How can i use the information in an email header about AntiSpam RRS feed

  • Question

  • I am the admin for an exchange server account.  I would like to stop a lot of the Fake Phishing and Ransomware attacks.  We have been receiving increasing amounts of it and sooner or later somebody is going to fall for one of these.  The email header even shows a line with  "X-Microsoft-Antispam-Untrusted:" among others but apparently being UN-trusted in and of itself doesn't them.

    These emails usually claim to be from Microsoft and contain just enough "Real" Microsoft "look and feel" to pass muster.  Most have been routed through multiple private servers with 10.xxx.xxx.xxx IP's before finally hitting real servers with Microsoft.  The most recent threatens to encrypt a system if the user doesn't send money using BitCoin to a Bitcoin address 

    What caught my attention when given to me is that whoever sent it DOES include a password that was once used by the someone the recipient knows so whoever is sending this is more than a simple hoaxer.  

    If i chose to filter out any email where the X filter for AntiSpam was set to "Untrusted"  would this be too wide a net to cast?  

    I can now add that it also has the "X-Microsoft-Exchange-Diagnostics-untrusted: " filled in as well
    • Edited by Questorfla Thursday, July 12, 2018 7:57 PM
    Thursday, July 12, 2018 7:52 PM