Office 365 basic and advanced e-mail Protection against SPAM, Phishing and CEO-Fraud

Spam (irrelevant or unsolicited messages), phishing (credential compromise) or CEO-fraud (impersonate C-level management for financial abuse) are harder to mitigate if they come from the customer e-mail domain.

E-mail authentication protocols protect against these kind of impersonation (domain or user) attacks. Via authentication, the e-mail infrastructure verifies it is authorized to send mail from the protected SMTP (Simple Mail Transfer Protocol) e-mail domain(s).

There are three basic (Microsoft 365 E3) and two advanced (Microsoft 365 E5 Security) e-mail spoofing / impersonation protection features:

- SPF (Sender Policy Framework)
- DKIM (DomainKeys Identified Mail)
- DMARC (Domain-based Messaging and Reporting Compliance)
- Anti-phishing (CEO Fraud)
- Spoof Intelligence

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) prevents unauthorized e-mail systems to send e-mail with the company’s SMTP domain on the internet.

Image for post
Image for post

The receiving mail server uses DNS to validate the senders mail server(s) via the SPF-record (DNS TXT record) values like A- (host), ip4 and/or ip6 and MX (inbound)-records.

SPF checks the 5321.MailFrom value. The authorized e-mail system(s) are presented in a DNS TXT record.

Example DNS TXT Record

v=spf1 include:spf.protection.outlook.com -all

-all is a hard fail so non-authorized mail is rejected
~all is a soft fail so non-authorized mail is marked as spam

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) was initially designed as an (Asymmetric) public key encryption for e-mail security (mail send from example.com is verified if the sender is example.com), but lately, it is used for spam protection. DKIM permits the owner of the signing domain to claim responsibility for a message by associating the domain with the message.

The sender signs the message with the private Key in the message DKIM-Signature header, which the receiver verifies via the public key published in DNS.

Example DNS CNAME Record(s) (2 records to rotate the keys)

selector1._domainkey CNAME selector1-domainname-com._domainkey.tenantname.onmicrosoft.com

selector1._domainkey CNAME selector2-domainname-com._domainkey.tenantname.onmicrosoft.com

The DNS record is a CNAME record from selector1._domainkey to selector1-domainname-com._domainkey.tenantname.onmicrosoft.com

The 2nd value is the actual TXT value which holds the Public key.

Image for post
Image for post

Domain-based Messaging and Reporting Compliance (DMARC)

Domain-based Messaging and Reporting Compliance (DMARC) protects users by evaluating both SPF and DKIM and then determines if either domain matches the domain in the 5322.From address (the address you see in Microsoft Outlook).

Image for post
Image for post

If the SPF or DKIM (or both) authenticated identifier is positive ( Pass) then the e-mail is compliant with DMARC and delivered to the mailbox.

Image for post
Image for post

(X Fail) then to Policy is applied (e.g. Quarantine or Reject) and an aggregate report is sent to the sender.

Example DNS Record

DNS v=DMARC1; p=none; rua=mailto:dmarc@example; ruf=mailto:dmarc@example; fo=1;

Office 365 ATP

Microsoft Office 365 ATP (Advanced Threat Protection) has great advanced e-mail protection features like safe links and safe attachments. Two extra features (less known) are anti-phishing and spoof intelligence to protect against spoofing (impersonation).

Anti-Phishing

Microsoft Office 365 ATP — Anti-phishing (anti-impersonation) provides inbound protection for all users in the organization against C-level or finance impersonation (e.g. CEO Fraud) via detection algorithms (display- or domain name).

Image for post
Image for post

This setting has user impact, e.g. a person from the protected list cannot send e-mails from personal (e.g. @outlook.com or @gmail.com to a business address (@nexperia.com) if the display name is the same. User adoption / communication is important for the user(s) included in the Policy

Anti-phishing checks incoming messages for indicators of phishing (e.g. identical display names, forged domains, etc.). If the user is covered by a policy (anti-phishing in this case) the incoming message is evaluated by machine learning models (e.g. impersonation attacks) that analyses the message and determine of action is required (suspicious e-mail is delivered in the Junk folder).

Spoof Intelligence

Microsoft Office 365 ATP — Spoof Intelligence provides protection, via machine learning techniques (sender reputation, sender/recipient history, behavioral analysis, etc.), against e-mail attack(s) against spoof, or unauthenticated, e-mail. Intra-org (Accepted Domains) and cross-domain (external) are protected via spoof intelligence.

Image for post
Image for post

The compauth value is added to the message header for extra anti-spoofing protection in the Authentication-Results header next to the SPF, DKIM & DMARC checks.

If you got any questions, please contact me or the InSpark Cybersecurity Team

Written by

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store