I see a lot of email configurations in Microsoft 365 that use some form of override to ‘get around’ a delivery issue. Doing so is simply not best practice and in fact opens you up to additional attacks.
For more information, let’s review the Microsoft document:
Create safe sender lists in EOP
- We don’t recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks.
- Use Outlook safe senders – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the user’s Safe Senders or Safe Domains lists don’t prevent malware or high confidence phishing messages from being filtered.
- Use the IP allow lists – Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the IP Allow List doesn’t prevent malware or high confidence phishing messages from being filtered.
- Use allowed sender lists or allowed domain lists – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the allowed senders or allowed domains lists don’t prevent malware or high confidence phishing messages from being filtered. Do not use domains you own (also known as accepted domains) or popular domains (for example, microsoft.com) in allowed domain lists.
In short, if you are using allow lists or the like, you are creating a vulnerability in your environment that attackers can exploit. All inbound messages should be filtered through appropriately configured mail filtering policies. If you want information on setting these appropriately, see:
Mail flow best practices for Exchange Online and Office 365
Best practices for configuring standalone EOP
Recommended settings for EOP and Defender for Office 365 security
To get an overall picture of all the message overrides in your environment visit the Security and Compliance admin portal:
Locate the Reports option in the left navigation, expand it and select Dashboard. Then, on the right, locate the Threat protection status tile and select it.
From the pull-down options in the top right, select Message override.
You should now see a summary of any messages passing through your environment that are overriding your configurations. Don’t forget that you can also select View details table and use Filter in the top right of this report.
A direct link to this report can be found here:
Threat Protection status – Message override
Overriding policy conditions is something that should be avoided as much as possible, simply because it increases the risk in your environment. Also, if you haven’t already, go take a look at what messages are overriding in your environment today and try to eliminate these to improve your security.
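The Message override report shows which messages bypassed filtering; to see which configuration entries cause the bypasses, the following PowerShell, added here as an example and not code from the original post, enumerates the three override mechanisms the quoted Microsoft guidance warns about. It assumes the ExchangeOnlineManagement module is installed and that the caller holds an Exchange Online admin role; the function name Get-EopOverrideSummary is the author’s own.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the caller holds an Exchange Online admin role.
# Lists every allow-list style override so each entry can be reviewed and,
# where possible, removed in favour of correctly tuned filtering policies.
Connect-ExchangeOnline

function Get-EopOverrideSummary {
    $findings = @()

    # 1. Allowed senders / allowed domains in anti-spam (hosted content filter) policies.
    foreach ($p in Get-HostedContentFilterPolicy) {
        $entries = @(@($p.AllowedSenders) + @($p.AllowedSenderDomains) | Where-Object { $_ })
        if ($entries.Count -gt 0) {
            $findings += [pscustomobject]@{
                Override = 'Anti-spam allowed sender/domain'
                Policy   = $p.Name
                Detail   = ($entries -join ', ')
            }
        }
    }

    # 2. Connection filter IP Allow List: mail from these IPs skips spam filtering
    #    and SPF/DKIM/DMARC checks unless a mail flow rule re-verifies them.
    foreach ($c in Get-HostedConnectionFilterPolicy) {
        if ($c.IPAllowList) {
            $findings += [pscustomobject]@{
                Override = 'Connection filter IP Allow List'
                Policy   = $c.Name
                Detail   = ($c.IPAllowList -join ', ')
            }
        }
    }

    # 3. Enabled mail flow rules that set SCL to -1, which bypasses spam
    #    filtering for every message the rule matches.
    foreach ($r in Get-TransportRule) {
        if ($r.State -eq 'Enabled' -and $r.SetSCL -eq -1) {
            $findings += [pscustomobject]@{
                Override = 'Mail flow rule SCL -1'
                Policy   = $r.Name
                Detail   = $r.Description
            }
        }
    }
    return $findings
}

Get-EopOverrideSummary | Format-Table -AutoSize -Wrap
```

An empty result means none of these bypasses are configured; anything listed should be compared against the Message override report and justified or removed.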
3 thoughts on “Email overrides are not best practice”
So you say it’s a bad idea to add domain / IP exceptions to EOP, but you don’t really provide an alternative. You allude to “appropriately configured mail filtering policies” and link to MS documentation but don’t really give an alternative. The MS documentation you link to basically says to set up a transport rule that, if the sender passes DMARC or SPF, lets it through. That’s really no different from using the built-in allow list.
There should be an option to exclude certain sender domains from bulk / spam filtering while leaving the security / phishing / malware filtering protections completely active.
You let the MS policies do their work without exception. I am suggesting you should always avoid whitelisting, as you are creating holes in your security, especially if you whitelist whole domains. You set EOP Spam and Malware policies to the best-practice settings that are contained in the links provided. The best article to refer to for policies is https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide.
If you really need to whitelist you can, but it should be avoided because, as I said, it is bypassing a lot of security designed to protect you.