locked
Phishing Spam rule RRS feed

  • Question

  • Hi 

    we get spoofed spam mails from various domains with both sender and receipient doesn't contain our organization mail domain / display name. The TO is marked to some junk id and from is marked to some junk id. we checked the message heards through message analyser option in Testexchangeconnectivity.com also. we could not find our domain details anywhere. 

    Enabling DKIM , DMARC doesnt help in stopping these mails as these mails are originating from domains that are hosted in Microsoft office 365 with domain key signatures pointing to onmicrosoft.com and source of mail is from prod.outlook.com. Hence the SCL are very low because of generated from microsoft hosted services.

    To stop this kind of spam mails, i wish to create a Transport rule as,

    > sender is outside the organization and

    > receipient is outside the organization and

    > receipient does not contain our domain mail id (this option is not available)

    Then prepend the mail as suspicious Spam.

    how to do this?




    regards Sundaresan.C

    Wednesday, July 25, 2018 8:13 AM

All replies

  • Hi Sundaresan,

    Create a rule like below and check if any helps:

    Moreover, I also recommend you refer to the following article to use spoof intelligence to stop spoofing emails: Learn more about spoof intelligence


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.


    • Edited by Niko.Cheng Thursday, July 26, 2018 9:48 AM
    Thursday, July 26, 2018 9:46 AM
  • Hi

    thanks for the reply. but the domain is varying every day on this. may be i can remove that condition alone and create a rule..with a disclaimer or a prefix of subject as suspecting spam.

    But can we not put a condition as if the receipent address not in domain as?


    regards Sundaresan.C

    Thursday, July 26, 2018 11:16 AM
  • But can we not put a condition as if the receipent address not in domain as?

    Hi Sundaresan,

    By default, there is no such a built-in condition in transport rule.


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Proposed as answer by Niko.Cheng Tuesday, July 31, 2018 9:34 AM
    Monday, July 30, 2018 9:42 AM