Stop Email Spoofing in Exchange Online

By default, email spoofing in Exchange Online can be carried out easily using the following steps (they apply to on-premises Exchange servers as well). Afterwards we will see how to stop email spoofing in Exchange Online.
  1. Check the MX record for the email domain – this can be easily obtained via mxtoolbox or nslookup
[Screenshot: EmailSpoofing-01]
  2. Get a “clean” public IP address – you can verify whether your public IP address is blocked by Spamhaus via mxtoolbox
    1. Enter “blacklist:121.121.43.x” to confirm that the public IP is NOT blocked by Office 365
[Screenshot: EmailSpoofing-02]
  3. Send a spoofed email using the following PowerShell script

test@aventistech.com is a non-existent email address in AventisTech.com (you can use any valid email address if you know it), and yet the email is successfully delivered to my inbox.

It is hard to notice at first glance. We did encounter a case with one of our clients where the Finance Manager received a spoofed email from his boss asking him to transfer money to another account for a project payment. The Finance Manager followed the instruction, as the email really looked like it came from his boss.

[Screenshot: EmailSpoofing-03]

You can still tell the difference if you look closely at the message header:
  1. Open the message header, paste it into https://testconnectivity.microsoft.com/ and select Message Analyzer
  2. Search for X-MS-Exchange-Organization-AuthAs
    1. Internal – it was sent by an internal, authenticated user
    2. Anonymous – it was sent by an anonymous (unauthenticated) sender. Pay special attention here, as this is most likely a sign of email spoofing
So, how do we stop email spoofing in Exchange Online / on-premises?
The easiest way is to use either Sender Policy Framework (SPF) or an Exchange Online rule to block it.
What is Sender Policy Framework (SPF)?
Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing. It gives receiving mail exchangers a way to check that incoming mail claiming to be from a domain actually comes from an IP address / host name that the domain owner has authorized in public DNS.

[Screenshot: EmailSpoofing-04]

You can use spfwizard to generate the SPF record for your domain, for example AventisTech.com:

AventisTech.com.  IN TXT "v=spf1 mx a ip4:121.121.43.49 a:aventistech-com.mail.protection.outlook.com -all"

Only the IP addresses / host names defined in the SPF record above are authorized to send outgoing email for AventisTech.com, and -all means email sent from any other IP / host name will be rejected – provided your SMTP gateway or email server supports SPF filtering.

Log in to Exchange Admin Center > Protection > Spam Filter > Default > Advanced Options

[Screenshot: EmailSpoofing-05]

Turn on SPF record hard fail to move all detected spoofed emails to users’ junk folders.

[Screenshot: EmailSpoofing-06]

Using Exchange Online Rule

Log in to Exchange Admin Center > Mail Flow > Rules > + (Create a new rule) > More options (click on it)

[Screenshot: EmailSpoofing-07]

Apply this rule if (Conditions)
  1. The sender is located “Outside the organization”
  2. The sender’s domain is “AventisTech.com”
Do the following (Actions)
  1. Generate incident report and send it to
  2. Set the spam confidence level (SCL) to 5 – to stamp the message as spam
  3. Any other actions you would like to define here
Except if (Exception)
  1. Sender IP address is in the range of – this is particularly useful if you have a local SMTP server that relays email from printers / scanners / application servers to Office 365 via port 25, and you do NOT want the rule to stamp that email as spoofed
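The same rule as the EAC steps above, built with Exchange Online PowerShell. This is an added example, not code from the original post; the rule name, the incident-report recipient and the trusted relay IP range are placeholders to replace with your own values, and it assumes the ExchangeOnlineManagement module is installed and the account has Exchange admin rights.

```powershell
# Added example (not part of the original post): anti-spoofing transport rule
# matching the EAC conditions / actions / exception described above.
Connect-ExchangeOnline

$InternalDomain = 'aventistech.com'            # domain being spoofed (from the post)
$ReportTo       = 'secops@example.com'          # placeholder: mailbox that receives incident reports
$TrustedRelays  = @('192.0.2.10-192.0.2.20')   # placeholder: local SMTP relay / printer range

$ruleParams = @{
    Name                   = 'Flag spoofed internal domain from outside'
    # Conditions: sender is outside the organization AND claims our own domain
    FromScope              = 'NotInOrganization'
    SenderDomainIs         = $InternalDomain
    # Actions: stamp as spam (SCL 5) and generate an incident report
    SetSCL                 = 5
    GenerateIncidentReport = $ReportTo
    IncidentReportContent  = @('Sender', 'Recipients', 'Subject', 'RuleDetection', 'AttachOriginalMail')
    # Exception: trusted on-premises relay that sends to Office 365 on port 25
    ExceptIfSenderIpRanges = $TrustedRelays
    # Start in Audit mode so matches are logged without affecting delivery,
    # then switch to Enforce once message trace shows no false positives
    Mode                   = 'Audit'
}
New-TransportRule @ruleParams

# Confirm the rule was created with the expected settings
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, Mode, FromScope, SenderDomainIs, SetSCL, ExceptIfSenderIpRanges

# When satisfied with the audit results:
# Set-TransportRule -Identity $ruleParams.Name -Mode Enforce
```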

An incident email will be delivered to your mailbox once email spoofing is detected.

[Screenshot: EmailSpoofing-08]

With the above steps implemented, the risk of an email spoofing attack in Exchange Online can be minimized.

Additional Reading 

Envelope Headers vs Message Header

Just like physical letters, SMTP email has two different sets of address information: the envelope headers, like the addresses on the outside of an envelope, which are used by mail transport software to route and deliver the email, and the normal headers, which are part of the mail message and which are only read and interpreted by the user and his software, just like the address attached to a salutation at the start of a physical letter. Unlike the post office, SMTP usually throws away most of the envelope before it hands the message to the user, so many users are not aware of the envelope headers.

Use the following PowerShell script to alter the from:<> field in the message header

Even when the message header is altered to “from:test@aventistech.com”, the above solution is still able to detect it as email spoofing and stop it.

[Screenshot: EmailSpoofing-09]
