Recently, I’ve come across a lot of customers who are looking to understand what’s happening with the freely available (to all Exchange Online Protection SKUs) Anti-Spoof features in Office 365. This feature is also known as Spoof Intelligence. This article on docs.microsoft.com is an excellent read, but for the purposes of this post, we’re gonna focus on Spoof Intelligence.
First – what exactly is Spoof Intelligence? Well, it’s Microsoft’s way of trying to make sense of the crazy sender authentication landscape that’s out in the wild these days. While the situation has improved over time in general, there are still a lot of senders out there who don’t know how to properly configure SPF, DKIM, and DMARC. This puts the burden on the recipient to figure out exactly whether or not to trust incoming emails. Enter Spoof Intelligence. Based on various signals in a message, Microsoft now does what is called implicit authentication. In other words, Microsoft is trying to pick up the “sender auth slack”, so to speak. The secret sauce that goes into how Microsoft determines whether or not to allow a sender email through is a proprietary (you guessed it) secret, but in general, the Authentication-Results header is used. The signals contained therein are all part of the method used to set a “Yes” or a “No” to the AllowedToSpoof property on the sender.
As an administrator, you’re likely thinking, “Hey this is great and all, but how the heck do I know what messages are being seen and what verdicts are rendered on these messages?” The answer lies in the Get-PhishFilterPolicy cmdlet! Now, there is a way to see this list in the GUI via Security & Compliance Center (Threat Management–>Policy–>Anti-Spam Policy–>Spoof Intelligence), but the list isn’t sort-able and it isn’t easy to traverse (see image below)
Excel, on the other hand, is purpose-built for this job! Let’s dive in.
- Connect to Exchange Online via the EXO PowerShell module. There are various ways to get it if you don’t have it, but I prefer the short URL http://aka.ms/EXOPSPreview.
- Once connected, use the following command to grab Internal (your domain) spoofing, but replacing the file path in the $file variable to one that makes sense for you (you can use the same command below for viewing external domain spoofing as well by replacing the SpoofType parameter value below with ‘External’):
#This creates an empty CSV file $file = 'C:\My Documents\SpoofedInternal.csv' #This will generate the report for internal domain spoofs and then export it to the previously created file Get-PhishFilterPolicy -Detailed -SpoofAllowBlockList -SpoofType Internal | Export-CSV $file -NoTypeInformation
From Excel, you can then insert a table (in the Insert tab, click Table and make sure that “My table has headers” is checked) and more easily sort this information. I recommend sorting by NumberOfMessages, largest to smallest. This will give you a very good idea of who is trying to spoof your domain the most:
With the information in that spreadsheet, you can better determine who is spoofing your domain from the outside coming in (think of this as a sort of reverse DMARC reporting!)
Now, here is the really cool part – if there are any changes you want to make to the AllowedToSpoof verdict, simply toggle from Yes to No, or vice-versa, and save the CSV. That file can be used by the Set-PhishFilterPolicy command to make your changes committed to the tenant.
To sum up, Exchange Online Protection is an amazing product, but it is far from a “set it and forget it” solution. As an EXO admin, you need to ensure that valid email is getting to its intended recipient and having a good understanding of how mail flows through each filter and how those filters work, such as Spoof Intelligence, is key to making that happen.<div class='sharedaddy sd-block sd-like jetpack-likes-widget-wrapper jetpack-likes-widget-unloaded' id='like-post-wrapper-127276047-26-5e26baa9bac3b' data-src='https://widgets.wp.com/likes/#blog_id=127276047&post_id=26&origin=pragmaticadmin.com&obj_id=127276047-26-5e26baa9bac3b' data-name='like-post-frame-127276047-26-5e26baa9bac3b'><h3 class="sd-title">Like this:</h3><div class='likes-widget-placeholder post-likes-widget-placeholder' style='height: 55px;'><span class='button'><span>Like</span></span> <span class="loading">Loading...</span></div><span class='sd-text-color'></span><a class='sd-link-color'></a></div>