The current article is a continuation of the former article, in which we learned how to create an Exchange Online transport rule that will “identify” a spoof E-mail attack.
The second part of the spoof rule configuration is the part in which we need to decide what to do with an E-mail message that is “captured” by the Exchange Online spoof rule that we created.
Table of contents
Dealing with spoof E-mail in Exchange Online | The article series
The article series includes the following articles:
- How to prevent E-mail spoof attack in Office 365 using Exchange Online transport rule | Part 1#4
- Define what to do with a spoof E-mail using the Exchange online E-mail spoof rule | Part 2#4
- Define what to do with a spoof E-mail using the Exchange online E-mail spoof rule | Part 3#4
- Simulating E-mail spoof attack and checking the Exchange Online spoof transport rule | Part 4#4
The answer to “what to do with a mail that was captured” seems simple and obvious: delete the spoofed E-mail message!
However, before we rush to “destroy” these E-mail items, it is important to consider a few factors that are not so clear at first glance.
For example:
- What about a scenario in which the Exchange spoof rule captures a legitimate E-mail and classifies it as a spoofed E-mail?
- What about a scenario in which we use a complicated Exchange Online infrastructure, and the spoof rule that we created includes a logical flaw that leads to a legitimate E-mail being identified as a spoofed E-mail?
Let's assume that the Exchange spoof rule manages to capture a spoof E-mail, and the E-mail is indeed a spoofed E-mail. What do we want to do with these E-mail items?
- Do we want to automatically “destroy” (delete) these spoofed E-mail items?
- Do we want to automatically “destroy” (delete) these spoofed E-mail items and inform our Exchange Online administrator?
- Do we deliver the E-mail message that was identified as spoofed to the recipient with a warning?
- Do we deliver the E-mail message that was identified as spoofed to the recipient and send the E-mail message to the Junk folder?
- Maybe we would just like to “test” the Exchange spoof transport rule without performing any action?
My main purpose is not to confuse you or to start a philosophical debate about what to do with an E-mail message that is “suspected” of being spoof E-mail, but instead to review the advanced capabilities of the Exchange Online transport rule, which can provide an answer for any of the scenarios mentioned above and for many other desired scenarios.
In other words, how to use an Exchange Online transport rule to implement the decision that best fits the specific scenario.
Quick reminder regarding the logic of an Exchange transport rule
In the current article and the next article, we will “dive inside” the part of the Exchange Online transport rule that is responsible for implementing or executing the rule action.
Before we start with the “step by step” instructions, here is a quick reminder of the logic of a standard Exchange transport rule.
Each transport rule consists of two parts:
- The “upper part” (A in the screenshot) is the part that defines a specific condition that needs to be met.
- The “bottom part” (B in the screenshot) is the part that defines the “action” that will be enforced or executed by the transport rule.
The flow of an Exchange transport rule is as follows:
When an E-mail message is accepted by the Exchange server, Exchange checks its “rule pool”, trying to find a match to a specific rule.
If it finds a “match”, Exchange checks the exact “instructions” in the rule.
The rule “instructions” could be: do “something” and write the information to a log file, or do nothing but write the information to a log file. The latter scenario is described as test mode or audit mode.
Note – we will review the option of test mode in the next article.
Define the action that the Exchange E-mail spoof rule will perform | Seven possible scenarios
In the following section, we will demonstrate seven different optional scenarios that relate to the “action part” of the Exchange Online spoof transport rule.
The Exchange transport rule is a very powerful feature that enables us to define and implement an almost unlimited number of scenarios.
The scenarios that will be demonstrated are just a sample of the variety of options that you can choose based on your specific requirements.
The scenarios that we will review are:
Scenario 1 – Block and delete the spoofed E-mail message
The business needs are:
- We want to block all E-mail messages that are considered spoof E-mail, without saving the original message and without notifying the destination recipient (the recipient who was to receive the E-mail).
Scenario 2 – Delete the spoof E-mail message + send notification (NDR) to the destination recipient
The business needs are:
- We want to block all E-mail messages that are considered spoof E-mail.
- We want to inform the destination recipient (the recipient who was to receive the E-mail) that a spoof E-mail was sent to him.
Scenario 3 – Prepend the subject of E-mail message
The business needs are:
- We don't want to block E-mail messages that are considered spoofed E-mail.
- The “spoofed E-mail” will be sent to the destination recipient mailbox, but we will add a “prefix” (a text string) to the mail subject, which will inform the recipient that the specific mail is “Dangerous” and can be considered spoof E-mail.
Scenario 4 – Create an incident report and send it to the Exchange Online administrator + delete the spoofed E-mail message.
The business needs are:
- We don't want to block E-mail messages that are considered spoof E-mail.
- We want to create an incident report for each “event” in which the Exchange rule identifies a specific E-mail message as “spoofed E-mail”.
- The incident report will be sent to the Exchange Online administrator and will include the original E-mail message.
Scenario 5 – “Stamp” the spoofed E-mail message as spam.
The business needs are:
- We don't want to block E-mail messages that are considered spoof E-mail.
- We want to update the SCL value and set it to “5”. The E-mail message will be sent to the destination recipient mailbox and, by default, the E-mail will be delivered to the Junk mail folder.
Scenario 6 – Set the Exchange Online spoof rule to use “audit mode”.
The business needs are:
- We don't want to block E-mail messages that are considered spoof E-mail.
- We don't want to implement any “action” by using the Exchange rule.
- We want to activate the Exchange rule in a “learning mode”.
Scenario 7 – View the Office 365 rules report.
This scenario is the continuation of scenario 6; in addition, we will review how to use the Exchange Online report option to view a report about the mail flow related to the spoof rule that was created.
Scenario 1 – Block and delete the spoofed E-mail message
The main characteristic of this scenario is that we don't want to “deal” with (keep or save) mail items that are identified as spoof E-mail.
We are willing to take the risk of a false positive, meaning a scenario in which a legitimate message is mistakenly marked as spoofed E-mail.
We don't wish to inform the “hostile element” that we have blocked and deleted his E-mail, and we don't wish to bother the “destination recipient” with information about the scenario in which a hostile element tried to send him a spoof E-mail.
To implement this action, we need to perform the following steps:
- Go to the section named *Do the following…
- Select the option – Block the message…
- In the sub-menu options, choose – delete the message without notifying anyone
In the following screenshot, we can see the result.
Each mail that is identified as a spoofed E-mail by the Exchange rule will be automatically deleted.
It's important to mention that the “event” will be recorded in the Exchange Online log. Even though the E-mail was deleted, we can find information about the “deletion”, but we cannot recover the original E-mail item.
Scenario 2 – Delete the spoof E-mail message + send notification (NDR) to the destination recipient
The main characteristic of this scenario is that we don't want to “deal” with (keep or save) mail items that are identified as spoofed E-mail, but we do want to inform the “destination recipient” that someone tried to send him a spoofed E-mail.
The “recipient notification” is implemented via an NDR (non-delivery report) message that includes very detailed information about the “event”.
The “explanation” is a text string that we add, which enhances the information that appears in the NDR and provides a friendlier description of the problem.
To implement this action, we need to perform the following steps:
- Go to the section named *Do the following…
- Select the option – Block the message… and in the sub-menu options choose – reject the message and include an explanation
In the next window, we add our custom text message.
For example:
It looks like that the E-mail message that you have sent to the organization recipient is a spoofed E-mail
In the following screenshot, we can see the result.
This is an example of the NDR that was sent to the organization recipient in the event in which mail that was sent to him was classified as spoofed E-mail.
The NDR message is “loaded” with information about the specific scenario.
We can see a clear indication of the fact that the E-mail was blocked by an Exchange rule.
We can see the custom text message that was added in the former step, in which we created the rule.
This is a screenshot of the rest of the NDR message.
We can see clear information about the mail flow, the cause of the NDR and so on.
Note – the original NDR includes even more details, such as the E-mail header and more.
Scenario 3 – Prepend the subject of the message
The main characteristics of this scenario are that we don't wish to block and delete E-mail messages that are considered spoofed E-mail.
Instead, we want to deliver the “suspected E-mail” to the user's mailbox and let him decide for himself what to do with the mail that has a high chance of being a spoofed E-mail.
Although we don't want to intervene, we would like to notify our organization user that the E-mail message is probably not a legitimate E-mail message and that he should be aware of this.
The “element” that we use is the option “Prepend the subject”. This means that we add a custom prefix to the E-mail subject, which warns the recipient and lets him know that the specific E-mail could be dangerous or suspicious.
To implement this action, we need to perform the following steps:
- Go to the section named *Do the following…
- Select the option – Prepend the subject of the message with…
- In the window that appears, add the custom text that will be added to the E-mail subject. In our specific scenario, we will add the text – This E-mail is a spoof E-mail!!
In the next screenshot, we can see the text that we added for the Prepend subject option.
In the following screenshot, we can see an example of an E-mail message that was identified as spoofed E-mail by the Exchange rule, with the “Prepend text” in the E-mail subject.
In the next article, we will continue to review different scenarios for the “action” that will be executed by the Exchange Online spoof transport rule.
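The same three actions (scenarios 1, 2 and 3) can be applied to the spoof rule from Exchange Online PowerShell instead of the Exchange admin center. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed and that $RuleName holds the name you gave the spoof rule in Part 1 (the value below is a placeholder).

```powershell
# Added example (not part of the original article): PowerShell equivalents of
# scenarios 1-3 for the spoof transport rule created in Part 1.
# Assumption: the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

function Set-SpoofRuleAction {
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        [Parameter(Mandatory)] [ValidateSet('Delete', 'Reject', 'Prepend')] [string] $Action
    )
    # Clear the actions from the other scenarios first, so the rule ends up
    # with exactly one of the three actions ($null removes an action).
    $reset = @{
        Identity                = $RuleName
        DeleteMessage           = $false
        RejectMessageReasonText = $null
        PrependSubject          = $null
    }
    switch ($Action) {
        # Scenario 1 - block and delete the message without notifying anyone.
        'Delete'  { $reset.DeleteMessage = $true }
        # Scenario 2 - reject the message and include an explanation; the
        # text is returned in the NDR generated for the rejected message.
        'Reject'  { $reset.RejectMessageReasonText =
                      'It looks like that the E-mail message that you have sent to the organization recipient is a spoofed E-mail' }
        # Scenario 3 - deliver the message but prepend a warning to the subject.
        'Prepend' { $reset.PrependSubject = 'This E-mail is a spoof E-mail!! ' }
    }
    Set-TransportRule @reset
}

$RuleName = 'Spoof E-mail rule'   # placeholder: the rule name you chose in Part 1

# Pick one scenario; here scenario 3 (prepend the subject).
Set-SpoofRuleAction -RuleName $RuleName -Action Prepend

# Verify which action the rule now carries and that it is enforced, not audited.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, DeleteMessage, RejectMessageReasonText, PrependSubject
```

Re-run Set-SpoofRuleAction with -Action Delete or -Action Reject to switch the rule to scenario 1 or 2; the Mode value shown by Get-TransportRule is the audit-mode switch discussed under scenario 6.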
The post Define what to do with a spoof E-mail using the Exchange online E-mail spoof rule |Part 2#4 appeared first on o365info.com.