Display name spoofing protection request
I'd like to see a feature whereby we can flag/block incoming external email which has a display name that matches the display name of an internal user. This would help stop the many emails we get where fraudsters have obtained staff names from LinkedIn etc. and have then created a free webmail account using their name, and then emailed staff attempting to ask them to make a bank transfer or other payment.
Elisa at SSC commented
This is part of anti-phishing in the O365 ATP product. Though it's broken a bit, as the GUI doesn't respect PowerShell changes, but that's what I'm here to complain about. Was hoping this thread addressed it, will be starting one separately :)
Jesse Thompson commented
First, we need Microsoft to roll out the IP Skiplist so that DMARC actually works with hybrid ExO. I thought it was coming last summer. Please please please.
Next, we need the entire internet to fix the forwarding issue (maybe ARC will work, but realistically we need MLMs to rewrite the From headers).
Last, I agree that outright blocking messages that match an existing user's name is a shortsighted idea, but maybe surfacing it as a condition for an ETR rule would be helpful (so that the Subject can be tagged)
Eric Kool-Brown commented
Rather than block, the rule could tag the subject or body with something like "suspicious reuse of an internal name" (yeah, a mouthful, but you get the idea).
Mike Macary commented
G Suite offers this and it is a helpful feature. I'd love to see this added to EOP.
Jacob Fortune commented
This feature is suggesting that no one should be allowed to send to a tenant if they are an external user with a name that matches an internal user? That seems awfully aggressive. We have a tenant of near 200,000 mailboxes. If we rejected email from every external Tom, ****, and Jane Smith, nothing would get in.
Other vendors do this automatically. I have had to create a static transport rule to watch for this type of spam and it's not feasible to update the rule every time we hire or fire an employee.
We REALLY need an option to check for spoofing based upon the From field. Checking just the Reply-To is not enough, as evidenced by the spoofed messages we're receiving even with SPF set up for our domain and set to hard fail in our Spam filter settings in EOP.
Me too. Thanks.
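Several commenters above describe the same workaround: a mail flow (transport) rule that watches the From header for internal display names and tags the Subject rather than rejecting, and the pain of keeping that rule current as people join and leave. The script below is an added example, not code from this thread or from Microsoft: it regenerates the rule's From-header patterns from a curated distribution group so it can be run on a schedule. It assumes an existing Exchange Online PowerShell session with rights to manage transport rules; the rule name, the group name and the trusted-domain list are placeholders.

```powershell
# Added example (not from the thread). Regenerates a mail flow rule whose From-header
# patterns come from the current members of a watchlist group, so the rule tracks
# hires/leavers without hand edits. Assumes Connect-ExchangeOnline has already run.
param(
    [string]$RuleName       = "Flag external mail reusing an internal display name",
    # Curate this group (execs, finance, HR). A tenant-wide list will not fit within
    # the rule size limit, and common names would flag far too much legitimate mail.
    [string]$ProtectedGroup = "DisplayNameProtection-Watchlist",
    [string[]]$TrustedDomains = @()    # partner domains to exempt, e.g. your MSP
)

# Display names to protect, taken from the watchlist group (placeholder name).
$names = Get-DistributionGroupMember -Identity $ProtectedGroup -ResultSize Unlimited |
    Select-Object -ExpandProperty DisplayName |
    Where-Object { $_ } |
    Sort-Object -Unique

if (-not $names) { throw "No display names found in group '$ProtectedGroup'" }

# Escape only regex metacharacters (not whitespace) so the patterns stay within the
# regex subset that Exchange transport rules accept. One pattern per name, anchored
# to the display-name part of the header:  "Jane Smith" <someone@example.com>
$patterns = foreach ($n in $names) {
    $escaped = $n -replace '([\\\.\*\+\?\|\{\}\[\]\(\)\^\$])', '\$1'
    '^\s*"?' + $escaped + '"?\s*<'
}

$settings = @{
    FromScope                  = 'NotInOrganization'   # external senders only
    HeaderMatchesMessageHeader = 'From'                 # the visible From, not Reply-To or MAIL FROM
    HeaderMatchesPatterns      = $patterns
    PrependSubject             = '[EXTERNAL: internal name reuse] '
    SetSCL                     = 5                      # deliver to Junk; do not reject outright
    SetAuditSeverity           = 'High'                 # makes hits easy to find in message trace / reports
    Mode                       = 'Enforce'
}
if ($TrustedDomains) { $settings.ExceptIfSenderDomainIs = $TrustedDomains }

# Create the rule on first run, update it in place afterwards.
$existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-TransportRule -Identity $RuleName @settings
} else {
    New-TransportRule -Name $RuleName @settings
}

Write-Host ("Rule '{0}' now covers {1} display names." -f $RuleName, $patterns.Count)
```

Two caveats a practitioner should keep in mind. First, this matches the header text as the service sees it: senders who vary the name (middle initials, different case, Unicode lookalikes, or an encoded-word display name) will slip past, so it catches the copy-paste-from-LinkedIn case the original request describes, not a determined attacker. Second, start with `Mode = 'Audit'` or `'AuditAndNotify'` and review the hits before enforcing; with a large tenant, even a short list of common names will match legitimate external mail.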