Office 365 Email Spoofing Report
What is Email Spoofing?
E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. In simple words, email spoofing is the act of sending email on behalf of another user.
Is Email Spoofing Bad?
Email spoofing has both good and bad faces. A malicious user may spoof the actual domain to send spam or phishing emails. Spoofing is a common way of obtaining user credentials or credit card information.
In some cases, there are legitimate reasons for spoofing.
- You are using a third-party service to send bulk mail or to run a mail campaign.
- You may be using an external company to handle the customer care on behalf of your organization.
What Actions Need to be Taken?
- The admin has to ensure that the mail sent by legitimate spoofers doesn’t get caught by the spam filters at the sending and receiving ends.
- On the other hand, malicious emails need to be blocked, so the admin needs to disable unauthorized spoofing of the domain.
How does Spoof Intelligence Work in Office 365?
Customers who have Office 365 Enterprise E5 or have purchased Advanced Threat Protection licenses have access to spoof intelligence in the Office 365 Security & Compliance Center.
The spoof intelligence policy is already set and enforced by O365. We cannot disable it, but we can choose how much we want to actively manage it.
You can control which domains or users can spoof your domain by reviewing the existing policy applied in the Office 365 Security & Compliance Center.
To manage senders who are spoofing your domain by using the Security & Compliance Center:
- Go to the Security & Compliance Center.
- Sign in to Office 365 with your work or school account. Your account must have administrator credentials in your Office 365 organization.
- In the Security & Compliance Center, expand Security policies > Anti-spam.
- In the right pane, on the Standard tab, expand Spoof intelligence.
- To view the list of senders spoofing your domain, choose Review new senders. If you’ve already reviewed senders and want to change some of your previous choices, you can choose Show me senders I already reviewed instead. The following panel appears.
- On the Standard tab, each row represents a sender that is spoofing one or more users in your organization. If a sender is spoofing multiple users, and you want to allow that sender to spoof some users but not others, on the Standard tab, select Choose users. This brings up the Detailed tab with the list of users being spoofed split into individual rows so you can choose whether to allow or block the sender from spoofing each user individually. To add a sender to the allow list for a user, choose Yes from the Allowed to spoof column. To add a sender to the block list for a user, choose No.
- Choose Save to save any changes.
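The per-user allow/block choice described above, modelled as an added Python example (not Microsoft's spoof intelligence logic and not code from the original page): a message counts as spoofing your domain when its From header claims the domain but neither SPF nor DKIM passed for that domain, and the allow list is then consulted per sending domain and spoofed user. The domain names, allow list, sample messages and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "contoso.example"  # constructed placeholder domain
# Per-user decisions, as on the Detailed tab: (sending domain, spoofed user)
ALLOW = {("bulkmailer.example", "news@contoso.example")}  # constructed

def aligned(auth_results, domain):
    """True if SPF or DKIM passed for `domain` itself (exact-match alignment)."""
    for part in auth_results.lower().split(";")[1:]:  # [0] is the authserv-id
        m = re.match(r"\s*(spf|dkim)=pass\b(.*)", part, re.S)
        if not m:
            continue
        prop = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
        v = re.search(re.escape(prop) + r"=(\S+)", m.group(2))
        if v and v.group(1).rpartition("@")[2] == domain:
            return True
    return False

def classify(raw, our_domain=OUR_DOMAIN, allow=ALLOW):
    msg = message_from_string(raw)
    spoofed_user = parseaddr(msg.get("From", ""))[1].lower()
    if spoofed_user.rpartition("@")[2] != our_domain:
        return "external"  # header From does not claim our domain
    # Assumption: Authentication-Results was stamped by our own receiving server.
    if aligned(msg.get("Authentication-Results", ""), our_domain):
        return "authentic"
    sender = parseaddr(msg.get("Return-Path", ""))[1].lower().rpartition("@")[2]
    return "allowed-spoof" if (sender, spoofed_user) in allow else "blocked-spoof"

def sample(frm, rpath, auth):
    """Build a constructed test message; not real mail."""
    return (f"Return-Path: <{rpath}>\n"
            f"Authentication-Results: mx.contoso.example; {auth}\n"
            f"From: {frm}\nSubject: test\n\nbody\n")

BULK = "spf=pass smtp.mailfrom=bounce@bulkmailer.example; dkim=none"
SAMPLES = {
    "own": sample("Alice <alice@contoso.example>", "alice@contoso.example",
                  "spf=pass smtp.mailfrom=alice@contoso.example; dkim=pass header.d=contoso.example"),
    "campaign": sample("news@contoso.example", "bounce@bulkmailer.example", BULK),
    "ceo_via_bulk": sample("ceo@contoso.example", "bounce@bulkmailer.example", BULK),
    "forged": sample("ceo@contoso.example", "x@unknown.example",
                     "spf=fail smtp.mailfrom=x@unknown.example"),
    "partner": sample("bob@partner.example", "bob@partner.example",
                      "spf=pass smtp.mailfrom=bob@partner.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {classify(raw)}")
```

The bulk mailer is allowed to send as news@contoso.example but not as ceo@contoso.example, which is the "some users but not others" case the Detailed tab exists for.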
How to See Spoofed Email Activity for My Office 365 Tenant?
You can check the ‘Spoof Mail Report’ in your Security & Compliance Center to get a view of the senders spoofing your domain. You can quickly get a visual report of summary data and drill down into details about individual messages, for as far back as 90 days. You can check this in detail in this Microsoft TechNet blog.