Category: Phishing

Best Practices in configuring Office 365 Anti Phishing Policy

Office 365 Advanced Threat Protection enables additional layer of protection against malicious URLs, Malicious Attachments and Phishing campaigns.

In my previous posts we talked about these configurations, please click on the hyperlinks below to see those posts.

1. Best practices in configuring Office 365 Safe Attachments

2. Best Practices in configuring Office 365 Safe Links.

Today we’ll take a look at anti phishing policies which can be configured in Office 365 for protection against

  • 1. User Impersonation
  • 2. Domain Impersonation
  • 3. Domain Spoofing

User Impersonation : User Impersonation configuration allows organization to list down their top executives like CEO, CFO, Directors etc and any emails coming with the exact same display name and going to users will be quarantined/delivered to Junk as per the configuration.

Domain Impersonation : Domain Impersonation configuration protects against emails coming with similar typosquatted domains like yours. For eg. your organizations domain is and attackers may send emails after registering similar looking domains like, etc.

Domain Spoofing :  Domain spoofing configuration enables domain authentication like SPF, DKIM, DMARC to be enforced validating the origin of the emails as per the from address and block/quarantine/junk those emails which fails authentication.

I have created this video tutorial of Step by Step tutorial of the recommended configurations of Anti Phishing Policies in Office 365 Advanced Threat Protection.

Hope you like the videos, please do subscribe to the channel to be updated with future tutorials.


Best Practices in configuring ATP Safe Link Policies in Office 365

One of the major attack vector used by threat actors are sending emails with malicious URLs. These emails without any malicious attachments usually has luring text which encourages users to click on a link to take any action and then take them to a Phishing URL or a webpage with malicious content.

For E.g. the email below, which looks like it has come from Microsoft to users and asking users to click on a URL which would lead to


Office 365 Advanced Threat Protection enables Safe Link policy which protects users at the time of click by verifying the URL against threat intelligence for any phishing page or malicious content.

Please watch this video on how to configure Office 365 Safe Links with recommended configurations.

if you want to see a quick demo on how Office 365 Safe works, checkout the following video.


Getting Spoofed emails delivered ? Common Office 365 Configuration Mistakes

In my previous post, we discussed how to detect Spoofed emails and build defenses against them.

If you were able to relate to some of these emails and you find them getting delivered to your user’s inbox, you may want to check some common misconfigurations on your Office 365 Tenant.

I have create this video to illustrate how these mistakes often open doors for these kind of emails to come in,

Do watch it and share your comments,

Domain Spoofing – Making things difficult for an attacker

Phishing emails comes in many shapes and form. here are various forms of phishing, organizations are currently struggling with :

Types of Phishing

1. Domain Spoofing – In this type of phishing, the email’s from address indicates it has come from reputated domains like Microsoft, Google, Paypal etc and often organization’s own domain but it really has not originated from there servers. Attackers often spoof the domain to make it look like a legitimate emails from these company’s and asking recipients to do a task like verify their account to harvest credential, download and install a file which is malicious, or visit a malicious webpage.

2. Domain Impersonation – In this type of phishing, the attackers registers a similar looking domain as your organization’s or major brands Microsoft etc, For Eg If your Organization’s domain is, attackers would register domains like, etc and then sends out emails from these domains to your users asking them to carry out a transaction, click on URLs or open an attachment. If users are not paying attention they would never be able to differentiate between original domain name of the organization and “Typosquatted” domain attacker is sending these email from.

3. User Impersonation – In this type of phishing, attackers uses the name of top executive’s names like your CEO, Director, CFO etc and then send email to their subordinates or to the other group of employees and then ask them to carry out a high value activity. These executive’s name usually have high authority which are often not questioned and hence employees falls for it without verifying the identity or the intent of the email.

While this is not a exhaustive list, attackers also use combinations of above techniques to increase their chances of a successful exploitation.

In this post, we’ll talk about Domain Spoofing in details”:

Spoofing a domain and its reputation have been into existence for ages and with the advent of various tools and scripts it has got a lot easier to carry out this attack.




Protection against Spoofed Emails

Create a SPF record for your Organization : –

SPF or Sender Policy Framework is a authentication technique to validate if the email is actually originated from designated server of the domain or not and hence helps in detecting spoofed and forged emails.

If you are an Office 365 Email customers, you can follow these steps to create your SPF Record.

DMARC and DKIM are additional domain authentication techniques you should also look at.

This will ensure if any attackers tries to spoof your domain to send emails to your organization or to others external parties will have their domain authentication failed.


If you are an Office 365 Exchange Online Customer, Inbuilt Exchange Online Protection by default protects from domain spoofing by redirecting all the emails to Junk Mailbox folder if the SPF or domain authentication is failed by marking them as High Spam or Spam.

You should definitely check your Anti Spam settings to see how you want Spam and High Spam emails to be treated,


SPAM Settings





Detecting a Spoofed email

Detecting a spoofed email is never so easy as the from address will have the exact domain name as you’d like it to have. So if an attacker is trying to spoof your own organization’s domain, your users will actually see the correct domain name in the ‘From’ address.

if you take a look at following example of an Spoofed email, the ‘from’ domain is actually showing as which is the legitimate domain of this Organization. So its not that easy to differentiate unless you are ready to dive deep into Header Analysis

Spoofed Email

Yes, you may find additional clue in the email which might seem odd and can help figure it out, you can read my previous post on finding clues for Phishing.

So lets take a look at what are the things you should look at in the email header which can help identify that this is a spoofed email.

Follow this to pull out the message headers if you are using Outlook Client.

If you are using OWA, click on the drop down menu on the right hand side and click on message details.


You may copy the message headers and then paste it to the Microsoft Message Header Analysis tool and hit analyze.

Now lets see what things you should look at:

You should find that domain Authentication like SPF = FAIL.  We’ll learn more about SPF later in this post.

Since the email is not originated from the server of the domain which it says its from, the SPF will be failed.

Also Auth AS value should be showing Anonymous. which means the email is not authenticated with a credentials.

if this email actually had been sent from your domain, the Auth As value should be “Authenticated”

Auth As

Create an Warning Message for all External Email – Mail Tips

Consider creating a caution message on the top of all the emails originating from external servers,  You can use Exchange Online mail flow rules to create these custom notifications, More info on creating disclaimers here

Mail tip

Legitimate Spoofing

Legitimate Spoofing” ? Is that even a thing? why would a spoofing be legitimate?

Well, Yes, there are emails which could be SPF failed but still be legitimate,

No SPF Records :  If you are getting an email from a organizations who have not configured and published their SPF records with their domain registrar, there is no way to authenticate them.

Cloud Hosted Email Service Provider :  If your sender’s email service is hosted on a shared tenant with a cloud service provider, there are chances that the provider cannot provide individual server details for SPF configuration for each and every email tenant.

Marketing and Newsletters : Some organizations outsources their marketing email campaign to third party companies who sends emails on behalf of their clients and hence those emails would look like as Spoof however genuine.

Spoof Intelligence to rescue :

Office 365 Customers can now take a look at the Spoof Intelligence report to see the domain pairs who are sending emails to your organizations and their domain authentication is getting failed. You also have the option to configure if you are okay to have their emails coming in while their domain authentication has failed.

Spoof Intelligence

So if you do see a domain here which is sending legitimate emails but getting failed authentication, you can come here and mark them as “Allowed to Spoof” which will ensure optimized mail flow from them.

I hope this post helps un understanding domain Spoofing and how can we make it harder for attackers to bypass the protection.

In my next post, we’ll look at a common configuration mistake which lets these Spoofed emails coming in and getting delivered, specially if the attacker is spoofing your own domain.



The Game of Phishing – How to beat your Opponent

With more than 1.4 Billion clear text user credentials accumulated and up for grabs in the dark web clearly indicates that the hunt for credentials from genuine users/Organizations is the most important phase of the the cyber kill chain.

Verizon Data Breach Investigation report 2017 says that 81{133ac7b6b546e3a9292346674892cfa2a474ed03d372a26bd3c9b466588878a9} of breaches that have occurred involved compromised credentials and in 75{133ac7b6b546e3a9292346674892cfa2a474ed03d372a26bd3c9b466588878a9} of them perpetrators were outsiders.

Phishing emails are proving to be most effective way to grab credentials of users and then use them to carry out attacks on them and their organization.

If you are new to this term, This should help.


The Mind Game

Over the years, the art of phishing has evolved and adversaries are now using more sophisticated ways to trick human mind in making a wrong judgement.

If you are fan of National Geographic’s popular show “Brain Games” like me, they’ve showed how amazing ways human brain functions. How a part of brain questions everything, sees with suspicion before making any decision and how another part of brain which simply accepts the fact and assumes it as true and takes the action.

For E.g, When you are about to cross the road, A part of brain looks at this scenario with suspicion and caution. It only makes decision to cross the road after determining that there is no threat to life from incoming vehicle. Lets call this part of the brain – Part 1

However on a different scenario, when you pickup a TV remote and about the press the power button, does you brain sees this act with same level of caution and suspicion? No, right? This time the other part of the brain makes the decision by assuming that when you press the button, the TV will turn on and nothing bad will happen. Lets call the part of the brain Part-2.

Adversaries are now using various physometeric tactics to let your Part 2 of brain acts and makes you take quick decision to act swiftly on the email and supress your other side of the brain which makes you question it.

Lets play a game.

Can you tell which of the following screenshot of the Office 365 Logon Page is a Phishing Page and which one is authentic webpage?


Fig 2

If you happen to land on one of these webpages and provide your credentials, You have just made a life of a attacker easy by handing over one of your organizations critical asset, your Username and Password.

So what could really happen when someone else have your credentials?

1. They can logon to your mailbox and use your email account to send with emails with Malicious attachments to all your colleagues. Since all your colleagues trusts you they will not use their Part 1 of brain to think twice before opening those attachments.

2. They can use your mailbox to attack your friends/family similar way.

3. They can use your mailbox to spear phish senior leaders of your organization to grab their credentials and elevate privileges.

4. They can VPN and connect to your corporate network as you and initiate exploration and then exploitation activities or just spreading a worm based ransomware in the network.

5. and much more Smile

How to be better than the game?

Detecting Signs on a Phishing Email

1. Sense of Urgency – Look for the sense of urgency in the email. If the email is asking you take an action in hurry with words like immediately, Urgently etc, be cautious.

2. Grammatical errors or spelling mistakes- More often or not, attackers from non native English speaking regions tend to make spelling or grammatical mistakes in their emails or on the Phishing site.

3. Spoofed Email Sender – Do not trust the email sender name on your email header. While it might look its coming from known sender but when you expand the Email Name, you may see a different email address (spoofed)

4. Obfuscated URLs : What you see my not be what you get. Hover your mouse on the Links to see the actual URL its taking you to. If you see Base64 in URL, move away.

5. Detailed Email Header – If you are ready to dive deep, Look at the detailed email header to review the complete mail flow and sender Info including IP address and Sender Domain.

6. Email formatting – Emails coming from various reputated organizations goes through multiple review w.r.t formatting. if the email looks weirdly formatted it may be anomalous.


Detecting Signs of a Phishing website.

If you do end up on a site by clicking on those URLs in your email, following tips can help detecting it a Phishing Site.

Yes, it would be really taxing to check every email with suspicion and open every links in the email and verify the webpage for signs of phishing.

If you are an Office 365 customers,  Advanced Threat protection of O365 protects against phishing attacks by analyzing the URLs in the emails and blocks the access to the malicious website at the time of click.

If you’d like to see a short demo on how Office 365 ATP Safe link protects against Phishing attack, check this video

To learn more about the Safe Link capabilities of Office 365 ATP, check here

PS: If you have not been able to figure out yet, Figure 2 is a phishing page 🙂



Originally Published On