Email hunting for bad actors

Jeremy Stump 1 Reputation point
2020-10-28T16:39:18.1+00:00

From time to time the bad actors will send out O365 users emails asking them to perform a task for them, trying to be sneaky about it of course. Below are a few examples of what I am talking about, and I would like to know how I can use PowerShell Exchange cmdlets to hunt for them please. You see how they changed the Reply-To? I understand some services on the internet may want to do that and I can weed those out after I get the data.

From: "Wayne Lee" <******@ufcg.edu.br>
To: "Kristen Zimmerman" <our internal email address here>
Subject: Re:
Date: Mon, 26 Oct 2020 15:58:31 -0500
Reply-To: "wl5631782@Stuff .com" <wl5631782@Stuff .com>

OR

From: "Raymond Chan" <raymondchan07@réalisations .com>
To: "Kristen Zimmerman" <our internal email address here>
Subject: Hi..
Date: Thu, 22 Oct 2020 16:32:46 -0500
Reply-To: "raymondchan556@Stuff .com" <raymondchan556@Stuff .com>

Exchange | Exchange Server | Management
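Added example, not code from the thread or from Microsoft: a PowerShell check for the pattern the question describes, a Reply-To domain that differs from the From domain. It assumes the headers have already been exported as raw text (for example from .eml files or a header copied out of a message), since message trace output does not carry the Reply-To header; the sample headers and domains are constructed placeholders, and `-AllowedReplyToDomains` is a hypothetical allowlist for the legitimate services the question mentions.

```powershell
function Get-HeaderValue {
    param([string]$HeaderText, [string]$Name)
    # Unfold RFC 5322 continuation lines, then return the first matching header value
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ' '
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match "^$Name\s*:\s*(.*)") { return $Matches[1].Trim() }
    }
    return $null
}

function Get-AddressDomain {
    param([string]$Value)
    if (-not $Value) { return $null }
    # Prefer the address inside <...>; fall back to a bare address in the display text
    if ($Value -match '<([^>]+)>') { $addr = $Matches[1] }
    elseif ($Value -match '[^\s"<>]+@[^\s"<>]+') { $addr = $Matches[0] }
    else { return $null }
    return ($addr -split '@')[-1].Trim().ToLowerInvariant()
}

function Test-ReplyToMismatch {
    param([string]$HeaderText, [string[]]$AllowedReplyToDomains = @())
    $fromDomain  = Get-AddressDomain (Get-HeaderValue $HeaderText 'From')
    $replyDomain = Get-AddressDomain (Get-HeaderValue $HeaderText 'Reply-To')
    [pscustomobject]@{
        Subject     = Get-HeaderValue $HeaderText 'Subject'
        FromDomain  = $fromDomain
        ReplyDomain = $replyDomain
        # Flag only when a Reply-To exists, points elsewhere, and is not an allowed service
        Mismatch    = [bool]($replyDomain -and ($replyDomain -ne $fromDomain) -and ($AllowedReplyToDomains -notcontains $replyDomain))
    }
}

# Constructed sample modelled on the thread's first message (placeholder domains);
# the folded Reply-To line shows that continuation lines are handled
$sample = @"
From: "Wayne Lee" <sender@example-university.invalid>
To: "Kristen Zimmerman" <user@contoso.invalid>
Subject: Re:
Date: Mon, 26 Oct 2020 15:58:31 -0500
Reply-To: "wl5631782@freemail.invalid"
 <wl5631782@freemail.invalid>
"@

# Run over one header block; for many messages, pipe the results through Where-Object { $_.Mismatch }
Test-ReplyToMismatch -HeaderText $sample -AllowedReplyToDomains @('noreply.example-service.invalid')
```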

3 answers

Sort by: Most helpful
  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2020-10-28T16:51:33.823+00:00

    Honestly, you will never be able to keep up with that, nor be able to identify the legit ones versus the scams unless you spend all day doing it, and even then, you will not be able to handle the load.
    That's what the anti-spam and anti-phishing logic is for in 365. That's what you pay 365 to do and to use their mailbox intelligence to do all the heavy lifting.

    Are you licensed for all the ATP features and leveraging them? That really needs the focus in my opinion :)

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide

    1 person found this answer helpful.

  2. Jeremy Stump 1 Reputation point
    2020-10-28T19:30:53.72+00:00

    I understand the load would be enormous but I want the ability anyway.
    We have an E1 and E3 and P1 licensing model, so no E5 yet.
    We do have the below enabled on anti-phishing rules:
    Users to protect: Off
    Protect all domains I own: On
    Protect specific domains: Off
    Action > User impersonation: Quarantine the message
    Action > Domain impersonation: Quarantine the message
    Safety tips > User impersonation: On
    Safety tips > Domain impersonation: On
    Safety tips > Unusual characters: On
    Mailbox intelligence: On
    Mailbox Intelligence > Protection: On
    Mailbox Intelligence > Action: Quarantine the message


  3. KyleXu-MSFT 26,396 Reputation points
    2020-10-29T08:13:42.887+00:00

    @Jeremy Stump

    As AndyDavid said, you cannot prevent all spam email from reaching your organization. This article may be helpful to you to improve the server security: Configure spoof intelligence in EOP

    When you receive spam, you can report this email so the anti-spam database can be updated, further improving the security of Office 365. You can also open a service request with Office 365; they may be able to help you analyze and improve the level of spam protection.
