What to check with spoofed email in Microsoft 365

If you find that a spoofed email is reaching users' inboxes in Microsoft 365 (say, something like managing.director@gmail.com pretending to be managing.director@yourdomain.com) then here are some initial suggestions and things to check.

Firstly, ensure you have SPF, DKIM and DMARC configured for your domain. Together they let receiving systems reject mail that claims to come from yourdomain.com but was not sent by your mail servers. Keep in mind that they only protect your own domain: a message that really is from managing.director@gmail.com passes gmail.com's SPF and DKIM checks, so that kind of look-alike impersonation has to be caught by the anti-phishing settings and user-facing tags covered further down.

Set up SPF to help prevent spoofing

Support for validation of DKIM signed messages

Use DMARC to validate email
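As an added example (not code from the original post), here is a PowerShell check of the three records for a domain, flagging the weak states a practitioner usually finds: no SPF or two SPF records, a soft-fail or missing all mechanism, no DKIM selectors, and a DMARC policy of none. It assumes Windows (Resolve-DnsName comes from the DnsClient module) and outbound DNS; yourdomain.com is the placeholder used in this post.

```powershell
# Added example (not from the original post): check a domain's SPF, DKIM and DMARC
# records from PowerShell and flag the weak states. Assumes Windows PowerShell or
# PowerShell 7 on Windows (Resolve-DnsName is in the DnsClient module) and outbound
# DNS. "yourdomain.com" is the placeholder domain used in this post.
$Domain = 'yourdomain.com'

function Get-TxtRecords([string]$Name) {
    # Returns each TXT record as one string; long records arrive split into
    # 255-character chunks, which must be joined before parsing.
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Strings } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }
}

# --- SPF: exactly one TXT record at the apex beginning with v=spf1 ---
$spf = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0 { "SPF: MISSING - receivers cannot tell your servers from anyone else's" }
    1 {
        $rec  = $spf[0]
        $m365 = $rec -match 'include:spf\.protection\.outlook\.com'
        $all  = if ($rec -match '([-~?+])all\s*$') { $Matches[1] + 'all' } else { 'no all mechanism' }
        "SPF: $rec"
        "  covers Microsoft 365: $m365; terminal mechanism: $all (-all = hard fail, ~all = soft fail)"
    }
    default { "SPF: INVALID - $($spf.Count) v=spf1 records; receivers treat this as a permanent error" }
}

# --- DKIM: Microsoft 365 signs with selector1/selector2, published as CNAMEs ---
foreach ($sel in 'selector1', 'selector2') {
    $name = "$sel._domainkey.$Domain"
    try {
        $ans = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' }
        if ($ans) { "DKIM: $name -> $($ans.NameHost)" }
        else      { "DKIM: $name exists but is not a CNAME; check the selector setup" }
    } catch {
        "DKIM: $name not found (DKIM signing not enabled for this domain, or other selectors in use)"
    }
}

# --- DMARC: TXT at _dmarc.<domain>; p= tells receivers what to do on failure ---
$dmarc = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -eq 0) {
    "DMARC: MISSING - SPF/DKIM failures are neither reported nor enforced by receivers"
} else {
    $p = if ($dmarc[0] -match 'p=(\w+)') { $Matches[1] } else { 'unspecified' }
    "DMARC: $($dmarc[0])"
    "  policy: $p (none = monitor only; quarantine or reject actually stops spoofed mail)"
}
```

Run it against your own domain first, then against the domains that send to you on your behalf. The goal state is one SPF record ending in -all, both DKIM selectors resolving, and a DMARC policy of quarantine or reject; anything weaker leaves room for exact-domain spoofing of yourdomain.com.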

Next, run the configuration analyzer built into the Microsoft 365 Security Center to see where your policies deviate from Microsoft's recommended settings.

Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365

and you'll find those recommended settings here:

Recommended settings for EOP and Microsoft Defender for Office 365 security

I'd compare against the Strict preset rather than the Standard one.

[Image: additional settings in the Exchange Online anti-spam policy]

In the settings for your anti-spam policy in Exchange Online there are a few additional settings you can enable, as shown above. Even though Microsoft's recommended settings leave them off, I have most of them set and, at a minimum, recommend that the SPF hard fail option be enabled. Be aware that these options also catch legitimate senders with broken SPF records or sloppy HTML, so watch the quarantine for a while after turning them on.

[Image: anti-phishing policy settings]

In your anti-phishing policies ensure the option Show first contact safety tip is enabled, as shown above; Microsoft's recommended policies don't set it. In general, make sure all the settings shown above are enabled.

Another good indicator to configure is the native external sender callout, enabled with PowerShell:

Set-ExternalInOutlook -Enabled $true

That marks mail from outside the organisation in the Outlook clients that support the callout, which is exactly the cue a user needs when a gmail.com message claims to be the managing director:

Native external sender callouts on email in Outlook

Another adjustment you can consider is changing what happens at each Spam Confidence Level (SCL), either through the actions in the anti-spam policy or with a mail flow rule that sets the SCL for particular senders:

Spam Confidence level (SCL) in EOP

A further option you may wish to tweak beyond Microsoft's recommended settings is the phishing threshold in the anti-phishing policies; a higher level treats more borderline mail as phishing, at the cost of more false positives:

Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365 
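The anti-spam extras, the anti-phishing settings, the external sender callout and the phishing threshold described above can all be set and read back from PowerShell. The following is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module, an Exchange admin role, the built-in policy names Default and Office365 AntiPhish Default, and a tenant licensed for Defender for Office 365 (the impersonation and threshold parameters need it; EOP-only tenants get an error on those). The protected user "Managing Director;managing.director@yourdomain.com" is a placeholder for the executives you actually want covered, and is what catches the managing.director@gmail.com case that SPF and DMARC cannot.

```powershell
# Added example (not from the original post): harden the built-in anti-spam and
# anti-phishing policies and turn on the external sender callout, then verify.
# Assumptions: ExchangeOnlineManagement module, Exchange admin role, Defender for
# Office 365 licence for the impersonation/threshold settings, built-in policy
# names as below, and placeholder executive details.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$spamPolicy  = 'Default'                      # built-in anti-spam policy
$phishPolicy = 'Office365 AntiPhish Default'   # built-in anti-phishing policy

# --- Anti-spam: the "mark as spam" options the Standard/Strict presets leave off ---
$spamSettings = @{
    Identity                    = $spamPolicy
    MarkAsSpamSpfRecordHardFail = 'On'   # the one to enable at a minimum
    MarkAsSpamNdrBackscatter    = 'On'
    MarkAsSpamEmptyMessages     = 'On'
    MarkAsSpamJavaScriptInHtml  = 'On'
    MarkAsSpamFramesInHtml      = 'On'
    MarkAsSpamObjectTagsInHtml  = 'On'
    MarkAsSpamEmbedTagsInHtml   = 'On'
    MarkAsSpamFormTagsInHtml    = 'On'
    MarkAsSpamWebBugsInHtml     = 'On'
}
Set-HostedContentFilterPolicy @spamSettings

# --- Anti-phishing: safety tips, spoof handling, impersonation protection, threshold ---
$phishSettings = @{
    Identity                            = $phishPolicy
    EnableFirstContactSafetyTips        = $true   # not set by the presets
    EnableUnauthenticatedSender         = $true   # "?" marker on unverified senders
    EnableViaTag                        = $true
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    EnableTargetedUserProtection        = $true
    # Format is "Display Name;smtp address". NOTE: this REPLACES the existing list.
    TargetedUsersToProtect              = @('Managing Director;managing.director@yourdomain.com')
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    PhishThresholdLevel                 = 3       # 1 (least) to 4 (most aggressive); raise gradually
}
Set-AntiPhishPolicy @phishSettings

# --- Outlook external sender callout (tenant-wide) ---
Set-ExternalInOutlook -Enabled $true

# --- Read everything back to confirm the changes landed ---
Get-HostedContentFilterPolicy -Identity $spamPolicy | Format-List MarkAsSpam*
Get-AntiPhishPolicy -Identity $phishPolicy |
    Format-List Enable*, *Action, PhishThresholdLevel, TargetedUsersToProtect
Get-ExternalInOutlook | Format-List Enabled, AllowList

Disconnect-ExchangeOnline -Confirm:$false
```

Two things to keep in mind when using this: TargetedUsersToProtect overwrites rather than appends, so read the current list with Get-AntiPhishPolicy first and pass the full set; and every Quarantine action above adds to the review workload, so change the threshold one level at a time and check the quarantine before going further.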

When you get emails that are confirmed as attempts to trick users, make sure you report them to Microsoft:

How do I report a suspicious email or file to Microsoft?

Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft

Probably the easiest way to do that is the free add-in that works with Outlook:

Enable the Report Message or the Report Phishing add-ins

Doing so helps build the intelligence behind Exchange Online filtering, as well as helping others who may see similar malicious emails.

The final option available to you is always to reach out to Microsoft for assistance:

Get help or support for Microsoft 365 for business

I would also suggest you check any white listing you may have in Exchange Online, as these entries are easily forgotten over time. Best practice is not to white list any domain or specific email address, but always check when you see repeated emails get through filtering; I can't tell you how many times I have found this to be the cause. Keep in mind that there are a few places where senders can be white listed:

Create safe sender lists in EOP

You can of course also block the malicious sender:

Create blocked sender lists in EOP
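Because the allow entries live in several different places, it helps to dump them all in one go. The following is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module and a Connect-ExchangeOnline session with a role that can read policies, mail flow rules and mailbox junk settings.

```powershell
# Added example (not from the original post): list every place in Exchange Online
# where a sender, domain or IP can be allow listed and so bypass filtering.
# Assumes the ExchangeOnlineManagement module and a session with rights to read
# policies, mail flow rules and per-mailbox junk configuration.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

"== 1. Anti-spam policies: allowed senders / domains =="
Get-HostedContentFilterPolicy |
    Where-Object { $_.AllowedSenders.Count -gt 0 -or $_.AllowedSenderDomains.Count -gt 0 } |
    Select-Object Name, AllowedSenders, AllowedSenderDomains |
    Format-List

"== 2. Connection filter: IP allow list (skips spam filtering for those IPs) =="
Get-HostedConnectionFilterPolicy |
    Select-Object Name, IPAllowList |
    Format-List

"== 3. Mail flow rules that set SCL to -1 (the classic forgotten bypass) =="
Get-TransportRule |
    Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 } |
    Select-Object Name, From, SenderDomainIs, SenderIpRanges, HeaderContainsWords |
    Format-List

"== 4. Tenant Allow/Block List: sender allow entries =="
Get-TenantAllowBlockListItems -ListType Sender -Allow |
    Select-Object Value, ExpirationDate, Notes |
    Format-Table -AutoSize

"== 5. Per-mailbox safe senders (Outlook junk settings honoured by EOP) =="
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxJunkEmailConfiguration |
    Where-Object { $_.TrustedSendersAndDomains.Count -gt 0 } |
    Select-Object Identity, TrustedSendersAndDomains |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Section 3 is the one most often missed: a mail flow rule that sets SCL to -1 for a partner domain, written years ago, will happily wave through anything spoofing that domain. If a rule like that must stay, scope it to the partner's sending IP ranges rather than the domain name.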

Remember that if you tighten your email security the result will probably be an increase in false positives, at least initially, until you have tuned the settings and users have adjusted to them. Email security is not an exact science. The bad actors are working just as hard to bypass all these settings, so it is always going to be a game of cat and mouse. However, hopefully, using the Microsoft recommended settings and some of the additional tweaks suggested above, you can keep the vast majority of malicious emails out of your users' mailboxes.

Checking Microsoft 365 Email Forwarding using PowerShell

A typical tactic after a business email compromise is for the attacker to set up email forwarding, so that they keep receiving copies of mail even after the password is changed, using one or more of these methods:

Use rules in Outlook Web App to automatically forward messages to another account

Client rules

Sweep

It is therefore good practice to regularly check and verify the email forwarding rules inside your Microsoft 365 environment.

I have created a free PowerShell script exactly for this purpose, which you can find here:

Office365/o365-exo-fwd-chk.ps1 at master · directorcia/Office365 · GitHub

and this video:

https://www.youtube.com/watch?v=Oqk_yd6U3bk&t=16s

walks through its execution.
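For readers who want to see what such a check has to cover, here is an added example, not the script linked above and not code from the original post. It audits mailbox-level forwarding, inbox rules that forward or redirect, sweep rules, the tenant-wide switches that decide whether automatic forwards can leave at all, and the audit log entries that created them. It assumes the ExchangeOnlineManagement module, a Connect-ExchangeOnline session with rights to read mailboxes, inbox rules and the unified audit log, and that auditing is enabled for the tenant.

```powershell
# Added example (not the post's own script): audit every place an attacker can
# leave a forward after a mailbox compromise, and pull the audit events behind it.
# Assumes the ExchangeOnlineManagement module, a session with rights to read
# mailboxes, inbox rules and the unified audit log, and tenant auditing enabled.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings  = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (needs admin rights, so also hints at an admin compromise)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox  = $upn
            Source   = 'MailboxForwarding'
            Target   = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) -join ' '
            KeepCopy = $mbx.DeliverToMailboxAndForward
        })
    }

    # 2. Inbox rules that forward or redirect (OWA rules and server-side Outlook rules;
    #    "client-only" Outlook rules never reach the server and will not show here)
    Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ }
            $findings.Add([pscustomobject]@{
                Mailbox  = $upn
                Source   = "InboxRule: $($_.Name)"
                Target   = $targets -join '; '
                KeepCopy = -not $_.DeleteMessage
            })
        }

    # 3. Sweep rules do not forward, but attackers use them to auto-delete evidence
    Get-SweepRule -Mailbox $upn -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Mailbox  = $upn
                Source   = "SweepRule: $($_.Name)"
                Target   = "moves to $($_.DestinationFolder)"
                KeepCopy = $false
            })
        }
}

# 4. Tenant-wide switches that decide whether automatic forwards can leave at all
$outbound = Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
$remote   = Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# 5. Who created or changed rules and forwarding in the last 30 days
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations

$findings | Format-Table -AutoSize
$outbound | Format-Table -AutoSize
$remote   | Format-Table -AutoSize
$events   | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

An empty findings list is only half the story: if AutoForwardingMode is Automatic or On, or a remote domain has AutoForwardEnabled set, the next compromised mailbox can forward externally the moment a rule is created. Set the outbound spam policy to Off unless you have a documented need, and treat any Set-Mailbox or New-InboxRule event from an unexpected account in section 5 as an incident to investigate.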

Providing feedback on user reported messages

Hopefully you are aware that Microsoft 365 gives users the ability to report a suspected email. I have spoken about this here:

Improved security is a shared responsibility

[Image: user-reported messages in the Security Center]

What you may not be aware of is that these submissions can be viewed and actioned in the Microsoft 365 Security Center:

https://security.microsoft.com

under the Submissions menu option as shown above.

You may also not be aware that there are further actions you can take in here:

[Image: actions available on a user-reported message]

You can provide feedback directly to the user about their submission using the Mark as and notify option, as shown above.

[Image: feedback email sent to the reporting user]

Doing so will send the user an email, like that shown above, giving feedback about their submission. This provides important reinforcement for users to remain vigilant and helps them better identify threats.

[Image: actions that send feedback on a reported message to Microsoft]

You'll also find actions you can take on that message that provide feedback directly to Microsoft, as shown above.

[Image: User submissions settings under Policies & rules | Threat policies]

Even better, under Policies & rules | Threat policies | User submissions you can customise what is sent to the user, both before and after reporting, as shown above.

For more information on these capabilities visit:

Admin review for reported messages

Getting users involved in security is important. Part of that is giving them feedback and recognition for their contribution, no matter how small. With these capabilities for reported messages you can do that quickly and easily.

A little bit more security

Security is never absolute and is largely about defence in depth, that is, adding more layers of protection. With this in mind, I was recently made aware of this little gem that can provide just a little more protection for inbound email, especially against malicious attachments.

[Image: editing the anti-malware policy in the Microsoft 365 security center]

Exchange Online has an anti-malware policy you can configure. You'll find it in the Microsoft 365 security center under policies. When you edit that policy, as shown above, you'll see an option for the Common attachment types filter. Ensure this is set to On. You can then select the Choose type button to pick which attachment types will be blocked.

[Image: default file types in the common attachment types filter]

You'll see there are about ten default file types that will be blocked. What you may not be aware of is that if you press the Add button at the top of the page, as shown above,

[Image: the Add button for additional file types]

there are an additional 86 file types that Microsoft lets you add directly.

[Image: selecting all 86 additional file types]

Just select them all and add them.

[Image: the policy showing 96 blocked file types]

You should then see a total of 96 file types listed in the policy as shown.

I was a little puzzled why Microsoft wouldn't have added more of the 86 optional file types to the standard 10. Most of the optional 86 seem to be developer focused, so maybe that is why. Many of them are quite antiquated, but that doesn't mean they couldn't be used to compromise an environment. It is therefore probably a very good idea to block all 86 optional file types on top of the default 10. Keep in mind that this filter works on the attachment's file type, so it is one extra layer on top of the malware scanning you already have, not a replacement for it.

I also had a quick look at what all these file types typically are and provide this summary for you:

– ade https://www.file-extensions.org/gadget-file-extension

– adp https://www.file-extensions.org/adp-file-extension

– asp https://www.file-extensions.org/asp-file-extension

– bas https://www.file-extensions.org/bas-file-extension

– bat https://www.file-extensions.org/bat-file-extension

– cer https://www.file-extensions.org/cer-file-extension-internet-security-certificate

– chm https://www.file-extensions.org/chm-file-extension

– cmd https://www.file-extensions.org/cmd-file-extension

– com https://www.file-extensions.org/com-file-extension

– cpl https://www.file-extensions.org/cpl-file-extension

– crt https://www.file-extensions.org/crt-file-extension

– csh https://www.file-extensions.org/csh-file-extension-csh-script

– der https://www.file-extensions.org/der-file-extension

– dll https://www.file-extensions.org/dll-file-extension

– dos https://www.file-extensions.org/dos-file-extension

– fxp https://www.file-extensions.org/fxp-file-extension-adobe-flash-builder-project

– gadget https://www.file-extensions.org/gadget-file-extension

– hlp https://www.file-extensions.org/hlp-file-extension

– hta https://www.file-extensions.org/hta-file-extension

– inf https://www.file-extensions.org/inf-file-extension

– ins https://www.file-extensions.org/ins-file-extension

– isp https://www.file-extensions.org/lsp-file-extension-autolisp-language-source-code

– its https://www.file-extensions.org/its-file-extension-internet-document

– js https://www.file-extensions.org/js-file-extension

– jse https://www.file-extensions.org/jse-file-extension

– ksh https://www.file-extensions.org/ksh-file-extension

– lnk https://www.file-extensions.org/lnk-file-extension

– mad https://www.file-extensions.org/mad-file-extension

– maf https://www.file-extensions.org/maf-file-extension

– mag https://www.file-extensions.org/mag-file-extension-microsoft-access-diagram-shortcut

– mam https://www.file-extensions.org/mam-file-extension

– maq https://www.file-extensions.org/maq-file-extension

– mar https://www.file-extensions.org/mar-file-extension

– mas https://www.file-extensions.org/mas-file-extension

– mat https://www.file-extensions.org/mat-file-extension

– mau https://www.file-extensions.org/mau-file-extension

– mav https://www.file-extensions.org/mav-file-extension

– maw https://www.file-extensions.org/maw-file-extension

– mda https://www.file-extensions.org/mda-file-extension

– mdb https://www.file-extensions.org/mdb-file-extension

– mde https://www.file-extensions.org/mde-file-extension

– mdt https://www.file-extensions.org/mdt-file-extension

– mdw https://www.file-extensions.org/mdw-file-extension

– mdz https://www.file-extensions.org/mdz-file-extension

– msc https://www.file-extensions.org/msc-file-extension

– msh https://www.file-extensions.org/msh-file-extension

– msh1 https://www.file-extensions.org/msh1-file-extension

– msh1xml https://www.file-extensions.org/msh1xml-file-extension

– msh2 https://www.file-extensions.org/msh2-file-extension

– msh2xml https://www.file-extensions.org/msh2xml-file-extension

– mshxml https://www.file-extensions.org/mshxml-file-extension

– msi https://www.file-extensions.org/msi-file-extension

– msp https://www.file-extensions.org/msp-file-extension

– mst https://www.file-extensions.org/msstyles-file-extension

– obj https://www.file-extensions.org/obj-file-extension-microsoft-visual-studio-object

– ops https://www.file-extensions.org/oxps-file-extension

– os2 https://www.file-extensions.org/os2-file-extension

– pcd https://www.file-extensions.org/pcd-file-extension-microsoft-visual-test-data

– pif https://www.file-extensions.org/pif-file-extension

– plg https://www.file-extensions.org/plg-file-extension

– prf https://www.file-extensions.org/prf-file-extension-microsoft-outlook-profile

– prg https://www.file-extensions.org/prg-file-extension-program

– ps1 https://www.file-extensions.org/ps1-file-extension

– ps1xml https://www.file-extensions.org/ps1xml-file-extension

– ps2 https://www.file-extensions.org/ps2-file-extension

– ps2xml https://www.file-extensions.org/ps2xml-file-extension

– psc1 https://www.file-extensions.org/psc1-file-extension

– psc2 https://www.file-extensions.org/psc2-file-extension

– pst https://www.file-extensions.org/pst-file-extension

– rar https://www.file-extensions.org/library-ms-file-extension

– scf https://www.file-extensions.org/scf-file-extension

– sct https://www.file-extensions.org/sct-file-extension

– shb https://www.file-extensions.org/shb-file-extension

– shs https://www.file-extensions.org/shs-file-extension-microsoft-windows-shell-scrap-object

– tmp https://www.file-extensions.org/tmp-file-extension

– url https://www.file-extensions.org/url-file-extension

– vb https://www.file-extensions.org/vb-file-extension

– vsmacros https://www.file-extensions.org/vsmacros-file-extension

– vsw https://www.file-extensions.org/vsw-file-extension

– vxd https://www.file-extensions.org/vxd-file-extension

– w16 https://www.file-extensions.org/w16-file-extension

– ws https://www.file-extensions.org/ws-file-extension

– wsc https://www.file-extensions.org/wsc-file-extension

– wsf https://www.file-extensions.org/wsf-file-extension

– wsh https://www.file-extensions.org/wsh-file-extension

– xnk https://www.file-extensions.org/xnk-file-extension

Thus, I'd recommend you update your Exchange Online anti-malware policy to include the complete list of file types that Microsoft provides protection for, even though most aren't enabled by default.
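The same change can be made from PowerShell, which also avoids the one trap in doing it by hand: Set-MalwareFilterPolicy -FileTypes replaces the list rather than adding to it, so the script below merges the 86 types listed above with whatever is already configured. This is an added example, not code from the original post. It assumes the ExchangeOnlineManagement module, an Exchange admin role, and that the policy to change is the built-in Default anti-malware policy; the extension list is the one from this post, and the set Microsoft offers in the portal may change over time.

```powershell
# Added example (not from the original post): add the 86 optional file types to the
# common attachment types filter without dropping the types already configured.
# Assumes the ExchangeOnlineManagement module, an Exchange admin role, and the
# built-in "Default" anti-malware policy. The list is the one from this post.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$policyName = 'Default'
$extra = @(
    'ade','adp','asp','bas','bat','cer','chm','cmd','com','cpl','crt','csh',
    'der','dll','dos','fxp','gadget','hlp','hta','inf','ins','isp','its','js','jse',
    'ksh','lnk','mad','maf','mag','mam','maq','mar','mas','mat','mau','mav','maw',
    'mda','mdb','mde','mdt','mdw','mdz','msc','msh','msh1','msh1xml','msh2','msh2xml',
    'mshxml','msi','msp','mst','obj','ops','os2','pcd','pif','plg','prf','prg','ps1',
    'ps1xml','ps2','ps2xml','psc1','psc2','pst','rar','scf','sct','shb','shs','tmp',
    'url','vb','vsmacros','vsw','vxd','w16','ws','wsc','wsf','wsh','xnk'
)

$policy = Get-MalwareFilterPolicy -Identity $policyName
$before = @($policy.FileTypes)

# Union of the current list and the extra list: lower-cased and de-duplicated,
# because -FileTypes overwrites the whole list and duplicates are rejected.
$merged = @($before + $extra | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)

Set-MalwareFilterPolicy -Identity $policyName -EnableFileFilter $true -FileTypes $merged

$after = @((Get-MalwareFilterPolicy -Identity $policyName).FileTypes)
"Filter enabled: $((Get-MalwareFilterPolicy -Identity $policyName).EnableFileFilter)"
"File types before: $($before.Count); after: $($after.Count)"
"Added: $(($after | Where-Object { $_ -notin $before }) -join ', ')"

Disconnect-ExchangeOnline -Confirm:$false
```

If you run this against a tenant whose default list already overlaps the 86 (for example bat, cmd or hta), the after count will be lower than 96; that is expected, and the Added line shows exactly what changed.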