alice thinks that the E-mail message was sent by John, while the message was actually sent by another entity that impersonates John@o365info.com.

[Figure: E-mail spoofing - an external hostile element impersonates a legitimate recipient]

Q1: What is the difference between spoofing and Phishing?

A1: We will not get into the specific technical details of spoofing versus Phishing, but just say briefly that a Phishing attack is based on spoofing.
The hostile element presents itself as a reliable or trustworthy party and tries to lure organization users into providing personal details such as username and password, depositing money in some bank account, and so on.

The good news and the less good news | Spoof email and Exchange Online environment

Let’s start with the less good news:

Q1: Is it possible to carry out spoofing or Phishing attacks in an Office 365 and Exchange Online-based environment?

A1: The answer is: “Yes”.

Q2: Does it mean that Office 365 and Exchange Online-based environments are especially exposed to this attack?

A2: The answer is that every mail infrastructure is exposed to these attacks, because spoofing and Phishing attacks exploit inherent weaknesses of the standard SMTP mail protocol.


The good news is that Office 365 and Exchange Online customers are not “helpless”: there are actions that we can implement that significantly reduce the chance of successful spoofing or Phishing attacks.

Q3: So, what are the available options that I can use to deal with and prevent spoofing or Phishing attacks?

A3:

  1. Use an Exchange Online transport rule that will block most spoofing attacks.
  2. Report an E-mail message as a spoof mail message by using the OWA interface.
  3. Create and publish an SPF record in your public DNS server.
  4. Create and publish a DMARC record in your public DNS server + create an Exchange Online transport rule.

Although there are several operations that we can implement to mitigate the problem of spoofing or Phishing attacks, in the current article we will review the “solution” that is implemented using an Exchange Online transport rule.

Exchange Online transport rule for blocking spoof attacks | Concept and logic

The Exchange Online transport rule that we are going to create in the next section is built upon a logical rule in which we define a condition and the action that will be executed when the condition is met.

Outside the organization

When using an Exchange Online transport rule for blocking spoof attacks, the way we “identify” the hostile element that tries to impersonate a legitimate organization user is by using the condition outside the organization.

The formal description of the term outside the organization is:

A sender is considered to be outside the organization if the sender’s domain isn’t an accepted domain in the Exchange organization or is in an accepted domain that is configured as an ExternalRelay domain.

[Source of information: Transport rule conditions (predicates)]

 

My opinion is that this description is not a full and comprehensive explanation because, in reality, the term outside the organization has an additional meaning.

The additional meaning is: an entity that “claims” to be an organization recipient by presenting an E-mail address that includes the organization domain name (an E-mail address whose domain is registered in Exchange Online as an accepted domain), but that doesn’t provide user credentials (an anonymous session).

For example, the public domain that is registered in Exchange Online is o365info.com. An entity (hostile element) addresses the Exchange Online server and “claims” that its E-mail address is John@o365info.com.
Although such a recipient exists, the specific entity that addresses the Exchange Online server, asking to send an E-mail message to Alice@o365info.com, did not provide user credentials.

This means that Exchange Online cannot verify the identity of this entity.

For this reason, Exchange Online will treat this “entity” as outside the organization.

The Exchange Online transport rule – action (result)

Another thing that I would like to mention regarding the Exchange Online transport rule is the “action” part.

An Exchange Online transport rule is made of a condition and an action.

In our specific scenario, we should decide what “action” we want to implement when someone tries to spoof our organization mail.

The Exchange Online transport rule enables us to choose from a variety of options, such as deleting the E-mail message, forwarding the E-mail message to another mailbox for inspection, “marking” the E-mail message as spam, and so on.

At the end of the next section, we will review the possible options.

The implications of creating an Exchange Online transport rule for blocking spoof attacks

Before we begin with the specific instructions for creating the Exchange Online transport rule that is supposed to block spoof attacks from non-authenticated elements that use our domain name as part of their E-mail address, it’s very important to verify that there are no legitimate elements that use our organization domain name without implementing an authentication mechanism.

For example, a printer device or web application that addresses Exchange Online and uses an organization E-mail address without providing user credentials.

In this scenario, after we create the required Exchange Online transport rule, E-mail messages from this host will be identified as spoof E-mail messages.

The solution for this problem could be:

  1. Configure the device \ web application to provide user credentials.
  2. Add to the Exchange Online transport rule an exception that will “exclude” the specific device \ web application.
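To make the logic of the two preceding sections concrete, the following PowerShell script is an added example that models the decision the transport rule makes, as the article describes it (sender outside the organization AND sender domain is our accepted domain, with an optional exception for a known unauthenticated device). It is not Exchange Online’s own code and not part of the original article; the sample sessions, the printer address and all IP addresses are constructed for illustration.

```powershell
# Added example: a model of the anti-spoof rule logic described in the article.
# This is NOT Exchange Online's implementation; it only makes the decision table
# explicit. All sessions, IPs and the printer address below are constructed.

$AcceptedDomains = @('o365info.com')   # domains registered in Exchange Online (from the article)

function Test-OutsideOrganization {
    # Per the article: a sender is "outside the organization" when its domain is not an
    # accepted domain, OR when it presents an accepted domain without authenticating.
    param(
        [Parameter(Mandatory)][string]$MailFrom,     # SMTP "MAIL FROM" value presented by the sender
        [Parameter(Mandatory)][bool]$Authenticated   # did the sending entity supply user credentials?
    )
    $domain = ($MailFrom -split '@')[-1].ToLower()
    $isAcceptedDomain = $AcceptedDomains -contains $domain
    return ((-not $isAcceptedDomain) -or (-not $Authenticated))
}

function Get-SpoofRuleDecision {
    # Evaluates the rule: exception first, then condition, then the action.
    param(
        [Parameter(Mandatory)][hashtable]$Session,
        [string[]]$ExceptSourceIPs = @()   # source IPs excluded from the rule (e.g. a printer)
    )
    $domain  = ($Session.MailFrom -split '@')[-1].ToLower()
    $outside = Test-OutsideOrganization -MailFrom $Session.MailFrom -Authenticated $Session.Authenticated

    if ($ExceptSourceIPs -contains $Session.SourceIP) { return 'Deliver (rule exception)' }
    if ($outside -and ($AcceptedDomains -contains $domain)) { return 'MATCH - apply action (delete / SCL / redirect)' }
    return 'Deliver (rule not matched)'
}

# Constructed sample sessions (RFC 5737 documentation addresses):
$samples = @(
    @{ Label = 'John, authenticated session';   MailFrom = 'John@o365info.com';    Authenticated = $true;  SourceIP = '198.51.100.5' }
    @{ Label = 'External entity claiming John'; MailFrom = 'John@o365info.com';    Authenticated = $false; SourceIP = '192.0.2.77' }
    @{ Label = 'Printer, no credentials';       MailFrom = 'printer@o365info.com'; Authenticated = $false; SourceIP = '203.0.113.10' }
    @{ Label = 'Partner, own domain';           MailFrom = 'bob@partner.example';  Authenticated = $false; SourceIP = '192.0.2.80' }
)

'--- Rule without an exception ---'
foreach ($s in $samples) { '{0,-32} -> {1}' -f $s.Label, (Get-SpoofRuleDecision -Session $s) }

'--- Rule with the printer IP excepted ---'
foreach ($s in $samples) { '{0,-32} -> {1}' -f $s.Label, (Get-SpoofRuleDecision -Session $s -ExceptSourceIPs '203.0.113.10') }
```

Two rows are the ones worth checking before deploying the real rule: the unauthenticated printer is matched (and therefore blocked) until the exception is added, and mail from a partner’s own domain is never matched, because the rule only targets senders that present our domain.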

Creating an Exchange Online transport rule for blocking spoof attacks

In the following section, we will provide step-by-step instructions for creating the required Exchange Online transport rule that will enable us to block spoof attacks.

  • Log in to the Exchange Online admin center
  • On the left menu bar, choose – Mail flow
  • On the top menu bar, choose – rules
  • Click on the plus icon and choose – Create a new rule…

[Screenshot: How to block someone from spoofing a user on our domain email address -01]

In the Name: box, add a rule name that is suitable for your needs.

In the *Apply this rule if… box, choose the option – The sender is…

[Screenshot: How to block someone from spoofing a user on our domain email address -02]

In the option box that appears, choose the option – Outside the organization

[Screenshot: How to block someone from spoofing a user on our domain email address -03]

To be able to define the “other part” of the condition, we will need to choose the More options… menu.

[Screenshot: How to block someone from spoofing a user on our domain email address -04]

In the following screenshot, we can see that after we “activate” More options, a new button named add condition appears.

Click on add condition.

[Screenshot: How to block someone from spoofing a user on our domain email address -05]

In the and box, choose the option The sender… and in the submenu choose – domain is

[Screenshot: How to block someone from spoofing a user on our domain email address -06]

In our specific scenario, the organization’s public domain name is o365info.com

We will add the domain name by clicking on the plus sign.

[Screenshot: How to block someone from spoofing a user on our domain email address -07]

Part 2 – define the required “response” (action)

In this phase, we configure the “action”, meaning the Exchange Online response in a scenario in which the “source recipient” is not a legitimate recipient.

One of the advantages of the Exchange Online transport rule is that we can choose from a variety of options to optimally match our unique needs.

In the following section, we will display three different possible options that define “what to do” with the non-legitimate (spoof) E-mail message.

In the following screenshot, we can see the “logic” of the Exchange Online transport rule. The “top part” deals with the “condition”; the “bottom part” deals with the specific action that will be executed when the condition is met.

[Screenshot: Block spoof attack in Office 365 – Exchange Online -09]

Option 1 – Delete the spoof E-mail message

In this scenario, we don’t wish to “deal” with the spoof E-mail message, but instead just delete it.

In this specific scenario, in the *Do the following… section, we will choose the menu option – Block the message… and in the submenu that appears, choose the option – delete the message without notifying anyone

[Screenshot: Block spoof attack in Office 365 – Exchange Online -10]

Option 2 – “stamp” the spoof E-mail message as spam

In this scenario, we don’t wish to “destroy” the spoof E-mail message, but instead stamp the spoof E-mail message as spam mail.

The process in which we “stamp” the E-mail message as spam mail is implemented by specifying the SCL (Spam Confidence Level).

The outcome depends on the specific Exchange Online configuration settings.

For example, the default Exchange Online setting regarding spam mail is to “forward” the E-mail message to the destination recipient and let the recipient decide what to do with the E-mail message (delete, report as non-spam mail, and so on).

[Screenshot: Block spoof attack in Office 365 – Exchange Online -11]

In this specific scenario, in the *Do the following… section, we will choose the menu option – Modify the message properties… and in the submenu that appears, choose the option – set the spam confidence level (SCL)

In the following screenshot, we can see the option box that enables us to choose the specific SCL value.

[Screenshot: Block spoof attack in Office 365 – Exchange Online -12]

Option 3 – forward the spoofed mail to “another mailbox”

The main characteristic of this scenario is that we don’t wish to delete the spoofed mail, but we also don’t wish to forward the E-mail message to the destination recipients.

Instead, we would like to keep the spoof mail in a dedicated mailbox that will enable us to inspect the E-mail messages classified as “spoof” and decide what to do with them.

[Screenshot: Block spoof attack in Office 365 – Exchange Online -13]
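The same rule that the admin center steps above build (Part 1 condition plus one of the three Part 2 actions, and the device exception from the implications section) can be created with Exchange Online PowerShell. The following script is an added example and is not from the article: it assumes the ExchangeOnlineManagement module is installed and the account holds an Exchange admin role; o365info.com is the accepted domain from the article, while the rule name, the inspection mailbox, the printer IP and the web-app sender are placeholders to replace with your own values.

```powershell
# Added example (not the article's own code): the anti-spoof transport rule via
# Exchange Online PowerShell. Placeholders below must be replaced for your tenant.

Connect-ExchangeOnline   # interactive sign-in; requires the ExchangeOnlineManagement module

$Domain         = 'o365info.com'                       # accepted domain (from the article)
$RuleName       = 'Block spoofed o365info.com senders'  # placeholder rule name
$InspectMailbox = 'spoof-inspection@o365info.com'       # placeholder: dedicated mailbox for option 3
$PrinterIP      = '203.0.113.10'                        # placeholder: unauthenticated printer's public IP
$WebAppSender   = 'webapp@o365info.com'                 # placeholder: unauthenticated web app's sender address

# Part 1 (condition): sender is outside the organization AND the sender domain is ours.
# Part 2 (action), option 1: delete the message without notifying anyone.
# Exceptions: the known printer IP and the web-app sender address (see "implications" section).
# -Mode Audit: the rule is evaluated and logged but takes no action, so unauthenticated
# devices that would be caught show up in message tracking before anything is blocked.
New-TransportRule -Name $RuleName `
    -FromScope NotInOrganization `
    -SenderDomainIs $Domain `
    -DeleteMessage $true `
    -ExceptIfSenderIpRanges $PrinterIP `
    -ExceptIfFrom $WebAppSender `
    -Mode Audit `
    -Comments 'Anti-spoof rule: unauthenticated senders presenting an o365info.com address'

# Option 2 instead of deleting: stamp as spam with a high SCL; what happens next is
# decided by the tenant's spam settings, as the article notes.
# Set-TransportRule -Identity $RuleName -DeleteMessage $false -SetSCL 9

# Option 3 instead of deleting: redirect the message to the inspection mailbox.
# Set-TransportRule -Identity $RuleName -DeleteMessage $false -RedirectMessageTo $InspectMailbox

# After the audit period shows only genuine spoof matches, switch the rule to enforcement:
# Set-TransportRule -Identity $RuleName -Mode Enforce

# Verify what was created.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, Priority, FromScope, SenderDomainIs, DeleteMessage,
                SetSCL, RedirectMessageTo, ExceptIfSenderIpRanges, ExceptIfFrom
```

Only one of the three actions should be active at a time; the commented Set-TransportRule lines clear the delete action before setting the alternative. The -ExceptIfFrom exception requires the web-app address to exist as a recipient in the tenant, which is another reason the article’s first remedy (have the device authenticate) is the cleaner fix.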


The post How to prevent spoof attack in an Office 365 based environment using Exchange Online transport rule appeared first on o365info.com.

