A painful bulk email sending lesson

I needed to get some event registration and Microsoft Teams meeting details out to around 100+ users recently. So, I composed the email, Bcc’d people and pressed Send as I always do.

image

Not longer after, I get a failed delivery to all those addresses as you can see above. The message reads:

Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance.

What the hell is going on here I thought? I’ve done this before, what’s wrong?

image

As always, the issue has to do with the email security settings I have. One of my primary recommendations with outbound spam filtering is to limit the amount of emails that a user can send per hour and then block them once they reach this threshold.

I had, of course, gone for a very low setting because ‘I never send more than 90 email per hour’ to external recipients. We’ll guess what? The email I just tried to send  crossed that threshold and now I was blocked as a user. I could no longer send ANY emails!

So that’s the why, now the how to fix it so I could again send emails?

image

Initially, I thought that I’d just go in and change the policy and bump up the threshold plus set the action to alert only. Surely, that’ll fix my problem, right? After retrying 5 minutes, 10 minutes, etc up to 1 hour after the change, I still had the same issue. Damm!

image

As it turns out, because I had contravened that outbound spam policy I’d ended up as a ‘Restricted user’, as shown above. The direct URL to this portal is:

https://security.microsoft.com/restrictedusers

I could go in there and select the Unblock link to the right of my login.

image

I’m take through a wizard as shown above, giving me the reason why I have been restricted and some recommendations.

image

Given that I already have MFA enabled and I’m happy that my password has not been compromised, I select the Unblock user button at the bottom of the page. Note, the warning at the bottom of the page here:

It may take up to 1 hour before restrictions are removed

Damm!

image

I receive a last warning about removing the restrictions, to which I select Yes to continue.

After waiting the 1 hour, as directed, I was back in business.

In summary, it is always the exception that catches you out. I had never before crossed the outbound threshold limits before. I must have been close, but clearly this send was above those limits and resulted in contravention of the policy. The result being that I ended up on the restricted user list, unable to send. Once I had worked out how to get myself off that list, by visiting the appropriate portal, it was easy enough to get things back in order, although the up to 1 hour wait for this removal process to complete should not be overlooked.

After this learning experience, the question is now, what should my outbound spam policy be set to? I rarely send this many emails within an hour time frame, but I may indeed need to do so in the future again at some point? Should I increase the limit from 90? Should I also change the action from restrict to just alert? All very good questions I’ll need to consider.

So the learning from this experience is, when you get a security exception, where do you look to work out why it has happened? Second, how to ‘allow’ it if the action was not an exploit? Finally, what adjustments should be taken in the policy to avoid the same instance happening again in the future. Security is not an exact science and it is exceptions that cause you the greatest pain. Sometimes that pain will be due to a false positive, but in the end, I’d rather experience that pain than a full on breach!

Email overrides are not best practice

I see a lot of email configurations in Microsoft 365 that use some form of override to ‘get around’ a delivery issue. Doing so is simply not best practice and in fact opens you up for additional attacks.

For more information, let’s review the Microsoft document:

Create safe sender lists in EOP

which says:

  • We don’t recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks.
  • Use Outlook safe senders – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the user’s Safe Senders or Safe Domains lists don’t prevent malware or high confidence phishing messages from being filtered.
  • Use the IP allow lists – Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the IP Allow List doesn’t prevent malware or high confidence phishing messages from being filtered.
  • Use allowed sender lists or allowed domain lists – This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, the allowed senders or allowed domains lists don’t prevent malware or high confidence phishing messages from being filtered. Do not use domains you own (also known as accepted domains) or popular domains (for example, microsoft.com) in allowed domain lists.

In short, if you are using white lists or the like you are creating a vulnerability in your environment that attackers can exploit. All inbound messages should be filtered through appropriately configured mail filtering policies. If you want information on setting these appropriately see:

Mail flow best practices for Exchange Online and Office 365

Best practices for configuring standalone EOP

Recommended settings for EOP and Defender for Office 365 security

To get an overall picture of all the message overrides in your environment visit the Security and Compliance admin portal:

image

Locate the Reports option on the left and then select Dashboard as shown, from the expanded options. Then on the right locate the Threat protection status tile as shown and select it.

image

From the pull down options in the top right, as shown above, select Message override.

image

You should now see a nice summary of any messages passing through your environment that are overriding your configurations. Don’t forget that you can also View details table and select to Filter in the top right of this report.

A direct link to this report can be found here:

Threat Protection status – Message override

Overriding policies conditions is something that should be avoided as much as possible, simply because it increases the risk in your environment. Also, if you haven’t already, go take a look at what messages are overriding in your environment today and try to eliminate these to improve your security.

Microsoft 365 Mailbox capacities and sizes

To better understand the mailbox capacities in Microsoft 365, think of an Exchange Online mailbox as potentially being made up of three distinct components like so:

image

  • Primary mailbox = Can be synchronised to Outlook on the desktop and into an OST file
  • Archive mailbox = Resides in the cloud
  • Compliance mailbox = Provides extra features like unlimited storage, litigation hold, etc. This too only resides in the cloud

The process by which the Compliance mailbox is provided unlimited storage is by adding 100GB blocks of space as required. Thus you start with 100GB and when you exceed that another 100GB is added and so on. You can read about this in more detail here:

Overview of unlimited archiving

Now the capabilities and capacities of each of these individual mailboxes is defined in the Exchange Online limits, which currently are:

image
image

The configuration for Microsoft 365 Business Basic, Business Standard, Office 365 E1 and Exchange Online Plan 1 stand alone look like:

image

For all these licenses you get a 50GB primary mailbox and a 50GB cloud only archive.

image
image

So a user with Microsoft 365 Business Standard like so:

image

will have a primary mailbox of capacity 50GB:

2021-02-05_10-54-41

and an archive also of 50GB like so:

2021-02-05_10-53-59

Thus, the total mailbox capacity across primary and archive combined here will be 100GB for these plans.

A Microsoft 365 Enterprise E3, E5, Office 365 E3, E5 or Exchange Online Plan 2 mailbox looks like:

image

It has a 100GB primary mailbox and an unlimited archive thanks to the fact that the features of the Compliance mailbox are baked into these plans as shown above. Confirming this in the Exchange Online limits documentation:

image
image

This unlimited capacity is provisioned by Unlimited archiving in Office 365 as mentioned previously per:

image

Where confusion is common is when the capacity of Microsoft 365 Business Premium mailboxes is considered.

image

As you can see from the above diagram, Microsoft 365 Business Premium is a little bit special because it takes a standard Exchange Online Plan 1 as discussed previously and adds something called Exchange Online Archiving. In simple terms, think of Exchange Online Archiving mapping directly to the Compliance mailbox mentioned early on. In essence, it provides an Exchange Online Plan 1 mailbox will features like unlimited storage, litigation hold and so on.

image

Thus, an easier way to think about a Microsoft 365 Business Premium mailbox is as being almost identical to the mailboxes found in Microsoft E3, E5, Office 365 E3, E5 and Exchange Online Plan 2 stand alone. That is except for one important difference. The Microsoft 365 Business Premium mailbox has a primary mailbox limit of 50GB which is just like the other Microsoft 365 Business mailboxes. This means that maximum amount of data that can be accommodated by a Microsoft 365 Business mailbox in a local OST file is 50GB NOT 100GB like what you receive with Enterprise mailboxes.

In summary then:

  • All Business mailboxes (and E1) receive a 50GB primary mailbox + 50 GB cloud archive mailbox = 100GB total storage
  • All Enterprise mailboxes (apart from E1) receive a 100GB primary mailbox + unlimited cloud archive mailbox
  • Business Premium mailboxes receive a 50GB primary mailbox + unlimited cloud archive mailbox

image

Microsoft 365 Business Premium receives this ‘unlimited’ mailbox capability thanks to the inclusion of Exchange Online Archiving as shown above.

To get the best performance of any mailbox it is recommended best practice to ensure that capacities don’t get anywhere near what is detailed here. However, if you must, just keep the capacities and limitations for your license in mind.

End to End email protection with Microsoft 365–Part 6

This is part of a series of articles about email security in Microsoft 365. Please check out previous articles here:

End to End email protection with Microsoft 365 – Part 1

End to End email protection with Microsoft 365 – Part 2

End to End email protection with Microsoft 365 – Part 3

End to End email protection with Microsoft 365 – Part 4

End to End email protection with Microsoft 365 – Part 5

These articles are based on a model I have previously created, which you can read about here:

CIAOPS Cyber protection model

designed to help better explain expansive security included with Microsoft 365.


Email reporting and auditing

It’s now time to look at all the logging that occurs during even the simply process of receiving and viewing an email. For starters there is:

Message tracing

and

Message trace in the modern Exchange admin center

Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.

There is also reporting options like:

Mail flow insights in the Security & Compliance Center

and

Mail flow reports in the Reports dashboard in Security & Compliance Center

as well as:

Microsoft 365 Reports in the admin center – Email activity

If you want to specifically look at email security there is:

Email security reports in the Security & Compliance Center

as well as:

Defender for Office 365 reports in the Reports dashboard in the Security & Compliance Center

and

Reports for data loss prevention (DLP)

I have also spoken about the importance of the Unified Audit Logs (UAL) in Microsoft 365:

Enable activity auditing in Office 365

Unified Audit Logs in Microsoft 365

and you need to ensure that these have been enabled so that you can:

View mailbox auditing

Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log.

Here are some benefits of mailbox auditing on by default:

  • Auditing is automatically enabled when you create a new mailbox. You don’t need to manually enable it for new users.

  • You don’t need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each logon type (Admin, Delegate, and Owner).

  • When Microsoft releases a new mailbox action, the action might be automatically added to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don’t need to monitor add new actions on mailboxes.

  • You have a consistent mailbox auditing policy across your organization (because you’re auditing the same actions for all mailboxes).

With this auditing enabled you can do things like:

Reporting mailbox logins

and

Search the Office 365 activity log for failed logins

as well as

Audit Office 365 user logins via PowerShell

Many of the reports that you find in the Microsoft 365 Admin area can be scheduled to be sent via email per:

Scheduling compliance reports

Apart from auditing and security you can also do more typical things like:

Viewing mailbox usage

Viewing Email apps usage

The availability of all this data is covered here:

Reporting and message trace data availability and latency

typically being 90 days.


User reporting and auditing

For information more specifically about user logins into the service and the Identity container, the best place to look is in Azure Active Directory (AD).

What are Azure Active Directory reports?

Find activity reports in the Azure portal

Azure Active Directory sign-in activity reports – preview

Audit activity reports in the Azure Active Directory portal

and if you want use PowerShell

Azure AD PowerShell cmdlets for reporting

Device reporting and auditing

There are lots of options when it comes to monitoring and reporting on devices. Apart from what is offered locally you also have:

Intune report

Create diagnostic settings to send platform logs and metrics to different destinations

Manage devices with endpoint security in Microsoft Intune

You can even get telemetry data and analytics reports from your desktop applications via:

Windows Desktop Application Program


Aggregated data reporting and monitoring

As you can see with all the options above, it is easy to get to information overload trying to keep up with all those signals. Luckily Microsoft provides a range of services to aggregate all this for you to make monitoring and report easier.

The first is Microsoft Cloud App Security services:

Cloud App Discovery/Security

Microsoft Cloud App Security overview

Microsoft Cloud App Security data security and privacy

There are plenty of reasons why you really should have Microsoft Cloud App Security in your environment:

A great security add on for Microsoft 365

Office 365 Cloud App Discovery

Next, is Microsoft Defender for Endpoint that will aggregate security and threat information for devices in your environment and make it available in a single console.

Overview of Microsoft Defender Security Center

Microsoft Defender Security Center portal overview

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint evaluation lab

Finally for me, there is Azure Sentinel, which I see as really the ultimate hub for event reporting, monitoring and alrtign across the whole service.

Another great security add on for Microsoft 365

Introduction to Azure Sentinel

Azure Sentinel is a service that growing in features rapidly:

A couple of new additions to Azure Sentinel

Stay ahead of threats with new innovations from Azure Sentinel


Summary

Hopefully, all this gives you some insight into all the auditing and usage data that Microsoft 365 captures during any interaction within the service. One of the biggest benefits is also how this information is integrated between services, especially those that aggregate information lime Microsoft Cloud App Security and Azure Sentinel. This means you don’t have to crawl through individual log entries, you can use a dashboard and drill down from there. I also like the fact that all of these services and data are accessible using a scripting tool like PowerShell if you want to automate this further.

Remember, throughout this six part series I’ve just looked at what happens when a single email is delivered and view with Microsoft 365. If you expand that out to all the services and capabilities that Microsoft 365 provides you can hopefully get a better appreciate of the protection it provides in place for your data on many different levels.

The call to action for readers is to go away and implement all the security features that Microsoft 365 provides. This may of course vary by the license that you have. You should then consider what additional security offerings the Microsoft cloud stack can offer that makes sense for your business, then implement those. Remember, security is not a destination, it is journey.

Enabling Play my emails on iOS

Play your emails on iOS has been with us for a while now. My experience is however that most documentation doesn’t tell you how to actually enable this if it is not already on.

To do so, ensure you have a Bluetooth connection to your iOS device. That could be a wireless headset or in your car.

image

Click the icon in the very top right of you Outlook app once it is open as shown above.

image

That should display the ‘back stage’ as shown above. Select the Play button on the left hand side towards the bottom as shown.

file

If the setting is Off then switch it On.

image

You can now make any adjustments to your configuration.

image

If you return to ‘back stage’ of the app and press the same Play button Cortana will appear and you’ll be able to have your emails read to you.

image

You can get back to the Play My Email configuration at anytime now via the app settings as shown above.

For more details on Play My Email in Outlook see:

End to End email protection with Microsoft 365–Part 2

This is part of a series of articles about email security in Microsoft 365.

End to End email protection with Microsoft 365 – Part 1

These articles are based on a model I have previously created, which you can read about here:

CIAOPS Cyber protection model

designed to help better explain expansive security included with Microsoft 365.

image

In the previous part of this series I spoke about DNS and Exchange Online Protection (EOP) and the role they play in email security as well as how to configure these in your service. I haven’t as yet spoken about the best practices settings that you should employ. The initial objective here is to help you understand the flow as well as all the security services that can be utilised in Microsoft 365 to better help you protect your data.

If you look at the above diagram, you’ll see that data is flowing via the email connector in and out of our Microsoft 365 environment (the ‘Service’). Through which, so far, we have talked about DNS and EOP, now it is time to move onto Defender for Office 365 (D4O). However, just before we do let, me point out somethings that you may not appreciate. Firstly, via the process far, inbound email data has not yet come to rest. That is, it hasn’t as yet been stored inside a users mailbox, it is still being ‘processed’ by the security feature set of Microsoft 365 (i.e. the ‘Service’). Secondly, and more importantly for security considerations, what we have examined so far largely only ‘scans’ the data and makes security decisions as data passed through that service. It doesn’t generally continue to protect the data once it has been processed by that service. For example, with spam filtering inbound emails are scanned by the anti spam service in EOP, appropriate action taken based on the policies in place but then the data exits the service. Once an email has exited the anti spam service in EOP it will no longer be scanned by the service. To distinguish these type of security services going forward, let’s refer to them as ‘pass through’ security services being that they only handle the data once during its transit through a connector.

So after DNS and EOP have ‘processed’ the inbound email it is time for Defender for Office 365 (D4O) to do it’s job.

image

Defender for Office 365 is an add-on to existing plans like Microsoft 365 Business Basic and Business Standard but included in Microsoft Business Premium. Interestingly, it is not part of Microsoft 365 E3 but is part of Microsoft 365 E5. In short, we’ll assume the plan here is Microsoft Business Premium.

Defender for Office 365 also has two plans

Gains with Defender for Office 365, Plan 1 (to date):

Technologies include everything in EOP plus:

  • Safe attachments

  • Safe links

  • Microsoft Defender for Office 365 protection for workloads (ex. SharePoint Online, Teams, OneDrive for Business)

  • Time-of-click protection in email, Office clients, and Teams

  • Anti-phishing in Defender for Office 365

  • User and domain impersonation protection

  • Alerts, and SIEM integration API for alerts
  • SIEM integration API for detections

  • Real-time detections tool
  • URL trace
  • So, Microsoft Defender for Office 365 P1 expands on the prevention side of the house, and adds extra forms of detection.

    Gains with Defender for Office 365, Plan 2 (to date):

    Technologies include everything in EOP, and Microsoft Defender for Office 365 P1 plus:

  • Threat Explorer
  • Threat Trackers

  • Campaign views
  • Automated Investigation and Response (AIR)

  • AIR from Threat Explorer

  • AIR for compromised users

  • SIEM Integration API for Automated Investigations
  • So, Microsoft Defender for Office 365 P2 expands on the investigation and response side of the house, and adds a new hunting strength. Automation.

    The above is from The Office 365 security ladder from EOP to Microsoft Defender for Office 365.

    Microsoft Business Premium includes Defender for Office 365 P1, while Microsoft 365 E5 includes Defender for Office 365 P2.

    Unlike EOP, you’ll also note that Defender for Office 365 extends protection actually into the data container as well as providing initial scanning of data as it passes through the service. This effectively means that Defender for Office 365 is monitoring email data inside user email boxes and providing additional protection even after an item is delivered. This is very important to appreciate because once most emails are delivered they are generally no longer protected by scanning technologies like anti-spam policies, especially third party offerings. Therefore, a major of value of using Microsoft 365 is that it can ensure the security of data even after it has been delivered using technology like Defender for Office 365.

    Another point that the above diagram illustrates is that Defender for Office 365 largely applies only to inbound email data. all the policies in Defender for Office 365 are focused at emails being delivered to, not from, mailboxes.

    Finally it is also important to note that previous components in the data flow chain impact Defender for Office 365, DNS probably being the more influential. This is why it is so important to ensure that you have your DNS records (especially SPF, DKIM and DMARC) configured correctly because their impact is more than on a single service in Microsoft 365.

    Defender for Office 365 is composed of three unique components:

    – Safe Attachments

    – Safe Links

    – Anti-Phishing

    Safe Attachments

    As Safe Attachments in Microsoft Defender for Office 365 notes:

    Safe Attachments uses a virtual environment to check attachments in email messages before they’re delivered to recipients (a process known as detonation).

    In short, it will open suspect attachments in a virtual environment and check to see whether they activate any malicious activity such as encrypting data (i.e. cryptolocker attack), changing registry settings and so on.

    Safe Attachments protection for email messages is controlled by Safe Attachments policies. There is no default Safe Attachments policy. Please note that, there is NO default Safe Attachments policy by default! Thus, ensure you have set one up if you are using Defender for Office 365.

    Set up Safe Attachments policies in Microsoft Defender for Office 365

    Safe Attachments will continue to provide protection even after the data has been delivered. This is because the maliciousness of the attachment is evaluated not only at the time the user opens it but also continually as they sit as data in users mailbox. Thus, you need to consider Safe Attachments as protection both during transit and at rest. This is generally different from the role of EOP.

    I will also briefly note here that Safe Attachments protection extends beyond just emails, but I’ll cover that in a later article.

    Safe Links

    As Safe Links in Microsoft Defender for Office 365 notes:

    Safe Links is a feature in Defender for Office 365 that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.

    In short, it routes any link clicked on in an email through a reputation proxy to ensure that it is safe prior to proceeding. This provides protection against malicious content, downloads, phishing and more.

    Safe Links settings for email messages

    How Safe Links works in email messages

    Safe Links can be configured to provide customised protection:

    Set up Safe Links policies in Microsoft Defender for Office 365

    Safe Links will continue to provide protection even after the data has been delivered. This is because the maliciousness of links is evaluated not only at the time the user clicks on them but also continually as they sit as data in users mailbox. Thus, you need to consider Safe Links as protection both during transit and at rest. This is generally different from the role of EOP.

    I will also briefly note here that Safe Links protection extends beyond just emails, but I’ll cover that in a later article.

    Anti-phishing

    Phishing is when attackers try to trick users into providing secure details in an effort to compromise that account. A common ‘trick’ is to attempt to impersonate a ‘familiar’ email address and try to have the recipient take an action that will result in an account compromise.

    Protection via Defender for Office 365 is again provided by a policy:

    Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365

    Anti-phishing will continue to provide protection even after the data has been delivered. This is because the maliciousness of email content is evaluated not only at the time the user views  them but also continually as they sit as data in users mailbox. Thus, you need to consider Anti-phishing as protection both during transit and at rest. This is generally different from the role of EOP.

    In addition to the above Defender for Office 365 P1 also provides:

    Threat Explorer and Real-time detections

    while Defender for Office 365 P2 additionally provides:

    Threat Trackers

    Automated investigation and response (AIR) in Microsoft Defender for Office 365

    Attack Simulator in Microsoft Defender for Office 365

    Summary

    Inbound email data flows into Defender for Office 365 after it has been processed by EOP. Here additional protection policies are applied. All of these policies can be configured by the user and have capabilities that extend into protecting data even after it has been delivered. This means that a major benefit of Defender for Office 365 is that it not only scans email data during inbound transit but also while it is being stored in the users mailbox over the life of that data item for both current and future threats.

    It is also important to note that many of the Defender for Office 365 do not have appropriate default policies in place and it is up to the user to configure these to suit their environment.

    The inbound email data has yet further protection configurations to be applied to it after being processed by Defender for Office 365 thanks to the capabilities of Microsoft 365. Please follow that process with the next article:

    End to End email protection with Microsoft 365–Part 3

    End to End email protection with Microsoft 365–Part 1

    image

    I’ve talked about the

    CIAOPS Cyber protection model

    before and you can see it above.

    image

    Now it is time to start applying it directly to Microsoft 365 to help understand the security Microsoft 365 provides and what can be configured to provide enhanced security.

    image

    I’ve therefore started by breaking the Email connector from my model into two components, Inbound and Outbound, as shown above. The left hand side (outside the box) is the Internet, while inside the box on the right hand side, is Microsoft 365.

    Outside the box, on the Internet, there are three user configurable items: SPF, DKIM and DMARC. You’ll see arrow from these three items away and further into the Internet as well as back into the Microsoft 365 service. This is because these three DNS records will affect both sent and received emails and should be considered the first item on your email security check list. Some articles that may help on this include:

    SPF, DKIM, DMARC and Exchange Online

    Set up SPF to help prevent spoofing

    Support for validation of DKIM signed messages

    Use DKIM to validate outbound email sent from your custom domain

    Use DMARC to validate email

    When others send email to Microsoft 365, the following articles may help:

    Sending mail to Microsoft 365

    Services for non-customers sending mail to Microsoft 365

    Inbound email is received into Microsoft 365 via Exchange Online. A component of this service is Exchange Online Protection (EOP).

    Exchange Online Protection overview

    EOP features

    Inbound emails

    The first stage of a message progressing through Exchange Online Protection is for it to traverse the Edge Protections as shown above. These are basically policies and configuration managed and maintained by Microsoft. A user is unable to alter them but information about these can be found at:

    Use Directory Based Edge Blocking to reject messages sent to invalid recipients

    Backscatter in EOP

    How EOP validates the From address to prevent phishing

    It is important to note that DNS records like SPF play an important role in helping secure email data, which is why it is important to configure them.

    How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing

    After the Edge Protection phase is complete, any inbound email is then sent to Exchange Online Protection (EOP) for further processing. It is here that there are many policies and settings that can be configured by the user. The sequence in which these take place can be found here:

    Order and precedence of email protection

    Generally, first to be processed is the Connection filtering.

    Configure connection filtering

    Then Malware filtering.

    Configure anti-malware policies in EOP

    Then Transport rules.

    Mail flow rules (transport rules) in Exchange Online

    Next are any Data Loss Prevention (DLP) policies.

    Data Loss prevention

    Spam filtering follows.

    Anti-spam protection in EOP

    Configure anti-spam policies in EOP

    Anti-spam message headers in Microsoft 365

    Bulk complaint level (BCL) in Exchange Online Protection EOP

    Finally inbound email will be checked for phishing and spoofing.

    Anti-phishing policies in Microsoft 365

    Configure spoof intelligence policy

    After all these the inbound email will continue to be processed by any additional protection options and features like Defender for Office 365 which will be covered in an upcoming article, so don’t think that email protection stops with EOP, it continues with Defender for Office 365 right through to the email app on the device which will all be covered in upcoming articles.

    Outbound emails

    If we now turn our attention to outbound emails and work from right to left, along the bottom arrow, we see that the email has a lot less policies to travel through. The main one is the Outbound spam filter.

    Configure outbound spam filtering in EOP

    However, it will also go through the DLP policy:

    Data Loss prevention

    and then Transport rules:

    Mail flow rules (transport rules) in Exchange Online

    You can also use

    Message Encryption

    if you wish to protect the contents of emails sent from Microsoft 365.

    Summary

    Remember, what is covered here is only the first part of the full range of protection capabilities that Microsoft 365 provides for emails. You will also see that a significant amount of these capabilities provide the ability of customisation. For the items that are user configurable in the diagram, a good rule of thumb is to implement and configure from left to right, top to bottom. Once you have all that done, then you can move onto the next stage which will be covered in the next article on this topic.

    End to End email protection with Microsoft 365 – Part 2

    New Exchange Policy Configuration analyzer

    image

    If you have a look in your Threat Management policies in Security and Compliance you’ll see a new tile called Configuration Analyzer as shown above. The direct URL is:

    https://protection.office.com/configurationAnalyzer

    image

    When you select this tile you’ll see a screen like that shown above which compares your current policy settings to Microsoft best practices.

    image

    If you expand any of the headings you’ll the settings in question and what the recommendation is on the right. You’ll also see a link that allows you to easily Adopt this setting.

    image

    If you do select the Adopt link, you’ll be presented with the above warning asking you whether you wish to proceed and Confirm or Cancel the change.

    image

    You will also see a Configuration drift analysis and history option as shown above. This allows you to compare changes in configuration over time and their effect. Basically, whether changes made improve email security or not.

    If you want to learn more about Microsoft’s best practice configurations I suggest you take a look at my previous article:

    New templated email policies

    I see this as a further step towards what I spoke about here:

    The changing security environment wit Microsoft 365

    and how Ai will soon do all this automatically.