Transport rule for To: undisclosed-recipients:;

  • Question

  • Is there any way to create a transport rule for emails that are sent only to bcc recipients, which causes the To: header in the email to show up as 'To: undisclosed-recipients:;'? There are a lot of phishing attempts from legitimate accounts that have been compromised and this would be the best way to stop these emails. I have tried several variations of rules based on the to: header and none of them work.

    Britt

    Tuesday, July 25, 2017 2:37 PM

All replies

  • Actually, the best way to stop phishing is to enable DMARC in your tenant and quarantine any inbound messages that fail it with a transport rule.
    Tuesday, July 25, 2017 3:12 PM
    Moderator
  • I am not asking for the best way to stop phishing. I am asking for a specific configuration for a specific issue. In this case we have had multiple vendors and clients who have been phished over the last few months and, using their legitimate but compromised accounts, phishing emails were sent out to groups of people using the bcc option. Therefore I need to be able to block or otherwise modify emails that do not have recipients listed in the to: field.

    Britt

    Tuesday, July 25, 2017 10:07 PM
  • So you want to block messages that users are CCed or BCCed on?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, July 25, 2017 11:23 PM
    Moderator
  • Hi Britt,

    I'm afraid there is no way to achieve your requirement via a transport rule; see the following article for your reference:

    Email incident report created by a transport rule does not include Bcc recipients in Exchange Online for Internet messages

    Best Regards,


    Niko Cheng
    TechNet Community Support



    Wednesday, July 26, 2017 10:05 AM
    Moderator
  • It's important to note that BCC is handled at the envelope level during the SMTP transaction, not as part of the 5322 header level. That's why messages sent from external senders to ExO can't be seen by a transport rule.
    Wednesday, July 26, 2017 10:51 AM
    Moderator
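
The envelope-versus-header distinction from the last reply, as an added example that is not part of the original thread: a Python sketch that compares the SMTP envelope recipients (RCPT TO) with the To/Cc headers to flag Bcc-only deliveries and empty groups such as `undisclosed-recipients:;`. The function name, the sample messages and the assumption that envelope recipients are available (for example from MTA logs) are all constructed for illustration.

```python
from email import message_from_string, policy


def classify_delivery(raw_message, envelope_rcpts):
    """Compare envelope recipients (RCPT TO) with the To/Cc header addresses."""
    msg = message_from_string(raw_message, policy=policy.default)
    visible = set()
    empty_groups = []
    for name in ("To", "Cc"):
        for header in msg.get_all(name, []):
            for group in header.groups:
                # "undisclosed-recipients:;" parses as a named group with no members
                if group.display_name and not group.addresses:
                    empty_groups.append(group.display_name)
                visible.update(a.addr_spec.lower() for a in group.addresses)
    rcpts = {r.lower() for r in envelope_rcpts}
    return {
        "empty_groups": empty_groups,
        # delivered via the envelope but never named in a header
        "hidden_rcpts": sorted(rcpts - visible),
        # True when no envelope recipient appears in To or Cc at all
        "bcc_only": bool(rcpts) and not (rcpts & visible),
    }


# Constructed sample: every recipient is on the envelope only.
SAMPLE_BCC_ONLY = (
    "From: vendor@example.net\n"
    "To: undisclosed-recipients:;\n"
    "Subject: Invoice\n"
    "\n"
    "body\n"
)

# Constructed sample: two visible recipients plus one Bcc recipient.
SAMPLE_MIXED = (
    "From: vendor@example.net\n"
    "To: Alice <alice@example.com>\n"
    "Cc: bob@example.com\n"
    "Subject: Minutes\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(classify_delivery(SAMPLE_BCC_ONLY, ["a@example.com", "b@example.com"]))
    print(classify_delivery(
        SAMPLE_MIXED,
        ["alice@example.com", "bob@example.com", "carol@example.com"],
    ))
```
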