question

tonitodux asked tonitodux commented

Deactivate spoof intelligence?

Hi,

since we moved our mailboxes to Exchange Online, our quarantine is getting hammered with e-mails that are legit. I managed to calm the situation by adding certain domains to "Allowed to spoof". But there are so many exceptions that I am asking myself if this is worth having enabled.

The e-mails are getting blocked by the default AntiPhish Policy because, the way I understand it, some of my colleagues are included in a distribution list that is from another company, not ours. And every time an e-mail comes with this distribution group in cc where my colleagues reside, the mail will land in quarantine.

From Message Header Analyzer about this particular e-mail:

Spam Confidence Level: 5
Spam Filtering Verdict: SPM
IP Filter Verdict: NLI
Protection Policy Category: SPOOF


Cheers


office-exchange-server-mailflow

Hi, @tonitodux
I am writing here to confirm with you how things are going now.
Did the issue get resolved?



1 Answer

AndyDavid answered tonitodux commented

Don't deactivate that :)
and don't add domains as allowed to spoof.

Instead, create Transport rules and allow those messages from those companies if the messages pass DMARC:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide#recommended-use-mail-flow-rules


Hi,

does this mean I should add a rule for every domain that is (not) getting spoofed?

Thanks


No, you can use one rule :)

You can add multiple domains in that rule and use passing DMARC as the requirement. That way you ensure the messages are really coming from their servers.




Thank you for your answer. I will do like you told me and will close the thread.

Have a great day!

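The single rule described in the answer and its follow-up comment, sketched in Exchange Online PowerShell as an added example that is not part of the original thread. The partner domains, the rule name and the marker header are placeholders, and expressing "passes DMARC" as a match on the `Authentication-Results` header is an assumption based on the linked Microsoft article.

```powershell
# Added example; run in a session opened with Connect-ExchangeOnline
# (ExchangeOnlineManagement module).

# Placeholder partner domains (constructed): the external companies whose
# distribution lists include your users.
$PartnerDomains = @('partner-one.example', 'partner-two.example')
$RuleName       = 'Allow partner mail that passes DMARC'   # hypothetical name

# Both conditions must match: the sender domain is on the list AND the
# Authentication-Results header reports dmarc=pass. Mail that only claims
# to be from a listed domain does not get dmarc=pass, so it misses the
# rule and stays subject to the anti-phishing policy.
# (Microsoft's article also lists 'dmarc=bestguesspass' for sender
# domains that publish no DMARC record; it is left out here to keep the
# requirement at an explicit DMARC pass.)
$RuleParams = @{
    SenderDomainIs              = $PartnerDomains
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = @('dmarc=pass')
    SetSCL                      = -1                        # bypass spam filtering
    SetHeaderName               = 'X-ETR'                   # marker header (placeholder)
    SetHeaderValue              = 'Partner DMARC bypass'    # shows rule hits in headers
}

# Create the rule once; on later runs update it in place, so adding a
# domain means editing $PartnerDomains rather than adding another rule.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    Set-TransportRule -Identity $RuleName @RuleParams
} else {
    New-TransportRule -Name $RuleName @RuleParams
}

# Review what was stored.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SenderDomainIs, HeaderContainsWords, SetSCL
```

After the rule is in place, the corresponding entries under "Allowed to spoof" can be removed, since those entries do not require the message to pass DMARC.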