
Secure architecture design – How Defender for Office 365 protects against EchoSpoofing

by info.odysseyx@gmail.com


A new spoofing technique called EchoSpoofing has recently been reported to affect some Proofpoint customers. This blog provides a short overview of how this particular attack exploited their specific architecture, and explains the architectural best practices implemented by Microsoft Defender for Office 365 that help prevent security issues such as EchoSpoofing and spoofing attacks in general.

What is “spoofing”?

Spoofing is a tactic used by threat actors to disguise their identity by manipulating data, such as email sender addresses, so that it appears to come from a trusted source. The goal of this technique is usually to trick individuals or systems into taking an action, such as leaking sensitive information, granting unauthorized access, or executing financial transactions.

When the From address is spoofed, users see what looks like a legitimate email address, such as user@contoso.com. In reality, based on the information contained in the message header, the message did not come from contoso.com. Protecting this displayed address is important because it helps users trust the information they see.


As a first line of defense, users need to be able to trust what they see in the From address and be sure that it is actually the person who sent the message. To do this, email providers use various standards to validate the message's From address and protect against forgery, including:

  • Sender Policy Framework (SPF) – An email authentication standard that helps protect senders and recipients from spam, spoofing, and phishing. Adding an SPF record to your Domain Name System (DNS) zone publishes a list of approved senders that are allowed to send email from your domain.
  • DomainKeys Identified Mail (DKIM) – An email authentication standard that adds a digital signature to outgoing messages. A mail server that receives a message signed with DKIM can verify that the message came from the sender and not from someone claiming to be the sender.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – An email security standard that verifies email senders by building on the DNS-based SPF and DKIM protocols.

Defender for Office 365 uses all of these technologies and more, including spoof intelligence, to provide effective protection against spoofing. It also uses Authenticated Received Chain (ARC) to preserve the original authentication details from third-party email services that may sit in front of Microsoft 365. If you are using another vendor, please contact them for support.

What is EchoSpoofing?

“EchoSpoofing” is a process that allows bad actors to spoof the From address of a specific domain by passing messages through various services. The weakness in Proofpoint's architecture was a modifiable email routing configuration on Proofpoint servers that allowed organizations' outbound messages to be relayed through their service. Attackers used this to bypass email authentication checks when the message was relayed. As a result, the message carried updated authentication proofs that would pass at the receiving service, so it appeared trusted.

Relaying messages is a common use case, for example when forwarding. However, in this case the validity of the sender was not verified before the message was accepted and relayed. In addition, in a shared environment it is important to verify the sender to avoid this type of problem.

Defender for Office 365's secure architecture is designed to protect against EchoSpoofing

In Microsoft Defender for Office 365, messages can be sent in different ways: either by connecting directly to the SMTP endpoint or through a connector. In both cases, Microsoft verifies the sender of the message to make sure we either process the message correctly or simply reject it as an invalid relay.

In each case, the sender is verified and the message is attributed to a tenant as follows:

  1. Inbound connector – If a message comes in via an inbound connector, the SMTP mail sender (P1) or the certificate of the connector is used to attribute the connection to a specific tenant. If no attribution can be made, the connection is treated as an incoming Internet connection.
  2. Internet connection – Messages received from the Internet are treated as incoming messages and processed as such.

The diagram below shows the traffic flow and what would happen if the same attack were attempted in an environment where an organization uses Defender for Office 365 to protect its email.

[Diagram: traffic flow of the attempted attack in an environment protected by Defender for Office 365]

In the diagram above, when the message is directed to the Fabrikam.com tenant's endpoint, it is treated as Internet traffic, that is, as normal incoming traffic. The message is considered inbound to the alpineskihouse.com tenant from user@fabrikam.com. Since the From address cannot be verified based on the data in the message, due to the lack of alignment between the P1 sender and the DKIM domain, it is considered spoofed and handled accordingly. Defender for Office 365 effectively does not allow the attacker to launder the message by trying to relay it through the Fabrikam tenant, which denies the EchoSpoofing attack.
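The alignment decision described above can be sketched as follows. This is an added example, not Microsoft's implementation and not code from the original post: it assumes the receiving server has recorded its SPF and DKIM results in an Authentication-Results header, approximates relaxed alignment by subdomain matching, and uses constructed sample messages with placeholder domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lower-cased domain of an address or bare domain."""
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains using the Public Suffix List."""
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def from_verdict(raw_message):
    """Return 'authenticated' only if a passing SPF or DKIM domain aligns with From."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    results = msg.get("Authentication-Results", "")
    passing = []
    # SPF vouches for the P1 (envelope MAIL FROM) domain.
    m = re.search(r"\bspf=pass\b[^;]*?smtp\.mailfrom=([^\s;]+)", results)
    if m:
        passing.append(domain_of(m.group(1)))
    # DKIM vouches for the signing domain in d=.
    for m in re.finditer(r"\bdkim=pass\b[^;]*?header\.d=([^\s;]+)", results):
        passing.append(domain_of(m.group(1)))
    return "authenticated" if any(aligned(d, from_domain) for d in passing) else "spoofed"

# Constructed sample messages (placeholder domains, not real traffic).
LEGITIMATE = (
    "Authentication-Results: mx.alpineskihouse.com;\n"
    " spf=pass smtp.mailfrom=bounce.fabrikam.com;\n"
    " dkim=pass header.d=fabrikam.com\n"
    "From: User <user@fabrikam.com>\n\nhello\n")
# SPF and DKIM both pass, but for a domain unrelated to the From address.
UNALIGNED = (
    "Authentication-Results: mx.alpineskihouse.com;\n"
    " spf=pass smtp.mailfrom=bulk.relay.example;\n"
    " dkim=pass header.d=relay.example\n"
    "From: User <user@fabrikam.com>\n\nhello\n")

if __name__ == "__main__":
    print(from_verdict(LEGITIMATE), from_verdict(UNALIGNED))
```

The second sample shows why a bare "pass" is not enough: both checks succeed, yet neither authenticated domain aligns with the From address, so the message is classified as spoofed.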

In Microsoft Defender for Office 365, all of these protections are enabled by default and are inherent in our architecture design. There are no configuration requirements for customers.
