Manage spoof intelligence


When a sender spoofs an email address, the message appears to come from one or more user accounts in one of your organization's domains, or from an external domain that sends mail to your organization. The attacker's goal is to masquerade as a trusted sender so that the message is not flagged as a potential threat, which in turn allows the attacker's malicious email to be delivered.

As previously discussed, spoofing is controlled by the built-in protection provided by Exchange Online Protection (EOP) and by implementing authentication techniques such as SPF, DKIM, and DMARC. The Spoof Intelligence feature provides extra control and insight into senders who are spoofing your domain. You can review senders who are spoofing your domain and then choose to either allow the sender to continue or to block the sender.

Spoof intelligence is available as part of Office 365 E5, or separately as part of Microsoft Defender for Office 365 and Exchange Online Protection (EOP).

Plan for spoof intelligence

For domains that you own, you can review senders who are spoofing your domain and then choose to either allow the sender to continue or block the sender. For external domains, you can allow the sender domain combined with the sending infrastructure, although not an individual sending email address.

Surprisingly, there are some legitimate business reasons for spoofing. For example, in the following cases you would NOT block the sender from spoofing your domain:

  • Third-party senders use your domain to send bulk mail to your own employees for company polls.
  • You've hired an external company to generate and send out advertising or product updates on your behalf.
  • An assistant who must regularly send email for another person within your organization.
  • An application that's configured to spoof its own organization to send internal notifications by email.

External domains frequently send spoofed email, and many of the reasons for doing so are legitimate. For example, here are some legitimate cases in which external senders send spoofed email:

  • The sender is on a discussion mailing list, and the mailing list is relaying the email from the original sender to all the participants on the mailing list.
  • An external company is sending email for another company (for example, an automated report, or a software-as-a-service company).

You need a way to ensure the mail sent by senders who are legitimately spoofing your system doesn't get caught up in spam filters in Microsoft 365 or external email systems. Normally, Microsoft 365 treats these email messages as spam. As a Microsoft 365 admin, you can prevent this situation by setting up spoof filters in the Microsoft Defender portal. If you own the domain, you can configure SPF, DKIM, and DMARC to allow for these senders.

Spoof intelligence insight

On the Spoof intelligence insight page you can review the senders who are spoofing your domain, or external domains, and then decide whether each sender should be allowed to do so. For each spoofed user account that a sender spoofs from your domain or an external domain, you can view the parameters described below.

Spoofed user

The domain of the spoofed user that's displayed in the From box in email clients. This From address is also known as the 5322.From address (the From header defined in RFC 5322), which is the address the recipient sees.

Sending infrastructure

Also known simply as the infrastructure. The sending infrastructure is one of the following values:

  • The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address.
  • If the source IP address has no PTR record, then the sending infrastructure is identified as source IP/24 (for example, 192.168.100.100/24).
  • A verified DKIM domain.

Message count

The number of messages from the combination of the spoofed domain and the sending infrastructure to your organization within the last seven days.

Last seen

The date of the last message from the combination of the spoofed domain and the sending infrastructure to your organization.

Spoof type

One of the following values:

  • Internal: The spoofed sender is in a domain that belongs to your organization (an accepted domain).
  • External: The spoofed sender is in an external domain.

Action

This value is Allowed or Blocked:

  • Allowed: The domain failed the explicit email authentication checks (SPF, DKIM, and DMARC). However, the domain passed our implicit email authentication checks (composite authentication). As a result, no anti-spoofing action was taken on the message.
  • Blocked: Messages from the combination of the spoofed domain and sending infrastructure are marked as bad by spoof intelligence. The action that's taken on the spoofed messages is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is Move message to Junk Email folder).
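As an added illustration (not Microsoft code), the following script builds the same kind of insight table from a few constructed message records: it derives the sending infrastructure key using the rules above, groups messages by spoofed domain plus infrastructure over the last seven days, and labels each pair Internal/External and Allowed/Blocked. The accepted domains, message records, the preference of a verified DKIM domain over the PTR domain, and the rule that a composite-authentication failure marks a pair Blocked are assumptions made for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed inputs: the accepted domains and messages whose From domain already
# failed explicit authentication (SPF/DKIM/DMARC), i.e. the sender is spoofing it.
# Fields: from_domain, source_ip, ptr_domain, verified_dkim_domain, compauth, received
ACCEPTED_DOMAINS = {"contoso.example"}
NOW = datetime(2024, 5, 20)
MESSAGES = [
    ("contoso.example", "203.0.113.10", "mail.bulkmailer.example", None, "pass", "2024-05-19"),
    ("contoso.example", "203.0.113.11", "mail.bulkmailer.example", None, "pass", "2024-05-14"),
    ("contoso.example", "192.0.2.55", None, None, "fail", "2024-05-18"),
    ("contoso.example", "192.0.2.77", None, None, "fail", "2024-05-17"),
    ("fabrikam.example", "198.51.100.9", "list.example", "list.example", "pass", "2024-05-16"),
    ("contoso.example", "192.0.2.80", None, None, "fail", "2024-05-01"),  # outside 7-day window
]

def sending_infrastructure(source_ip, ptr_domain, dkim_domain):
    """The key the page describes: PTR domain, or source IP/24 when there is no
    PTR record, or a verified DKIM domain. Preferring DKIM over PTR is an assumption."""
    if dkim_domain:
        return dkim_domain
    if ptr_domain:
        return ptr_domain
    # Normalise to the network address so 192.0.2.55 and 192.0.2.77 share one key.
    return str(ip_network(f"{source_ip}/24", strict=False))

def spoof_insight(messages, accepted_domains=ACCEPTED_DOMAINS, now=NOW, days=7):
    """Aggregate per (spoofed domain, sending infrastructure) over the last `days` days."""
    cutoff = now - timedelta(days=days)
    rows = {}
    for from_domain, ip, ptr, dkim, compauth, received in messages:
        seen = datetime.fromisoformat(received)
        if seen < cutoff:
            continue
        key = (from_domain, sending_infrastructure(ip, ptr, dkim))
        row = rows.setdefault(key, {"count": 0, "last_seen": seen, "allowed": True})
        row["count"] += 1
        row["last_seen"] = max(row["last_seen"], seen)
        # Simplification: one composite-authentication failure marks the pair Blocked.
        row["allowed"] = row["allowed"] and compauth == "pass"
    return {key: {
        "message_count": r["count"],
        "last_seen": r["last_seen"].date().isoformat(),
        "spoof_type": "Internal" if key[0] in accepted_domains else "External",
        "action": "Allowed" if r["allowed"] else "Blocked",
    } for key, r in rows.items()}
```

Running `spoof_insight(MESSAGES)` yields three rows: the bulk mailer pair (2 messages, Allowed), the 192.0.2.0/24 pair (2 messages, Blocked), and the external list.example pair (1 message, Allowed); the 1 May message is excluded by the seven-day window.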