We Won’t Get Spoofed Again
In the last six months, our clients have seen an uptick in the number of spoofed emails in Office 365 that appear to be coming from an internal user. These are phishing emails that try to get the employee to click on a link contained within the email. They look legitimate because the return address will be that of a co-worker. If the link is clicked, there is a good chance the employee's machine will be infected, resulting in data theft.
This guide will show you how to put a one-line advisory at the top of every incoming email so you know if it originated from inside or outside of your organization.
If one of your users is fooled into clicking on a malware link, don’t shame them publicly – it helps no one. Instead, use it as a continuing education opportunity. Send out a reminder to everyone in the company to look out for fake and spoofed emails using an anonymized version of the phishing attempt with screenshots. You should be doing this quarterly anyway.
Parameters for the Spoofed Email Rule
Click Mail Flow, then the Plus (+) symbol and select Create a New Rule.
On the new rule setting page, name the rule, select “The sender is located…” “Outside the organization” and click on More options towards the bottom.
Click on Add Condition, then fill in the parameters as pictured below – “The recipient is located…” and “Inside the Organization.” Then add an action of “Prepend the disclaimer…” with the HTML code:
<em style="color: #ff0000;">*** EXTERNAL EMAIL ***</em>
Select the fallback option as Wrap. This is illustrated below:
After saving those settings, every user will see the *** EXTERNAL EMAIL *** line at the top of emails that originated from outside.
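The same rule can be created and checked from Exchange Online PowerShell. This is an added example, not part of the original guide; it assumes the ExchangeOnlineManagement module is installed and you sign in as an Exchange administrator, and the rule name is a made-up placeholder.

```powershell
# Added example: the mail flow rule from the steps above, scripted.
# The scopes, disclaimer HTML and Wrap fallback come from the guide;
# the rule name below is an assumption, choose your own.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ruleName = 'External Email Warning'   # assumed name
$settings = @{
    FromScope                         = 'NotInOrganization'  # sender is outside the organization
    SentToScope                       = 'InOrganization'     # recipient is inside the organization
    ApplyHtmlDisclaimerLocation       = 'Prepend'            # banner goes at the top of the message
    ApplyHtmlDisclaimerText           = '<em style="color: #ff0000;">*** EXTERNAL EMAIL ***</em>'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'               # if the body cannot be modified, wrap it
}

# Create the rule, or bring an existing rule of the same name back to these settings.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Set-TransportRule -Identity $ruleName @settings
} else {
    New-TransportRule -Name $ruleName @settings
}

# Read the rule back and report anything that differs from what was intended.
$rule  = Get-TransportRule -Identity $ruleName
$drift = @(foreach ($key in $settings.Keys) {
    if ("$($rule.$key)" -ne $settings[$key]) {
        "$key is '$($rule.$key)', expected '$($settings[$key])'"
    }
})
if ("$($rule.State)" -ne 'Enabled') {
    $drift += "Rule state is '$($rule.State)', expected 'Enabled'"
}

if ($drift.Count -gt 0) {
    $drift | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Rule '$ruleName' is enabled and matches the intended settings."
}

Disconnect-ExchangeOnline -Confirm:$false
```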
Train your users to look for the External Email warning at the top of every email. A message that appears to come from a co-worker but carries the warning was sent from outside your organization, so it is a spoofed email address and not a legitimate internal user. Naturally, this won't help if someone's password has been cracked, but that too can be largely mitigated by using multi-factor authentication (MFA/2FA).
Microsoft is usually pretty good at blocking these types of spoofed emails, but it's always an arms race between the good and bad guys. This small change will add an extra line of defense. Always remember that the best security policy is layered – there is no magic bullet that will completely protect you.