Spoof intelligence management enhancements for policy, insights and report

Originally posted by Microsoft Apr 3, 2021 Exchange Online 0 Comments

The Spoof intelligence experience will introduce enhancements so that Security Administrators can gain better management of spoofing activity within their tenant. These feature updates will provide a clearer and easier way for Security Administrators to configure domain spoofing for both Cross-Org (External) and Intra-Org (Internal) email messages using a new “Tenant allow/block list policy” designed for Spoofing activity. Furthermore, users will be able to review insights provided by spoof intelligence system and take actions. Additionally, an enhanced Spoof detections report (also known as Spoof Mail Report) will show details about authentication results such as SPF, DKIM, DMARC, so users can assess configurations within their tenant and adopt industry email standards as applicable. This Spoof Mail Report will provide a historical view of up to last 90 days of spoofing activity using the report.

This message is associated with Microsoft 365 Roadmap ID 70590

When this will happen

Roll out will begin at the end of April and is expected to be completed by the end of June.

How this will affect your organization

Once available, a new additional policy, “Tenant Allow/Block Lists” will appear in the list of Threat policies page, which will provide a page for “Spoofing” from where a Security Administrator can manage spoofed domains/users (i.e. email addresses) and allow or block them for the tenant. You need to have a Security Admin role as well as View-Only Configuration/View-Only Organization Management role.

As a Security Administrator, you can view, add, update, delete spoofed domain pairs using this Policy or optionally using the below PowerShell cmdlets.

  • Get-TenantAllowBlockListSpoofItems
  • New-TenantAllowBlockListSpoofItems
  • Set-TenantAllowBlockListSpoofItems
  • Remove-TenantAllowBlockListSpoofItems

Note: The existing ‘spoof intelligence policy‘ setting currently seen within the AntiSpam policy will no longer be available. You will be able to perform the actions to allow or block spoofed senders using the new Tenant allow/block lists-Spoofing policy. (Note, the legacy PS cmdlets Get-PhishFilterPolicy and Set-PhishFilterPolicy that are tied to the AntiSpam policy->Spoof intelligence policy will temporarily still be available, however it is not recommended that you use these as they will be retired in the future by the end of Dec 2021) 

Furthermore, as you might be aware, currently you can review insights as suspicious or non-suspicious spoofed domains determined by Spoof intelligence system within the past 7 days. You will be able to continue reviewing these insights in an easier way – By using spoof intelligence insight pages when you click on “View suspicious domains” or “View non-suspicious domains” links and optionally using Get-SpoofIntelligenceInsight cmdlet. Note: The spoofing activity shown on these insight pages is purely determined  by the Spoof intelligence system and accordingly allowed or blocked by the system, whereas the spoofing activity shown on Tenant Allow Block list-Spoofing page is purely determined by a Security Administrator. If you wish to update an action (shown as Allow/Block) on a particular existing domain pair while reviewing the spoof intelligence insight (in case you decide to override the action taken by Spoof intelligence), you must use the UX portal. Once you update the current action of an existing domain pair from Spoof intelligence insight page, that pair will no longer be shown on the Spoof intelligence insight page, but will be shown on Tenant allow/block list-Spoofing page because it is considered a pair determined by the Administrator. 

For a detailed Spoof detections report and a historical view of up to the last 90 days of spoofing activity, you can view Spoof detections report or optionally use Get-SpoofMailReport cmdlet.

What you need to do to prepare

You may consider updating your training and documentation as appropriate. An easy way to associate these pages is as below –

  • Spoof intelligence insight page: Spoofing activity determined purely by the Spoof intelligence system within the last 7 days. (PS cmdlet: Get-SpoofIntelligenceInsight) 
  • Tenant allow/block list-Spoofing page: Spoofing activity determined purely by Security Administrator, never expires unless deleted by Administrator (PS cmdlets: Get-TenantAllowBlockListSpoofItems, New-TenantAllowBlockListSpoofItems, Set-TenantAllowBlockListSpoofItems, Remove-TenantAllowBlockListSpoofItems) 
  • Spoof Detections report (or Spoof Mail report) page: Spoofing activity shown with detailed information about authentication results such as SPF, DKIM, DMARC ( up to last 90 days) 

Message ID: MC248392

No comments yet

Leave a Reply

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: