Microsoft Technical Bulletins

The latest updates for all the Microsoft Products you use every day.

Written by Richard Quatier

My goal is to help your business by integrating processes that automate mundane tasks and simplify complex ones without breaking budgets.

Categories: Uncategorized

May 26, 2021

Blog Home

(Updated) Spoof intelligence management enhancements for policy, insights and report

QuixTec provides technical bulletins ‘unaltered’ from Microsoft. As an authorized Microsoft Partner, experienced SharePoint development group and Office 365 expert, QuixTec’s’ custom online or on prem solutions include the latest Microsoft updates throughout initiatives that we custom develop for you.

From Microsoft Corporation
Technical Bulletin MC248392 · Published Apr 2, 2021 · Last updated May 4, 2021

Message Summary

Updated May 04, 2021: We have updated the rollout timeline below. Thank you for your patience.

The Spoof intelligence experience will introduce enhancements so that Security Administrators can gain better management of spoofing activity within their tenant. These feature updates will provide a clearer and easier way for Security Administrators to configure domain spoofing for both Cross-Org (External) and Intra-Org (Internal) email messages using a new “Tenant allow/block list policy” designed for Spoofing activity. Furthermore, users will be able to review insights provided by spoof intelligence system and take actions. Additionally, an enhanced Spoof detections report (also known as Spoof Mail Report) will show details about authentication results such as SPF, DKIM, DMARC, so users can assess configurations within their tenant and adopt industry email standards as applicable. This Spoof Mail Report will provide a historical view of up to last 90 days of spoofing activity using the report.

This message is associated with Microsoft 365 Roadmap ID 70590

When this will happen

Roll out will begin at the end of May (previouisly April) and is expected to be completed by the end of June.

How this will affect your organization

Once available, a new additional policy, “Tenant Allow/Block Lists” will appear in the list of Threat policies page, which will provide a page for “Spoofing” from where a Security Administrator can manage spoofed domains/users (i.e. email addresses) and allow or block them for the tenant. You need to have a Security Admin role as well as View-Only Configuration/View-Only Organization Management role.

As a Security Administrator, you can view, add, update, delete spoofed domain pairs using this Policy or optionally using the below PowerShell cmdlets.

  • Get-TenantAllowBlockListSpoofItems
  • New-TenantAllowBlockListSpoofItems
  • Set-TenantAllowBlockListSpoofItems
  • Remove-TenantAllowBlockListSpoofItems

Note: The existing ‘spoof intelligence policy‘ setting currently seen within the AntiSpam policy will no longer be available. You will be able to perform the actions to allow or block spoofed senders using the new Tenant allow/block lists-Spoofing policy. (Note, the legacy PS cmdlets Get-PhishFilterPolicy and Set-PhishFilterPolicy that are tied to the AntiSpam policy->Spoof intelligence policy will temporarily still be available, however it is not recommended that you use these as they will be retired in the future by the end of Dec 2021) 

Furthermore, as you might be aware, currently you can review insights as suspicious or non-suspicious spoofed domains determined by Spoof intelligence system within the past 7 days. You will be able to continue reviewing these insights in an easier way – By using spoof intelligence insight pages when you click on “View suspicious domains” or “View non-suspicious domains” links and optionally using Get-SpoofIntelligenceInsight cmdlet. Note: The spoofing activity shown on these insight pages is purely determined  by the Spoof intelligence system and accordingly allowed or blocked by the system, whereas the spoofing activity shown on Tenant Allow Block list-Spoofing page is purely determined by a Security Administrator. If you wish to update an action (shown as Allow/Block) on a particular existing domain pair while reviewing the spoof intelligence insight (in case you decide to override the action taken by Spoof intelligence), you must use the UX portal. Once you update the current action of an existing domain pair from Spoof intelligence insight page, that pair will no longer be shown on the Spoof intelligence insight page, but will be shown on Tenant allow/block list-Spoofing page because it is considered a pair determined by the Administrator. 

For a detailed Spoof detections report and a historical view of up to the last 90 days of spoofing activity, you can view Spoof detections report or optionally use Get-SpoofMailReport cmdlet.

What you need to do to prepare

You may consider updating your training and documentation as appropriate. An easy way to associate these pages is as below –

  • Spoof intelligence insight page: Spoofing activity determined purely by the Spoof intelligence system within the last 7 days. (PS cmdlet: Get-SpoofIntelligenceInsight) 
  • Tenant allow/block list-Spoofing page: Spoofing activity determined purely by Security Administrator, never expires unless deleted by Administrator (PS cmdlets: Get-TenantAllowBlockListSpoofItems, New-TenantAllowBlockListSpoofItems, Set-TenantAllowBlockListSpoofItems, Remove-TenantAllowBlockListSpoofItems) 
  • Spoof Detections report (or Spoof Mail report) page: Spoofing activity shown with detailed information about authentication results such as SPF, DKIM, DMARC ( up to last 90 days) 

ABOUT US: QuixTec, LLC is a U.S. certified Veteran Owned, modern DevOps organization and Microsoft Partner that specializes in Microsoft SharePoint, Office 365 expertise & HTML5 technologies for small to enterprise-sized organizations. The founder, Richard, has 30 years of experience working with several notable companies that include World Vision, Expedia, Microsoft, Levi Strauss, NASA, Boeing Aerospace, Los Alamos National Laboratory and the U.S. Air Force, to name a few. QuixTec is located in the Seattle area. Phone today for a free consultation and project estimate: (425) 367-9025 SHAREPOINT DEVELOPMENT – CUSTOM SOFTWARE DEVELOPMENT – OFFICE 365 EXPERTS – SHAREPOINT DOCUMENT LIBRARIES – SHAREPOINT CONUSLTANCY – CUSTOM SOLUTION DEVELOPMENT

You May Also Like…

Delayed – Changes to the way EOP moves email to Junk folder

Delayed – Changes to the way EOP moves email to Junk folder

QuixTec provides technical bulletins 'unaltered' from Microsoft. As an authorized Microsoft Partner, experienced SharePoint development group and Office 365 expert, QuixTec's' custom online or on premises solutions include the latest...