Data Protection

Spoof Intelligence in Office 365

Microsoft added Spoof Intelligence for email security earlier this year (January 2018 I think). This was included as a feature of the Office 365 Enterprise E5 plan, as well as a feature of the Advanced Threat Protection add-on for non-E5 customers. Spoof Intelligence provides visibility into who is spoofing your domain and/or domains that are sending email to you, and provides the capability to allow or deny any of these sending patterns. Spoofing means sending as a domain when you aren’t actually part of that domain, and the default behaviour in anti-spam engines is to treat spoofed email as junk or otherwise invalid. But that’s not always true.

In its documentation on Spoof Intelligence, Microsoft lists several situations when spoofing is valid:

When a sender spoofs an email address, they appear to be sending mail on behalf of one or more user accounts within one of your organization’s domains, or an external domain sending to your organization. Surprisingly, there are some legitimate business reasons for spoofing. For example, in these cases, you wouldn’t block the sender from spoofing your domain:
– You have third-party senders who use your domain to send bulk mail to your own employees for company polls.
– You have hired an external company to generate and send out advertising or product updates on your behalf.
– An assistant who regularly needs to send email for another person within your organization.
– An application that is configured to spoof its own organization in order to send internal notifications by email.

External domains frequently send spoofed email, and many of these reasons are legitimate. For example, here are some legitimate cases when external senders send spoofed email:
– The sender is on a discussion mailing list, and the mailing list is relaying the email from the original sender to all the participants on the mailing list.
– An external company is sending email on behalf of another company (for example, an automated report, or a software-as-a-service company).

You need a way to ensure that the mail sent by legitimate spoofers doesn’t get caught up in spam filters in Office 365 or external email systems.

There’s a plethora of technical standards and reputation dealings and authentication magic happening in the background to determine whether a message is spoofed or not, but the simple idea is that Spoof Intelligence provides a simple way of seeing who is spoofing you, and providing you with the ability to mark these spoofs as valid or invalid.

Categories: Data Protection