Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP

Applies to

Important

Spoofed sender management in the Microsoft 365 Defender portal is now available only on the Spoofing tab in the Tenant Allow/Block List. For current procedures in the Microsoft 365 Defender portal, see Spoof intelligence insight in EOP.

Spoofed sender management in Exchange Online PowerShell or Standalone EOP PowerShell is in the process of being migrated exclusively to the related *-TenantAllowBlockListSpoofItems, Get-SpoofIntelligenceInsight, and Get-SpoofMailReport cmdlets. For procedures using these cmdlets, see the following articles:

The older spoofed sender management experience using the Get-PhishFilterPolicy and Set-PhishFilterPolicy cmdlets is in the process of being deprecated, but is still presented in this article for completeness until the cmdlets are removed everywhere.

What do you need to know before you begin?

Use PowerShell to manage spoofed senders

To view allowed and blocked senders in spoof intelligence, use the following syntax:

Get-PhishFilterPolicy [-AllowedToSpoof <Yes | No | Partial>] [-ConfidenceLevel <Low | High>] [-DecisionBy <Admin | SpoofProtection>] [-Detailed] [-SpoofType <Internal | External>]

This example returns detailed information about all senders that are allowed to spoof users in your domains.

Get-PhishFilterPolicy -AllowedToSpoof Yes -Detailed -SpoofType Internal

For detailed syntax and parameter information, see Get-PhishFilterPolicy.

To configure allowed and blocked senders in spoof intelligence, follow these steps:

  1. Capture the current list of detected spoofed senders by writing the output of the Get-PhishFilterPolicy cmdlet to a CSV file by running the following command:

    Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"
    
  2. Edit the CSV file to add or modify the following values:

    • Sender (domain in source server's PTR record, IP/24 address, or verified DKIM domain)
    • SpoofedUser: One of the following values:
      • The internal user's email address.
      • The external user's email domain.
      • A blank value that indicates you want to block or allow any and all spoofed messages from the specified Sender, regardless of the spoofed email address.
    • AllowedToSpoof (Yes or No)
    • SpoofType (Internal or External)

    Save the file, read the file, and store the contents as a variable named $UpdateSpoofedSenders by running the following command:

    $UpdateSpoofedSenders = Get-Content -Raw "C:\My Documents\Spoofed Senders.csv"
    
  3. Use the $UpdateSpoofedSenders variable to configure the spoof intelligence policy by running the following command:

    Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSpoofedSenders
    

For detailed syntax and parameter information, see Set-PhishFilterPolicy.

How do you know these procedures worked?

To verify that you've configured spoof intelligence with senders who are allowed and not allowed to spoof, run the following commands in PowerShell to view the senders who are allowed and not allowed to spoof:

Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType Internal
Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType Internal
Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType External
Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType External
  • In PowerShell, run the following command to export the list of all spoofed senders to a CSV file:

    Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"