Information
Use spoof intelligence in the Security Center on the Anti-spam settings page to review all senders who are spoofing either domains that are part of the organization or spoofing external domains. Spoof intelligence is available as part of Office 365 Enterprise E5 or separately as part of Defender for Office 365 and as of October 2018 Exchange Online Protection (EOP).
Rationale:
Bad actors spoof domains to trick users into conducting actions they normally would not or should not via phishing emails. Running this report will inform the message administrators of current activities, and the phishing techniques used by bad actors. This information can be used to inform end users and plan against future campaigns.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To review the spoofed domains report:
Navigate to Microsoft 365 Defender https://security.microsoft.com.
Under Email & collaboration click on Policies & rules then select Threat policies.
Under Rules click on Tenant Allow / Block Lists then select Spoofed senders.
Review.
To view spoofed senders that were allowed or blocked by spoof intelligence in the last 7 days:
Connect to Exchange Online using Connect-ExchangeOnline.
Run the following PowerShell command:
Get-SpoofIntelligenceInsight
Review.