Of the many things we do to protect our users, this is one of them. This is a script we implement across all our Exchange or O365 companies. This will identify if an outside user is trying to spoof an inside company user, usually in hopes of phishing. The script will then append text to the message letting the user know that this email is not from anyone inside the company. Every day we are doing something new and inventive to stay ahead of the hackers out there.
Script credit: Elliot Munro
Our Slightly Modified Script
We have slightly modified this script to work for us by simply running the ./filename.ps1 command from any powershell prompt. From here we are able to schedule the script to run with task scheduler or any other number of methods on a periodic basis to check for changes of employees within the company, and update them.
[code]
$StopWatch = [System.Diagnostics.StopWatch]::StartNew()
Function Test-Command ($Command)
{
Try
{
Get-command $command -ErrorAction Stop
Return $True
}
Catch [System.SystemException]
{
Return $False
}
}
IF (Test-Command “Get-Mailbox”) {Write-Host “Exchange cmdlets already present”}
Else {
$CallEMS = “. ‘$env:ExchangeInstallPath\bin\RemoteExchange.ps1′; Connect-ExchangeServer -auto -ClientApplication:ManagementShell ”
Invoke-Expression $CallEMS
$stopwatch.Stop()
$msg = “`n`nThe script took $([math]::round($($StopWatch.Elapsed.TotalSeconds),2)) seconds to execute…”
Write-Host $msg
$msg = $null
$StopWatch = $null
}
$ruleName = “External Senders with matching Display Names”
$ruleHtml = “<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 align=left width=`”100%`” style=’width:100.0%;mso-cellspacing:0cm;mso-yfti-tbllook:1184; mso-table-lspace:2.25pt;mso-table-rspace:2.25pt;mso-table-anchor-vertical:paragraph;mso-table-anchor-horizontal:column;mso-table-left:left;mso-padding-alt:0cm 0cm 0cm 0cm’> <tr style=’mso-yfti-irow:0;mso-yfti-firstrow:yes;mso-yfti-lastrow:yes’><td style=’background:#910A19;padding:5.25pt 1.5pt 5.25pt 1.5pt’></td><td width=`”100%`” style=’width:100.0%;background:#FDF2F4;padding:5.25pt 3.75pt 5.25pt 11.25pt; word-wrap:break-word’ cellpadding=`”7px 5px 7px 15px`” color=`”#212121`”><div><p class=MsoNormal style=’mso-element:frame;mso-element-frame-hspace:2.25pt; mso-element-wrap:around;mso-element-anchor-vertical:paragraph;mso-element-anchor-horizontal: column;mso-height-rule:exactly’><span style=’font-size:9.0pt;font-family: `”Segoe UI`”,sans-serif;mso-fareast-font-family:`”Times New Roman`”;color:#212121′>This message was sent from outside the company by someone with a display name matching a user in your organisation. Please do not click links or open attachments unless you recognise the source of this email and know the content is safe. <o:p></o:p></span></p></div></td></tr></table>”
$rule = Get-TransportRule | Where-Object {$_.Identity -contains $ruleName}
$displayNames = (Get-Mailbox -ResultSize Unlimited).DisplayName
if (!$rule) {
Write-Host “Rule not found, creating rule” -ForegroundColor Green
New-TransportRule -Name $ruleName -Priority 0 -FromScope “NotInOrganization” -ApplyHtmlDisclaimerLocation “Prepend” `
-HeaderMatchesMessageHeader From -HeaderMatchesPatterns $displayNames -ApplyHtmlDisclaimerText $ruleHtml
}
else {
Write-Host “Rule found, updating rule” -ForegroundColor Green
Set-TransportRule -Identity $ruleName -Priority 0 -FromScope “NotInOrganization” -ApplyHtmlDisclaimerLocation “Prepend” `
-HeaderMatchesMessageHeader From -HeaderMatchesPatterns $displayNames -ApplyHtmlDisclaimerText $ruleHtml
}
[/code]
