Prevent display name spoofing in Microsoft Exchange 365

Recently, I have come across quite a few emails where someone pretended to be the CEO of the company and asked employees for a favor, specifically to advance money for buying gift cards. Despite having quite a few mechanisms in place to prevent spam, these emails managed to pass the spam check. Why? Because only the sender display name and the content are fake; the actual sending address is an ordinary, legitimate mailbox, so SPF, DKIM and DMARC have nothing to object to. In this post I will show how to detect and block these messages using the Microsoft Exchange 365 admin console.

Here’s an example of such a message:

So, how to deal with this? My solution is to create a Mail Flow Rule in the Exchange Admin console to block all email from <name of CEO> unless it originated from verified e-mail addresses. It is a bit tedious, but as long as Microsoft 365’s spam intelligence isn’t able to detect these messages, I guess this is a workable solution.

  • Create a new Mail Flow Rule (Mail Flow -> Rules -> new rule) and at the bottom of the panel click on ‘More Options…’.
  • Select ‘A Message Header…’ > ‘Matches these text patterns’ under ‘Apply this rule if…’
    • Enter ‘FROM’ in the ‘Enter text…’ field and enter the name or names of the person who is impersonated (make sure to use the same name(s) that person sends mail with; the pattern is matched against the From header, which contains the display name as well as the address).
  • In the next field ‘Do the following’ you can choose whatever action you feel is most appropriate. I opted for prepending a disclaimer to the message and BCC’ing the message to someone else.
  • Then add at least two exceptions:
    • ‘The sender…’ -> ‘is this person’. Select the person who is impersonated.
    • ‘The sender…’ -> ‘address matches any of these text patterns’. At least add noreply@email.teams.microsoft.com to keep receiving notifications for Teams messages. Teams messages may, depending on your region, also come from noreply@emeamail.teams.microsoft.com, but you may use a wildcard, for example noreply@*.microsoft.com (you might be tempted to add *@*.microsoft.com but that’s not accepted). This is also the place to include any personal email address that person uses to communicate with.
  • Last but not least: test the rule by sending an email from the person (make sure normal communication arrives properly) and also send an email from another email account using their name to see if the action is applied.
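The same rule built from Exchange Online PowerShell (ExchangeOnlineManagement module) instead of the admin center, as an added example that is not part of the original post. The display name, mailboxes and personal address are placeholders, and the allowed-sender patterns are written as regular expressions, which is what ‘matches these text patterns’ evaluates.

```powershell
# Added example: the mail flow rule from the steps above, created with
# New-TransportRule. All names and addresses are placeholders.
Connect-ExchangeOnline

$ceoDisplayName = 'Jane Doe'                    # display name the impersonator copies
$ceoMailbox     = 'jane.doe@contoso.example'    # the real sender (exception 1)
$watchMailbox   = 'security@contoso.example'    # receives the BCC copy

# The From: header of a spoofed message looks like
#   From: "Jane Doe" <some.random.user@example.net>
# so the condition matches the header text, not the envelope address.
# Patterns are regular expressions; escaping keeps dots and spaces literal.
$namePattern = [regex]::Escape($ceoDisplayName)

# Exception 2: legitimate third-party senders that carry the CEO's name,
# e.g. Teams notifications from noreply@email.teams.microsoft.com or
# noreply@emeamail.teams.microsoft.com, plus the CEO's personal address.
$allowedPatterns = @(
    'noreply@[a-z]+\.teams\.microsoft\.com',
    'jane\.doe@personal-mail\.example'          # placeholder personal address
)

New-TransportRule -Name 'Block CEO display name spoofing' `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $namePattern `
    -ExceptIfFrom $ceoMailbox `
    -ExceptIfFromAddressMatchesPatterns $allowedPatterns `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:red">CAUTION: this message uses the display name of an executive but was not sent from their mailbox.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -BlindCopyTo $watchMailbox `
    -Mode Audit `
    -SetAuditSeverity High

# Audit mode records matches in the rule reports without changing any mail.
# After the two tests described above (genuine mail from the CEO and Teams
# passes, a message from another account using the name is caught), enforce:
#   Set-TransportRule -Identity 'Block CEO display name spoofing' -Mode Enforce
```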

I hope this helps you to block these kinds of scam messages! If you have any questions, please comment below.
