Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP
Important
Spoofed sender management in the Microsoft 365 Defender portal is now available only on the Spoofed senders tab in the Tenant Allow/Block List. For current procedures in the Microsoft 365 Defender portal, see Spoof intelligence insight in EOP.
Spoofed sender management in Exchange Online PowerShell or Standalone EOP PowerShell is in the process of being migrated exclusively to the related *-TenantAllowBlockListSpoofItems, Get-SpoofIntelligenceInsight, and Get-SpoofMailReport cmdlets. For procedures using these cmdlets, see the following articles:
- Use PowerShell to view entries for spoofed senders in the Tenant Allow/Block List
- Use PowerShell to create allow entries for spoofed senders in the Tenant Allow/Block List
- Use PowerShell to create block entries for spoofed senders in the Tenant Allow/Block List
- Use PowerShell to modify entries for spoofed senders in the Tenant Allow/Block List
- Use PowerShell to remove entries for spoofed senders from the Tenant Allow/Block List
The older spoofed sender management experience using the Get-PhishFilterPolicy and Set-PhishFilterPolicy cmdlets is in the process of being deprecated, but is still presented in this article for completeness until the cmdlets are removed everywhere.
What do you need to know before you begin?
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- Exchange Online RBAC:
  - Modify the spoof intelligence policy or turn on or turn off spoof intelligence: Membership in one of the following role groups:
    - Organization Management
    - Security Administrator and View-Only Configuration or View-Only Organization Management.
  - Read-only access to the spoof intelligence policy: Membership in the Global Reader, Security Reader, or View-Only Organization Management role groups.
- Azure AD RBAC: Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
The options for spoof intelligence are described in Spoof settings in anti-phishing policies.
You can enable, disable, and configure the spoof intelligence settings in anti-phishing policies. For instructions based on your subscription, see one of the following topics:
For our recommended settings for spoof intelligence, see EOP anti-phishing policy settings.
Use PowerShell to manage spoofed senders
To view allowed and blocked senders in spoof intelligence, use the following syntax:
Get-PhishFilterPolicy [-AllowedToSpoof <Yes | No | Partial>] [-ConfidenceLevel <Low | High>] [-DecisionBy <Admin | SpoofProtection>] [-Detailed] [-SpoofType <Internal | External>]
This example returns detailed information about all senders that are allowed to spoof users in your domains.
Get-PhishFilterPolicy -AllowedToSpoof Yes -Detailed -SpoofType Internal
For detailed syntax and parameter information, see Get-PhishFilterPolicy.
To configure allowed and blocked senders in spoof intelligence, follow these steps:
1. Capture the current list of detected spoofed senders by writing the output of the Get-PhishFilterPolicy cmdlet to a CSV file by running the following command:
   Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"
2. Edit the CSV file to add or modify the following values:
   - Sender (domain in source server's PTR record, IP/24 address, or verified DKIM domain)
   - SpoofedUser: One of the following values:
     - The internal user's email address.
     - The external user's email domain.
     - A blank value that indicates you want to block or allow any and all spoofed messages from the specified Sender, regardless of the spoofed email address.
   - AllowedToSpoof (Yes or No)
   - SpoofType (Internal or External)
3. Save the file, read the file, and store the contents as a variable named $UpdateSpoofedSenders by running the following command:
   $UpdateSpoofedSenders = Get-Content -Raw "C:\My Documents\Spoofed Senders.csv"
4. Use the $UpdateSpoofedSenders variable to configure the spoof intelligence policy by running the following command:
   Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSpoofedSenders
For detailed syntax and parameter information, see Set-PhishFilterPolicy.
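A pre-flight check for the edited CSV, as an added example (not from the original article and not Microsoft's code): it validates AllowedToSpoof and SpoofType against the values listed in the steps above and flags allow rows with a blank SpoofedUser, since those cover every spoofed address from that Sender. The sample rows and the function name Test-SpoofedSenderRow are constructed for illustration.

```powershell
# Constructed sample standing in for the edited "Spoofed Senders.csv".
# Only the four columns named in the steps above are included (assumption).
$csvText = @'
Sender,SpoofedUser,AllowedToSpoof,SpoofType
bulkmail.example.net,newsletter@contoso.com,Yes,Internal
192.0.2.0/24,,Yes,External
mailer.example.org,fabrikam.com,Maybe,External
,hr@contoso.com,No,Intrenal
'@

# Hypothetical helper: returns one finding object per problem in a row.
function Test-SpoofedSenderRow {
    param([Parameter(Mandatory)] $Row, [int] $LineNumber)

    $findings = @()
    if ([string]::IsNullOrWhiteSpace($Row.Sender)) {
        $findings += 'ERROR: Sender is empty'
    }
    if ($Row.AllowedToSpoof -notin 'Yes', 'No') {
        $findings += "ERROR: AllowedToSpoof '$($Row.AllowedToSpoof)' is not Yes or No"
    }
    if ($Row.SpoofType -notin 'Internal', 'External') {
        $findings += "ERROR: SpoofType '$($Row.SpoofType)' is not Internal or External"
    }
    # A blank SpoofedUser applies the row to every spoofed address from this Sender.
    if ($Row.AllowedToSpoof -eq 'Yes' -and [string]::IsNullOrWhiteSpace($Row.SpoofedUser)) {
        $findings += 'REVIEW: allow entry with blank SpoofedUser covers any spoofed address'
    }
    foreach ($f in $findings) {
        [pscustomobject]@{ Line = $LineNumber; Sender = $Row.Sender; Finding = $f }
    }
}

$lineNumber = 1   # line 1 is the CSV header
$report = foreach ($row in ($csvText | ConvertFrom-Csv)) {
    $lineNumber++
    Test-SpoofedSenderRow -Row $row -LineNumber $lineNumber
}
$report | Format-Table -AutoSize

if ($report.Finding -like 'ERROR*') {
    Write-Warning 'Fix the ERROR rows before running Set-PhishFilterPolicy.'
}
```

To check the real file, replace the here-string pipeline with Import-Csv on the path used in the steps above.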
How do you know these procedures worked?
To verify that you've configured spoof intelligence with senders who are allowed and not allowed to spoof, run the following commands in PowerShell to view the senders who are allowed and not allowed to spoof:
Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType Internal
Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType Internal
Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType External
Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType External
In PowerShell, run the following command to export the list of all spoofed senders to a CSV file:
Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"