TIP Mail rule to stop phishing message with fraudulent DisplayName and external address

Office 365        1

Revisions        1

Office 365

Create this transport rule for any high profile person within the Organization (e.g. CFO. CEO). This Technote suggests prepending the Subject line with SPAM:

http://markgossa.blogspot.ie/2016/01/spoofed-email-display-name-exchange-2016.html

I like this variant that would add a visual cue to the message body instead of changing the subject line (not everyone reads the subject line). You could modify the rule above to use the suggestions in this Technote:

https://blogs.perficient.com/microsoft/2016/04/office-365-providing-your-users-visual-cues-about-email-safety/

This is a more generalized approach which would apply to everyone in the organization (not just high profile) and if it works would be the best option, but it could be risky to delete the message and also it requires you to know if there are any outside sources for the organization’s emails (e.g. Constant Contact etc). You could change the rule to not delete the email and instead add the visual cue described above:

https://support.knowbe4.com/hc/en-us/articles/212679977-Domain-Spoof-Prevention-in-Exchange-2013-2016-Office-365

Revisions

PS121317

Initial Version

THIS INFORMATION IS PROVIDED “AS IS” WITH NO WARRANTY OF ANY KIND AS TO THE ACCURACY OF ITS CONTENT.