Optional mail flow rule: Detect or block forwarded Hoxhunt simulations in Outlook

Overview


These instructions help administrators create a mail flow rule (also known as a transport rule) that detects Hoxhunt simulation emails when they are forwarded. There are many possible reasons to implement this; one is that SOC operators can see immediately that an internally forwarded email is a Hoxhunt simulation and not a real threat. You can also prevent external forwarding of Hoxhunt simulations and avoid unnecessary confusion outside your organization.

Hoxhunt can hide a static custom string in its simulation emails, which you can then use to implement various mail flow rules. Even though the string is in the email content, it is not obviously visible to an average user.

 

Example of how your mail flow could work:

  • Email is sent from internal address
  • Email recipient is part of the SOC or Service Desk team 
  • Email contains the custom Hoxhunt string

-> Add tag "Email contains a Hoxhunt simulation; Ask the sender to report it via Hoxhunt button"

 

How to implement the mail flow rule?

Step 1:

Define the custom string to be included in the email body. Make sure the custom string uses only numbers, letters and hyphens (a-z, A-Z, 0-9 and - characters) and is at least 30 characters long. No spaces are allowed, as they break the formatting in some mail clients.

Step 2:

Add your custom string value to your Hoxhunt organization settings.

Navigate to https://admin.hoxhunt.com/settings/email-delivery

Scroll down to Custom email body identifier

Add your custom email body identifier string and choose Save

NOTE: If Hoxhunt defined the custom email body identifier for you and shared it with you, you can also use that value. Please make sure the value(s) you use match the ones you can see in the Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery

 

Step 3:

If you are configuring M365, log in to M365 and navigate to Admin -> Admin Center -> Exchange -> Mail flow -> Rules (https://admin.exchange.microsoft.com/#/transportrules)

If you are configuring on-premises Exchange, log in to the Exchange Admin Center.

 

Step 4:

Under Mail flow, select Rules and create a new rule.

 

Examples

Example 1: Notify the internal receiver (co-worker) of a forwarded Hoxhunt simulation

Name the rule: Reveal internally forwarded Hoxhunt simulation to any internal recipient

Apply this rule if...

  • The sender is located -> Inside the organization
  • The recipient is located -> Inside the organization
  • The subject or body matches these text patterns -> [custom string agreed with Hoxhunt]

Do the following...

  • Prepend the subject of the message with -> "This is a Hoxhunt Simulation"
    This will notify the receiver that the email contains a Hoxhunt simulation

    • And / Or
  • Add a disclaimer to the message -> prepend -> "This is a Hoxhunt Simulation"
    This will notify the receiver that the email contains a Hoxhunt simulation

Example 2: Notify the SOC team member of a forwarded Hoxhunt simulation

Name the rule: Reveal internally forwarded Hoxhunt simulation to SOC team members

Apply this rule if...

  • The sender is located -> Inside the organization
  • The recipient is a member of -> [your SOC team AD group]
  • The subject or body matches these text patterns -> [custom string agreed with Hoxhunt]

Do the following...

  • Prepend the subject of the message with -> "This is a Hoxhunt Simulation"
    This will notify the receiver that the email contains a Hoxhunt simulation

    • And / Or
  • Add a disclaimer to the message -> prepend -> "This is a Hoxhunt Simulation"
    This will notify the receiver that the email contains a Hoxhunt simulation

 

Example 3: Prevent external forwarding of Hoxhunt simulations

Name the rule: Block Hoxhunt simulation from being forwarded externally

Apply this rule if...

  • The recipient is located -> Outside the organization
  • The subject or body matches these text patterns -> [custom string agreed with Hoxhunt]

Do the following...

  • Reject the message with an explanation...
    • Or
  • Delete the message without notifying anyone

 

TIP: You can utilise the hidden string to create any kind of rule that best suits your needs. 
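
The three example rules above can also be created from Exchange PowerShell instead of the admin center. The script below is an added example, not Hoxhunt's own code; the identifier, the SOC group address and the rejection text are constructed placeholders, and the rules are created in Audit mode so matches can be reviewed in message trace before anything is enforced.

```powershell
# Added example, not Hoxhunt's own script. Assumes an open Exchange PowerShell session
# (Connect-ExchangeOnline, or the Exchange Management Shell on-premises).
# $Identifier and $SocGroup are constructed placeholders; use your own values.
$Identifier = 'REPLACE-WITH-YOUR-CUSTOM-EMAIL-BODY-IDENTIFIER'
$SocGroup   = 'soc-team@example.com'
$Notice     = 'This is a Hoxhunt Simulation'

# Step 1 constraints: letters, digits and hyphens only, at least 30 characters.
# None of these is a regex metacharacter outside a character class, so the
# identifier can be passed to SubjectOrBodyMatchesPatterns without escaping.
if ($Identifier -notmatch '^[A-Za-z0-9-]{30,}$') {
    throw 'Identifier must be 30+ characters from a-z, A-Z, 0-9 and -'
}

# Settings shared by all three rules.
$common = @{
    SubjectOrBodyMatchesPatterns = $Identifier
    Mode                         = 'Audit'   # log matches only, take no action yet
}

# Example 1: internal sender, internal recipient -> prepend the subject.
New-TransportRule @common `
    -Name 'Reveal internally forwarded Hoxhunt simulation to any internal recipient' `
    -FromScope InOrganization -SentToScope InOrganization `
    -PrependSubject "$Notice "

# Example 2: internal sender, SOC group member -> prepend a disclaimer to the body.
New-TransportRule @common `
    -Name 'Reveal internally forwarded Hoxhunt simulation to SOC team members' `
    -FromScope InOrganization -SentToMemberOf $SocGroup `
    -ApplyHtmlDisclaimerText "<p>$Notice</p>" `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Example 3: external recipient -> reject with an explanation (constructed wording).
New-TransportRule @common `
    -Name 'Block Hoxhunt simulation from being forwarded externally' `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Hoxhunt simulations must not be forwarded outside the organization.'

# Review what was created; once the audit results look right, enforce each rule with
#   Set-TransportRule -Identity '<rule name>' -Mode Enforce
Get-TransportRule | Where-Object Name -like '*Hoxhunt simulation*' |
    Format-Table Name, State, Mode
```

Examples 1 and 2 both match a message sent internally to a SOC group member, so enable only the one you need or set rule priorities so the notice is not added twice.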

Questions or further issues?

If you need any additional help, please don't hesitate to reach out to your Onboarding Manager or Hoxhunt Support at support@hoxhunt.com.
