Configure spoof intelligence in EOP

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spoofing by EOP as of October 2018. EOP uses spoof intelligence as part of your organization's overall defense against phishing. For more information, see Anti-spoofing protection in EOP.

When a sender spoofs an email address, they appear to be a user in one of your organization's domains, or a user in an external domain that sends email to your organization. Attackers who spoof senders to send spam or phishing email need to be blocked. But there are scenarios where legitimate senders are spoofing. For example:

  • Legitimate scenarios for spoofing internal domains:

    • Third-party senders use your domain to send bulk mail to your own employees for company polls.

    • An external company generates and sends advertising or product updates on your behalf.

    • An assistant regularly needs to send email for another person within your organization.

    • An internal application sends email notifications.

  • Legitimate scenarios for spoofing external domains:

    • The sender is on a mailing list (also known as a discussion list), and the mailing list relays email from the original sender to all the participants on the mailing list.

    • An external company sends email on behalf of another company (for example, an automated report or a software-as-a-service company).

Spoof intelligence, and specifically the default (and only) spoof intelligence policy, helps ensure that the spoofed email sent by legitimate senders doesn't get caught up in EOP spam filters or external email systems, while protecting your users from spam or phishing attacks.

You can manage spoof intelligence in the Security & Compliance Center, or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

Use the Security & Compliance Center to manage spoofed senders

Note

If you have a Microsoft 365 Enterprise E5 subscription or have separately purchased an Office 365 Advanced Threat Protection (Office 365 ATP) add-on, you can also manage senders who are spoofing your domain through the Spoof Intelligence insight.

  1. In the Security & Compliance Center, go to Threat management > Policy > Anti-spam.

  2. On the Anti-spam settings page, click the Expand icon to expand Spoof intelligence policy.

    Select the spoof intelligence policy

  3. Make one of the following selections:

    • Review new senders
    • Show me senders I already reviewed
  4. In the Decide if these senders are allowed to spoof your users flyout that appears, select one of the following tabs:

    • Your Domains: Senders spoofing users in your internal domains.
    • External Domains: Senders spoofing users in external domains.
  5. Click the Expand icon in the Allowed to spoof? column. Choose Yes to allow the spoofed sender, or choose No to mark the message as spoofed. The action is controlled by the default anti-phishing policy or custom ATP anti-phishing policies (the default value is Move message to Junk Email folder). For more information, see Spoof settings in anti-phishing policies.

    Screenshot showing the spoofed senders flyout, and whether the sender is allowed to spoof

    The columns and values that you see are explained in the following list:

    • Spoofed user: The user account that's being spoofed. This is the message sender in the From address (also known as the 5322.From address) that's shown in email clients. The validity of this address is not checked by SPF.

      • On the Your Domains tab, the value contains a single email address, or if the source email server is spoofing multiple user accounts, it contains More than one.

      • On the External Domains tab, the value contains the domain of the spoofed user, not the full email address.

    • Sending Infrastructure: The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address, or the IP address if the source has no PTR record.

      For more information about message sources and message senders, see An overview of email message standards.

    • # of messages: The number of messages from the sending infrastructure to your organization that contain the specified spoofed sender or senders within the last 30 days.

    • # of user complaints: Complaints filed by your users against this sender within the last 30 days. Complaints are usually in the form of junk submissions to Microsoft.

    • Authentication result: One of the following values:

      • Passed: The sender passed sender email authentication checks (SPF or DKIM).
      • Failed: The sender failed EOP sender authentication checks.
      • Unknown: The result of these checks isn't known.
    • Decision set by: Shows who determined if the sending infrastructure is allowed to spoof the user:

      • Spoof intelligence policy (automatic)
      • Admin (manual)
    • Last seen: The last date when a message was received from the sending infrastructure that contains the spoofed user.

    • Allowed to spoof?: The values that you see here are:

      • Yes: Messages from the combination of spoofed user and sending infrastructure are allowed and not treated as spoofed email.

      • No: Messages from the combination of spoofed user and sending infrastructure are marked as spoofed. The action is controlled by the default anti-phishing policy or custom ATP anti-phishing policies (the default value is Move message to Junk Email folder). See the next section for more information.

      • Some users (Your Domains tab only): A sending infrastructure is spoofing multiple users, where some spoofed users are allowed and others are not. Use the Detailed tab to see the specific addresses.

  6. At the bottom of the page, click Save.

Use PowerShell to manage spoofed senders

To view allowed and blocked senders in spoof intelligence, use the following syntax:

Get-PhishFilterPolicy [-AllowedToSpoof <Yes | No | Partial>] [-ConfidenceLevel <Low | High>] [-DecisionBy <Admin | SpoofProtection>] [-Detailed] [-SpoofType <Internal | External>]

This example returns detailed information about all senders that are allowed to spoof users in your domains.

Get-PhishFilterPolicy -AllowedToSpoof Yes -Detailed -SpoofType Internal

For detailed syntax and parameter information, see Get-PhishFilterPolicy.

To configure allowed and blocked senders in spoof intelligence, follow these steps:

  1. Capture the current list of detected spoofed senders by writing the output of the Get-PhishFilterPolicy cmdlet to a CSV file:

    Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"
    
  2. Edit the CSV file to add or modify the SpoofedUser (email address) and AllowedToSpoof (Yes or No) values. Save the file, read the file, and store the contents as a variable named $UpdateSpoofedSenders:

    $UpdateSpoofedSenders = Get-Content -Raw "C:\My Documents\Spoofed Senders.csv"
    
  3. Use the $UpdateSpoofedSenders variable to configure the spoof intelligence policy:

    Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSpoofedSenders
    
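The three steps above, carried out as one script that records each admin decision as an explicit spoofed-user / sending-infrastructure pair rather than hand-editing the CSV. This is an added example, not Microsoft's own code; it assumes an existing Exchange Online or EOP PowerShell session, the SpoofedUser and AllowedToSpoof columns named on this page, and that the sending-infrastructure column in the exported CSV is called SendingInfrastructure (an assumption to check against the file's header row). The addresses and hosts in $Decisions are constructed placeholders.

```powershell
# Added example (not from the original page). Assumes a connected Exchange Online / EOP session.
$CsvPath     = "C:\My Documents\Spoofed Senders.csv"
$InfraColumn = "SendingInfrastructure"   # assumption: confirm against the CSV header before use

# Review outcomes, keyed on BOTH the spoofed user and the infrastructure that sent on its behalf.
# Allowing by spoofed user alone would also allow every other source that spoofs that address.
# All values below are constructed placeholders.
$Decisions = @(
    @{ SpoofedUser = "notifications@contoso.example"; Infra = "bulkmailer.example.net"; Allowed = "Yes" }
    @{ SpoofedUser = "ceo@contoso.example";           Infra = "203.0.113.10";          Allowed = "No"  }
)

# Step 1: capture the current detections. -NoTypeInformation keeps the header as the first line.
Get-PhishFilterPolicy -Detailed | Export-Csv -Path $CsvPath -NoTypeInformation

# Step 2: apply each decision only to rows that match the exact user/infrastructure pair.
$Rows = Import-Csv -Path $CsvPath
foreach ($d in $Decisions) {
    $match = $Rows | Where-Object {
        $_.SpoofedUser -eq $d.SpoofedUser -and $_.$InfraColumn -eq $d.Infra
    }
    if (-not $match) {
        Write-Warning "No detection for $($d.SpoofedUser) via $($d.Infra); nothing changed."
        continue
    }
    foreach ($row in $match) { $row.AllowedToSpoof = $d.Allowed }
}
$Rows | Export-Csv -Path $CsvPath -NoTypeInformation

# Step 3: feed the edited list back into the default policy, then confirm the admin decisions stuck.
$UpdateSpoofedSenders = Get-Content -Raw $CsvPath
Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSpoofedSenders
Get-PhishFilterPolicy -DecisionBy Admin -Detailed |
    Select-Object SpoofedUser, $InfraColumn, AllowedToSpoof
```

The final Get-PhishFilterPolicy call uses the -DecisionBy Admin filter from the syntax above so that only manually reviewed pairs are listed.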

For detailed syntax and parameter information, see Set-PhishFilterPolicy.

Use the Security & Compliance Center to configure spoof intelligence

The configuration options for spoof intelligence are described in Spoof settings in anti-phishing policies.

You can configure spoof intelligence settings in the default anti-phishing policy, and also in custom policies. For instructions based on your subscription, see one of the following topics:

How do you know these procedures worked?

To verify that you've configured spoof intelligence with senders who are allowed and not allowed to spoof, and that you've configured the spoof intelligence settings, use any of the following steps:

  • In the Security & Compliance Center, go to Threat management > Policy > Anti-spam > expand Spoof intelligence policy > select Show me senders I already reviewed > select the Your Domains or External Domains tab, and verify the Allowed to spoof? value for the sender.

  • In PowerShell, run the following commands to view the senders who are allowed and not allowed to spoof:

    Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType Internal
    Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType Internal
    Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType External
    Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType External
    
  • In PowerShell, run the following command to export the list of all spoofed senders to a CSV file:

    Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"
    
  • In the Security & Compliance Center, go to Threat management > Policy > Anti-phishing or ATP anti-phishing, and do either of the following steps:

    • Select a policy from the list. In the flyout that appears, verify the values in the Spoof section.
    • Click Default policy. In the flyout that appears, verify the values in the Spoof section.
  • In Exchange Online PowerShell, replace <Name> with Office365 AntiPhish Default or the name of a custom policy, and run the following command to verify the settings:

    Get-AntiPhishPolicy -Identity "<Name>" | Format-List EnableAntiSpoofEnforcement,EnableUnauthenticatedSender,AuthenticationFailAction
    
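Checking one policy by name, as above, verifies the policy you expect; the following added example (not from the original page) walks every anti-phishing policy in the tenant and flags those where spoof enforcement is off, so a custom policy that quietly disabled it is not missed. It assumes a connected Exchange Online PowerShell session and the three property names shown on this page.

```powershell
# Added example (not from the original page). Assumes a connected Exchange Online session.
function Get-SpoofEnforcementGaps {
    # Returns one row per anti-phishing policy, with a Gap flag for any policy
    # where EnableAntiSpoofEnforcement is not $true.
    Get-AntiPhishPolicy | ForEach-Object {
        [pscustomobject]@{
            Policy                      = $_.Name
            EnableAntiSpoofEnforcement  = $_.EnableAntiSpoofEnforcement
            EnableUnauthenticatedSender = $_.EnableUnauthenticatedSender
            AuthenticationFailAction    = $_.AuthenticationFailAction
            Gap                         = ($_.EnableAntiSpoofEnforcement -ne $true)
        }
    }
}

$Report = Get-SpoofEnforcementGaps
$Report | Format-Table -AutoSize

# Surface only the policies that need attention; the default policy is named on this page.
$Report | Where-Object Gap | ForEach-Object {
    Write-Warning "Spoof enforcement is disabled in policy '$($_.Policy)'."
}
```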

Other ways to manage spoofing and phishing

Be diligent about spoofing and phishing protection. Here are related ways to check on senders spoofing your domain and help prevent them from damaging your organization:

  • Check the Spoof Mail Report. You can use this report often to view and help manage spoofed senders. For information, see Spoof Detections report.

  • Review your Sender Policy Framework (SPF) configuration. For a quick introduction to SPF and to get it configured quickly, see Set up SPF in Microsoft 365 to help prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.

  • Review your DomainKeys Identified Mail (DKIM) configuration. You should use DKIM in addition to SPF and DMARC to help prevent attackers from sending messages that look like they are coming from your domain. DKIM lets you add a digital signature to email messages in the message header. For information, see Use DKIM to validate outbound email sent from your custom domain in Office 365.

  • Review your Domain-based Message Authentication, Reporting, and Conformance (DMARC) configuration. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks. For information, see Use DMARC to validate email in Office 365.