Email filtering reports

image

There are some real nice and helpful email report in your Microsoft 365 Security console if you haven’t taken a look recently. You can pull them up by visiting:

https://security.microsoft.com/securityreports

as shown above. Then selecting Email & collaboration reports on the right.

image

The one I really like is the Mailflow status summary which you can drill into further by clicking on the heading or selecting the View details button.

image

If you then select the Funnel option across the top as shown, you get an idea of the number of bad emails that are being caught by each stage of the filtering process, from top (total in) to bottom (remaining out).

SNAGHTMLc4b85a0

However, the report I love is the one you get when you select the Tech view as shown above. Why? Because this one even shows you results from DMARC as highlighted.

image

Many also allow you to Create schedule as shown above,

image

that allows you to email the reports regularly.

Keep an eye on the reporting areas of your tenant, as they are rapidly improving and expanding!

Exchange Online AV engines

image

I have found that many don’t appreciate that Exchange Online uses anti virus engines from multiple providers, apart from Microsoft.

“We have partnerships with multiple anti-malware technology providers, so messages are scanned with the Microsoft anti-malware engines, two added signature based engines, plus URL and file reputation scans from multiple sources. Our partners are subject to change, but EOP always uses anti-malware protection from multiple partners. You can’t choose one anti-malware engine over another.:

per – How many anti-malware partners do you have? Can I choose which malware engines we use?

So email will be scanned by three (3) engines in total. One from Microsoft and another two from third parties.

Native external sender notifications in Exchange Online

image

I’ve never been a big fan of setting up rules to add a HTML banner to inbound emails, as shown above, that “warn” a user about an external email source. I dislike this solution for a number of reasons, including that it is something that an attacker can replicate, it creates a certain amount of complacency for the receiver and it ends up embedded in every reply to the email going forward.

i do however understand what is trying to be achieved here due to a lack of something provided by Exchange Online. That is, until now! A native approach is now available.

image

image

You can now get the External tag, as shown above, to appear in all versions of Outlook (desktop, web and mobile) to help understand the origin of email messages. I like this solution much better because it is built into the platform and appears in an area that an attack would find really hard to replicate. Having such labelling as a native part of Exchange Online is a much better approach I feel.

image

image

You also get the above when you view the email item.

You can enable this on new inbound messages received (only from the point you enable it going forward) using PowerShell.

image

You’ll need to firstly ensure that you have the latest version of the Exchange Online V2 PowerShell module. The minimum version required is 2.0.4. To verify this, and to ensure all the Microsoft 365 PowerShell modules are current in your environment, I encourage you to use my script:

https://github.com/directorcia/Office365/blob/master/o365-update.ps1

that will verify and update if necessary. Just remember to run the PowerShell environment as an administrator prior to running my update script.

Now connect to Exchange Online using PowerShell. Again, you can use my script at:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

to do this. In fact, using that script will also ensure that you have the latest version of the Exchange Online PowerShell V2 module installed.

Once connected to Exchange Online as an administrator running the command:

Set-externalinoutlook -enabled $true

The best documentation is currently here:

https://github.com/MicrosoftDocs/office-docs-powershell/blob/master/exchange/exchange-ps/exchange/Set-ExternalInOutlook.md

as this is still a new command at this point in time. You’ll also note that the command also has an Identity and AllowList option that you can further customise your settings.

Once the command has been run it will take a few hours for the External label to start appearing on emails from outside the organisation.

I would expect to see further configuration options become available as well as improvements to the label display. However, a very handy option that will improve the security in your environment and I’d encourage you enable it today!

What the online world can learn from recent on prem Exchange Server challenges

It has been a pretty challenging few days for those that still manage and maintain on premises Exchange servers thanks to:

HAFNIUM targeting Exchange Servers with 0-day exploits

Throughout which I’ve seen a lot of smug cloud administrators wondering why people still bother with on premises. I think a better use of their energies would be to look at the current situation and learn from it rather than allocating it to self righteousness.

The cloud is a shared responsibility model. This means that both Microsoft and end user now responsible for the security of cloud infrastructure. Luckily, these recent Exchange issues have largely fallen to Microsoft when it comes to the cloud. Where there is room to learn for the rest of us, is in the response to the situation from those battling to contain it.

From everything I have seen online in regards to the HAFNIUM issue, what I find most interesting is the lack of a response plan. Technically, administrators can follow directions, run scripts, patch systems pretty well. However, most seem totally unprepared for this kind of situation, especially at scale. That’s what worries me the most. Why? Because challenges in the cloud can easily be of the same scale and impact.

There have been plenty of examples when services like Azure AD or Exchange Online have been unavailable, but when they have, I’ve seen the same level of, dare I say, panic. Because systems work 99.99% or more of the time ‘on average’, a large amount of complacency begins to creep into the system, especially those charged with maintaining these systems. Thoughts of disaster recovery and outage impact get put on the back burner and never really addressed because there are always ‘higher’ priorities.

What worries me is the dependency we have built into our modern lives, business and economy, to the point where most cannot function if their phones run out of charge. What worries me when I look at the response I see to broad security challenges in IT is simply the lack of a credible contingency plan. A check list of what to do, if you like. Of course, you can’t have a plan for every contingency but some semblance of a plan is better than no plan at all surely?

In the end it comes down to risk analysis. When the sun is shining, risk analysis is the furthest thing from people minds. This however, is exactly the time that it should be a priority because developing a strategy in midst of a crisis does not generally lead to the best outcome. You want to have a checklist of what to do, well in advance of whenever you may need it.

Even though the systems I work with are cloud based are immune from the HAFNIUM (it appears at least), that doesn’t stop me learning from how the unfortunate are dealing with it. I’m watching, learning and preparing, because as the saying goes, “When did Noah build the Ark?”

Before it rained.

Before it rained.

A painful bulk email sending lesson

I needed to get some event registration and Microsoft Teams meeting details out to around 100+ users recently. So, I composed the email, Bcc’d people and pressed Send as I always do.

image

Not longer after, I get a failed delivery to all those addresses as you can see above. The message reads:

Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance.

What the hell is going on here I thought? I’ve done this before, what’s wrong?

image

As always, the issue has to do with the email security settings I have. One of my primary recommendations with outbound spam filtering is to limit the amount of emails that a user can send per hour and then block them once they reach this threshold.

I had, of course, gone for a very low setting because ‘I never send more than 90 email per hour’ to external recipients. We’ll guess what? The email I just tried to send  crossed that threshold and now I was blocked as a user. I could no longer send ANY emails!

So that’s the why, now the how to fix it so I could again send emails?

image

Initially, I thought that I’d just go in and change the policy and bump up the threshold plus set the action to alert only. Surely, that’ll fix my problem, right? After retrying 5 minutes, 10 minutes, etc up to 1 hour after the change, I still had the same issue. Damm!

image

As it turns out, because I had contravened that outbound spam policy I’d ended up as a ‘Restricted user’, as shown above. The direct URL to this portal is:

https://security.microsoft.com/restrictedusers

I could go in there and select the Unblock link to the right of my login.

image

I’m take through a wizard as shown above, giving me the reason why I have been restricted and some recommendations.

image

Given that I already have MFA enabled and I’m happy that my password has not been compromised, I select the Unblock user button at the bottom of the page. Note, the warning at the bottom of the page here:

It may take up to 1 hour before restrictions are removed

Damm!

image

I receive a last warning about removing the restrictions, to which I select Yes to continue.

After waiting the 1 hour, as directed, I was back in business.

In summary, it is always the exception that catches you out. I had never before crossed the outbound threshold limits before. I must have been close, but clearly this send was above those limits and resulted in contravention of the policy. The result being that I ended up on the restricted user list, unable to send. Once I had worked out how to get myself off that list, by visiting the appropriate portal, it was easy enough to get things back in order, although the up to 1 hour wait for this removal process to complete should not be overlooked.

After this learning experience, the question is now, what should my outbound spam policy be set to? I rarely send this many emails within an hour time frame, but I may indeed need to do so in the future again at some point? Should I increase the limit from 90? Should I also change the action from restrict to just alert? All very good questions I’ll need to consider.

So the learning from this experience is, when you get a security exception, where do you look to work out why it has happened? Second, how to ‘allow’ it if the action was not an exploit? Finally, what adjustments should be taken in the policy to avoid the same instance happening again in the future. Security is not an exact science and it is exceptions that cause you the greatest pain. Sometimes that pain will be due to a false positive, but in the end, I’d rather experience that pain than a full on breach!

Email overrides are not best practice

I see a lot of email configurations in Microsoft 365 that use some form of override to ‘get around’ a delivery issue. Doing so is simply not best practice and in fact opens you up for additional attacks.

For more information, let’s review the Microsoft document:

Create safe sender lists in EOP

which says:

  • We don’t recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks.
  • Use Outlook safe senders – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the user’s Safe Senders or Safe Domains lists don’t prevent malware or high confidence phishing messages from being filtered.
  • Use the IP allow lists – Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the IP Allow List doesn’t prevent malware or high confidence phishing messages from being filtered.
  • Use allowed sender lists or allowed domain lists – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the allowed senders or allowed domains lists don’t prevent malware or high confidence phishing messages from being filtered. Do not use domains you own (also known as accepted domains) or popular domains (for example, microsoft.com) in allowed domain lists.

In short, if you are using white lists or the like you are creating a vulnerability in your environment that attackers can exploit. All inbound messages should be filtered through appropriately configured mail filtering policies. If you want information on setting these appropriately see:

Mail flow best practices for Exchange Online and Office 365

Best practices for configuring standalone EOP

Recommended settings for EOP and Defender for Office 365 security

To get an overall picture of all the message overrides in your environment visit the Security and Compliance admin portal:

image

Locate the Reports option on the left and then select Dashboard as shown, from the expanded options. Then on the right locate the Threat protection status tile as shown and select it.

image

From the pull down options in the top right, as shown above, select Message override.

image

You should now see a nice summary of any messages passing through your environment that are overriding your configurations. Don’t forget that you can also View details table and select to Filter in the top right of this report.

A direct link to this report can be found here:

Threat Protection status – Message override

Overriding policies conditions is something that should be avoided as much as possible, simply because it increases the risk in your environment. Also, if you haven’t already, go take a look at what messages are overriding in your environment today and try to eliminate these to improve your security.

Microsoft 365 Mailbox capacities and sizes

To better understand the mailbox capacities in Microsoft 365, think of an Exchange Online mailbox as potentially being made up of three distinct components like so:

image

  • Primary mailbox = Can be synchronised to Outlook on the desktop and into an OST file
  • Archive mailbox = Resides in the cloud
  • Compliance mailbox = Provides extra features like unlimited storage, litigation hold, etc. This too only resides in the cloud

The process by which the Compliance mailbox is provided unlimited storage is by adding 100GB blocks of space as required. Thus you start with 100GB and when you exceed that another 100GB is added and so on. You can read about this in more detail here:

Overview of unlimited archiving

Now the capabilities and capacities of each of these individual mailboxes is defined in the Exchange Online limits, which currently are:

image
image

The configuration for Microsoft 365 Business Basic, Business Standard, Office 365 E1 and Exchange Online Plan 1 stand alone look like:

image

For all these licenses you get a 50GB primary mailbox and a 50GB cloud only archive.

image
image

So a user with Microsoft 365 Business Standard like so:

image

will have a primary mailbox of capacity 50GB:

2021-02-05_10-54-41

and an archive also of 50GB like so:

2021-02-05_10-53-59

Thus, the total mailbox capacity across primary and archive combined here will be 100GB for these plans.

A Microsoft 365 Enterprise E3, E5, Office 365 E3, E5 or Exchange Online Plan 2 mailbox looks like:

image

It has a 100GB primary mailbox and an unlimited archive thanks to the fact that the features of the Compliance mailbox are baked into these plans as shown above. Confirming this in the Exchange Online limits documentation:

image
image

This unlimited capacity is provisioned by Unlimited archiving in Office 365 as mentioned previously per:

image

Where confusion is common is when the capacity of Microsoft 365 Business Premium mailboxes is considered.

image

As you can see from the above diagram, Microsoft 365 Business Premium is a little bit special because it takes a standard Exchange Online Plan 1 as discussed previously and adds something called Exchange Online Archiving. In simple terms, think of Exchange Online Archiving mapping directly to the Compliance mailbox mentioned early on. In essence, it provides an Exchange Online Plan 1 mailbox will features like unlimited storage, litigation hold and so on.

image

Thus, an easier way to think about a Microsoft 365 Business Premium mailbox is as being almost identical to the mailboxes found in Microsoft E3, E5, Office 365 E3, E5 and Exchange Online Plan 2 stand alone. That is except for one important difference. The Microsoft 365 Business Premium mailbox has a primary mailbox limit of 50GB which is just like the other Microsoft 365 Business mailboxes. This means that maximum amount of data that can be accommodated by a Microsoft 365 Business mailbox in a local OST file is 50GB NOT 100GB like what you receive with Enterprise mailboxes.

In summary then:

  • All Business mailboxes (and E1) receive a 50GB primary mailbox + 50 GB cloud archive mailbox = 100GB total storage
  • All Enterprise mailboxes (apart from E1) receive a 100GB primary mailbox + unlimited cloud archive mailbox
  • Business Premium mailboxes receive a 50GB primary mailbox + unlimited cloud archive mailbox

image

Microsoft 365 Business Premium receives this ‘unlimited’ mailbox capability thanks to the inclusion of Exchange Online Archiving as shown above.

To get the best performance of any mailbox it is recommended best practice to ensure that capacities don’t get anywhere near what is detailed here. However, if you must, just keep the capacities and limitations for your license in mind.