Spoof Intelligence in Microsoft 365: How to Find and Block Spoofed Senders Without Breaking Legit Mail


  • Hanna Korotka
  • 42 minutes ago
  • 3 min read

Email spoofing remains one of the most common techniques used in phishing and business email compromise attacks. Attackers forge the sender’s address to make messages appear as if they came from a trusted internal user or a well‑known external partner.


Microsoft 365 includes built‑in anti‑spoofing protection, and Spoof Intelligence adds visibility and control so administrators can safely block malicious senders while allowing legitimate ones.


What Microsoft 365 Considers “Spoofing”


In Microsoft 365, spoofing is detected when the From address in an email appears forged. This is the sender address shown to users in Outlook and other email clients. Microsoft evaluates spoofing primarily when email authentication fails or does not align correctly.


Microsoft 365 uses a combination of:

  • SPF, DKIM, and DMARC authentication

  • Sender reputation

  • Historical sending patterns

  • Domain behavior analysis


When Microsoft has high confidence that the From address is forged, the message is identified as spoofed and handled by anti‑spoofing protection.


Built‑In Anti‑Spoofing vs Spoof Intelligence


All Microsoft 365 tenants with cloud mailboxes are automatically protected by anti‑spoofing protection, even without Defender for Office 365. This built‑in protection blocks many spoofed messages before they reach inboxes.


Spoof Intelligence adds an administrative insight layer. It does not replace anti‑spoofing protection, but provides visibility into who is spoofing your domains or trusted external domains, and lets administrators decide whether a spoofed sender should be allowed or blocked.


Spoof Intelligence is available in:

  • Exchange Online Protection (baseline)

  • Microsoft Defender for Office 365 Plan 1 and Plan 2


Where to Find Spoof Intelligence in Microsoft 365


Administrators can review spoofing activity directly in the Microsoft Defender portal. The Spoof intelligence insight page (https://security.microsoft.com/spoofintelligence) opens when you select View spoofing activity in the spoof intelligence insight on the Spoofed senders tab of the Tenant Allow/Block Lists page.


The Spoof Intelligence view shows senders that Microsoft has detected as spoofed within the last seven days. These can be spoofed internal domains or external domains that interact with your organization.


Using Spoof Intelligence to Block Attackers Without Breaking Legitimate Email


Not all spoofing is malicious. Microsoft explicitly documents scenarios where legitimate senders may appear as spoofed, such as:

  • Third‑party services sending email on behalf of your domain

  • Internal applications sending notifications

  • External companies sending reports or bulk messages on your behalf

  • Mailing lists that relay messages from original senders


Spoof Intelligence is designed to help administrators distinguish between malicious spoofing and legitimate sending scenarios.


From the Spoof Intelligence insight, you can:

  • Review authentication results (SPF, DKIM, DMARC)

  • See whether Microsoft automatically allowed or blocked the sender

  • Manually override the verdict by allowing or blocking a spoofed sender


Allowing a sender does not disable spoofing protection globally. It creates a manual allow entry specifically for the spoofed sender and appears on the Spoofed senders tab in the Tenant Allow/Block List.


How Allow and Block Decisions Actually Work


When you override a spoofing verdict:

  • The entry is added to the Tenant Allow/Block List under Spoofed senders

  • The allow or block applies only to that specific combination of spoofed sender and sending infrastructure

  • It does not weaken authentication checks for other mail


Administrators can also pre‑emptively create allow or block entries for known spoofed senders before they appear in Spoof Intelligence. This is useful for well‑known third‑party services that send as your domain.


Microsoft also supports defining sending infrastructure using:

  • PTR record domains

  • IP subnets

  • DKIM‑verified domains (for hosted or shared sending platforms)
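The same review-then-override workflow described above, and the pre-emptive allow entry for a known third-party service, can be driven from Exchange Online PowerShell. This is an added example, not code from the original post or from Microsoft; it assumes Connect-ExchangeOnline has already been run, and every domain, address and IP range in it is a constructed placeholder.

```powershell
# Added example (not from the original post): review the Spoof Intelligence insight in
# Exchange Online PowerShell, then create one narrowly scoped allow and one block entry.
# Assumes Connect-ExchangeOnline has already been run with a suitably privileged account.
# All domains, addresses and IP ranges below are constructed placeholders.

# 1. Pull the insight for spoofs of your own domains (SpoofType Internal) and inspect
#    Microsoft's current verdict for each spoofed user / sending infrastructure pair.
$insight = Get-SpoofIntelligenceInsight -SpoofType Internal
$insight |
    Select-Object SpoofedUser, SendingInfrastructure, SpoofType, Action, MessageCount |
    Sort-Object MessageCount -Descending |
    Format-Table -AutoSize

# Pairs Microsoft is already blocking are the ones to check against your known vendors
$autoBlocked = $insight | Where-Object { $_.Action -eq 'Block' }
$autoBlocked | Format-Table SpoofedUser, SendingInfrastructure -AutoSize

# 2. Allow a known third-party service that sends as your domain. The entry is keyed on
#    the (SpoofedUser, SendingInfrastructure) pair, so mail from any other source claiming
#    the same domain is still evaluated normally. SendingInfrastructure may be a PTR
#    domain, an IP subnet, or a DKIM-verified domain.
$allowVendor = @{
    Identity              = 'Default'
    Action                = 'Allow'
    SpoofedUser           = 'contoso.example'          # placeholder: your accepted domain
    SendingInfrastructure = 'mta.bulkmailer.example'   # placeholder: vendor PTR domain
    SpoofType             = 'Internal'
}
New-TenantAllowBlockListSpoofItems @allowVendor

# 3. Block an unrelated netblock that keeps impersonating an executive mailbox.
$blockImpersonator = @{
    Identity              = 'Default'
    Action                = 'Block'
    SpoofedUser           = 'ceo@contoso.example'      # placeholder: impersonated address
    SendingInfrastructure = '203.0.113.0/24'           # placeholder: documentation range
    SpoofType             = 'Internal'
}
New-TenantAllowBlockListSpoofItems @blockImpersonator

# 4. Confirm the entries now on the Spoofed senders tab of the Tenant Allow/Block List.
Get-TenantAllowBlockListSpoofItems |
    Select-Object SpoofedUser, SendingInfrastructure, SpoofType, Action |
    Format-Table -AutoSize
```

Entries created this way show up on the Spoofed senders tab exactly as if they had been added from the insight page, and can be removed with Remove-TenantAllowBlockListSpoofItems.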


Best Practices From Microsoft (Without Over‑Tuning)


Microsoft’s documentation strongly recommends:

  • Keeping SPF, DKIM, and DMARC configured for all accepted domains

  • Reviewing Spoof Intelligence regularly instead of bulk‑allowing senders

  • Avoiding broad allow rules that bypass authentication

  • Allowing only known senders with verified sending behavior and infrastructure


Spoof Intelligence is intended to reduce false positives, not to replace proper authentication or anti‑phishing policies.
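Because Spoof Intelligence is meant to trim false positives rather than stand in for authentication, it is worth periodically confirming that every accepted domain actually publishes SPF and DMARC and has DKIM signing enabled. The audit below is an added example, not part of the original post; it assumes Connect-ExchangeOnline has been run and that Resolve-DnsName (Windows DnsClient module) is available.

```powershell
# Added example (not from the original post): audit SPF, DKIM and DMARC for every accepted
# domain so allow entries are not quietly covering for missing authentication.
# Assumes Connect-ExchangeOnline has been run and Resolve-DnsName is available.

$dkimConfigs = Get-DkimSigningConfig -ErrorAction SilentlyContinue

$results = foreach ($d in Get-AcceptedDomain) {
    $name = $d.DomainName.ToString()

    # SPF is a TXT record at the domain apex beginning with "v=spf1"
    $spf = Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' }

    # DMARC is a TXT record at _dmarc.<domain> beginning with "v=DMARC1"
    $dmarc = Resolve-DnsName -Name "_dmarc.$name" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=DMARC1*' }

    # p=none tells receivers to take no action, so it gives no protection against spoofing
    $policy = if ($dmarc -and ($dmarc -join ' ') -match 'p=(\w+)') { $Matches[1] } else { 'missing' }

    # DKIM signing for the domain is configured in Exchange Online, not only in DNS
    $dkim = $dkimConfigs | Where-Object { $_.Domain -eq $name }

    [pscustomobject]@{
        Domain      = $name
        HasSPF      = [bool]$spf
        SPFAllTerm  = if ($spf) { (($spf -join ' ') -split '\s+')[-1] } else { '' }  # -all / ~all / +all
        DKIMEnabled = [bool]($dkim -and $dkim.Enabled)
        DMARCPolicy = $policy
    }
}

$results | Format-Table -AutoSize

# Domains that still rely on spoof intelligence verdicts rather than real authentication
$results | Where-Object {
    -not $_.HasSPF -or -not $_.DKIMEnabled -or $_.DMARCPolicy -in 'missing', 'none'
}
```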


How We Help


At PlexHosted, we help organizations review Spoof Intelligence, validate legitimate sending sources, and safely block malicious spoofed senders without disrupting business email. As a Microsoft Cloud MSSP, we also ensure authentication, anti‑phishing policies, and tenant allow/block rules are aligned with Microsoft‑recommended security practices.

