Here are the instructions for setting up a mail flow rule for detecting spoofed messages and redirecting them.
- Log in to Exchange Online (https://outlook.office365.com/ecp/)
- Click on mail flow > rules
- From the dropdown next to the ‘+’ icon select ‘Create a new rule’
- Click on ‘More options…’
- Enter a name in the ‘Name:’ field
- Under ‘*Apply this rule if..’ select ‘is external/internal’
- In the popup select ‘Outside the organization’ and click ‘OK’
- Click the ‘add condition’ button
- Mouse over ‘The sender’ and select ‘domain is’
- In the popup window enter your domain and click the ‘+’ button and then click ‘OK’
- Under ‘*Do the following’ mouse over ‘Apply a disclaimer to the message…’ and select ‘prepend a disclaimer’.
- Click on the ‘Enter text…’ link and paste in the HTML code found under ‘HTML Code:’ at the end of these instructions
- Click on the ‘Select one…’ link and select ‘Wrap’ and then ‘OK’
- Click on the ‘add action’ button.
- From the dropdown mouse over ‘Redirect the message to…’ and select ‘these recipients’
- From the popup window select the recipients who will receive the redirected message and click ‘OK’.
- Add exceptions as needed.
  - Legitimate third-party tools may be sending mail from your domain on your behalf. Exceptions for them can be added here.
- Under ‘Choose a mode for the rule:’ select ‘Enforce’
- Adjust the activation and deactivation dates/times as desired or leave as default.
- Click ‘Save’
Once the rule is saved it will be toggled on. The rule can be toggled off by unchecking the checkbox in the ‘ON’ column in the list of mail flow rules.
HTML Code:
<div style="background-color:#FFFFE0; border:1px solid #303030; text-align: center; vertical-align: middle; line-height: 20px;">
<p style="font-size:12pt; font-family: 'Cambria','times new roman',serif;">
<span style="font-size:12pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;"> THIS IS A SPOOFED MESSAGE!!! </span>
</p>
</div>
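The same rule can be created from Exchange Online PowerShell instead of the admin center, which makes it repeatable and easy to review. This is an added example, not part of the original instructions; it assumes the ExchangeOnlineManagement module is installed, and the domain, redirect mailbox, rule name and exception IP range are placeholders to replace with your own.

```powershell
# Added example: scripted equivalent of the admin-center steps above.
# Values marked "placeholder" are assumptions; replace them before running.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$OwnDomain  = 'contoso.com'          # placeholder: your own mail domain
$RedirectTo = 'secops@contoso.com'   # placeholder: recipient of redirected mail

# Disclaimer banner from the 'HTML Code:' section of this page.
$Banner = @'
<div style="background-color:#FFFFE0; border:1px solid #303030; text-align: center; vertical-align: middle; line-height: 20px;">
<p style="font-size:12pt; font-family: 'Cambria','times new roman',serif;">
<span style="font-size:12pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;"> THIS IS A SPOOFED MESSAGE!!! </span>
</p>
</div>
'@

$Rule = @{
    Name                              = 'Redirect external mail using our domain'  # placeholder
    FromScope                         = 'NotInOrganization'   # 'Outside the organization'
    SenderDomainIs                    = $OwnDomain            # 'The sender' > 'domain is'
    ApplyHtmlDisclaimerLocation       = 'Prepend'             # 'prepend a disclaimer'
    ApplyHtmlDisclaimerText           = $Banner
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'                # fallback chosen under 'Select one…'
    RedirectMessageTo                 = $RedirectTo           # 'Redirect the message to…'
    Mode                              = 'Enforce'
    Enabled                           = $true
}

# Optional exception for a legitimate third-party sender, matched by source IP.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
# $Rule.ExceptIfSenderIpRanges = '203.0.113.0/24'

New-TransportRule @Rule

# Confirm what was created.
Get-TransportRule -Identity $Rule.Name |
    Format-List Name, State, Mode, FromScope, SenderDomainIs, RedirectMessageTo

# Equivalent of unchecking the 'ON' column:
# Disable-TransportRule -Identity $Rule.Name
```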