Get-SpoofIntelligenceInsight

Get-SpoofIntelligenceInsight
    [[-Identity] <HostedConnectionFilterPolicyIdParameter>]
    [<CommonParameters>]

The Get-SpoofIntelligenceInsight cmdlet returns the following information:

• SpoofedUser: The sending email address if the domain is one of your organization's domains, or the sending domain if the domain is external.
• SendingInfrastructure: The true sending domain that's found in the DNS record of the source email server. If no domain is found, the source email server's IP address is shown.
• MessageCount: The number of messages.
• LastSeen: The date when the sending email address or domain was last seen by Microsoft 365.
• SpoofType: Indicates whether the domain is internal to your organization or external.
• Action: The two possible values are Allow (messages that contain any spoofed sender email addresses in your organization are allowed from the source email server), and Block (messages that contain any spoofed sender email addresses in your organization are not allowed from the source email server).

You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Get-SpoofIntelligenceInsight

This example returns the list of senders that appear to be sending spoofed email to your organization.

$file = "C:\My Documents\Spoof Insights.csv"

Get-SpoofIntelligenceInsight | Export-Csv $file

This example exports the same list of spoofed senders to a CSV file.

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.