In this article, we review how to deal with spoofed E-mail in an Office 365 environment by using an Exchange Online rule that identifies the spoofed E-mail and prepends a warning to its subject. The main characteristics of our specific scenario are:
- We want Exchange Online to scan incoming E-mail messages and identify E-mails that look like spoofed E-mail.
- We don’t want to delete the E-mail messages that were identified as spoofed E-mail. Instead, we want to add a warning message to the E-mail subject (prepend) and add a warning message to the E-mail message body (disclaimer).
Spoofed E-mail Article Series - table of contents
Dealing with spoofed E-mail in Office 365 | Article Series
- Dealing with an E-mail spoof attack | general introduction | Office 365 based environment | Part 1#12
- Detect Spoof E-mail And Send An Incident Report Using Exchange Online Rule |Part 2#12
- Configuring exceptions for the Exchange Online Spoof E-mail rule |Part 3#12
- Detect Spoof E-mail And Mark The E-mail as spam Using Exchange Online Rule |Part 4#12
- Detect Spoof E-mail And Delete The Spoof E-mail Using Exchange Online Rule |Part 5#12
- Detect Spoof E-mail – Prepend The Subject Of The Spoof E-mail + Add Disclaimer Using Exchange Online Rule |Part 6#12
- Detect Spoof E-mail And Send The Spoof E-mail To Administrative Quarantine Using Exchange Online Rule |Part 7#12
- Detect Spoof E-mail And Raise the SCL value to “9” – Send E-mail To Quarantine Using Exchange Online Rule |Part 8#12
- Analyzing The Results Of The Exchange Spoof E-mail rule |Part 9#12
- How to Simulate E-mail Spoof Attack |Part 10#12
- How to Simulate E-mail Spoof Attack |Part 11#12
- Report Spoof E-mail And Send E-mail For Inspection In Office 365|Part 12#12
The purpose of the “warning message” is to let organization recipients decide for themselves what to do with the E-mail message, and at the same time to raise user awareness that the specific E-mail message could be a dangerous one.
The specific characteristics of our spoofed E-mail scenario
The business need and the goals that we need to accomplish are as follows:
- We want to be able to identify E-mail messages that look like a spoofed E-mail.
- We don’t want to interfere with the incoming mail flow. In other words, we don’t want to block an E-mail message that has a good chance of being “spoofed E-mail” from reaching the organization user’s mailbox. The user himself can decide what to do with the specific mail item.
- We want to warn the destination recipient regarding the fact that the E-mail message that was sent to him has a good chance of being “spoofed E-mail”.
- We want to send a sample of the spoofed E-mail to the designated user, so he will be able to analyze the E-mail message.
The Exchange Online Spoofed E-mail rule structure and logic
The “trigger” that will activate the Exchange Online “Spoofed E-mail rule” will be based on the following two conditions (a combination of condition 1 + condition 2):
- An incoming E-mail message that is sent by a non-authenticated sender (a sender who doesn’t provide user credentials).
- The sender presents himself using an E-mail address that includes our public domain name. In our specific scenario, this is an E-mail address that includes the domain name – o365pilot.com
The “action” that will be executed by our “Spoofed E-mail rule” will include the following “blocks”:
- Action 1#3 – prepend the subject of the E-mail message.
- Action 2#3 – add a disclaimer to the E-mail message body.
- Action 3#3 – generate + send an incident report to the designated destination recipient (the incident report will include a summary report + the original E-mail message).
In the following diagram, we can see the sequence of actions that will be implemented by the Exchange Online Spoofed E-mail rule:
When Exchange Online identifies E-mail messages that meet the conditions of “spoofed E-mail”, the Exchange rule will activate the following sequence:
The E-mail message will be delivered to the destination recipient’s mailbox, but the Exchange Online rule will prepend the subject of the original E-mail message and add a disclaimer to the E-mail message body.
In our specific scenario, the additional text that will be added to the subject of the E-mail message is –
This E-mail is probably spoofed!
In addition, the Exchange Online rule will add a disclaimer to the original E-mail message.
In our specific scenario, the disclaimer will be:
There is a high chance that the E-mail that you have received is a spoofed E-mail.
Please report this E-mail message to the security team!
Exchange Online will generate an incident report that will be sent to the E-mail address of the designated recipient(s). In our specific scenario, the incident report is sent to Brad (Brad is our Exchange Online administrator).
Creating a rule that identifies spoofed E-mail | prepend the E-mail subject | add a disclaimer | generate an incident report
Part 1#3 – configuring the “condition part” of the Exchange Online Spoofed E-mail rule
- Login to Office 365 admin portal
- Click on the “three stripes” icon (described as a hamburger icon)
- Expand the Admin centers menu
- Log in to the Exchange admin portal by choosing the Exchange menu
- On the left menu bar, choose –mail flow
- On the top menu bar, choose – rules
- Click on the plus sign
- Choose – Create a new rule…
- In the Name: box, add a descriptive name for the new rule. In our specific scenario, we will name the rule – Spoof E-mail – Prepend subject + Disclaimer + Incident report
- Click on the – More Options… link (by default, the interface of the Exchange Online rule includes only a limited set of options. To be able to display the additional options, we will need to “activate” the More Options…).
In the following screenshot, we can see that after we “activate” the More options… link, an additional option is added to the Exchange Online rule wizard.
- In the section named – Apply this rule if… click on the small black arrow
- Choose the menu – The sender…
- In the submenu, choose the menu – Is external/internal
- In the select sender location window, choose the option – Outside the organization. The term “outside the organization” refers to an un-authenticated sender, meaning a sender that doesn’t provide user credentials.
Now, we will add the second part of the “rule condition”, which covers the un-authenticated sender who uses an E-mail address that includes our domain name (o365pilot.com in our specific scenario).
- Click on the – add condition option
- In the section named – and click on the small black arrow
- Choose the menu – The sender…
- In the submenu, choose the menu – domain is
- In the specify domain window, add the required domain name that represents your organization. In our specific scenario, the public domain name is – o365pilot.com
Part 2#3 – Configuring the “action part” of the Exchange Online Spoofed E-mail rule
In this phase, we will configure the “second part” of the Exchange Online rule, in which we define the required Exchange response (action) to a scenario of spoofed E-mail that is sent to our organization recipients.
As mentioned, in our specific scenario, we wish to instruct Exchange Online to respond to the spoofed E-mail with three different “actions”:
- Prepend E-mail message subject.
- Add a disclaimer to the E-mail message body.
- Create an incident report and send it to a designated recipient.
Action 1#3 – Prepend E-mail message subject.
- In the section named – Do the following… click on the small black arrow
- Choose the menu option – Prepend the subject of the message with…
In the text box – specify subject prefix, add the required prefix.
In our specific scenario, we will add the prefix –
This E-mail is probably spoofed!
The prefix is approximately 32 characters long.
Action 2#3 – Add a disclaimer to the E-mail message.
In this phase, we will add the “second action” in which we add a disclaimer to the E-mail message that was identified as Spoof email.
- Click on the add action option
- In the section named – and click on the small black arrow
- Choose the menu option of – Apply a disclaimer to the message…
- In the submenu, choose the option – append to disclaimer
The configuration of the disclaimer includes two elements:
- The disclaimer text
- The fallback action
- To add the required disclaimer message, click on the Enter text… link
In our specific scenario, the disclaimer text is:
There is a high chance that the E-mail that you have received is a spoofed E-mail.
Please report this E-mail message to the security team!
- To select the required fallback action, click on the link named – *Select one…
In our specific scenario, we choose the option of – wrap
Action 3#3 – Create an incident report and send it to a designated recipient.
In this step, we will define the “last action”, in which we instruct Exchange Online to generate and send an incident report to a designated recipient. In our specific example, the designated recipient is Brad, the Exchange Online administrator.
- Click on the option – add action
- Choose the menu option – Generate incident report and send it to…
The settings of the incident report include two parameters:
- The name of the “destination recipient” which will get the incident report.
- The information fields that will be included in the incident report.
- To add the required “destination recipient” name, click on the link – Select one…
- In our specific scenario, the recipient who will get the incident report is Brad.
To select the information fields that will appear in the incident report, click on the link named – *include message properties
In our specific scenario, we will choose to include all the available message properties in the summary report.
In the following screenshot, we can see the “end result” – the Exchange Online Spoof E-mail rule, which includes two parts:
- The condition part
- The action part
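The same rule, built from Exchange Online PowerShell instead of the admin center wizard, as an added example that is not part of the original article. It assumes a session already opened with Connect-ExchangeOnline (ExchangeOnlineManagement module), and it assumes Brad’s address is Brad@o365pilot.com, which the article does not give.

```powershell
# Added example (not from the article): create the Part 6 spoofed E-mail rule with
# New-TransportRule. Assumes Connect-ExchangeOnline has already been run.

$ruleName  = 'Spoof E-mail - Prepend subject + Disclaimer + Incident report'
$ourDomain = 'o365pilot.com'        # the organization's public domain (from the article)
$reportTo  = 'Brad@o365pilot.com'   # ASSUMED address of Brad, the Exchange Online admin

# Disclaimer text from the article, as HTML because the action accepts HTML
$disclaimer = @'
<p><b>There is a high chance that the E-mail that you have received is a spoofed E-mail.</b><br/>
Please report this E-mail message to the security team!</p>
'@

$ruleParams = @{
    Name     = $ruleName
    Comments = 'Warn users about external mail that claims to come from our own domain'

    # Condition 1: the sender is outside the organization (wizard: "Outside the organization")
    FromScope = 'NotInOrganization'
    # Condition 2: the sender address uses our own domain (wizard: "The sender... domain is")
    SenderDomainIs = $ourDomain

    # Action 1: prepend the subject with the warning text from the article
    PrependSubject = 'This E-mail is probably spoofed!'

    # Action 2: append the disclaimer; "Wrap" matches the fallback action chosen in the wizard
    ApplyHtmlDisclaimerText           = $disclaimer
    ApplyHtmlDisclaimerLocation       = 'Append'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'

    # Action 3: incident report to Brad, including all message properties and the original mail
    GenerateIncidentReport = $reportTo
    IncidentReportContent  = @('Sender', 'Recipients', 'Subject', 'Cc', 'Bcc', 'Severity',
                               'Override', 'RuleDetections', 'FalsePositive',
                               'DataClassifications', 'IdMatch', 'AttachOriginalMail')

    # 'Enforce' applies the actions; use 'Audit' to only log matches while tuning exceptions
    Mode = 'Enforce'
}

New-TransportRule @ruleParams

# Read the rule back to confirm both conditions and all three actions were stored
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SenderDomainIs, PrependSubject,
                ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerFallbackAction,
                GenerateIncidentReport, IncidentReportContent
```

Exceptions for legitimate services that send as your domain (covered in Part 3 of the series) are added later with Set-TransportRule, so the rule above does not yet exempt anything.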
Verifying that the Exchange Online Spoofed E-mail rule is working properly
In this step, we would like to test the Exchange Online Spoof email rule that was created in the former step and verify that the rule is working properly.
The required results from the Exchange Online Spoofed E-mail rule
Our expectation is that the Exchange Online Spoof E-mail rule will execute the following sequence of actions:
- Identify incoming E-mail messages that have the characteristics of spoofed E-mail.
- Prepend the subject of the E-mail message.
- Add a disclaimer to the body of the Spoof E-mail message.
- Generate and send an incident report to the designated recipient. In our scenario, the incident report is sent to Brad, our Exchange Online administrator.
Simulate a Spoof E-mail attack | Scenario characteristics
To ensure that the Exchange Online Spoofed E-mail rule is working properly, we will simulate a spoof E-mail attack with the following characteristics:
- A “hostile element” is trying to spoof the identity of a legitimate organization recipient named Suzan, using the E-mail address – Suzan@o365pilot.com
- The spoofed E-mail message will be sent to a legitimate organization user named Bob, who uses the E-mail address – Bob@o365pilot.com
Step 1#2 – Verifying that the spoofed E-mail subject was prepended + include disclaimer
In the following screenshot, we can see an example of a spoof E-mail that was sent to Bob by “Suzan”.
The prepended text that we defined is added at the beginning of the E-mail message subject.
When using the default view of OWA, the organization recipient will notice only the prepended text, which warns him that the E-mail message is dangerous.
When looking at the E-mail message content, we can see the E-mail message subject, which includes the “original subject text” (in our specific example – Hello Bob, it’s me, the company CEO, send me your bank account) and the prepended text – This E-mail is probably spoofed!
The E-mail message body includes the disclaimer that was configured in the Exchange Online Spoof E-mail rule.
Step 2#2 – Verifying that an incident report was sent to the designated recipient (Brad)
In the following screenshot, we can see an example of the incident report E-mail that was sent to Exchange administrator – Brad.
When we look at the incident report, we can see that the incident report includes two parts:
- The incident report summary.
- The copy of the original E-mail message.
The incident report summary includes details such as:
- The sender (number 1), who claims to be a legitimate organization recipient named – Suzan@o365pilot.com
- The E-mail message subject (number 2)
- The destination recipient (number 3) is – Bob@o365pilot.com
- The Exchange Online rule (number 4) that was “activated” and was used for generating and sending the incident report
The next article in the current article series
In the next article – Detect Spoof E-mail And Send The Spoof E-mail To Administrative Quarantine Using Exchange Online Rule |Part 7#11, we will review how to create an Exchange Online rule that will identify events of spoofed E-mail and as a response, will – send the spoof E-mail to administrative quarantine.
The post Detect spoof E-mail – prepend the subject of the Spoof E-mail + add Disclaimer using Exchange Online rule |Part 6#12 appeared first on o365info.com.