Monday, 11 January 2016

Spoofed email display name | Exchange 2016

We had an interesting issue with one of our customers the other day: users reported that they were receiving spoofed email from the CEO. I've replicated the issue, so in this scenario email was received from Rick Mehew (fictional CEO for

  • Sender: Rick Mehew <>
  • Recipient: 
  • Subject: Afternoon meeting

The From address is clearly not a email, so the problem is that the sender's display name is correct, and this catches users out because they don't always see the email address, for example in Outlook or on mobile devices. So we need a way to block these emails, or perform some other action on them.

Message headers

To find out more about the email, the first thing I did was use Search-Mailbox to retrieve the email from the user's mailbox and view the message headers, which are shown below:

Received: from ( by ( with Microsoft SMTP Server (TLS) id
15.0.913.22 via Mailbox Transport; Fri, 8 Jan 2016 09:51:28 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id
15.0.913.22; Fri, 8 Jan 2016 09:51:22 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id
15.0.913.22 via Frontend Transport; Fri, 8 Jan 2016 09:51:20 +0000
Received: from 1aHThX-0000QK-5p by with hostsite:113836 (Exim 4.85)
    (envelope-from <>)
    id 1aHThY-0000f7-4u
    for; Fri, 08 Jan 2016 01:51:20 -0800
Received: by emcmailer; Fri, 08 Jan 2016 01:51:20 -0800
Received: from ([])
    by with esmtps (TLSv1.2:AES128-GCM-SHA256:128)
    (Exim 4.85)
    (envelope-from <>)
    id 1aHThX-0000QK-5p
    for; Fri, 08 Jan 2016 01:51:19 -0800
Received: by with SMTP id tr5so23393497obc.2
        for <>; Fri, 08 Jan 2016 01:51:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113;
MIME-Version: 1.0
X-Received: by with SMTP id dk3mr83764828oeb.78.1452246673512;
Fri, 08 Jan 2016 01:51:13 -0800 (PST)
Received: by with HTTP; Fri, 8 Jan 2016 01:51:13 -0800 (PST)
Date: Fri, 8 Jan 2016 10:51:13 +0100
Message-ID: <>
Subject: Afternoon meeting
From: Rick Mehew <>
To: <>
Content-Type: multipart/alternative; boundary="089e0122867c19f5720528cf8707"
Received-SPF: SoftFail ( domain of transitioning discourages use of as permitted sender)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;;;
X-FM-OS: Linux 2.2.x-3.x
X-PolicySMART: 4760852
X-SPAM-Status: NO, 0.0 / 4.0
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-Network-Message-Id: 29da57e2-9e05-4bab-52ff-08d318114787
X-EXCLAIMER-MD-CONFIG: 61102a45-deb9-493a-9a01-082f19bb638a
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthAs: Anonymous

For more information about the Search-Mailbox cmdlet, see here.
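As an added example (not code from the original post), the steps above in the Exchange Management Shell: copy the reported message out of the user's mailbox with Search-Mailbox, then run a quick triage over the pasted headers to pull out the piece that matters here, the display name versus the address in From, alongside the authentication results that all pass. The mailbox names, domains, hosts and IP addresses below are constructed placeholders, and the header sample is a constructed imitation of the headers above, not the real ones.

```powershell
# Added example, not from the original post. Assumptions: 'user@example.com' is
# the reporting user, 'Discovery Search Mailbox' is the target mailbox and
# example.com is the customer's own domain.

# Step 1: copy the message (and a full log) into the discovery mailbox so the
# headers can be read from the item's message details in Outlook/OWA.
Search-Mailbox -Identity 'user@example.com' `
    -SearchQuery 'Subject:"Afternoon meeting"' `
    -TargetMailbox 'Discovery Search Mailbox' `
    -TargetFolder 'SpoofInvestigation' `
    -LogLevel Full

# Step 2: paste the headers and triage them. Constructed sample mirroring the
# post's case: a Gmail-style sender with the CEO's display name, SPF pass,
# DKIM present, Sender ID pass, connection unauthenticated.
$headers = @'
Received: from smtp.example.net ([192.0.2.10]) by mx.example.com with esmtps
From: Rick Mehew <rick.mehew.ceo@gmail.example>
To: <user@example.com>
Subject: Afternoon meeting
Received-SPF: pass (mx.example.com: domain of rick.mehew.ceo@gmail.example designates
    192.0.2.10 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.example; s=20120113;
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-AuthAs: Anonymous
'@

function Get-HeaderValue {
    param([string]$Raw, [string]$Name)
    # Unfold RFC 5322 continuation lines (newline followed by whitespace), then
    # return the value of the first header with the requested name.
    $unfolded = $Raw -replace "`r?`n[ \t]+", ' '
    $pattern  = '^' + [regex]::Escape($Name) + ':\s*(.*)$'
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match $pattern) { return $Matches[1] }
    }
}

function Test-DisplayNameSpoof {
    param([string]$Raw, [string]$InternalDomain, [string[]]$ProtectedNames)
    $from = Get-HeaderValue -Raw $Raw -Name 'From'
    # Split "Display Name <address>" into its two parts; a bare address has no display name.
    if ($from -match '^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$') {
        $display = $Matches[1].Trim(); $address = $Matches[2]
    } else {
        $display = ''; $address = $from.Trim()
    }
    $domain   = ($address -split '@')[-1]
    $external = $domain -ne $InternalDomain
    # -contains is case-insensitive in PowerShell, matching how users read names.
    $protected = $ProtectedNames -contains $display
    [pscustomobject]@{
        DisplayName    = $display
        Address        = $address
        ExternalSender = $external
        NameProtected  = $protected
        SPF            = (Get-HeaderValue -Raw $Raw -Name 'Received-SPF') -replace '\s.*$'
        DKIMDomain     = ((Get-HeaderValue -Raw $Raw -Name 'DKIM-Signature') -split ';' |
                            Where-Object { $_.Trim() -like 'd=*' }) -replace '^\s*d=', ''
        SenderId       = Get-HeaderValue -Raw $Raw -Name 'X-MS-Exchange-Organization-SenderIdResult'
        AuthAs         = Get-HeaderValue -Raw $Raw -Name 'X-MS-Exchange-Organization-AuthAs'
        # The only signal that identifies this message: a protected display name
        # arriving from outside the organization, with every reputation check passing.
        Suspect        = $external -and $protected
    }
}

Test-DisplayNameSpoof -Raw $headers -InternalDomain 'example.com' -ProtectedNames 'Rick Mehew' |
    Format-List
```

Run against the constructed sample, Suspect comes out True while SPF, SenderId and the DKIM domain all look healthy, which is exactly the situation the next section walks through: none of the usual checks will stop this message because none of them looks at the display name.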

In OWA we can see that the email address is clearly not from someone within the organization:


How to block spoofed email

Now let's look at how we can prevent this type of email, starting with whether the normal methods can block it:

Sender ID Filtering

We cannot use Sender ID filtering because the email is sent from Gmail using ( and this address is listed as a permitted sender; the headers above show both Received-SPF: pass and X-MS-Exchange-Organization-SenderIdResult: Pass. SPF and Sender ID only authorize the sending domain, and the spoofed part of this message is the display name, which neither check looks at.

Reverse DNS checks

There is a valid PTR record for which resolves to and there’s also a valid A record which resolves to Reverse DNS checks out. For more information about reverse DNS, see here.

DKIM

The email has a valid DKIM signature. A valid signature only proves the message was not altered after the signing domain signed it; it says nothing about whether the display name belongs to anyone in the organization.

IP blacklist

The IP is not on any blacklist.

Content filtering

Content filtering cannot be used as there are no specific words that we can look for to identify this email.

This email has in fact come from a valid Gmail SMTP server, which is why none of the reputation-based checks above can block it.

Transport rule

The way to get Exchange to recognize this email is to set up a custom transport rule, which we can use to identify the email and perform any action on it. To identify the display name, the transport rule conditions need to match emails that have "Rick Mehew" in the "From" header and whose sender is outside the organization, so the rule doesn't affect internal email delivery for Rick Mehew.

Note that if Rick Mehew has an external account (i.e. a personal email account which is not part of the Exchange organization) then you'll need to add that email address as an exception to the rule so his mail is not tagged as spam.

In this example we are prepending the subject line of the email with SPAM to notify users:

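The same rule built in the Exchange Management Shell instead of the EAC, as an added example that is not code from the original post. It assumes the protected display name is 'Rick Mehew' and that 'rick.mehew@example.org' is a hypothetical personal address of his to exempt; it starts the rule in audit mode so the message trace can be checked before anything is actually tagged.

```powershell
# Added example, not from the original post. Assumptions: the name below is the
# display name to protect; the address is a hypothetical external mailbox that
# should bypass the rule (replace or remove it).
$ceoName     = 'Rick Mehew'
$ceoPersonal = 'rick.mehew@example.org'

$rule = @{
    Name                        = 'Tag external mail spoofing CEO display name'
    # Condition 1: the From header (display name plus address) contains the name.
    HeaderContainsMessageHeader = 'From'
    HeaderContainsWords         = $ceoName
    # Condition 2: the sender is outside the Exchange organization, so the
    # CEO's own internal mail is left alone.
    FromScope                   = 'NotInOrganization'
    # Exception: his real external mailbox, otherwise mail he forwards from
    # it would be tagged as well.
    ExceptIfFrom                = $ceoPersonal
    # Action: warn users in the subject line.
    PrependSubject              = 'SPAM: '
    # Audit first; switch to Enforce once the message trace shows only real hits.
    Mode                        = 'Audit'
    SetAuditSeverity            = 'Medium'
}
New-TransportRule @rule

# Confirm what was created.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, FromScope, HeaderContainsMessageHeader,
                HeaderContainsWords, ExceptIfFrom, PrependSubject

# After the audit period, when the hits look right, turn the action on:
# Set-TransportRule -Identity $rule.Name -Mode Enforce
```

The From-header match is a contains match, so it also fires on the address part of the header and on any longer name that includes the words; that is harmless for an uncommon name like this one but worth remembering before protecting a common one.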

Now when we get emails from, they will appear as below with “SPAM” prepended to the subject to inform users:


This should help you out with this type of issue. All the best!



  2. What if you use 3rd party for some emails like, MailChimp, would those emails be marked SPAM because it's from "Outside" the organization?

    1. You can add an exception to look at the "sender" header and put in whatever MailChimp uses there to have it bypass the rule.

  3. So this Transport rule has to be configured for each mailbox? Is this only available in Exchange 2016 or was it in earlier releases?

    1. Hey Marla, this is months later, but I just implemented in O365 as a "mail flow" rule, so it affects all mailboxes.

    2. @Kyler, I'm not sure how this was implemented for all users in Mail Flow, can you explain? Is there a wildcard that I can use to replace Rick specifically?

    3. Hey Dan,

      I misunderstood your question. I created a mail flow rule, but only for a single source of email - the CEO's name. I don't have a method of using a type of wildcard for any inbound email. Nor do I recommend it - I imagine you'd catch some valid spam, but also some happenstance email when an employee is named "John Smith" and a real business contact is also named "John Smith".

    4. Hey Dan,

      You can use a "containing" match - "If [message header] [from] contains 'Rick'" then take an action. But be careful unless you are looking for an uncommon name - a filter for "john" is going to catch a high percentage of email.

  4. Just had to implement this, thanks so much for posting the details!

  5. Mark,

    Any idea how to make this for all internal users and not just Rick so we don't have to add a rule for each person in the company?

    1. You can modify the rule by mentioning the domain:

      From : Domain
      sender is located : outside
      Action : Prepend as SPAM

  6. Is it possible to create a mail flow rule that compares sender address with reply-to address in the mail header and if they don't match deletes the mail?

    1. Keep in mind that this would block most SaaS ticketing solutions (used by most modern IT and software engineering teams), anything done by a remailer like SurveyMonkey, MailChimp, etc. (used by most businesses' HR and leadership teams), and some other valid use cases.

      If you can find a mail flow setting, be careful with testing it out before turning it on. Probably start with the "forward to contacts for approval" setting on the mail rule so you can audit what is sent and approve what you need to.

  7. we are using this rule:

    It works well for domain spoofing, but doesn't block display name spoofing, which is increasing every week it seems. I created a rule now that blocks all C-level employees for now, like so:

    1. Sorry, I mean it blocks all C-level employees FROM BEING SPOOFED.

    2. Hey Jamie,

      You'll probably want to create exceptions for the C-levels' personal email addresses. That's the first issue I saw when I implemented this: it was blocking emails forwarded from the personal email address of the person I was helping protect.

    3. Yeah, I only have it being tagged right now, if you look at the screenshot link. So I'll monitor it and see how it behaves.

  8. Anyone know how to select a group instead of individually adding people?

  9. I know this is a little late in the game but this post is EXACTLY what we need in our organization. However when I go to setup this mail flow rule - I do not see "A message header matches" anywhere.

    Any help is appreciated

    1. Click + to add a new rule, then click "More options" when the window pops up.

    2. Yup Did that and the option isn't there. Microsoft was of no help whatsoever. See below link for screenshot.

      Any help is appreciated!

    3. I set this up using "includes any of these words," which I see in your screenshot. Then in there you can add multiple things, like "John Smith" and "jsmith" and "" Works perfectly here.

  10. So, is there a way to set up a rule to look at the DisplayName the message is from and compare it to all addresses in my GAL and then append a message if the message came from an external location? That would enable me to catch cases of name spoofing for all my users, not just specific ones I name when creating the rule as suggested.
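One way to approach the two questions above (selecting a group rather than adding people one by one, and taking the names from the directory instead of typing them), as an added example that is not from the post or the commenters. It assumes the Exchange Management Shell, a distribution group named 'Executives' whose members are the people to protect, and a hypothetical list of their personal addresses to exempt; re-running it keeps the rule in step with the directory.

```powershell
# Added example, not from the post. Assumptions: the group name, the personal
# addresses (replace with the real ones) and the rule name are placeholders.
$groupName         = 'Executives'
$personalAddresses = @('rick.mehew@example.org')
$ruleName          = 'Tag external mail spoofing executive display names'

# Pull display names straight from the group's mailbox members, so the word
# list follows the directory each time the script runs.
$names = Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    Where-Object { $_.RecipientType -like '*Mailbox*' } |
    Select-Object -ExpandProperty DisplayName |
    Sort-Object -Unique

if (-not $names) { throw "No mailbox members found in group '$groupName'." }

# A single-word display name (just a first name, or an initial) will match far
# too much external mail; surface those for a manual decision before enforcing.
$tooBroad = $names | Where-Object { $_ -notmatch '\s' }
if ($tooBroad) {
    Write-Warning ('Review before enforcing, very broad names: ' + ($tooBroad -join ', '))
}

$settings = @{
    HeaderContainsMessageHeader = 'From'
    HeaderContainsWords         = $names
    FromScope                   = 'NotInOrganization'
    ExceptIfFrom                = $personalAddresses
    PrependSubject              = 'SPAM: '
}

# Create the rule on the first run, update its word list on later runs.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @settings
} else {
    New-TransportRule -Name $ruleName -Mode Audit @settings
}
```

To cover every user rather than a group, the same pattern can read names from Get-Mailbox -ResultSize Unlimited, but a transport rule's word list has a size limit and, as the thread notes, common names will catch legitimate mail from unrelated people with the same name, so a protected group kept in audit mode first is the safer starting point.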


  12. I'm having an issue with the transport rule. For most of my customers it works, however some are complaining that they are receiving the warning needlessly. For example, receiving the warning from someone that IS inside their organization, or also from someone outside the organization but without a matching display name. Why is this occurring? Thanks











  23. Thanks ! This has helped us so much




