Our email is hosted within Exchange Online.
The latest waves of incoming phish and spam emails seem to be sent in batches with each incoming email sent to about 50-60 of our internal users within the To: field.
I can't think of a reason why my organization would ever accept an email from outside that is addressed to more than 10 recipients.
Looked in mail flow rules to see if we could block an incoming email based on the number of internal recipients in the To: field.
Did not find anything.
I have been working with SPAM issues for over 25 years. Don't need advice on reducing SPAM.
We have O365 ATP SPAM policies, Phish Policies, SafeLinks, SafeAttachments.
None of the above will protect you when you receive a 0-hour, 0-day targeted email-based threat that is addressed to dozens of your internal users.
You try and hide your internal email addresses but over time, the crooks build inventories of your email addresses.
We have been receiving targeted emails addressed to 50+ internal valid recipients.
Need a way to drop emails based on the number of recipients within the X-MS-Exchange-Organization-OriginalEnvelopeRecipients: field or the length of that field.
Spam scores are usually 0 and the X-MS-Exchange-Organization-OriginalEnvelopeRecipients: looks something like this:
X-MS-Exchange-Organization-SpamScore: 0
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-Organization-OriginalEnvelopeRecipients: =?us-ascii?Q?jswea@iai.com;jbyv@iai?=
=?us-ascii?Q?.com;?=
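
An added example, not part of the original post: an offline Python helper that decodes the folded RFC 2047 encoded-words in the header shown above and counts the recipients, for triaging exported message headers. The function names, the example.com sample and the use of 10 as the limit (the figure mentioned in the post) are assumptions; this is not a mail flow rule.

```python
from email import message_from_string
from email.header import decode_header

HEADER = "X-MS-Exchange-Organization-OriginalEnvelopeRecipients"
MAX_RECIPIENTS = 10  # assumption: the limit mentioned in the post

def decode_value(raw):
    """Join RFC 2047 encoded-words, even when folded across lines."""
    out = []
    for part, charset in decode_header(raw):
        if isinstance(part, bytes):
            part = part.decode(charset or "ascii", errors="replace")
        out.append(part)
    return "".join(out)

def envelope_recipients(raw_headers):
    """Return the unique, lower-cased recipients found in a header block."""
    msg = message_from_string(raw_headers)
    seen = []
    for value in msg.get_all(HEADER, []):
        for addr in decode_value(value).split(";"):
            addr = addr.strip().lower()
            if addr and addr not in seen:
                seen.append(addr)
    return seen

def exceeds_limit(raw_headers, limit=MAX_RECIPIENTS):
    """True when the message was addressed to more than `limit` recipients."""
    return len(envelope_recipients(raw_headers)) > limit

def fold_as_encoded_words(value, width=30):
    """Build a folded header value like the one Exchange stamps (test helper)."""
    chunks = [value[i:i + width] for i in range(0, len(value), width)]
    return "\n ".join(f"=?us-ascii?Q?{c}?=" for c in chunks)

# Header block from the post; the continuation line is indented as in a real message.
SAMPLE_PAGE = (
    "X-MS-Exchange-Organization-SpamScore: 0\n"
    "X-Microsoft-Antispam: BCL:0;\n"
    f"{HEADER}: =?us-ascii?Q?jswea@iai.com;jbyv@iai?=\n"
    " =?us-ascii?Q?.com;?=\n\n"
)
# Constructed sample: 12 recipients split mid-address across encoded-words.
SAMPLE_BULK = f"{HEADER}: " + fold_as_encoded_words(
    "".join(f"user{i:02d}@example.com;" for i in range(1, 13))) + "\n\n"

if __name__ == "__main__":
    for name, block in (("page", SAMPLE_PAGE), ("bulk", SAMPLE_BULK)):
        print(name, len(envelope_recipients(block)), exceeds_limit(block))
```

Counting after decoding matters because the raw header splits addresses across encoded-words, so counting ";" or "@" per line, or measuring raw length, gives inconsistent results.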