Stop Email Spoofing in Exchange Online

By default, email spoofing against Exchange Online is easy to perform using the following steps (this applies to on-premises Exchange servers as well). Afterwards we will see how to stop email spoofing in Exchange Online.
  1. Check the MX record for the email domain – this can be easily obtained via mxtoolbox or nslookup
  2. Get a “clean” public IP address – you can verify whether your public IP address is blocked by Spamhaus via mxtoolbox
    1. Enter “blacklist:121.121.43.x” to confirm that the public IP is NOT blocked by Office 365
  3. Send a spoofed email using the following PowerShell script
$EmailFrom = ""
$EmailTo = ""
$Subject = "Testing of Email Spoofing"
$Body = "Email Body "
$SMTPServer = ""
# Plain SMTP on port 25, no authentication: the server accepts whatever sender address it is given
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 25)
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)

The sender address is a non-existent email address in (you can use any valid email address if you know it), and yet the email is successfully delivered to my inbox.

It is hard to notice at first glance. We did encounter a case with one of our clients where the Finance Manager received a mail from his boss (email spoofing) asking him to transfer money to another account for a project payment. The Finance Manager followed the instructions, as the email really looked like it came from his boss.


You can still tell the difference if you really look at the message header:
  1. Open the message header, paste it into , and select Message Analyzer
  2. Search for X-MS-Exchange-Organization-AuthAs
    1. Internal – it was sent by an internal, authenticated user
    2. Anonymous – it was sent by an anonymous (unauthenticated) sender; pay special attention, as this is most likely a sign of email spoofing
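The same check the Message Analyzer step performs, as an added PowerShell example (not from the original post): parse a pasted header block, read the AuthAs stamp and the SPF result, and flag a From: address in one of our own domains that arrived as Anonymous. The domain names and the sample header are constructed.

```powershell
# Added example: flag a header that claims our own domain but was submitted anonymously.
function Test-SpoofedHeader {
    param(
        [Parameter(Mandatory)][string]$RawHeader,
        [Parameter(Mandatory)][string[]]$OurDomains   # our accepted domains (constructed below)
    )
    # Unfold continuation lines: a line starting with whitespace belongs to the header above it
    $unfolded = $RawHeader -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $headers[$matches[1].ToLower()] = $matches[2]
        }
    }
    $fromDomain = $null
    if ($headers['from'] -match '@([A-Za-z0-9.-]+)') { $fromDomain = $matches[1].ToLower() }
    $spfResult = 'none'
    if ($headers['received-spf'] -match '^(\w+)') { $spfResult = $matches[1] }
    $authAs = $headers['x-ms-exchange-organization-authas']
    $claimsOurDomain = ($null -ne $fromDomain) -and ($OurDomains -contains $fromDomain)

    [pscustomobject]@{
        FromDomain    = $fromDomain
        AuthAs        = $authAs
        SpfResult     = $spfResult
        # Internal = authenticated submission; Anonymous while claiming our domain is the spoofing signature
        LikelySpoofed = $claimsOurDomain -and ($authAs -eq 'Anonymous')
    }
}

# Constructed sample: an unauthenticated external submission claiming to be our CEO
$sampleHeader = @"
Received: from mail.example.net (203.0.113.10) by protection.outlook.com
Received-SPF: Fail (protection.outlook.com: domain of contoso.com does not
 designate 203.0.113.10 as permitted sender)
X-MS-Exchange-Organization-AuthAs: Anonymous
From: CEO <ceo@contoso.com>
To: finance@contoso.com
Subject: Urgent payment
"@

Test-SpoofedHeader -RawHeader $sampleHeader -OurDomains 'contoso.com'
```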
So, how do you stop email spoofing in Exchange Online / on premises?
The easier ways are to use either Sender Policy Framework (SPF) or an Exchange Online rule to block it.
What is Sender Policy Framework (SPF)?
Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing. It gives receiving mail exchangers a mechanism to check that incoming mail from a domain comes from an IP address / host name that the domain owner has authorized in a record published in public DNS.


You can use spfwizard to generate the SPF record for your domain, e.g. IN TXT “v=spf1 mx a ip4: -all”

Only the IP addresses / host names listed in the SPF record above are authorized to send outgoing email for , and -all means email sent from any other IP / host name will be rejected – provided your SMTP gateway or email server supports SPF filtering.
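How a receiving server evaluates such a record, as an added PowerShell example (not from the original post): a minimal SPF evaluator that walks the mechanisms in order and returns the qualifier of the first match. It handles ip4 (with CIDR), a, mx and all; include/redirect are not implemented. The record and addresses are constructed placeholders, and the a/mx mechanisms use Resolve-DnsName (Windows / PowerShell 7 DnsClient module).

```powershell
# Added example: simplified SPF evaluation for one sender IP against one record.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> host order for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}
function Test-InCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = '32' }   # a bare address means /32
    $mask = [uint32]([uint32]::MaxValue - ([math]::Pow(2, 32 - [int]$bits) - 1))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}
function Test-SpfAuthorized ([string]$Record, [string]$Domain, [string]$SenderIp) {
    $terms = $Record -split '\s+' | Where-Object { $_ -and $_ -ne 'v=spf1' }
    foreach ($term in $terms) {
        # Qualifier in front of the mechanism: + pass (default), - fail, ~ softfail, ? neutral
        $qualifier = '+'
        if ($term -match '^([+\-~?])') { $qualifier = $matches[1] }
        $mech = $term -replace '^[+\-~?]', ''
        $hit = $false
        switch -Regex ($mech) {
            '^all$'      { $hit = $true }
            '^ip4:(.+)$' { $hit = Test-InCidr $SenderIp $matches[1] }
            '^a$'        { $hit = @(Resolve-DnsName $Domain -Type A -ErrorAction SilentlyContinue).IPAddress -contains $SenderIp }
            '^mx$'       {
                foreach ($mx in @(Resolve-DnsName $Domain -Type MX -ErrorAction SilentlyContinue)) {
                    $hosts = @(Resolve-DnsName $mx.NameExchange -Type A -ErrorAction SilentlyContinue).IPAddress
                    if ($hosts -contains $SenderIp) { $hit = $true }
                }
            }
        }
        if ($hit) { return @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }[$qualifier] }
    }
    return 'Neutral'   # no mechanism matched and the record has no "all"
}

# Constructed record in the shape spfwizard produces: one authorized subnet, then the MX/A hosts
$spf = 'v=spf1 ip4:203.0.113.0/24 mx a -all'
Test-SpfAuthorized -Record $spf -Domain 'contoso.com' -SenderIp '203.0.113.25'   # Pass (ip4 match, no DNS needed)
Test-SpfAuthorized -Record $spf -Domain 'contoso.com' -SenderIp '198.51.100.7'   # Fail on -all after mx/a do not match
```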

Log in to Exchange Admin Center > Protection > Spam Filter > Default > Advanced Options

Turn on “SPF record: hard fail” to move all detected spoofing emails to users’ Junk folders.


Using Exchange Online Rule

Log in to Exchange Admin Center > Mail Flow > Rules > + (Create a new rule) > More options


Apply this rule if (Conditions)
  1. The sender is located “Outside the organization”
  2. The sender’s domain is “”
Do the following (Actions)
  1. Generate an incident report and send it to
  2. Set the spam confidence level (SCL) to 5 – to stamp it as spam
  3. Any other actions you would like to define here
Except if (Exceptions)
  1. The sender’s IP address is in the range of (this is particularly useful if you have a local SMTP server that relays email to Office 365 via port 25 for local printers / scanners / application servers, and you do NOT want the rule to stamp that mail as spoofed)

An incident email will be delivered to your mailbox once email spoofing is detected.
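The same rule created from Exchange Online PowerShell instead of the admin center, as an added example (not from the original post). It assumes Connect-ExchangeOnline has already been run; the domain, report mailbox and relay subnet are placeholders.

```powershell
# Added example: the anti-spoofing transport rule described above, built with New-TransportRule.
$ourDomain  = 'contoso.com'            # placeholder: your accepted domain
$reportTo   = 'secops@contoso.com'     # placeholder: mailbox that receives the incident report
$relayRange = @('192.0.2.0/24')        # placeholder: on-premises SMTP relay / scanner subnet

$ruleParams = @{
    Name                   = 'Flag spoofed mail claiming our own domain'
    FromScope              = 'NotInOrganization'   # condition: sender is outside the organization
    SenderDomainIs         = $ourDomain            # condition: sender's domain is ours
    GenerateIncidentReport = $reportTo             # action: incident report to the security mailbox
    IncidentReportContent  = 'Sender', 'Recipients', 'Subject', 'Severity', 'RuleDetail'
    SetSCL                 = 5                     # action: stamp as spam
    ExceptIfSenderIpRanges = $relayRange           # exception: internal relay legitimately sends as our domain
    Mode                   = 'Enforce'             # use 'Audit' first to measure false positives
}
New-TransportRule @ruleParams

# Read the rule back to confirm the conditions, action and exception landed as intended
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, Priority, FromScope, SenderDomainIs, SetSCL, ExceptIfSenderIpRanges, GenerateIncidentReport
```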


With the above steps implemented, the risk of an email spoofing attack in Exchange Online is minimized.

Additional Reading 

Envelope Headers vs Message Header

Just like physical letters, SMTP email has two different sets of address information: the envelope headers, like the addresses on the outside of an envelope, which are used by mail transport software to route and deliver the email, and the normal headers, which are part of the mail message and which are only read and interpreted by the user and his software, just like the address attached to a salutation at the start of a physical letter. Unlike the post office, SMTP usually throws away most of the envelope before it hands the message to the user, so many users are not aware of the envelope headers.

Use the following PowerShell script to alter the from:<> in the message header:

# Placeholders left empty as in the original post: fill in before running
$remoteHost = ""
$Port = "25"
$WaitTime = "1000"
$MailFrom = ""
$Rcpt = ""
$dateTime = Get-Date
$subject = "Email Testing $dateTime"
$body = "Email Content in Body"
# Raw SMTP dialogue, one entry per line sent; the empty string ends the header block of the DATA section
$commands = @("ehlo","Mail from:$MailFrom","rcpt to:$Rcpt","data","subject:$subject","",$body,".","quit")

#Clear the Value assigned to the variable
Clear-Variable errorOccurence -ErrorAction SilentlyContinue

try { ## Open the socket, and connect to the computer on the specified port
    write-host -ForegroundColor Green "Connecting to $remoteHost on port $port"
    $socket = new-object System.Net.Sockets.TcpClient($remoteHost, $port)

    if($socket -eq $null) {
        throw ("Could Not Connect")
    }

    $stream = $socket.GetStream()
    $writer = new-object System.IO.StreamWriter($stream)

    $buffer = new-object System.Byte[] 1024
    $encoding = new-object System.Text.AsciiEncoding

    #Loop through $commands and execute one at a time.
    for($i=0; $i -lt $commands.Count; $i++) {
        ## Allow data to buffer for a bit
        Start-Sleep -Milliseconds $WaitTime

        ## Read all the data available from the stream, writing it to the screen when done.
        while($stream.DataAvailable) {
            $read = $stream.Read($buffer, 0, 1024)
            write-host -n ($encoding.GetString($buffer, 0, $read))
        }

        write-host $commands[$i]
        ## Write the command to the remote host (WriteLine sends the CRLF that SMTP expects)
        $writer.WriteLine($commands[$i])
        $writer.Flush()
    }
}
catch {
    #When an exception is thrown catch it and output the error.
    #this is also where you would send an email or perform the code you want when its classed as down.
    write-host $error[0]
    $dateTime = get-date
    $errorOccurence = "Error occurred connecting to $remoteHost on $port at $dateTime"
    write-host $errorOccurence
}
finally {
    ## Close the streams
    ## Cleans everything up.
    if ($writer) { $writer.Close() }
    if ($stream) { $stream.Close() }
    if ($socket) { $socket.Close() }
}

#	stop-transcript

Even with the “” message header altered this way, the solution above can still detect it as email spoofing and stop it.