In the ongoing battle against spam and phishing, technical measures have much effect as they are able to triage spam or phishing messages based on configuration or programmed rules. By now, many of these measures have been widely adopted to limit messages of those categories to reach the inbox of the end user. Measures like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) can be used to validate origination or contents of the message, or authenticate senders.
This post isn’t about those measures or how to implement them. I suggest reading this excellent DMARC implementation guide by MSFT’s Martijn van Geffen for more information on how to implement SPF and DMARC successfully. Note that his website also contains lots of tools and scripts to troubleshoot and report on SPF/DMARC. If you’re unfamiliair with his site, I suggest you have a look.
One of the weaker links in the whole chain of messaging remains the end end user. One can still devise technical measures up to a point, there are still end users out there who blindly click links or follow instructions in that message from ‘Microsoft’ requesting them to change their Office 365 password. One can not always blame the end user; phishers became very crafty in making their deceptions look genuine; even IT professionals often need to look twice to determine legitimacy of a message. For those interested, few months ago Google put a phishing quiz online where you can assess your phishing detection skills.
To assist end users processing inbound messages, many companies have resorted to providing visual clues so end users can more quickly determine the origin of a message or the message being potentially non-legit. One measure often is marking messages originating from outside the organization, by inserting a notice before the contents, or prefixing the subject with something like “[External]”.
Recently, MVP fellow Tony Redmond wrote an article on how to accomplish marking external messages using transport rules in Exchange. For example, to create a transport rule you can use the following cmdlet:
New-TransportRule -Name 'Tag External Mail' -SetHeaderName 'X-ExternalMail-Tagged' -SetHeaderValue 'True' -ApplyHtmlDisclaimerLocation Prepend -ApplyHtmlDisclaimerText '<span style="background-color:yellow;color:black;"><b>Notice</b>: This message originates from outside the organization. Make sure to validate the sender before clicking links or opening attachments.</span>' -ExceptIfHeaderContainsMessageHeader 'X-ExternalMail-Tagged' -ExceptIfHeaderContainsWords 'True' -ExceptIfSenderInRecipientList Allow -FromScope NotInOrganization
The above will create a transport rule that prepends the message with a colored (HTML) notice, inserting a message header to prevent insertion of multiple notices and allowing end users to add senders to their Safe Sender Allow List to bypass tagging messages.
However, the problem with these notices is that over time it might make end users insensitive, as messages from external sources are usually large in numbers and become part of the other visual noise like disclaimers and marketing messages. Therefor a better option might be to mark messages which fail DMARC or SPF checks, provided you are not rejecting those messages at some level.
For example, to mark messages failing DMARC or SPF checks, you could create the following transport rule:
New-TransportRule -Name 'Tag DMARCSPFFail Mail' -SetHeaderName 'X-DMARCSPFFail-Tagged' -SetHeaderValue 'True' -ApplyHtmlDisclaimerLocation Prepend -ApplyHtmlDisclaimerText '<span style="background-color:white;color:red;"><b>Warning:</b> The sender of this message could not be validated, and may not be the actual sender.</span>' -ExceptIfHeaderContain
sMessageHeader 'X-DMARCSPFFail-Tagged' -ExceptIfHeaderContainsWords 'True' -ExceptIfSenderInRecipientList Allow -FromScope NotInOrganization -HeaderMatchesMessageHeader 'Authentication-Results' -HeaderMatchesPattern 'dkim=fail','spf=TempError','spf=PermError', 'spf=SoftFail', 'spf=Fail', 'spf=None'
Of course, you could also prepend the subject with a tag to help identifying messages in this category.
More recently, Microsoft added the MailTip feature to Outlook Mobile which also helps in making end users more aware of their communications. After enabling the MailTips for external recipients using:
Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true
end users will receive a notification when replying to messages outside their organization from Outlook Mobile; Outlook Desktop already had this feature.
Outlook Desktop:
Outlook Mobile:
These MailTips are in my opinion the preferred visual clue, as it not only notifies users up front, it also doesn’t clutter message bodies with notifications and warnings.In the end, these notifications are however a small price to pay, compared to the cost of phishing or end users clicking malicious links. It would be nice if Microsoft could already show the MailTip when displaying the message, so it would prevent in accidental clicking of malicious links or attachments.
Note: Advanced Threat Protection (ATP) could of course also help companies with the protection against malicious links and attachments, however not every company has ATP licenses. In both cases, these notices might complement the overall set of measures.
Like this:
Like Loading...
Today, the Exchange Team 
Yesterday, an article was published on ZDNet, where the author claims “Russian Cyberspies” are exploiting a backdoor in Exchange. The article is based on a report of Slovakian-based ESET Research, which is no stranger on the anti-virus/malware market. The report, titled “Turla LightNeuron, One email away from remote code execution”, claims the group – Turla – leverages LightNeuron to exploit Exchange Server for malicious usage, using instructions hidden in image attachments delivered through e-mail to control the backdoor. The news was quickly picked up by other media, and it didn’t take long for customers to start asking questions on the topic. Time for some fact checking.
A little notice on a potential helpful feature which was introduced to Outlook at some point, but I wasn’t aware of before (or it’s just new). At least the option is available in Outlook v1905 build 11629.20008 C2R; it might also be available in standalone.
