Message from Internal Domain made it through AntiPhish Protection in Defender due to Header From

Mail From (envelope-from <>) ( RFC5321.MailFrom )

Header From From: CEO Name <[email protected]>( RFC5322.From )

Reply-To: CEO Name  <[email protected]>

SPF and DKIM only apply on Mail From ( Not header from ) so it passed through DKIM and SPF Protection

Authentication-Results: spf=pass (sender IP is; dkim=pass (signature was verified);dmarc=fail action=none;compauth=fail reason=601

DMARCSet up DMARC to validate the From address domain for senders in Microsoft 365, DMARC uses SPF and DKIM to check for alignment between the domains in the MAIL FROM and From addresses. DMARC also specifies the action that the destination email system should take on messages that fail DMARC, and identifies where to send DMARC results (both pass and fail).

  1. Look to enable Dmarc in Fail Mode ( Not None )
  2. We have increased the Anti Phishing Threshold in Defender from 2 to 3
  3. Make sure all important accounts are added to Impersonation Users in Defender Anti Phish Policy
  4. We have created a Rule in Exchange to Delete any emails with Header From CEO outside the organisation  ( Can also try ‘Authentication-Results’ header contains ”compauth=fail reason=601” )
  1. We have created an Audit Rule in exchange with Header From emails so we can whitelist any legitimate emails before we turn this rule to delete
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)