The purpose of this article is to outline the steps for setting up a mail flow rule that will redirect an email coming from outside of the organization that has a specific set of words (usually a name) in the from field. Phishers will try just about anything to trick a user into believing that an email is coming from a certain person or source. This mail flow rule is designed to prevent this kind of user impersonation. In our example below, an external email account is set up to show the VIP’s name in the from field. If users are not careful, they could mistake an email like this for a legitimate one. If they are busy and respond hastily, they may accidentally share sensitive information with an attacker or click on a malicious link.

How It Works:

If email comes from outside the organization and the from field includes one of a few variations of a VIP’s name, prepend a description to the subject of the email and redirect the email to a different email address.

Steps to set up the rule:

  1. Navigate to the following URL and log in with Office 365 global admin credentials:


  2. On the left navigation click ‘mail flow’.

  3. Click the ‘+’ icon and select ‘Create a new rule’ from the dropdown.

  4. In the popup window scroll toward the bottom and click ‘More options…’.

  5. In the top field enter a descriptive name for the rule.

  6. Under ‘*Apply this rule if…’ mouse over ‘The sender…’ and then select ‘is external/internal’.

  7. From the popup window select ‘Outside the organization’ and then click ‘OK’.

  8. Click the ‘add condition’ button.

  9. Click on the dropdown under ‘and’ and mouse over ‘A message header…’.

  10. Select ‘includes any of the words’ from the list.

  11. Find the link that says ‘Enter text…’ and click on it.

  12. In the ‘specify header name’ popup enter ‘From’ and click ‘OK’.

  13. Find the link that says ‘Enter words…’ and click it.

  14. Specify the name of the person in the blank field and click the ‘+’ button.

  15. Under ‘*Do the following’ select ‘Prepend the subject of the message with…’.

  16. In the popup box specify the subject prefix and click ‘OK’.

  17. Click the ‘add action’ button.

  18. From the selection under ‘and’ mouse over ‘Redirect the message to…’ and select ‘these recipients’.

  19. From the popup window search for the recipient(s), click the ‘add ->’ button and then click ‘OK’.

  20. Click ‘Save’.
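
The rule built in steps 5 through 19 can also be created from Exchange Online PowerShell. The following is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, and the admin account, VIP name variations, subject prefix and review mailbox are placeholders.

```powershell
# Added example: all names and addresses below are placeholders (assumptions).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$ruleName    = 'VIP impersonation - Jane Doe'               # step 5: descriptive name
$vipNames    = 'Jane Doe', 'Doe, Jane', 'Jane A. Doe'       # step 14: name variations
$prefix      = '[POSSIBLE IMPERSONATION] '                  # step 16: subject prefix
$reviewInbox = 'security-review@contoso.example'            # step 19: redirect target

$params = @{
    Name                        = $ruleName
    FromScope                   = 'NotInOrganization'       # steps 6-7: sender is outside the organization
    HeaderContainsMessageHeader = 'From'                    # step 12: header to inspect
    HeaderContainsWords         = $vipNames                 # steps 10 and 14: includes any of these words
    PrependSubject              = $prefix                   # steps 15-16
    RedirectMessageTo           = $reviewInbox              # steps 17-19
}

# Create the rule only if one with this name does not already exist.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Warning "A rule named '$ruleName' already exists; review it instead of creating a duplicate."
} else {
    New-TransportRule @params | Out-Null
}

# Show the saved conditions and actions so they can be compared with the intended settings.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, HeaderContainsMessageHeader,
                HeaderContainsWords, PrependSubject, RedirectMessageTo

Disconnect-ExchangeOnline -Confirm:$false
```

Scripting the rule keeps the list of name variations in one place, which makes it easier to review and to repeat for additional VIPs.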

Steps to test the rule:

  1. From an external email account whose From field contains the words or text specified in step 14 above, send an email to a user in your organization.

  2. The expected result is that the email will be redirected to the recipient(s) specified in step 18 above with the prepended message defined in step 16 above.