This is part of an ongoing series of Office 365 Best Practices which should be in place for every organization – big or small, business or non-profit.
“Spoofing” is a spam technique in which malicious actors pose as legitimate senders for their own nefarious purposes – monetary gain, account access, etc. A common spoof attempt seen in my line of work is the high-pressure fake e-mail from the CEO: “Bob, I need you to buy $500 in Amazon gift cards and send me the codes from the back. This is critical to close a deal so I need you to do it NOW. Thanks!” Of course, it turns out not to be the CEO. It turns out to be someone posing as the CEO with a very similar-looking e-mail address – and it succeeds more often than you might think.
While we can’t control what spammers are doing outside of our 365 tenant, we can control what happens when they try to spam our users. To help draw your users’ attention to spoofing attempts, we can deploy an attention-grabbing warning on all mail sent from outside the organization – looking something like this:
The idea is that when a user receives an e-mail supposedly from CEO Bob Smith – but lo and behold, it has the yellow banner because it came not from Bob but from an external e-mail address – they’ll notice the banner and be clued-in to the potential scam.
To enable a banner like the one seen above, follow this process:
1. Log in at Portal.Office.com and access the Exchange Admin Center.
2. Select Mail Flow from the left menu, then ensure you’re on the Rules tab.
3. Select the + symbol, then Create a New Rule.
4. Give the rule a descriptive name. I suggest something like “Warning Banner on External Mail“.
5. Pull the drop-down for Apply This Rule If, select The sender is located, and select Outside the Organization.
6. Pull the drop-down for Do the following, select Apply a disclaimer to the message, and select Prepend the message.
7. In the Specify Disclaimer Text box, you’ll enter HTML specifying how you want the banner to look. I found this great pre-made banner from O365Reports.com – just plug this into the box:
<p><div style="background-color:#FFEB9C; width:100%; border-style: solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align: left;"><span style="color:#9C6500; font-weight:bold;">CAUTION:</span> This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</div><br></p>
When you’ve made all the above changes, your Create Rule box should look like this:
8. Press Save to commit the changes and close the wizard. If you have other specialty mail flow rules in your Exchange Admin Center, then you might need to tweak the priority to ensure you’re getting the banner while not disrupting other rules. If this is the only mail flow rule you have, you can leave it the way it is.
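For admins who prefer to script this (or need to repeat it across several tenants), here is the same rule built with Exchange Online PowerShell. This is an added example, not from the original post or from O365Reports.com; it assumes the ExchangeOnlineManagement module is installed and that the account running it has the Exchange administrator role. The rule name and comment text are my own choices; the cmdlet parameters are the standard New-TransportRule ones that correspond to steps 4 through 8 above.

```powershell
# Added example (not from the original post): create the external-mail warning
# banner rule with Exchange Online PowerShell instead of the EAC wizard.
# Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

# The same banner HTML the post uses, with straight quotes so mail clients
# parse the style attributes correctly.
$banner = @'
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left;"><span style="color:#9C6500; font-weight:bold;">CAUTION:</span> This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</div><br>
'@

# Rule name from step 4 (any descriptive name works).
$ruleName = "Warning Banner on External Mail"

# Steps 5-7: condition "sender is outside the organization", action "prepend disclaimer".
# FallbackAction Wrap: if the body cannot be modified (e.g. the message is signed
# or encrypted), the original is wrapped inside a new message that carries the
# banner instead of being delivered without it.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0 `
    -Comments "Prepends a visible warning to all inbound external mail."

# Step 8 check: confirm the rule exists, is enabled, and sits at the priority you expect
# relative to any other mail flow rules in the tenant.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, ApplyHtmlDisclaimerLocation
```

The -Priority value of 0 puts this rule first; if you already have other mail flow rules, run Get-TransportRule on its own first and pick a priority that lets those rules keep working, which is the same adjustment step 8 describes for the wizard.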
…and, done! From now on, mail coming in from outside the organization will be prepended with the banner shown at the top of the guide. Obviously, it’s not an “active” measure – spoof messages are not being zapped or prevented entirely, as there is no good way to ban all spoof attempts permanently – but if you train your users to pay attention to the yellow banner, then this WILL help identify potential spoofing.