This article outlines steps that can be taken to investigate a spoofing incident in your Office 365 environment. We’ll introduce a set of tools that will help you get a better understanding of why and how spoofing may be happening in your environment and the steps you can take to remediate the issue.
Step 1: Check that your domain has an SPF record published in the public DNS host and that it is accurate.

The following tools can be used to view your SPF record:

- An SPF lookup tool:
  - Enter domain
  - Select ‘SPF Record Lookup’
- A DNS TXT record lookup:
  - Enter domain
  - Select TXT
  - Look for record starting with ‘v=spf1’

Check for the following:

- Are all the IP addresses/host names correct?
- Are all valid IP addresses/host names present?
- Is there an ‘all’ mechanism, and which qualifier does it use?
  - ~all: soft fail, used for testing
  - -all: fail, strict, mail should be rejected
  - ?all: neutral, not stated
  - +all: pass; ‘+’ is the qualifier assumed for any mechanism that has none
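The checklist above can be worked through offline once you have copied the TXT record out of the lookup tool. The following script is an added example, not part of the original article: it parses one SPF record, reports the qualifier on the ‘all’ mechanism, counts the DNS-lookup terms against the limit of 10 from RFC 7208 (a record over the limit evaluates to permerror and protects nothing), and compares the authorised sources against a list of senders you expect to find. The record string and the expected-sender set are constructed sample values.

```python
# Added example (not from the original article): an offline audit of one SPF
# record that answers the Step 1 checklist questions. SAMPLE_RECORD and
# EXPECTED below are constructed sample values.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# What each qualifier on the trailing "all" mechanism means for unlisted senders.
ALL_QUALIFIERS = {
    "-": "fail: mail from unlisted senders should be rejected",
    "~": "softfail: accepted but marked, intended for testing",
    "?": "neutral: no policy stated",
    "+": "pass: every sender on the internet is authorised",
}
# Terms that cost a DNS lookup during evaluation; RFC 7208 allows at most 10,
# and exceeding it turns the whole record into a permerror (no protection).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=](.*))?$", re.I)


@dataclass
class SpfAudit:
    valid: bool
    all_qualifier: Optional[str] = None
    lookup_count: int = 0
    senders: List[str] = field(default_factory=list)   # authorised sources found
    missing: List[str] = field(default_factory=list)   # expected but absent
    problems: List[str] = field(default_factory=list)  # findings worth fixing


def audit_spf(record: str, expected_senders: Optional[Set[str]] = None) -> SpfAudit:
    """Parse one SPF TXT record and report qualifier, lookups and missing senders."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfAudit(valid=False, problems=["record does not start with v=spf1"])
    audit = SpfAudit(valid=True)
    for index, raw_term in enumerate(terms[1:], start=1):
        qualifier, term = "+", raw_term
        if term[0] in "+-~?":          # explicit qualifier; "+" is assumed otherwise
            qualifier, term = term[0], term[1:]
        match = TERM_RE.match(term)
        if not match:
            audit.problems.append(f"unparseable term: {raw_term}")
            continue
        name, value = match.group(1).lower(), match.group(2) or ""
        if name in LOOKUP_TERMS:
            audit.lookup_count += 1
        if name == "all":
            audit.all_qualifier = qualifier
            if qualifier == "+":
                audit.problems.append("+all authorises anyone to send as this domain")
            if index < len(terms) - 1:
                audit.problems.append("terms after 'all' are never evaluated")
            break
        if name == "ptr":
            audit.problems.append("ptr mechanism is deprecated; replace with ip4/ip6/include")
        elif name in {"ip4", "ip6", "include", "a", "mx", "exists", "redirect"}:
            audit.senders.append(value or name)  # bare "a"/"mx" refer to the domain itself
    if audit.all_qualifier is None:
        audit.problems.append("no 'all' mechanism: unlisted senders get an implicit neutral")
    if audit.lookup_count > 10:
        audit.problems.append(f"{audit.lookup_count} DNS lookups exceed the limit of 10")
    if expected_senders:
        audit.missing = sorted(expected_senders - set(audit.senders))
    return audit


# Constructed sample values: a typical Office 365 tenant record plus one on-prem
# relay (198.51.100.7) that the mail team says is legitimate but is absent.
SAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all"
EXPECTED = {"203.0.113.0/24", "spf.protection.outlook.com", "198.51.100.7"}

if __name__ == "__main__":
    result = audit_spf(SAMPLE_RECORD, EXPECTED)
    print(f"all qualifier: {result.all_qualifier} -> {ALL_QUALIFIERS[result.all_qualifier]}")
    print(f"lookups used: {result.lookup_count}/10")
    print(f"missing senders: {result.missing}")
    print(f"problems: {result.problems}")
```

Run it against the record you copied and the list of sending systems collected in Step 2; anything in `missing` is a legitimate sender that will fail SPF, and anything in `problems` weakens or breaks the policy regardless of which hosts are listed.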
Step 2: Check for 3rd party spoofing.

Verify whether there are legitimate 3rd party tools sending mail as your domain on behalf of your organization. This may require some coordination with members of different departments in your organization to determine. Some examples of 3rd party tools that use legitimate spoofing:

- IT ticketing systems
- CRM that sends out a newsletter to subscribed users
- Event planners
Step 3: Obtain and check message headers

Get message headers from messages where spoofing is taking place. You want either:

- A copy of the original message.
- The text of the message header.

Use Microsoft Remote Connectivity Analyzer (https://testconnectivity.microsoft.com/), ‘Analyze message’ tab, and then:

- Get the message ID
- Check the spam score
- Check the sending domain/IP address
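The three items above can also be pulled straight out of the raw header text, which is useful when you have many samples to triage. The script below is an added example and not part of the original article: it reads a header block, extracts the message ID, the spam score (SCL) and connecting IP (CIP) that Exchange Online stamps into `X-Forefront-Antispam-Report`, the SPF/DKIM/DMARC/compauth verdicts from `Authentication-Results`, and flags the classic spoof pattern where the From header domain differs from the envelope sender. The header text is constructed; the header and field names are the ones Exchange Online uses.

```python
# Added example (not from the original article): pull the Step 3 checklist
# fields out of a raw message header block. SAMPLE_HEADERS is constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.I)


def parse_antispam_report(value: str) -> Dict[str, str]:
    """Turn 'CIP:1.2.3.4;SCL:5;...' into a dict of the stamped fields."""
    return {k.strip(): v.strip()
            for k, _, v in (part.partition(":") for part in value.split(";"))
            if k.strip()}


def summarize_headers(raw_headers: str) -> Dict[str, object]:
    """Extract message ID, spam score, sending IP/domain and spoof indicators."""
    msg = message_from_string(raw_headers)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = {k.lower(): v.lower() for k, v in AUTH_RE.findall(auth)}
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mailfrom_domain = (mailfrom.group(1).rpartition("@")[2] if mailfrom else "").lower()
    scl = int(report["SCL"]) if report.get("SCL", "").lstrip("-").isdigit() else None

    indicators: List[str] = []
    if results.get("spf") != "pass":
        indicators.append(f"SPF result is {results.get('spf', 'absent')}")
    if results.get("dmarc") not in (None, "pass"):
        indicators.append(f"DMARC result is {results['dmarc']}")
    if results.get("compauth") == "fail":
        indicators.append("composite authentication (compauth) failed")
    if from_domain and mailfrom_domain and from_domain != mailfrom_domain:
        indicators.append(f"From domain {from_domain} differs from envelope sender {mailfrom_domain}")
    if scl is not None and scl >= 5:
        indicators.append(f"Exchange Online scored it as spam (SCL {scl})")

    return {
        "message_id": (msg.get("Message-ID") or "").strip(),
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "sending_ip": report.get("CIP", ""),
        "scl": scl,
        "category": report.get("CAT", ""),
        "auth": results,
        "indicators": indicators,
    }


# Constructed sample: a message claiming to be from contoso.example that was
# actually handed in by an unrelated relay and failed every authentication check.
SAMPLE_HEADERS = "\n".join([
    "Received: from mail-relay.example.net (192.0.2.10) by mx.contoso.example with SMTP",
    "Authentication-Results: spf=fail (sender IP is 192.0.2.10) "
    "smtp.mailfrom=example.net; dkim=none (message not signed) header.d=none;"
    "dmarc=fail action=oreject header.from=contoso.example;compauth=fail reason=000",
    "X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;"
    "SFV:SPM;H:mail-relay.example.net;PTR:mail-relay.example.net;CAT:SPOOF;DIR:INB;",
    'From: "Accounts Payable" <payments@contoso.example>',
    "Return-Path: <bounce@example.net>",
    "Subject: Invoice attached",
    "Message-ID: <constructed-0001@example.net>",
    "",
])

if __name__ == "__main__":
    summary = summarize_headers(SAMPLE_HEADERS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The `message_id` value is what you carry into the message trace in Step 4, and `sending_ip` is what you compare against the SPF record from Step 1: if the IP belongs to a system identified in Step 2, the fix is to add it to the record; if it does not, the message is a genuine spoof and the question becomes why the filter policy let it reach the inbox.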
Step 4: Perform a Message Trace

Perform a message trace in Exchange Online:

- Search using the message ID.
- What inbox was the message delivered to?

You want to determine what folder the message was delivered to and verify that it is being delivered where it is expected to go based on the spam filter policy.