共用方式為


General Guidance on combating spoofing

As an Escalation Engineer for Exchange Online we get lots of questions on how to stop email spoofing. It is a very broad topic and there are a number of things that can be done. Below is sone general guidance I provide to my customers when this topic comes up.

Last updated January 6th 2016

=================================================================

 Combating email spoofing can be tricky, what is right for another organization may not necessarily be right for your organization; moreover, it’s always important to understand you will never be able to block 100% of spoof attacks 100% of the time.

 

We recommend, when developing the strategy that is best for you, to look at these four areas:

 

SPF/DKIM/DMARC

The link below provides guidance on Using DMARC in Office 365

https://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx 

DKIM outbound signing is now enabled for your default onmicrosoft.com domain. But in order to enable for vanity domains in which you manage the DNS you must add the two CNAME records as outlined in the article below.

https://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx

External DNS records required for SPF

   https://support.office.com/en-us/article/External-Domain-Name-System-records-for-Office-365-c0531a6f-9e25-4f2d-ad0e-a70bfef09ac0#BKMK_SPFrecords

 

Customize an SPF record to validate outbound email sent from your domain

https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

 

 

User Education

Even with the most restrictive settings it is import to educate your user community to be able to spot red flags of spoofing attempts. If for whatever reason your user gets an email from itsupport@cont0so.com     they should be able to identify it does not look like legitimate email from your IT support staff.

 

Connection/SPAM Filters/Transport Rules

The links below provide in depth guidance on configuring your SPAM filters and advanced features that can help fine tune them to your specific needs

 

Configure the connection filter policy

** You can add IP  here to bypass filtering for email from these trusted sources if, and only if, those sources are already scanning/filtering mail before sending it on.

https://technet.microsoft.com/en-us/library/jj200718(v=exchg.150).aspx

 

Configure your spam filter policies

https://technet.microsoft.com/en-us/library/jj200684(v=exchg.150).aspx 

 

Advanced Spam Filtering Options

**Proceed with caution setting some of the features and they can be very restrictive and generate a lot of false positives, especially the option to quarantine SPF hard fail.

https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx  

 

(Not) Using the Additional Spam Filtering option for SPF hard fail to block apparently internal email spoofing

https://blogs.msdn.com/b/tzink/archive/2015/07/21/not-using-the-additional-spam-filtering-option-for-spf-hard-fail-to-block-apparently-internal-email-spoofing.aspx

 

 

Contingency/Action plans

As stated earlier you will never be able to block 100% of malicious email 100% of the time. When malicious/spoofed email does get though, develop an action plan including but not limited to:

 

•        Resetting the password on any compromised accounts

•        Running Malware/virus scans on affected machines

•        Using the Search-Mailbox to seek out and delete identified malicious email - https://technet.microsoft.com/en-us/library/dd298173(v=exchg.150).aspx   

•        Using Transport rules to help suppress the subsequent delivery of identified messages.

•        Using transport rules to block executable content:  https://blogs.msdn.com/b/tzink/archive/2014/04/08/blocking-executable-content-in-office-365-for-more-aggressive-anti-malware-protection.aspx 

•        Submit sample messaged to Microsoft for analysis https://technet.microsoft.com/en-us/library/jj200769.aspx

•        Submit suspected malware to our protection center https://www.microsoft.com/security/portal/submission/submit.aspx

 

 

Some additional related links:

 

Anti-spam and anti-malware protection

https://technet.microsoft.com/en-us/library/jj200731(v=exchg.150).aspx

 

Best practices for configuring EOP

https://technet.microsoft.com/en-us/library/jj723164(v=exchg.150).aspx

 

Terry Zink: Security Talk. Terry is one of our program managers EOP.

https://blogs.msdn.com/b/tzink/