Reflexion KBA's: RTC
Reflexion "Spoofing Prevention" option
Posted by Max McElroy, Last modified by Max McElroy on 03 October 2019 10:39 AM

Reflexion's Spoofing Prevention option checks the addresses listed in a message's headers to determine whether an inbound message is spoofed:

If either the Display address (the From address in Outlook) or the X-Sender address (the Sender field in Reflexion Reports) claims to be from the domain receiving the mail, we will fail the incoming message. This option does NOT check the domain's SPF record or the Username field of the message. The block can be avoided by adding the X-Sender address to the Allow List, or by adding the sending IP to the IP Filtering good list.

Example of a message we would block:
From: max.mcelroy@reflexion.net [userA@reflexion.net]
To: max.mcelroy@reflexion.net [UserA@Reflexion.net]
X-Sender: abc@phishco.spm



Example of a message we would NOT block:
From: Max McElroy [abc@phishco.spm]
To: Max McElroy [UserA@reflexion.net]
X-Sender: abc@phishco.spm

In the second example, the Username field of the message copies the name of a user, but the Reflexion system only checks the email addresses listed within the headers, in this case the abc@phishco.spm address. Since this @phishco address is not listed in our Enterprise, we would not see this as a spoofed message.
There are ways to combat these Username field spoofs, however, which are outlined in the TechNet article below:
https://blogs.technet.microsoft.com/eopfieldnotes/2018/02/09/combating-display-name-spoofing/
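
The decision described above can be modelled in a few lines. This is an added example, not Reflexion's code: the function names, the dictionary layout, the RFC 5322 angle-bracket form of the sample headers and the sending IP 192.0.2.10 are all assumptions made for illustration.

```python
from email.utils import parseaddr

def address_of(header_value):
    """Return the lowercased address in a header, ignoring the Username (display name)."""
    return parseaddr(header_value)[1].lower()

def spoofing_verdict(msg, protected_domains, allow_list=(), good_ips=()):
    """Return 'fail' or 'pass' for one inbound message (hypothetical model of the option)."""
    x_sender = address_of(msg["x_sender"])
    # Documented bypasses: X-Sender on the Allow List, or sending IP on the good list.
    if x_sender in allow_list or msg.get("ip") in good_ips:
        return "pass"
    # Only the two addresses are compared; SPF and the Username field are never consulted.
    for addr in (address_of(msg["from"]), x_sender):
        if addr.rpartition("@")[2] in protected_domains:
            return "fail"
    return "pass"

# Constructed samples mirroring the two examples in this article.
BLOCKED = {
    "from": '"max.mcelroy@reflexion.net" <userA@reflexion.net>',
    "x_sender": "abc@phishco.spm",
    "ip": "192.0.2.10",  # constructed documentation-range address
}
NOT_BLOCKED = {
    "from": "Max McElroy <abc@phishco.spm>",
    "x_sender": "abc@phishco.spm",
    "ip": "192.0.2.10",
}
OUR_DOMAINS = {"reflexion.net"}

if __name__ == "__main__":
    for label, msg in (("first example", BLOCKED), ("second example", NOT_BLOCKED)):
        print(label, "->", spoofing_verdict(msg, OUR_DOMAINS))
```

The second sample passes because only the Username field carries the borrowed identity, which is the gap the TechNet article addresses.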
