There has been a recent wave of spoofed emails sent to companies, usually addressed to finance staff and pretending to come from the CEO, with the aim of getting funds paid out and withdrawn quickly.
Spoofing an email address isn't hard, and with a little background research, spammers get the CEO's correct email address and sometimes even their email signature.
How do we stop this?
- To start with, SPF, DKIM and DMARC records should all be added to the domain so that receiving mail servers can verify whether the sender is allowed to send from the company domain.
- You should definitely have an inbound spam filter in front of Microsoft Exchange. Whether this is a Barracuda box, Postfix or Microsoft FrontBridge, you should be able to enable a rule that performs an SPF check for your own domain only. Enabling it for all domains will start marking a lot of legitimate incoming email as spam, because many senders do not have SPF records.
- Create a quarantine in Exchange. From EMC > Organization Configuration > Hub Transport > Transport Rules, create a new transport rule that says:
From users that are outside the organization
And when the from address matches text patterns yourdomain.com
Forward the message to [email protected] for moderation
Now, if you have other SMTP servers in or out of your org that send on behalf of your domain, you’ll need to create an exception by adding:
Except when the message header received matches text patterns smtp.yourdomain.com or smtp.theirdomain.com
You can also tighten SPF down so that only specific email addresses, rather than the whole domain, are allowed to send via third-party services: https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/
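The transport rule above, expressed as detection logic that can be dry-run against sample messages before it goes live. This is an added example, not part of the original post; `yourdomain.com` and the relay hostnames are assumed placeholders and the two sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "yourdomain.com"  # assumption: the domain being protected
# Assumption: relays that legitimately send on the domain's behalf (the rule's exception)
TRUSTED_RELAYS = {"smtp.yourdomain.com", "smtp.theirdomain.com"}

def from_domain(msg):
    """Domain part of the From header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def came_via_trusted_relay(msg):
    """True if any Received header names one of the trusted relays."""
    for hdr in msg.get_all("Received", []):
        if any(relay in str(hdr).lower() for relay in TRUSTED_RELAYS):
            return True
    return False

def should_quarantine(raw):
    """Mirror of the transport rule: external origin and our domain in From."""
    msg = email.message_from_string(raw, policy=policy.default)
    if from_domain(msg) != OUR_DOMAIN:
        return False  # not claiming to be us; nothing to moderate
    if came_via_trusted_relay(msg):
        return False  # the documented exception for our own relays
    return True

# Constructed sample messages for a dry run.
SPOOF = """Received: from mail.example.net (mail.example.net [203.0.113.5])
From: "CEO" <ceo@yourdomain.com>
To: finance@yourdomain.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LEGIT = """Received: from smtp.yourdomain.com (smtp.yourdomain.com [198.51.100.7])
From: "CEO" <ceo@yourdomain.com>
To: finance@yourdomain.com
Subject: Board minutes

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(name, "-> quarantine" if should_quarantine(raw) else "-> deliver")
```

Received headers are added by every hop and the sender controls the earliest ones, so keep the relay allowlist narrow and match on the hop your own gateway stamps rather than anything further down the chain.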