Spoof intelligence insight in EOP

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spoofing. EOP uses spoof intelligence as part of your organization's overall defense against phishing. For more information, see Anti-spoofing protection in EOP.

When a sender spoofs an email address, they appear to be a user in one of your organization's domains, or a user in an external domain that sends email to your organization. Attackers who spoof senders to send spam or phishing email need to be blocked. But there are scenarios where legitimate senders are spoofing. For example:

  • Legitimate scenarios for spoofing internal domains:

    • Third-party senders use your domain to send bulk mail to your own employees for company polls.
    • An external company generates and sends advertising or product updates on your behalf.
    • An assistant regularly needs to send email for another person within your organization.
    • An internal application sends email notifications.
  • Legitimate scenarios for spoofing external domains:

    • The sender is on a mailing list (also known as a discussion list), and the mailing list relays email from the original sender to all the participants on the mailing list.
    • An external company sends email on behalf of another company (for example, an automated report or a software-as-a-service company).

You can use the spoof intelligence insight in the Microsoft Defender portal to quickly identify spoofed senders who are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks), and manually allow those senders.

By allowing known senders to send spoofed messages from known locations, you can reduce false positives (good email marked as bad). By monitoring the allowed spoofed senders, you provide an additional layer of security to prevent unsafe messages from arriving in your organization.

Likewise, you can use the spoof intelligence insight to review spoofed senders that were allowed by spoof intelligence and manually block those senders.

The rest of this article explains how to use the spoof intelligence insight in the Microsoft Defender portal and in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

Note

  • Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the Spoofed senders tab on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see Spoofed senders in the Tenant Allow/Block List.

  • The Action values Allow or Block in the spoof intelligence insight refer to spoof detection (whether Microsoft 365 identified the message as spoofed or not). The Action value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent.

  • The spoof intelligence insight and the Spoofed senders tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy that was available on the anti-spam policy page in the Security & Compliance Center.

  • The spoof intelligence insight shows 7 days worth of data. The Get-SpoofIntelligenceInsight cmdlet shows 30 days worth of data.

What do you need to know before you begin?

Find the spoof intelligence insight in the Microsoft Defender portal

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Tenant Allow/Block Lists in the Rules section. Or, to go directly to the Tenant Allow/Block Lists page, use https://security.microsoft.com/tenantAllowBlockList.

  2. Select the Spoofed senders tab.

  3. On the Spoofed senders tab, the spoof intelligence insight looks like this:

    The Spoof intelligence insight on the Anti-phishing policy page

    The insight has two modes:

    • Insight mode: If spoof intelligence is enabled, the insight shows you how many messages were detected by spoof intelligence during the past seven days.
    • What if mode: If spoof intelligence is disabled, then the insight shows you how many messages would have been detected by spoof intelligence during the past seven days.

To view information about the spoof intelligence detections, select View spoofing activity in the spoof intelligence insight to go to the Spoof intelligence insight page.

View information about spoof detections

Note

Remember, only spoofed senders that were detected by spoof intelligence appear on this page.

The Spoof intelligence insight page at https://security.microsoft.com/spoofintelligence is available when you select View spoofing activity from the spoof intelligence insight on the Spoofed senders tab on the Tenant Allow/Block Lists page.

On the Spoof intelligence insight page, you can sort the entries by clicking on an available column header. The following columns are available:

  • Spoofed user: The domain of the spoofed user that's displayed in the From box in email clients. The From address is also known as the 5322.From address.
  • Sending infrastructure: Also known as the infrastructure. The sending infrastructure is one of the following values:
    • The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address.
    • If the source IP address has no PTR record, then the sending infrastructure is identified as <source IP>/24 (for example, 192.168.100.100/24).
    • A verified DKIM domain.
  • Message count: The number of messages from the combination of the spoofed domain and the sending infrastructure to your organization within the last seven days.
  • Last seen: The last date when a message was received from the sending infrastructure that contains the spoofed domain.
  • Spoof type: One of the following values:
    • Internal: The spoofed sender is in a domain that belongs to your organization (an accepted domain).
    • External: The spoofed sender is in an external domain.
  • Action: This value is Allowed or Blocked:

To change the list of spoofed senders from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.

To filter the entries, select Filter. The following filters are available in the Filter flyout that opens:

  • Spoof type: The available values are Internal and External.
  • Action: The available values are Allow and Block

When you're finished in the Filter flyout, select Apply. To clear the filters, select Clear filters.

Use the Search box and a corresponding value to find specific entries.

Use Export to export the list of spoof detections to a CSV file.

View details about spoof detections

When you select a spoof detection from the list by clicking anywhere in the row other than the check box next to the first column, a details flyout opens that contains the following information:

  • Why did we catch this? section: Why we detected this sender as spoof, and what you can do for further information.

  • Domain summary section: Includes the same information from the main Spoof intelligence insight page.

  • WhoIs data section: Technical information about the sender's domain.

  • Explorer investigation section: In Defender for Office 365 organization, this section contains a link to open Threat Explorer to see additional details about the sender on the Phish tab.

  • Similar Emails section: Contains the following information about the spoof detection:

    • Date
    • Subject
    • Recipient
    • Sender
    • Sender IP

    Select Customize columns to remove the columns that are shown. When you're finished, select Apply.

Tip

To see details about other entries without leaving the details flyout, use Previous item and Next item at the top of the flyout.

To change the spoof detection from Allow to Block or vice-versa, see the next section.

Override the spoof intelligence verdict

On the Spoof intelligence insight page at https://security.microsoft.com/spoofintelligence, use either of the following methods to override the spoof intelligence verdict:

  • Select one or more entries from the list by selecting the check box next to the first column.

    1. Select the Bulk actions action that appears.
    2. In the Bulk actions flyout that opens, select Allow to spoof or Block from spoofing, and then select Apply.
  • Select the entry from the list by clicking anywhere in the row other than the check box.

    In the details flyout that opens, select Allow to spoof or Block from spoofing at the top of the flyout, and then select Apply.

Back on the Spoof intelligence insight page, the entry is removed from the list, and is added to the Spoofed senders tab on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem.

About allowed spoofed senders

Messages from an allowed spoofed sender (automatically detected or manually configured) are allowed only using the combination of the spoofed domain and the sending infrastructure. For example, the following spoofed sender is allowed to spoof:

  • Domain: gmail.com
  • Infrastructure: tms.mx.com

Only email from that domain/sending infrastructure pair is allowed to spoof. Other senders attempting to spoof gmail.com aren't automatically allowed. Messages from senders in other domains that originate from tms.mx.com are still checked by spoof intelligence, and might be blocked.

Use the spoof intelligence insight in Exchange Online PowerShell or standalone EOP PowerShell

In PowerShell, you use the Get-SpoofIntelligenceInsight cmdlet to view allowed and blocked spoofed senders that were detected by spoof intelligence. To manually allow or block the spoofed senders, you need to use the New-TenantAllowBlockListSpoofItems cmdlet. For more information, see Use PowerShell to create allow entries for spoofed senders in the Tenant Allow/Block List and Use PowerShell to create block entries for spoofed senders in the Tenant Allow/Block List.

To view the information in the spoof intelligence insight, run the following command:

Get-SpoofIntelligenceInsight

For detailed syntax and parameter information, see Get-SpoofIntelligenceInsight.

Other ways to manage spoofing and phishing

Be diligent about spoofing and phishing protection. Here are related ways to check on senders who are spoofing your domain and help prevent them from damaging your organization: