How to review and mitigate the impact of phishing attacks in Office 365

As we mentioned in our one of our previous posts, many of the security support escalations we receive start with somebody falling victim to a phishing attack. In this blog post we would like to share how you (Office 365 Admins) can review and mitigate phishing attacks targeting your Office 365 tenant.

Step 1: What did the targeted user do?

The first step is to understand what the user did and what was the immediate impact of the attack. A good few questions to start with include:

  • Did the user open the email?
  • Did the user click a malicious email?
  • Did the user open an attachment?
  • Did the user reply to the email?
  • Did the email provide the attacker with sensitive information?
  • Did the user provide or enter their credentials?
  • Did the user perform a wire transfer as instructed by the attacker?

Answering these questions will help you determine the impact of the phishing attack and give you an idea on the likelihood of future ones. Furthermore, it will help you determine the urgency of the remediation and how quickly you will need to act to mitigate subsequent attacks.

Step 2: What did the attacker try to do?

"Know thy enemy…"; In this step, you want to understand the nature of the attack and what the attacker was trying to achieve. Consider these questions:

  • Does this look like a sophisticated attacker?
  • Did the attacker use malware?
  • Is it likely that this attacker will target this person or somebody else in my organization?
  • Did the attacker use valid information to phish the victim?
  • Is the information used publically available? (e.g. Social Networking websites, Job Posts, news, etc...)
  • Did the attacker use malware?
  • Is this the first time we see this type of attack?
  • Did the attacker try to spoof or use a similar domain name to lure the victim?
  • Did the attacker use a fake login website?
  • Why did the attacker use that type of file extension?

Always consider what you can do to prevent this in the future. Keep in mind that you might not know the answer and we hope that when you finish this blog you will.

Step 3: How can I validate that this is a phishing attack?

In this step you will be able to determine if the message was a real phishing email. Not every single report you will receive will be a phishing email. In fact, you will likely get reports about unwanted email, newsletters, or spam that are not phishing. While many of these are a problem for the user, it will not necessarily be a security risk or impact to your organization. We have a few suggestions on how to analyze and determine if an email is a phishing email. Important note: The messages you will be analyzing can be malicious and therefore you should not trust or open attachments, links or images.

Does it look like a typical phishing email?

If the email looks like a typical phishing or spear phishing email, it very likely is one. The three most common ones are:

  • Spoofing - This is when the attacker sends an email using a domain looks identical to your domain (e.g. From:
  • Lookalike spoofing - This is when the attacker uses a domain that looks very similar to your domain. In many cases it contains lookalike non-Roman characters (e.g. From: ceo@cö
  • 'Display From' attacks - This is when the attacker sends an email using a free email provider (e.g. From: pretending to be the CEO/CFO using his personal account

Please take a look at the "The common types of spear phish we see today" blog post, it will go into details about these three common spear phishing attacks.

What should I look in the anti-spam message headers?

Analyzing the antispam message headers will help you determine why it was not captured by Office 365 protection mechanisms. You will want to carefully look at the Spam Confidence Level (SCL) to determine if the message was not detected by the O365 Protection system or if it was able to bypass the O365 protection because it was whitelisted. If the SCL was "-1", it indicates that it was whitelisted and you should follow the guidance provided in this section of this blog post on how to review and fix whitelists.

Was the message spoofed?

The most typical spoofed phishing email we see is an attacker impersonating the executive/CEO and asking the CFO for a wire transfer. We do our best to detect and mitigate spoofed messages and are constantly working in new functionalities to fight spoofing, in fact we are in the process of rolling out a new anti-spoofing protection. If you would like to know more about it, you should read the How antispoofing protection works in Office 365 blog post. By end of the second quarter of 2016 EOP will add a visual indicator to help users easily identify a fraudulent email. In the meantime, you can review the message headers listed below to determine if the email was spoofed or not. Please note that if the message was in the junk folder it is very likely that it was moved there by our protections mechanisms.

Reviewing the message headers to confirm spoofing

The new anti-spoofing feature modifies the safety level in the 'X-Microsoft-Antispam' message header to a value of "…;SFTY:9.5" . This is the best way to confirm the email was identified as a spoofed message by EOP. That been said, there are other email headers that can also help you:

  • 'Reply-to' - Is the 'reply-to' header different of the 'from' header in the email headers? If that is the case and it looks suspicious (usually outside the tenant), it could be a good indicator that the message could be a spoofed message.
  • 'Received' – To review the 'Received:' headers you should read it from bottom to top, where the bottom value will be the one the message originated from the sender. You can compare the IP(s) listed at the bottom with another known valid message from that user. If you see something suspicious, like an odd SMTP message, this will be another good indicator it is a spoofed message.
  • 'X-MS-Exchange-Organization-AuthAs' - If you see "X-MS-Exchange-Organization-AuthAs: Anonymous" , it means it was not authenticated and therefore it can be a fraudulent email. An authenticated (valid) message will look something like "X-MS-Exchange-Organization-AuthSource: *"

How can I do an email trace?

You can find out how to do a message trace by reading "Run a Message Trace and View Results" and the "Message Trace FAQ". A few things you want to look in the trace is:

  • The message was authenticated; this will help you identify if the message was spoofed.
  • IP where the message originated makes sense. In other words, if you live in India and haven't traveled outside the country and the message trace list that the IP of the sender originated from Puerto Rico, this is a good indicator (red flag) that the senders account could be compromised. To know the IPs origin, you can use the whois command line tool. There are online tools available like that you can use for free.
  • Blacklisted IPs, look if any suspicious IPs is blacklisted. I usually use and

Is the sender whitelisted?

You want to make sure the attacker has not been whitelisted. If it is whitelisted, emails will be able to bypass the protection rules that will protect your tenant against phishing and spam. To do this:

  • Review mailflow rules by going to: Admin -> Exchange -> Mail Flow -> Rules. Review any rules that "bypass spam filtering" (SCL = -1) or is a forwarding rule. Forwarding rules can be created by attackers if the account was compromised.

  • Review your Spam filter rules by going to: Admin -> Exchange -> Protection -> Spam filter and look through the rules. Spam filter rules will allow you to whitelist and blacklist entire domains.

  • If you have an E3/E5, go to: Admin -> Exchange -> Protection -> Connection Filtering -> Review the IP allow list

Does it contain a malicious attachment?

You should never open an attachment if you are not certain it is safe. Please scan the file using your antivirus/antimalware software to determine if the attachment is malicious. If you do not have one, you can get a free security software in the Microsoft Malware Protection Center. Please keep in mind that even if the antivirus did not detect any malware, it does not guarantee the file is not infected.

Step 4: Remediate…let's fix it!

Did the user opened a file or was the users account compromised?

If the user opened an attachment, it is very likely that the users machine is compromised. If you believe the users machine or users office 365 account is compromised, you can find how to fix this in our previous blog post How to fix a compromised (hacked) Microsoft Office 365 account.

How to use Office 365 Exchange Online Protection (EOP) to protect your email?

Below is a list of things you can do to mitigate the phishing attacks using the Office 365 EOP functionalities and protect your mail:

If you would like to learn more about anti-spam protection in Office 365 take a look at the Office 365 email anti-spam protection article.

How to deal with spoofed emails?

In step two we provided details on how to determine if an email was spoofed. Microsoft is adding new protections in Office 365 that will mitigate these types of attacks and hopefully you will no longer need to worry about spoofed messages, you can read more about it in the "How antispoofing protection works in Office 365" blog post.

If you are still seeing this problem and need an immediate solution, you can create an exchange transport rule to track or block spoofing messages. Before you create the rule, please keep in mind this is not an appropriate solution if you have third party companies sending mail in behalf of you. That been said this is how you can do it:

  • Go to your Admin Portal, from there navigate to your 'Exchange admin center' under Admin | Exchange

  • In the Exchange Admin Center go to 'mail flow' and under rules create a new rule by clicking the '+' button and selecting create new rule

  • Under the '*Apply this rule if…' select 'The sender is located…' in the drop down list and under 'select sender location' click the 'Outside the organization' option

  • Then click more options

  • Add condition

  • And in the second condition select 'The Sender…', 'domain is'

  • 'specify domain', enter your domain (EG and press the '+' button. Then press OK

  • Then under '*Do the following…' select block the message and include an explanation. Please note if you use delegated people to send email on your behalf we do not recommend blocking emails instead

  • Under the explanation you can either provide something like "'Your message was Blocked because it was detected as a spoofing message." or select a code instead like spoof

    • In the case you want to do something less definite you can select something like specify confidence level to '9'

  • Then click 'Add action'

  • Select 'Generate incident report and send it to' and select your tenant admin account.

  • Select all content to be added to the incident report

  • Then Click Save

Step 5: Report phishing to Microsoft, law enforcement or scam reporting websites

How to report to Microsoft?

Phishing attacks, specially targeted ones like spear phishing or whaling, are very popular and effective. As Terry mentions in his blog we are working very hard on this problem, but some of them still get through. You can help Microsoft by reporting any phishing email to us by sending an email to '' or following the "Submit spam, non-spam, and phishing scam messages to Microsoft for analysis" article.

What are the law enforcement agencies or scam reporting websites to report it?

You should also report it to the appropriate law enforcement or scam reporting agencies in your country. I listed below some countries:

Did you lose money of where heavily impacted?

You should contact your local law enforcement agencies if you lost money. For instance, if you live in the United States you should contact the FBI local field office or the Secret Service.

Step 6: Investigate the impact by leveraging your Office 365 activity data

After stopping the bleeding, you can investigate the impact of the phishing attack in your tenant. To learn more about how to do this please take a look at our previous blog post: "Using Office 365 activity data to improve your Cybersecurity stance and capability"

If you would like to take the investigation one step further, we recommend that you take a look at one of the tools used by our Incident and Response team named Kansa to investigate any impact in your network or on-premise infrastructure.

Step 7: Invest in phishing awareness & education

A long term remediation we always recommend is to invest in phishing awareness and education in your company. Below are some suggestions:

  • Provide users with formal phishing training. It is up to you and your business if you would prefer creating your own content, contact a third party on your behalf or just use existing material on the web. Below are some helpful links:
  • Run internal anti-phishing awareness/education campaigns. There are several solutions in the market that will allow you to create and run anti phishing campaigns to test your users.
  • Send a notification or memo if you are aware that somebody in your company is been targeted by an attacker.