netcomp asked:
Spoofed emails to contacts in our domain

We are on Office 365. Lately, we are getting emails from our CEO going to random people in our company on the same domain, but the emails are not from him. They normally ask the recipients for a response: "Are you available today?"
We know it's not from him because when we go in and look at the email address, it's not him. It just has his name. We do have SPF records in place.
Amit replied:

You need to ask, or open a ticket with, the Microsoft EOP team about why you are getting spoofed. EOP should filter such mails by default.
timgreen7077 replied:
Create a mail flow (transport) rule saying: if the sender is outside the org AND the sender email address is ceo@domain.com, delete the email.
If the CEO mailbox is in the same org as everyone else, then mail from his address should never come from outside the org, so Exchange will discard the email. The rule should look something like this:

CEO Rule
If the message...
Is received from 'ceo@yourdomain.com'
and Is received from 'Outside the organization'
Do the following...
Delete the message without notifying the recipient or sender

This will delete those fake emails coming from the spoofed CEO email address. Also reach out to O365 support about this.
You can also enable the SPF filter in EOP.
Yes, the From address has been "spoofed" and the mail is not really from him. Do not reply, or you will be talking to the "bad guys". Educate your users about these types of scams; if an email is suspicious, they should use another form of contact than email, such as phone or in person, for confirmation.

Through internet searches and social engineering, the emails can seem believable. The attackers learn who has the power and authority within the company and try to exploit that. Do not post email addresses on your website; use a contact form.
The OP writes: "We know it's not from him because when we go in and look at the email address it's not him."
So there is no use in creating transport rules or opening tickets, as the label of the sender address can be easily forged and there's no way to block such emails with static rules. You have to examine the email headers and eventually block IPs, but that's not feasible if, for instance, the sender IP is on an Office 365 tenant (which is fully free for 30 days for 25 different mailboxes).

Since the sender email label matches your org's CEO name, help to the spammer from an insider or someone otherwise close to the company is to be expected.

So it sums up to blocking the particular sender email and monitoring the incoming spam so that you can update your blocking rule as soon as possible, an approach which does not scale horizontally. And this is the reason we still have spam: because it costs nothing and has a percentage of success.

My 2 philosophical cents :)
Use "Have I Been Pwned" to check breach status.
Check and lock down accounts.
Check your mail settings to make sure nothing has been changed.
Two-factor authentication is also going to be a must for his account.
Since you know it's purely a spoof, you should create some additional rules. In our case, we took the names of executives and created a rule that would strip the name out of the From field. This way, only the email address would show to the users and ideally make them pay more attention. (We're using Cisco for filtering, though, not MS.)
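The two rule ideas in this thread, timgreen7077's "delete if From is the CEO's address but the message arrived from outside the organization" and the last answer's "flag executives' display names on external mail", can both be expressed as Exchange Online mail flow rules from PowerShell. The block below is an added example written for this page, not code posted by anyone in the thread or shipped by Microsoft; it assumes the ExchangeOnlineManagement module is installed, that you run it as an Exchange Online administrator, and that ceo@yourdomain.com and the names in $execNames are placeholders you replace with your own. Rule 1 is created in Audit mode so you can review what it would have deleted before enforcing it; rule 2 tags rather than deletes, because the spoofs described in the question use a foreign address with the CEO's display name, which SPF and DMARC on your own domain cannot catch, and an external namesake or the CEO's personal account would otherwise be silently dropped.

```powershell
# Added example for this thread, not original page content.
# Prerequisite (one time): Install-Module ExchangeOnlineManagement
# Placeholders: ceo@yourdomain.com and the names in $execNames are assumptions.

Connect-ExchangeOnline

$ceoAddress = 'ceo@yourdomain.com'            # placeholder: the CEO's real mailbox
$execNames  = @('Jane Doe', 'John Q. Public') # placeholders: display names to protect

# Rule 1: the rule described by timgreen7077. A message whose From address is the
# CEO's own mailbox can only legitimately originate inside the tenant, so one that
# arrives with FromScope NotInOrganization is spoofed. Audit mode records matches
# in the rule reports without taking the action; switch -Mode to Enforce after review.
New-TransportRule -Name 'CEO Rule' `
    -From $ceoAddress `
    -FromScope NotInOrganization `
    -DeleteMessage $true `
    -Mode Audit `
    -Priority 0

# Rule 2: the display-name case (address differs, name matches). Build one regex
# alternation of escaped executive names and match it against the From header of
# external mail. Tag the subject and stamp a header so users see the warning and
# downstream rules or Outlook rules can key on it.
$namePattern = ($execNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
New-TransportRule -Name 'Executive display-name impersonation' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns "($namePattern)" `
    -PrependSubject '[EXTERNAL: sender name matches an executive] ' `
    -SetHeaderName 'X-Exec-Name-Match' `
    -SetHeaderValue 'true' `
    -Mode Enforce `
    -Priority 1

# Confirm both rules exist with the intended mode and order.
Get-TransportRule |
    Where-Object { $_.Name -in 'CEO Rule', 'Executive display-name impersonation' } |
    Format-List Name, State, Mode, Priority, Description
```

Rule order matters: the delete rule has the lower priority number so an exact-address spoof is removed before the tagging rule runs. If your tenant also has DMARC at p=reject on the domain, rule 1 is largely redundant with what EOP already enforces, but it costs nothing and its audit report is a convenient count of how often the exact address is being forged.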