Learn more about spoof intelligence

Customers who have Office 365 Enterprise E5 or have purchased Advanced Threat Protection licenses have access to spoof intelligence in the Office 365 Security & Compliance Center.

Use spoof intelligence on the Anti-spam settings page in the Security & Compliance Center to review all senders who are spoofing your domain, and then choose whether to allow each sender to continue or to block the sender.

What types of email spoofing can I review and which should I protect against with spoof intelligence?

When a sender spoofs an email address, they appear to be sending mail on behalf of one or more user accounts within one of your organization's domains. Surprisingly, there are some legitimate business reasons for spoofing. For example, in these cases, you wouldn't block the sender from spoofing your domain:

  • You have third-party senders who use your domain to send bulk mail to your own employees for company polls.

  • You have hired an external company to generate and send out advertising or product updates on your behalf.

  • You have an assistant who regularly needs to send email for another person within your organization.

  • You have an application that is configured to spoof its own organization in order to send internal notifications by email.

You also need a way to ensure that the mail sent by legitimate spoofers doesn't get caught up in spam filters in Office 365 or by external email systems. Normally, Office 365 treats these email messages as spam. As an Office 365 admin, you have the ability to prevent this by setting up spoof filters in the Security & Compliance Center and by configuring SPF, DKIM, and DMARC to allow for these senders.

On the other hand, malicious spoofers, those senders that are spoofing your domain to send spam or phishing email, need to be blocked. Spoofing is also a common way for phishers to get user credentials. Office 365 has built-in spoof protection to help shield your organization from senders of these malicious emails. Spoof protection is always on for all Office 365 customers. To further strengthen this protection, tell us which senders are authorized to spoof your organization's domains and send email on your behalf. Any email sent from a sender that you don't authorize will be treated as spam by Office 365. Keep an eye on the senders spoofing your domain and help us improve spoof intelligence by using the Security & Compliance Center.

Managing spoof intelligence in the Security & Compliance Center

The spoof intelligence policy you set up is always enforced by Office 365. You cannot disable it, but you can choose how much you want to actively manage it.

By using the Security & Compliance Center, you can review the senders who are spoofing your domain and then decide whether each sender should be allowed to do so. For each user account in your domain that a sender spoofs, you can view the information in the following table.

Parameter

Description

Sender

Also called the true sender. This is usually the domain from which the spoof email originates. Office 365 determines the domain of the pointer (PTR) DNS record of the sending IP address that is spoofing your organization. If no domain is found, the report displays the sender's IP address instead.

Spoofed user

The user account that is being spoofed by the sender.

Standard tab only. If the sender is spoofing multiple user accounts, this field contains More than one.

Detailed tab only. If the sender is spoofing multiple user accounts, the report lists one row for each user that is spoofed by the sender.

Tip for advanced admins: The spoofed user is the From (5322.From) address, which is also the address displayed as the From address by the mail client. This is sometimes called the header.from address. The validity of this address is not checked by SPF.

Number of messages

The number of mail messages sent by the sender to your organization on behalf of the identified spoofed sender or senders within the last 30 days.

Number of user complaints

Complaints filed by your users against this sender within the last 30 days. Complaints are usually in the form of junk submissions to Microsoft.

Authentication result

Detailed tab only. This value is Passed if the sender passed Exchange Online Protection (EOP) sender authentication checks, such as SPF or DKIM, Failed if the sender failed EOP sender authentication checks, or Unknown if the result of these checks isn't known.

Decision set by

Detailed tab only. Shows whether the Office 365 administrator or the spoof intelligence policy determined whether or not the sender is allowed to spoof the user.

Last seen

Detailed tab only. The last date on which a message was received from this sender on behalf of this spoofed user.

Allowed to spoof?

Displays whether or not this sender is allowed to send email on behalf of the spoofed user. Possible values include:

  • Yes: All spoofed addresses from this spoofing sender will be allowed to spoof your organization.

  • No: Spoofed addresses from this spoofing sender won't be allowed to spoof your organization. Instead, messages from this sender will be marked as spam by Office 365.

  • Some users: If a sender is spoofing multiple users, some spoofed addresses from this sender will be allowed to spoof your organization, and the rest will be marked as spam. Use the Detailed tab to see the specific addresses.
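
The Tip and the Authentication result row above, shown as an added example (not code from Microsoft or Office 365): a message can pass SPF for the sender's own envelope domain while its From address names your domain. The sample messages, contoso.com, bulkmailer.example and the function names are constructed for illustration, and the strict domain comparison is an assumption, not Office 365's spoof intelligence logic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: contoso.com stands in for your domain, bulkmailer.example
# for a hypothetical third-party sender. DKIM_SIGNED adds a contoso.com signature.
SPF_ONLY = """\
Return-Path: <bounce@bulkmailer.example>
Authentication-Results: mx.contoso.com; spf=pass smtp.mailfrom=bulkmailer.example; dkim=none
From: Payroll <payroll@contoso.com>
Subject: Employee poll

Please vote.
"""
DKIM_SIGNED = SPF_ONLY.replace("dkim=none", "dkim=pass header.d=contoso.com")

def domain_of(value):
    """Domain part of an address; a bare domain is returned unchanged."""
    addr = parseaddr(value)[1] or value
    return addr.rpartition("@")[2].lower()

def parse_auth_results(header):
    """Map each method (spf, dkim, ...) to (result, properties)."""
    methods = {}
    # Drop (comments), skip the authserv-id, then read key=value tokens.
    for clause in re.sub(r"\([^)]*\)", "", header).split(";")[1:]:
        tokens = dict(t.split("=", 1) for t in clause.split() if "=" in t)
        if tokens:
            method, result = next(iter(tokens.items()))
            methods[method.lower()] = (result.lower(), tokens)
    return methods

def analyze(raw, own_domains):
    """Flag mail whose From uses our domain without an authenticated match."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"] or "")
    auth = parse_auth_results(msg["Authentication-Results"] or "")
    spf, spf_props = auth.get("spf", ("unknown", {}))
    dkim, dkim_props = auth.get("dkim", ("unknown", {}))
    mailfrom = domain_of(spf_props.get("smtp.mailfrom") or msg["Return-Path"] or "")
    # Strict comparison: the authenticated domain must equal the From domain.
    matched = (spf == "pass" and mailfrom == from_dom) or (
        dkim == "pass" and domain_of(dkim_props.get("header.d", "")) == from_dom)
    return {"spoofed_user": parseaddr(msg["From"] or "")[1].lower(),
            "mailfrom_domain": mailfrom, "spf": spf, "dkim": dkim,
            "spoof_candidate": from_dom in own_domains and not matched}

if __name__ == "__main__":
    print([analyze(s, {"contoso.com"}) for s in (SPF_ONLY, DKIM_SIGNED)])
```

The first sample passes SPF yet is still flagged, because SPF authenticated bulkmailer.example rather than the From domain; the second is not flagged because a passing DKIM signature names contoso.com.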

To manage senders who are spoofing your domain by using the Security & Compliance Center
  1. Go to the Security & Compliance Center.

  2. Sign in to Office 365 with your work or school account. Your account must have administrator credentials in your Office 365 organization.

  3. In the Security & Compliance Center, expand Security policies > Anti-spam.

    Screenshot showing the anti-spam settings page in the Security & Compliance Center
  4. In the right pane, on the Standard tab, expand Spoof intelligence.

  5. To view the list of senders spoofing your domain, choose Review new senders.

    If you've already reviewed senders, and want to change some of your previous choices, you can choose Show me senders I already reviewed instead. The following panel appears.

    Screenshot showing the Standard tab on the Spoof intelligence panel in the Security & Compliance Center
  6. On the Standard tab, each row represents a sender that is spoofing one or more users in your organization.

    If a sender is spoofing multiple users, and you want to allow that sender to spoof some users but not others, on the Standard tab, select Choose users.

    Screenshot showing how to choose which users to allow a sender to spoof

    This brings up the Detailed tab with the list of users being spoofed split into individual rows so you can choose whether to allow or block the sender from spoofing each user individually.

    Screenshot showing multiple spoofed users by one sender

    To add a sender to the allow list for a user, choose Yes from the Allowed to spoof column. To add a sender to the block list for a user, choose No.

  7. Choose Save to save any changes.

Other ways to manage spoofing and phishing with Office 365

Be diligent about spoofing and phishing protection. Here are related ways to check on senders spoofing your domain and help prevent them from damaging your organization:

  • Check the Exchange Online Protection spoof mail report as part of your routine. You can use this report often to view and help manage spoofed senders. For information, see Spoof mail report in Use mail protection reports in Office 365 to view data about malware, spam, and rule detections.

  • For more advanced Office 365 admins:

    • Review your Sender Policy Framework (SPF) configuration. For a quick introduction to SPF and to get it configured quickly, see Set up SPF in Office 365 to help prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.

    • Review your DomainKeys Identified Mail (DKIM) configuration. You should use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that look like they are coming from your domain. DKIM lets you add a digital signature to email messages in the message header. For information, see Use DKIM to validate outbound email sent from your domain in Office 365.

    • Review your Domain-based Message Authentication, Reporting, and Conformance (DMARC) configuration. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks. For information, see Use DMARC to validate email in Office 365.

    • Use the Get-PhishFilterPolicy Windows PowerShell cmdlet to gather detailed data on spoofed senders, generate allow and block lists, and help you determine how to generate more comprehensive SPF, DKIM, and DMARC DNS records without having your legitimate email get caught in external spam filters. For more information, see How antispoofing protection works in Office 365.
