Manage spoofed intelligence
When a sender spoofs an email address, they appear to be a user in one of your organization's domains, or a user in an external domain that sends email to your organization. Organizations naturally want to block attackers who spoof senders to send spam or phishing email. But there are scenarios where legitimate senders spoof internal or external domains.
Legitimate scenarios for spoofing internal domains include:
- Third-party senders use your domain to send bulk mail to your own employees for company polls.
- An external company generates and sends advertising or product updates on your behalf.
- An assistant regularly needs to send email for another person within your organization.
- An internal application sends email notifications.
Legitimate scenarios for spoofing external domains include:
- The sender is on a mailing list (also known as a discussion list). The mailing list relays email from the original sender to all the participants on the mailing list.
- An external company sends email on behalf of another company. For example, an automated report or a software-as-a-service company.
Organizations can use the spoof intelligence insight in the Microsoft Defender portal to quickly identify spoofed senders who are legitimately sending you unauthenticated email. These messages are from domains that don't pass SPF, DKIM, or DMARC checks. Based on the spoof intelligence, organizations can manually allow those senders.
By allowing known senders to send spoofed messages from known locations, you can reduce false positives. False positives are good email that the system marks as bad. By monitoring the allowed spoofed senders, you provide an extra layer of security to prevent unsafe messages from arriving in your organization. Likewise, you can review spoofed senders that spoof intelligence allows and manually block those senders from the spoof intelligence insight.
The rest of this unit explains how to use the spoof intelligence insight in the Microsoft Defender portal.
Open the spoof intelligence insight in the Microsoft Defender portal
To modify the spoof intelligence policy or to enable or disable spoof intelligence, you must be a member of one of the following:
- Organization Management
- Security Administrator, together with either View-Only Configuration or View-Only Organization Management
For read-only access to the spoof intelligence policy, you must be a member of the Global Reader or Security Reader role groups.
Organizations can enable or disable spoof intelligence in anti-phishing policies in EOP and Microsoft Defender for Office 365. The system enables spoof intelligence by default. To view the recommended settings for spoof intelligence, see EOP anti-phishing policy settings.
Complete the following steps to open the spoof intelligence insight in the Microsoft Defender portal:
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration, then Policies & Rules, then Threat policies, and then Tenant Allow/Block Lists in the Rules section.
On the Tenant Allow/Block Lists page, the spoof intelligence insight looks like this:
The insight has two modes:
- Insight mode. If an organization enables spoof intelligence, the insight displays how many messages spoof intelligence detected during the past seven days.
- What if mode. If an organization disables spoof intelligence, the insight displays how many messages spoof intelligence would have detected during the past seven days.
To view information about the spoof intelligence detections, select View spoofing activity in the spoof intelligence insight.
Only spoofed senders that spoof intelligence detects appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry. As such, it only appears on the Spoof tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders before spoof intelligence detects them. For more information, see Manage the Tenant Allow/Block List in EOP.
The spoof intelligence insight shows seven days' worth of data. The Get-SpoofIntelligenceInsight PowerShell cmdlet shows 30 days' worth of data.
View information about spoofed messages
The Spoof intelligence insight page appears after you select View spoofing activity in the spoof intelligence insight. This page contains the following information:
Spoofed user. The domain of the spoofed user, which is displayed in the From box in email clients. Mail systems also refer to the From address as the 5322.From address.
Sending infrastructure. Also known as the infrastructure. The sending infrastructure is one of the following values:
- The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address.
- If the source IP address has no PTR record, then the system identifies the sending infrastructure as [source IP]/24 (for example, 192.168.100.100/24).
Message count. The number of messages from the combination of the spoofed domain and the sending infrastructure to your organization within the last seven days.
Last seen. The last date when the system received a message from the sending infrastructure that contains the spoofed domain.
Spoof type. One of the following values:
- Internal. The spoofed sender is in an accepted domain that belongs to your organization.
- External. The spoofed sender is in an external domain.
Action. One of the following values:
- Allowed. The domain failed the explicit email authentication checks (SPF, DKIM, and DMARC). However, the domain passed Microsoft's implicit email authentication checks (composite authentication). As a result, the system took no anti-spoofing action on the message.
- Blocked. Spoof intelligence marked messages from the combination of the spoofed domain and sending infrastructure as bad. The default anti-phishing policy or custom anti-phishing policies control the action taken on the spoofed messages. The default value is Move message to Junk Email folder. For more information, see Configure anti-phishing policies in Microsoft Defender for Office 365.
To filter the results, you have the following options:
- Select the Filter button. In the Filter pane that appears, you can filter the results by Spoof type or by Action.
- Use the Search box to enter a comma-separated list of spoofed domain values or sending infrastructure values.
View details about spoofed messages
When you select an entry from the list, a detail pane appears that contains the following information and features:
- Allow to spoof or Block from spoofing. Select one of these values to override the original spoof intelligence verdict. The system then moves the entry from the spoof intelligence insight to the Tenant Allow/Block List as an allow or block entry for spoof.
- The reason why the system caught the message.
- The steps you should take against the message.
- A domain summary that includes most of the same information from the main spoof intelligence page.
- Data about the sender.
- A link to open Threat Explorer to see extra details about the sender under View, then Phish in Microsoft Defender for Office 365.
- Similar messages from the same sender.
Allowed spoofed senders
An allowed spoofed sender is either:
- An allowed spoofed sender in the spoof intelligence insight.
- A blocked spoofed sender that you manually changed to Allow to spoof. The allow entry covers only messages from the combination of the spoofed domain and the sending infrastructure. It doesn't allow email from the spoofed domain from any other source, and it doesn't allow email from the sending infrastructure for any other domain.
For example, the following spoofed sender can spoof:
- Domain: gmail.com
- Infrastructure: tms.mx.com
Only email from that domain/sending infrastructure pair is allowed to spoof. The system doesn't automatically allow other senders attempting to spoof gmail.com, and spoof intelligence still checks, and possibly blocks, messages from senders in other domains that originate from tms.mx.com.
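The following PowerShell script is an added example, not Microsoft's code, that models two rules from this unit: how the insight labels the sending infrastructure (PTR domain, or [source IP]/24 when no PTR record exists) and why a spoof allow entry covers only one spoofed domain/sending infrastructure pair. The PTR table, the IP addresses and the contoso.com domain are constructed sample data so the script runs offline with no lookups against Exchange Online.

```powershell
# Constructed reverse-DNS table standing in for real PTR lookups.
# 203.0.113.25 has a PTR record; 192.168.100.100 (from the unit's example) has none.
$PtrTable = @{
    '203.0.113.25' = 'tms.mx.com'
}

function Get-SendingInfrastructure {
    param([Parameter(Mandatory)][string]$SourceIp)
    if ($PtrTable.ContainsKey($SourceIp)) {
        # PTR record present: the insight shows the PTR domain.
        return $PtrTable[$SourceIp]
    }
    # No PTR record: the insight shows the source IP with a /24 suffix.
    return "$SourceIp/24"
}

# Allow entries as the Spoof tab of the Tenant Allow/Block List records them:
# one spoofed domain paired with one sending infrastructure.
$AllowEntries = @(
    [pscustomobject]@{ SpoofedUser = 'gmail.com'; SendingInfrastructure = 'tms.mx.com' }
)

function Test-SpoofAllowed {
    param(
        [Parameter(Mandatory)][string]$SpoofedDomain,
        [Parameter(Mandatory)][string]$SourceIp
    )
    $infra = Get-SendingInfrastructure -SourceIp $SourceIp
    # Both halves of the pair must match; the domain alone or the
    # infrastructure alone is not enough to satisfy an allow entry.
    $hit = $AllowEntries | Where-Object {
        $_.SpoofedUser -eq $SpoofedDomain -and $_.SendingInfrastructure -eq $infra
    }
    [pscustomobject]@{
        SpoofedDomain         = $SpoofedDomain
        SendingInfrastructure = $infra
        AllowedBySpoofEntry   = [bool]$hit   # $false means spoof intelligence still evaluates it
    }
}

# Same pair as the allow entry: allowed to spoof.
Test-SpoofAllowed -SpoofedDomain 'gmail.com'   -SourceIp '203.0.113.25'
# gmail.com from a host with no PTR record: infrastructure is 192.168.100.100/24, not covered.
Test-SpoofAllowed -SpoofedDomain 'gmail.com'   -SourceIp '192.168.100.100'
# A different domain from tms.mx.com: not covered, so spoof intelligence still checks it.
Test-SpoofAllowed -SpoofedDomain 'contoso.com' -SourceIp '203.0.113.25'
```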