Walkthrough: spoof intelligence insight
By using the Spoof Intelligence insight, you can quickly determine which senders are legitimately sending you unauthenticated email. By permitting them to send spoofed messages, you can reduce the risk of any false positives going to your users.
In addition, you can also use Spoof Intelligence monitor and manage permitted domain-pairs to provide an additional layer of security and prevent unsafe messages from arriving in your organization.
You can use the spoof intelligence insight in the Security & Compliance Center if your work or school account has been given Office 365 global administrator, security administrator, or security reader permissions. For more information, see Permissions in the Office 365 Security & Compliance Center.
If you're new to reports and insights in the Office 365 Security & Compliance Center, it might help to see how you can easily navigate from a dashboard to an insight and recommended actions.
You can view the spoof intelligence insight from more than one dashboard in the Security & Compliance Center. Regardless of which dashboard you're looking at, the insight provides the same details and allows you to quickly perform the same tasks.
This is one of several walkthroughs for the Security & Compliance Center. To about navigating reports and insights, see the walkthroughs in the Related topics section.
Getting to the spoof intelligence insight in the Security & Compliance Center
To get started, you'll need go to the Security & Compliance Center.
In the Security & Compliance Center, go to Threat Management > Dashboard.
In the Insights row, look for the spoof intelligence insight. If you have enabled spoof intelligence, then the insight is entitled Spoofed domains that failed authentication of the past 30 days. If you haven't enabled spoof protection, then the insight will prompt you to do so by using the title Enable Spoof Protection.
About the insight on the dashboard
The insight on the dashboard shows you information like this.
This insight has two modes:
Insight mode. If you have any spoof policy enabled, then the insight shows you how many mails were impacted by our spoof intelligence capabilities over the past 30 days.
What if mode. If you do not have any spoof policy enabled, then the insight shows you how many mails would have been impacted by our spoof intelligence capabilities over the past 30 days.
Either way, the spoofed domains displayed in the insight are separated into two categories; suspicious domain pairs and non-suspicious domain pairs. These categories are further subdivided into three different buckets for you to review.
A domain pair is a combination of the "From:" address and the sending infrastructure.
The "From" address is the address displayed as the From address by your mail application. This address identifies the author of the email. That is, the mailbox of the person or system responsible for writing the message. This is sometimes called the 5322.From address.
The sending infrastructure, or sender, is the organizational domain of the PTR record of the sending IP address. If the sending IP address has no PTR record, then the sender is identified by the sending IP with the 255.255.255.0 subnet mask in CIDR notation (/24). For example, if the IP address is 192.168.100.100 then the complete IP address of the sender is 192.168.100.100/24.
Suspicious domain pairs include:
High-confidence spoof. Office 365 received strong signals that these domains are suspicious, based on the historical sending patterns and the reputation score of the domains. Office 365 is highly confident that the domains are spoofing and that messages sent from these domains are less likely to be legitimate.
Moderate confidence spoof. Office 365 received moderate signals that these domains are suspicious, based on historical sending patterns and the reputation score of the domains. Office 365 is moderately confident that the domains are spoofing and that messages sent from these domains are legitimate. This bucket has a greater chance of containing false positives (FPs) than the high-confidence spoof bucket.
Non-suspicious domain pairs include rescued spoof. Rescued spoof are domains that have failed the explicit authentication checks ( SPF, DKIM, DMARC) but passed our extended authentication checks. As a result of this, Office 365 rescued the mail on your behalf and no anti-spoofing action was taken on the mail.
View detailed information about suspicious domain pairs from the spoof intelligence insight
- On the spoof intelligence insight, click any of the domain pairs (high, moderate, or rescued).
The Spoof Intelligence Insight page appears showing you a list of senders that are sending unauthenticated mail into your organization. The information on this page helps you determine whether spoofed messages are authorized or not or if you need to take further action. You can sort the information by message count, the date the spoof was last detected, and more. (Click column headings, such as Message count or Last seen, for example.)
- Select an item in the table to open a details pane that contains rich information about the domain pair, including why we caught this, what you need to do, a domain summary, WhoIs data about the sender, and similar emails we have seen in your tenant from the same sender. From here, you can also choose to add or remove the domain pair from the AllowedToSpoof safe sender list.
Add or remove a domain from the AllowedToSpoof safe sender list
You add or remove a domain from the AllowedToSpoof safe sender list while reviewing the domain pair in the details pane of the spoof intelligence insight. Simply set the toggle accordingly.
This modifies the unique domain pair combination of the spoofed domain and the sending infrastructure and does not provide coverage for the entire spoofed domain or the sending infrastructure in isolation. For example, if you add the following domain pair to the 'AllowedToSpoof' sender allow list: Spoofed Domain "gmail.com" and Sending Infrastructure "tms .mx.com", then only mail from that domain pair will be allowed to spoof. Other senders attempting to spoof "gmail.com", and other domains that "tms.mx.com" attempt to spoof will continue to be protected by spoof intelligence.