by Rudy Mens19 Comments
Phishing emails are a constant threat to your IT environment. Besides all the security measures that you can take, is the awareness of your users really important. You can help them by warning them of potential phishing emails.
I have written before about how you can add a warning to phishing emails based on suspicious words in the subject or content. But another common tacking from attackers is to use impersonation.
They pretend to send the email as someone from inside your organization, using a display name that matches one of your users’ names.
You can help your users detecting these kinds of phishing emails by adding a warning to external emails that have a matching display name.
Creating a Transport Rule to add a warning when display name exists Internally with PowerShell
To add a warning to emails we will need to create a transport rule in Exchange Online. We also need a list with all the display names from our organization. Both can be done with PowerShell.
For the warning message, we are going to use the same layout as we have used for the phishing email warning. If you want to know more about it, or how to change the look, make sure you read this article.
As always, I will first explain how the script is build up and at the end of the article you can find the complete script.
Get all Display Names with Exchange Online
The first step is to get all the display names from your organization. To keep the script simple, we are going to use Exchange Online for this. You will need to choose if you want to add the names of the shared email boxes as well.
1. # Get all existing users<font></font> 2. $displayNames = (Get-EXOMailbox -ResultSize unlimited -RecipientTypeDetails usermailbox).displayname
Get Existing Transport rule
Users come and go in your organization, so we need to be able to update the list with display names. So we set our transport rule name and then check if the rule already exists later on.
1. # Set the transport rule name<font></font>
2. $transportRuleName = "Impersonation warning"<font></font>
3. <font></font>
4. # Get existing transport rule<font></font>
5. $existingTransportRule = Get-TransportRule | Where-Object {$_.Name -eq $transportRuleName}
Create the Warning Banner
We also need to define the warning banner which we are going to add to the emails:
1. $HTMLDisclaimer = '<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%"><font></font> 2. <tr><font></font> 3. <td style="background:#ffb900;padding:5pt 2pt 5pt 2pt"></td><font></font> 4. <td width="100%" cellpadding="7px 6px 7px 15px" style="background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word"><font></font> 5. <div style="color:#222222;"><font></font> 6. <span style="color:#222; font-weight:bold;">Warning:</span><font></font> 7. This email was sent from outside the company and it has the same display name as someone inside our organisation. This is probably a phishing mail. Do not click on links or open attachments<font></font> 8. unless you are certain that this email is safe.<font></font> 9. </div><font></font> 10. </td><font></font> 11. </tr><font></font> 12. </table><font></font> 13. <br/>'
Create the Transport Rule with PowerShell
With all the components in place, we can add the transport rule with PowerShell. The rule will be applied to all emails sent from outside the organization, where the From field matches one of the display names.
1. Write-Host "Creating Transport Rule" -ForegroundColor Cyan<font></font> 2. <font></font> 3. # Create new Transport Rule<font></font> 4. New-TransportRule -Name $transportRuleName `<font></font> 5. -FromScope NotInOrganization `<font></font> 6. -SentToScope InOrganization `<font></font> 7. -HeaderMatchesMessageHeader From `<font></font> 8. -HeaderMatchesPatterns $displayNames `<font></font> 9. -ApplyHtmlDisclaimerLocation Prepend `<font></font> 10. -ApplyHtmlDisclaimerText $HTMLDisclaimer `<font></font> 11. -ApplyHtmlDisclaimerFallbackAction Wrap<font></font> 12. <font></font> 13. Write-Host "Transport rule created" -ForegroundColor Green
The complete script
Putting it all together results in the script below. You can also download it from my Github repo.
1. # Connect to Exchange Online<font></font>
2. Write-Host "Connect to Exchange Online" -ForegroundColor Cyan<font></font>
3. Connect-ExchangeOnline<font></font>
4. <font></font>
5. $HTMLDisclaimer = '<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%"><font></font>
6. <tr><font></font>
7. <td style="background:#ffb900;padding:5pt 2pt 5pt 2pt"></td><font></font>
8. <td width="100%" cellpadding="7px 6px 7px 15px" style="background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word"><font></font>
9. <div style="color:#222222;"><font></font>
10. <span style="color:#222; font-weight:bold;">Warning:</span><font></font>
11. This email was sent from outside the company and it has the same display name as someone inside our organisation. This is probably a phishing mail. Do not click on links or open attachments<font></font>
12. unless you are certain that this email is safe.<font></font>
13. </div><font></font>
14. </td><font></font>
15. </tr><font></font>
16. </table><font></font>
17. <br/>'<font></font>
18. <font></font>
19. # Get all existing users<font></font>
20. $displayNames = (Get-EXOMailbox -ResultSize unlimited -RecipientTypeDetails usermailbox).displayname<font></font>
21. <font></font>
22. # Set the transport rule name<font></font>
23. $transportRuleName = "Impersonation warning"<font></font>
24. <font></font>
25. # Get existing transport rule<font></font>
26. $existingTransportRule = Get-TransportRule | Where-Object {$_.Name -eq $transportRuleName}<font></font>
27. <font></font>
28. if ($existingTransportRule) <font></font>
29. {<font></font>
30. Write-Host "Update Transport Rule" -ForegroundColor Cyan<font></font>
31. <font></font>
32. # Update existing Transport Rule<font></font>
33. Set-TransportRule -Identity $transportRuleName `<font></font>
34. -FromScope NotInOrganization `<font></font>
35. -SentToScope InOrganization `<font></font>
36. -HeaderMatchesMessageHeader From `<font></font>
37. -HeaderMatchesPatterns $displayNames `<font></font>
38. -ApplyHtmlDisclaimerLocation Prepend `<font></font>
39. -ApplyHtmlDisclaimerText $HTMLDisclaimer `<font></font>
40. -ApplyHtmlDisclaimerFallbackAction Wrap<font></font>
41. <font></font>
42. Write-Host "Transport rule updated" -ForegroundColor Green<font></font>
43. }<font></font>
44. else <font></font>
45. {<font></font>
46. Write-Host "Creating Transport Rule" -ForegroundColor Cyan<font></font>
47. <font></font>
48. # Create new Transport Rule<font></font>
49. New-TransportRule -Name $transportRuleName `<font></font>
50. -FromScope NotInOrganization `<font></font>
51. -SentToScope InOrganization `<font></font>
52. -HeaderMatchesMessageHeader From `<font></font>
53. -HeaderMatchesPatterns $displayNames `<font></font>
54. -ApplyHtmlDisclaimerLocation Prepend `<font></font>
55. -ApplyHtmlDisclaimerText $HTMLDisclaimer `<font></font>
56. -ApplyHtmlDisclaimerFallbackAction Wrap<font></font>
57. <font></font>
58. Write-Host "Transport rule created" -ForegroundColor Green<font></font>
59. }<font></font>
60. <font></font>
61. # Close Exchange Online Connection<font></font>
62. $close = Read-Host Close Exchange Online connection? [Y] Yes [N] No <font></font>
63. <font></font>
64. if ($close -match "[yY]") {<font></font>
65. Disconnect-ExchangeOnline -Confirm:$false | Out-Null<font></font>
66. }
Transport Rule in Exchange Online
You can find the transport rule in Exchange Online after you have executed the script:
- Open the Exchange Admin Center
- Expand Mail flow and select Rules
- Open the rule Impersonation Warning to see the details
Wrapping Up
If you are adding the names of shared mailboxes to the list as well, then you probably want to filter out names like “info” from the list, because info is pretty common 😉
The size of a transport rule is limited, so when you have a large tenant, with more than 250 users, you might need to create multiple transport rules.
If you have any questions, just drop a comment below.