So this is a follow up to the previous blog post here.

Now for the vast majority of smaller business they'll primarily use Office 365 with very few services tagged on and this rule can be put into place with minimal thought.

Recently the waves of spam have focused on sending to the account holder as themselves.

Obvious blocks to this are SPF with hardfail, DKIM, and DMARC however its easy to appreciate that not all of these will be configured.

The quick fix for it all? Another exchange rule. XXXX is the placeholder for all of your office 365 hosted domains and subdomains.

Name: External Spoof Filter
Apply this rule if: The sender's domain is... "XXXX"
and
A message header includes any of these words:
Authentication-Results

"SPF: Fail" or "spf=fail" or "Received-SPF: Fail"

Do the following: Deliver the message to the hosted quarantine.

As a short note - any exceptions you add manually should be as specific as possible.