Block Email with Exchange Online Mail flow
Recently there is an increasing number of whale attacks against the senior executive, and most of the attacks are carried out by mail. The main goal of the attacker is to steal identities and sensitive information.
In many cases, the same mail and the same display name are used, and an attempt is made to spoof the same user.
Therefore we have set up several Exchange-level rules to solve the problem, and this example is for an incoming email with the same display name only.
How to block incoming email
The way to get Exchange Online to recognize this email is to set up a custom Exchange Transport Rule, which we can use to identify the email and perform any action.
From the Exchange Admin Center, open Mail Flow and Create New Rule.
On the rule, configure the following settings:
- Name: Phishing
- Apply this rule if The sender is located… Outside the organization
and: a message header matches… From and the Display Name for the relevant user
- Do the following… Prepend the subject of the message with. Spam or Phishing (you can type whatever you need)
and: Set the spam confidence level (SCL) to… 8
- Priority: 0
- Audit: High
The complete rule
Once I configured the rule and sent an email with the same Display Name, the Exchange acts, and the email looks like the image below:
- You can add conditions to the rule as you need (this is a basic rule)
- You can add action based on SPF, DKIM, and other
- this rule can be compatible with Exchange 2013 and higher