Email Spoofing, how can they do that?

Spoofing an email is not a new thing, but it has gotten worse in recent years. Releasing antispoof intelligence to all Office 365 licenses is a great move by Microsoft to try and reduce this threat...

So, Email spoofing 101...

When you send an email, it has to go through an email server. There are many types of email server; Exchange, POP, IMAP and SMTP are just a few. Normally these kinds of servers require that your email client is logged in to send or receive email through them, but not all.

When you send an email the route it takes looks something like this:

Email Client -> Email Server -> Internet -> Recipient's Security -> Recipient's Server -> Recipient's Email Client.

Now with that in mind, spoofing works because the internet and the recipient's security don't 'just know' that your email should only come from your server. So the spoofers bypass the first two parts of the route and just pretend they came from your email server.

So this looks something like this:

Spoofer's Email Client -> Internet -> Recipient's Security -> Recipient's Server -> Recipient's Email Client.

As you can see, there is no interaction with your email system AT ALL. So unless the recipient's security asks, it will just deliver the email to the recipient.

So what can we do?

There are a number of things we can do. The first is to add a technology called SPF (Sender Policy Framework). It is a record on the internet that tells email security that email can only come from your servers. But this only works if the email security on the recipient's end is set to look for it. SPF records also tend to be a little lenient, as some systems allow their website or signature manager to send out as well, so careful management of the SPF record is required.

The second thing we can do is use DKIM (DomainKeys Identified Mail). This takes the idea one step further: the sender's server stamps email with a key. If the key is missing or doesn't match the one from the sender's genuine server, the email will get blocked.

These can be extended using DMARC, which reports back to the sender admins, telling them where threats are coming from so they can take action.

These technologies all rely on the other side having appropriate security.

Microsoft Antispoof Intelligence.

Microsoft's Antispoof Intelligence uses a combination of records and AI to significantly reduce the amount of spoofing going through your system. It also picks up on spoof emails coming in. It was originally bundled with Microsoft ATP, which was only available to E5 or ATP customers, but now it is included in all Office 365 subscriptions.

It allows us to monitor spoofing from the Office 365 portal and gives us forensic reports, as well as stopping threats before they become a problem.

Editing spoofing filter settings

The new anti-spoofing technology from Microsoft has some new controls in Office 365. As admins, we can now control what Exchange Online Protection looks for, we can block and whitelist domains and IP addresses, and we can also now control where spoofed emails go and how they are notified.

You can find a more detailed overview here: https://docs.microsoft.com/en-gb/office365/securitycompliance/learn-about-spoof-intelligence

But if you would like to know more, get in touch using the contact form found here