How to monitor and block EchoSpoofing with a Data Protection Policy

Article ID: 375474


Products

Email Security.cloud

Issue/Introduction

How to create a data protection policy to monitor and block EchoSpoofing.

EchoSpoofing is a process that allows a bad actor to spoof the From address of domains registered in ClientNet by relaying a message through Office 365. Attackers are then able to bypass email authentication checks when the message is relayed. EchoSpoofing is possible because the Office 365 SMTP relay allows Office 365 customers to send mail from any domain.

Environment

Email Security Cloud

Cause

In July 2024, a vulnerability in Office 365 was discovered allowing attackers to bypass email authentication checks when a message is relayed. Attackers were able to send millions of spoofed emails impersonating large brands. The phishing emails originated on an SMTP virtual server routed via Office 365 Online Exchange before entering a domain-specific relay server.

Note: Several very specific configuration requirements must be in alignment for an attack to occur, which we will not detail in this article.

Resolution

Learn how to create a policy in Broadcom Email Security.cloud Data Protection to detect EchoSpoofing.

To detect EchoSpoofing, we'll create a Data Protection policy that looks at the "X-OriginatorOrg" header provided by Microsoft to determine if it matches your domain. If it does not match, you can decide on the appropriate action.

Create a policy to detect EchoSpoofing

  1. In the cloud portal, navigate to Dashboard > Services > Data Protection.
  2. Create a new Data Protection policy, and configure it as follows:
    • Name: Anti-Spoofing
    • Apply to: Outbound email only
    • Execute if: All rules are met
    • Action: Log Only. Other actions are available, which depend on the result you intend. We recommend logging activities initially before advancing to other actions.
    • Administrator email: Configure a non-production administrator email address. This must be a non-production address because Data Protection policy administrators are automatically whitelisted from all Data Protection policies to avoid mail loops.
    • Notifications: Administrator

  3. Add two Rules, and configure them as follows:

     Rule 1:

    • Name: Echospoof Org
    • Set it to: ALL conditions are met
    • Add a new condition, Content Keyword List
    • Click > Create a new Keyword List
    • Name: Originator Orgs
    • Category: None
    • Content Type: Keywords
    • Add list item: X-OriginatorOrg:
    • Click Save.
    • Condition options:
      • Email contains: a number of matches for the keywords in the selected lists
      • Case sensitive: No
      • Look in: Header
    • Click Save.

     Rule 2:

    • Name: Echospoof Exception
    • Add a new condition, Content Regular Expression Lists
    • Click > Create a new Regular Expression List
    • Name: Exceptions
    • Category: None
    • Content Type: Regular expressions
    • Add list item: X-OriginatorOrg: <your company's domain name> (e.g. X-OriginatorOrg: example\.com). You will need a similar list item for each domain that sends email outbound through the service.
    • Add list item: <your On-Prem IP addresses in the form of a regex> (e.g. \b123\.123\.123\.123\b). You will need a similar list item for each static gateway IP that sends email outbound through the service.
    • Click Save.
    • Condition options:
      • Email contains: a match for none of the regexes in the selected lists
      • Case sensitive: No
      • Look in: Header
    • Click Save.
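The two rules above amount to a simple header check: Rule 1 fires when an X-OriginatorOrg header is present at all, and Rule 2 fires when none of your exception regexes (your own tenant domain, your static gateway IPs) match in the headers; the policy acts only when both are true. The script below is an added example, not Broadcom code and not part of this article, that reproduces that logic offline so you can sanity-check your keyword and regex lists against sample headers before turning the policy from Log Only into a blocking action. The domain example.com, the gateway IP 203.0.113.10, and the three messages are constructed placeholders; substitute your own values.

```python
import re

# --- Policy configuration (constructed values; replace with your own) ---
# Rule 1 keyword list "Originator Orgs"
ORIGINATOR_ORG_KEYWORDS = ["X-OriginatorOrg:"]
# Rule 2 regular-expression list "Exceptions"
EXCEPTION_REGEXES = [
    r"X-OriginatorOrg: example\.com",  # your tenant's domain (assumed: example.com)
    r"\b203\.0\.113\.10\b",            # an on-prem gateway IP (documentation range, constructed)
]


def header_block(raw_message: str) -> str:
    """Return only the header section (everything before the first blank line).
    This mirrors the policy's 'Look in: Header' scope, so body text is ignored."""
    head, _sep, _body = raw_message.partition("\n\n")
    return head


def rule1_originator_org_present(headers: str) -> bool:
    """Rule 1 (Echospoof Org): a match for the keyword list, case-insensitive."""
    lowered = headers.lower()
    return any(kw.lower() in lowered for kw in ORIGINATOR_ORG_KEYWORDS)


def rule2_no_exception_matches(headers: str) -> bool:
    """Rule 2 (Echospoof Exception): a match for NONE of the exception regexes."""
    return not any(re.search(rx, headers, re.IGNORECASE) for rx in EXCEPTION_REGEXES)


def evaluate_policy(raw_message: str) -> dict:
    """Policy 'Anti-Spoofing': execute if ALL rules are met. The action here is
    Log Only, so the result is just a verdict dictionary for review."""
    headers = header_block(raw_message)
    r1 = rule1_originator_org_present(headers)
    r2 = rule2_no_exception_matches(headers)
    return {"rule1": r1, "rule2": r2, "flagged": r1 and r2}


# --- Constructed sample messages (not real traffic) ---
# Legitimate mail from your own Office 365 tenant: Rule 1 fires, but the
# exception regex for your domain matches, so the policy does not act.
LEGIT_TENANT = (
    "From: alice@example.com\n"
    "To: bob@partner.example\n"
    "X-OriginatorOrg: example.com\n"
    "Subject: Invoice\n"
    "\n"
    "Hello Bob\n"
)

# Mail claiming your domain in From, but relayed from a different tenant:
# Rule 1 fires and no exception matches, so the policy flags it.
SPOOFED_VIA_OTHER_TENANT = (
    "From: ceo@example.com\n"
    "To: bob@partner.example\n"
    "X-OriginatorOrg: othertenant.onmicrosoft.com\n"
    "Subject: Urgent wire\n"
    "\n"
    "Please pay\n"
)

# Mail from your on-prem gateway: no X-OriginatorOrg header at all, and the
# gateway IP is on the exception list, so neither rule fires.
ONPREM_GATEWAY = (
    "From: alerts@example.com\n"
    "Received: from mail.example.com (203.0.113.10) by relay.example.com\n"
    "Subject: Nightly report\n"
    "\n"
    "report attached\n"
)


if __name__ == "__main__":
    for label, msg in [("legit tenant", LEGIT_TENANT),
                       ("spoofed via other tenant", SPOOFED_VIA_OTHER_TENANT),
                       ("on-prem gateway", ONPREM_GATEWAY)]:
        print(f"{label:26s} -> {evaluate_policy(msg)}")
```

Two points worth checking while you are in Log Only mode: the keyword match is a plain substring test, so any header line containing the text matches regardless of case, and the domain exception as written in the article (`X-OriginatorOrg: example\.com`) matches anywhere in the header line rather than the whole value, so append `\b` or otherwise bound the pattern if your log shows unexpected exceptions.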