How to monitor and block EchoSpoofing with a Data Protection Policy

Article ID: 375474

Products

Email Security.cloud

Issue/Introduction

How to create a data protection policy to monitor and block EchoSpoofing.

EchoSpoofing is a technique that lets a bad actor spoof the From address of domains registered in ClientNet by relaying a message through Office 365. Because the message arrives via the Office 365 relay, it passes email authentication checks. EchoSpoofing is possible because the Office 365 SMTP relay allows Office 365 customers to send mail from any domain.

Cause

In July 2024, a vulnerability in Office 365 was discovered that allowed attackers to bypass email authentication checks when a message is relayed. Attackers were able to send millions of spoofed emails impersonating large brands. The phishing emails originated on an SMTP virtual server, were routed through Office 365 Exchange Online, and then passed through a domain-specific relay server.

Note: Several very specific configuration requirements must be in alignment for an attack to occur, which we will not detail in this article.

Resolution

Learn how to create a policy in Broadcom Email Security.cloud Data Protection to detect EchoSpoofing.

To detect EchoSpoofing, we'll create a Data Protection policy that inspects the "X-OriginatorOrg" header, which Microsoft adds to relayed mail, and checks whether it matches your domain. If it does not match, you can decide on the appropriate action.

Create a policy to detect EchoSpoofing

  1. In the cloud portal, navigate to Services > Data Protection.
  2. Create a new Data Protection policy, and configure it as follows:
    • Name: Anti-Spoofing
    • Apply to: Outbound email only
    • Execute if: All rules are met
    • Action: Log Only. Other actions are available, which depend on the result you intend. We recommend logging activities initially before advancing to other actions.
    • Administrator email: Configure a non-production administrator email address. This must be a non-production address because Data Protection policy administrators are automatically whitelisted from all Data Protection policies to avoid mail loops.
    • Notifications: Administrator
  3. Add a new Rule, and configure it as follows:
    • Name: Match OrigID
    • Set it to: ALL conditions are met
    • Add a new condition, Content Keyword List
    • Click > Create a new Keyword List
    • Name: Originator Orgs
    • Category: None
    • Content Type: Keywords
    • Add list item: X-OriginatorOrg:<your company's domain name> (e.g. x-originatororg: example.org)
    • Click Save.
    • Condition options:
      • Email contains: none of the keywords in the selected lists
      • Case sensitive: No
      • Look in: Header
    • Click Save.
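The following Python script is an added example, not Broadcom's code or part of the Email Security.cloud product: it emulates the "Match OrigID" rule above (look only in headers, case-insensitive, fire when no X-OriginatorOrg keyword for your own domain is present) so you can sanity-check sample messages while the policy is still in Log Only mode. The domain `example.org`, the sample messages and the function names are constructed assumptions. It is slightly stricter than the portal rule in one respect: it requires every X-OriginatorOrg instance in the headers to name one of your domains, rather than passing a message as soon as one keyword is found.

```python
"""Emulate the EchoSpoofing Data Protection rule: flag outbound mail whose
X-OriginatorOrg header is absent or names a tenant other than our own."""
from email import message_from_string
from typing import Dict, Iterable, List

# Constructed sample value; substitute the domains registered in ClientNet.
OWN_DOMAINS = {"example.org"}


def originator_orgs(raw_message: str) -> List[str]:
    """Return every X-OriginatorOrg value found in the headers, lower-cased.

    The email parser matches header names case-insensitively, so
    'x-originatororg:' and 'X-OriginatorOrg:' are treated alike (the rule's
    'Case sensitive: No'), and it stops parsing headers at the first blank
    line, so text in the body is never considered ('Look in: Header')."""
    msg = message_from_string(raw_message)
    return [value.strip().lower() for value in msg.get_all("X-OriginatorOrg", [])]


def is_echo_spoofing_candidate(raw_message: str,
                               own_domains: Iterable[str] = OWN_DOMAINS) -> bool:
    """True when the rule would fire for this message.

    It fires when the header is missing (nothing to match) or when any
    instance names a tenant other than ours; every instance must be one of
    our own domains for the message to pass."""
    allowed = {d.lower() for d in own_domains}
    orgs = originator_orgs(raw_message)
    return not orgs or any(org not in allowed for org in orgs)


# Constructed sample messages (not real traffic) covering the cases that matter.
SAMPLES: Dict[str, str] = {
    # Relayed by our own tenant: header present and matches.
    "legit": (
        "From: alice@example.org\n"
        "To: bob@partner.test\n"
        "X-OriginatorOrg: example.org\n"
        "Subject: Q3 invoice\n"
        "\n"
        "Hello Bob,\n"
    ),
    # Same, but with different casing; must still pass.
    "mixed_case": (
        "From: alice@example.org\n"
        "To: bob@partner.test\n"
        "x-originatororg: Example.ORG\n"
        "Subject: Q3 invoice\n"
        "\n"
        "Hello Bob,\n"
    ),
    # From address is ours, but the relaying tenant is someone else's.
    "other_tenant": (
        "From: alice@example.org\n"
        "To: bob@partner.test\n"
        "X-OriginatorOrg: other-tenant.example\n"
        "Subject: Urgent payment\n"
        "\n"
        "Please wire the funds today.\n"
    ),
    # No header at all: nothing to match, so the rule fires.
    "no_header": (
        "From: alice@example.org\n"
        "To: bob@partner.test\n"
        "Subject: Hello\n"
        "\n"
        "No relay header here.\n"
    ),
    # Keyword only in the body must not count, because we look in headers only.
    "keyword_only_in_body": (
        "From: alice@example.org\n"
        "To: bob@partner.test\n"
        "Subject: Hello\n"
        "\n"
        "X-OriginatorOrg: example.org\n"
    ),
}


def triage(samples: Dict[str, str] = SAMPLES) -> Dict[str, str]:
    """Map each sample to the outcome the policy would record at the Log Only stage."""
    return {
        name: ("LOG: X-OriginatorOrg mismatch" if is_echo_spoofing_candidate(raw) else "PASS")
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:22} {verdict}")
```

Note that `no_header` also trips the rule: any outbound message that did not pass through the Office 365 relay will lack the header and be logged too, which is one reason to run the policy in Log Only mode first and review what it catches before moving to a blocking action.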