General Guidance on combating spoofing
As an Escalation Engineer for Exchange Online I get lots of questions on how to stop email spoofing. It is a very broad topic and there are a number of things that can be done. Below is some general guidance I provide to my customers when this topic comes up.
Last updated January 6th 2016
=================================================================
Combating email spoofing can be tricky: what is right for another organization may not be right for yours. Moreover, it is important to understand that you will never be able to block 100% of spoof attacks 100% of the time.
When developing the strategy that is best for you, we recommend looking at these four areas:
SPF/DKIM/DMARC
The link below provides guidance on Using DMARC in Office 365
https://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx
DKIM outbound signing is now enabled for your default onmicrosoft.com domain. To enable it for a custom (vanity) domain whose DNS you manage, you must publish the two CNAME records for the DKIM selectors in that domain's public DNS and then turn on signing for the domain.
External DNS records required for SPF
Customize an SPF record to validate outbound email sent from your domain
https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx
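To make the SPF and DMARC mechanics behind these records concrete, here is an added PowerShell example written for this page (it is not part of the original post and not a Microsoft tool): a minimal SPF evaluator that runs against constructed TXT data instead of live DNS, plus a DMARC alignment check. Every domain, IP address and record in it is hypothetical, the spf.protection.outlook.com record is a simplified stand-in for Microsoft's real one, and only the ip4, include and all mechanisms are implemented.

```powershell
# Added example: SPF evaluation and DMARC alignment over constructed DNS data (runs offline).
# Constructed TXT records; every domain, IP and record here is hypothetical.
$SpfRecords = @{
    'contoso.com'                = 'v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all'
    'fabrikam.com'               = 'v=spf1 include:spf.protection.outlook.com ~all'
    'mailer.example'             = 'v=spf1 ip4:198.51.100.0/24 -all'
    'spf.protection.outlook.com' = 'v=spf1 ip4:192.0.2.0/24 -all'   # simplified stand-in, not the real record
}

function ConvertTo-BitString {
    # IPv4 dotted quad -> 32-character string of 0/1, most significant bit first
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ($bytes | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }          # a bare address means /32
    $prefix = [int]$prefix
    if ($prefix -eq 0) { return $true }
    (ConvertTo-BitString $Ip).Substring(0, $prefix) -eq (ConvertTo-BitString $network).Substring(0, $prefix)
}

function Get-SpfResult {
    # Evaluates the SPF record of $Domain (the envelope MAIL FROM domain) for $SenderIp.
    # Only ip4, include and all are handled; any other mechanism yields PermError.
    param([string]$Domain, [string]$SenderIp, [int]$Depth = 0)
    if ($Depth -gt 10) { return 'PermError' }   # RFC 7208 caps DNS-querying mechanisms at 10
    $record = $SpfRecords[$Domain]
    if (-not $record) { return 'None' }
    foreach ($term in (($record -split '\s+') | Select-Object -Skip 1)) {
        $qualifier = '+'
        if ($term -match '^[-+~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        if ($term -match '^ip4:(.+)$') {
            $matched = Test-IPv4InCidr -Ip $SenderIp -Cidr $Matches[1]
        } elseif ($term -match '^include:(.+)$') {
            # include matches only when the referenced record yields Pass; its own -all does not propagate
            $matched = (Get-SpfResult -Domain $Matches[1] -SenderIp $SenderIp -Depth ($Depth + 1)) -eq 'Pass'
        } elseif ($term -eq 'all') {
            $matched = $true
        } else {
            return 'PermError'
        }
        if ($matched) {
            return @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }[$qualifier]
        }
    }
    return 'Neutral'   # fell off the end without an "all" term
}

function Get-OrgDomain {
    # Simplification: real DMARC uses the Public Suffix List; two labels suffice for these samples
    param([string]$Domain)
    (($Domain -split '\.') | Select-Object -Last 2) -join '.'
}

function Test-DmarcAlignment {
    # Relaxed ('r') alignment compares organizational domains; strict ('s') requires an exact match
    param([string]$FromDomain, [string]$AuthDomain, [string]$Mode = 'r')
    if ($Mode -eq 's') { return $FromDomain -eq $AuthDomain }
    (Get-OrgDomain $FromDomain) -eq (Get-OrgDomain $AuthDomain)
}

# Constructed messages: envelope MAIL FROM domain, connecting IP, visible From: header domain
$samples = @(
    @{ MailFrom = 'contoso.com';    Ip = '203.0.113.10'; HeaderFrom = 'contoso.com' }   # own listed server
    @{ MailFrom = 'contoso.com';    Ip = '192.0.2.25';   HeaderFrom = 'contoso.com' }   # via the include
    @{ MailFrom = 'contoso.com';    Ip = '198.51.100.7'; HeaderFrom = 'contoso.com' }   # not in the record
    @{ MailFrom = 'fabrikam.com';   Ip = '198.51.100.7'; HeaderFrom = 'fabrikam.com' }  # ~all domain
    @{ MailFrom = 'mailer.example'; Ip = '198.51.100.7'; HeaderFrom = 'contoso.com' }   # SPF passes, From: spoofed
)
foreach ($s in $samples) {
    $spf     = Get-SpfResult -Domain $s.MailFrom -SenderIp $s.Ip
    $aligned = ($spf -eq 'Pass') -and (Test-DmarcAlignment -FromDomain $s.HeaderFrom -AuthDomain $s.MailFrom)
    '{0,-15} {1,-13} SPF={2,-8} SPF-aligned for DMARC={3}' -f $s.MailFrom, $s.Ip, $spf, $aligned
}
```

The five constructed messages show the distinctions that matter when you tune filtering. The first two pass because the connecting IP is either listed directly or covered through the include. The third is a hard fail (SPF=Fail) only because contoso.com ends its record with -all; the identical situation on fabrikam.com, which ends with ~all, is a SoftFail, which is why an option that acts on SPF hard fail catches some domains and not others. The last message passes SPF on its own envelope domain yet is still rejected by DMARC, because the visible From: domain does not align with the domain that passed; that alignment check is what DMARC adds over SPF alone.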
User Education
Even with the most restrictive settings it is important to educate your user community to spot the red flags of spoofing attempts. If a user receives an email from itsupport@cont0so.com (note the zero in place of the letter o), they should be able to recognize that it is not legitimate email from your IT support staff.
Connection/SPAM Filters/Transport Rules
The links below provide in-depth guidance on configuring your spam filters and the advanced features that can help fine-tune them to your specific needs.
Configure the connection filter policy
** You can add IP addresses here to bypass filtering for mail from trusted sources, but only if those sources already scan and filter mail before relaying it to you; otherwise anything that relay forwards, spoofed mail included, reaches your users unfiltered.
https://technet.microsoft.com/en-us/library/jj200718(v=exchg.150).aspx
Configure your spam filter policies
https://technet.microsoft.com/en-us/library/jj200684(v=exchg.150).aspx
Advanced Spam Filtering Options
**Proceed with caution when setting some of these features, as they can be very restrictive and generate a lot of false positives, especially the option to quarantine messages that hard fail SPF: it acts on every sending domain that publishes a -all record, so a legitimate sender whose SPF record simply omits one of its third-party mailers gets quarantined along with the spoofs.
https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx
(Not) Using the Additional Spam Filtering option for SPF hard fail to block apparently internal email spoofing
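As an added example (not from the original post), here are the corresponding settings in Exchange Online PowerShell, with the tenant-wide SPF hard-fail switch left off next to a narrower transport rule for the "apparently internal" spoofing case. It assumes a connected Exchange Online PowerShell session; the domain contoso.com, the filtering gateway 203.0.113.5 and the third-party sender range 198.51.100.0/24 are placeholders.

```powershell
# Added example: connection filter, advanced spam filter option and a targeted transport rule.
# Assumes a connected Exchange Online PowerShell session; all IPs and domains are placeholders.

# Connection filter: allow-list only a gateway that already filters mail on your behalf,
# because allow-listed IPs skip spam filtering entirely.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = '203.0.113.5'}

# Advanced spam filtering: the tenant-wide "quarantine on SPF hard fail" switch. Leave it Off
# (or use Test to observe first); it fires on every -all domain with an incomplete record,
# not just on spoofs of your own domain.
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail Off

# Targeted alternative for "apparently internal" spoofing: mail from outside the organization
# that claims your own domain, with the third parties that legitimately send as you excepted.
# Start in Audit mode and review the message trace before switching to Enforce.
New-TransportRule -Name 'Quarantine external mail claiming contoso.com' `
    -FromScope NotInOrganization `
    -SenderDomainIs 'contoso.com' `
    -ExceptIfSenderIpRanges '198.51.100.0/24' `
    -Quarantine $true `
    -Mode Audit
```

The transport rule is scoped to your own domain, so a partner's incomplete SPF record no longer matters; the exception list is where the same tuning effort goes, since every legitimate third party that sends as contoso.com (marketing platforms, ticketing systems, scanners) must be enumerated there or it will be quarantined once the rule is enforced.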
Contingency/Action plans
As stated earlier, you will never be able to block 100% of malicious email 100% of the time. When malicious or spoofed email does get through, have an action plan ready that includes, but is not limited to:
• Resetting the password on any compromised accounts
• Running Malware/virus scans on affected machines
• Using Search-Mailbox to find and delete identified malicious email - https://technet.microsoft.com/en-us/library/dd298173(v=exchg.150).aspx
• Using transport rules to suppress subsequent delivery of identified messages.
• Using transport rules to block executable content: https://blogs.msdn.com/b/tzink/archive/2014/04/08/blocking-executable-content-in-office-365-for-more-aggressive-anti-malware-protection.aspx
• Submit sample messages to Microsoft for analysis https://technet.microsoft.com/en-us/library/jj200769.aspx
• Submit suspected malware to the Microsoft Malware Protection Center https://www.microsoft.com/security/portal/submission/submit.aspx
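The action plan above, as an added PowerShell example (not from the original post): reset the compromised account, scope the spoofed message with Search-Mailbox before deleting it, then add transport rules to suppress further copies and to block executable attachments. It assumes connected Exchange Online and MSOnline PowerShell sessions and that the account running Search-Mailbox holds the Mailbox Import Export role; the subject line, addresses and discovery mailbox are placeholders.

```powershell
# Added example: incident response steps after a spoofed message got through.
# Assumes Connect-MsolService and an Exchange Online session are already established.
$Subject   = 'Urgent: confirm your payroll details'        # constructed subject of the spoofed message
$SpoofAddr = 'itsupport@cont0so.com'                       # constructed spoofed sender
$Discovery = 'secops-discovery@contoso.com'                # mailbox that receives copies of deleted mail
$Folder    = 'Spoof-2016-01'

# 1. Reset the compromised account (MSOnline module) and force a change at next sign-in.
Set-MsolUserPassword -UserPrincipalName 'victim@contoso.com' -NewPassword ([guid]::NewGuid().ToString()) -ForceChangePassword $true

# 2. Scope first: -LogOnly writes a report to the discovery mailbox and deletes nothing,
#    so you know how many mailboxes hold the message before touching any content.
$Query = "Subject:`"$Subject`" AND From:`"$SpoofAddr`""
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $Query -TargetMailbox $Discovery -TargetFolder $Folder -LogOnly

# 3. Remove it: each hit is copied to the discovery mailbox (evidence) and then deleted
#    from the user's mailbox. Requires the Mailbox Import Export role.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $Query -TargetMailbox $Discovery -TargetFolder $Folder -DeleteContent -Force

# 4. Suppress further copies: quarantine rather than delete, so a misfire can be released.
New-TransportRule -Name 'IR: quarantine payroll spoof' `
    -FromScope NotInOrganization `
    -SubjectContainsWords $Subject `
    -Quarantine $true `
    -Comments 'Incident 2016-01; remove when the incident is closed'

# 5. Block executable content at the edge (the approach in the post linked above).
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted'
```

Run the -LogOnly pass and read the report before the -DeleteContent pass: the same query is used for both, so whatever the log shows is exactly what will be removed. The suppression rule is deliberately tied to the incident in its comment so it is cleaned up afterwards; the executable-content rule is the one you keep.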
Some additional related links:
Anti-spam and anti-malware protection
https://technet.microsoft.com/en-us/library/jj200731(v=exchg.150).aspx
Best practices for configuring EOP
https://technet.microsoft.com/en-us/library/jj723164(v=exchg.150).aspx
Terry Zink: Security Talk. Terry is one of our program managers for EOP.