Configuring an Office 365 SPAM filtering policy

A common complaint I hear about Office 365 from IT Professionals is that it doesn’t filter spam as well as other third party solutions. My immediate question at that point is always “Well, have you actually gone in and configured ANY of the spam settings in Office 365 to improve your results?” to which the answer is always No. Thus, if you don’t take the time to customise what you get out of the box you’ll only get an out of the box solution which is probably not what you want! Thus, some configuration is required for EVERY Office 365 tenant to improve its spam filtering abilities.

The out of the box spam settings for Office 365 are not configured in an aggressive manner and you should go in and make changes from the defaults I would suggest. Here’s how to do that.

You’ll firstly need to login to the Office 365 portal as an administrator with rights to make changes. You’ll need to then navigate to the Office 365 Admin Center and select from the Admin centers on menu on the left hand side. You’ll find the Admin centers option right at the bottom.

From the list of options that now appear select Exchange as shown above.

This will take you to the Exchange Admin center as shown above. In here select the protection option on the left and then spam filter on the right.

You will then typically see a single policy called Default.

With this default policy selected, press the edit button (pencil) from the menu to view what settings this default policy has.

Select the different menu options on the left to view all the settings. Most you will see, like in the advanced settings shown above, are set to off.

You can of course edit this default policy, however it is better practice to go back to the list of policies and create a new one and leave the default one in place.

When you create a new policy using the plus button (+) a new dialog will appear like show above.

Give the new policy a name and now scroll through the settings to configure them for your needs.

When you reach the advanced options towards the bottom you’ll see a number of options that can set on or off. The crowd sourced results I obtained for these were:

Image links to remote sites = OFF

Numeric IP addresses = ON

URL redirect to other port = ON

URL to .biz or .info websites = ON

Empty messages = ON

Javascript or VBScript in HTML = ON

Frame or iFrame tags in HTML = ON

Object tags in HTML = ON

Embed tags in HTML = ON

Form tags in HTML = ON

Web bugs in HTML = ON

Apply sensitive word list = ON

SPF record hard fail = ON

Conditional sender ID hard fail = ON

NDR backscatter = ON

You can then set whether the policy will simply run in test mode if you wish.

The final option is to determine where this policy will apply. Normally you want this across all your domains and users but as you see, you can have different policies for different users and domains if you wish.

All you now need to do is save the policy and start monitoring the results.

Hopefully, you can now see that out of the box Office 365 does take a very relaxed approached to spam which is not uncommon for most spam protection products. You can, and should, of course go in and configure the available options to be more restrictive. When you do this you will of course get much better results.

This post showed you how to make spam filter setting via the web interface, a much better and more consistent approach across many tenants is to do this using PowerShell. Look out for an upcoming article on this.

SPAM filtering in Office 365–Best practice results

Recently, I asked people to vote on the settings in Office 365 Spam protection they believe should be made active to improve protection. That survey will continue to run and you can add your voice here:

http://bit.ly/o365spam

However, with just over 30 votes as I write this I think we can draw some indications of what the best practice options are going to be.

So let’s start with the ones that should be definitely turned on based on a majority of votes for that condition:

URL direction to another port = ON

Backscatter = ON

SPF Hard fail = ON

Scripts in HTML = ON

Numeric IP addresses in URL = ON

Apply sensitive words list = ON

Empty Messages = ON

Web Bugs = ON

Condition Sender hard fail = ON

Form Tags in HTML = ON

Frame or iFrame tags in HTML = ON

Embed Tags in HTML = ON

Next, the one’s that should be off are:

Image links in Remote Site = OFF

Lastly, border line results that you probably want to set on if you want aggressive anti spam or off if you want relaxed.

Object tags in HTML = ?

URL to .INFO or .BIZ sites = ?

I’ll leave the survey running and you can check the results at any time in the future here.

In upcoming post I’ll show you how to set these options inside Office 365. However, thanks to the wisdom of the crowd (thanks to all who voted) we have an idea of what the settings should be.

SPAM filtering Office 365–Help shape a best practice

I hear a lot of people say that they don’t find Office 365 anti-spam filtering as good as other providers. My reply to that is – “Have you ever actually gone in and configured the settings from what is there by default?”. Unsurprisingly, the answer is always No.

The out of the box spam settings you get with Office 365 are designed for the “average” and probably configured for the least business interruption (i.e. less aggressive classification of what is spam). Thus, to get the optimal level of filtering you desire, it is recommended that you go and set the options the way that you want.

I have configured my tenant for the way I wish to handle spam but that is probably not exactly the best place for people to start. So with that in mind I thought that I’d call on the power of the crowd and offer up a survey were people can nominate what they consider to be major indicators of spam, based on the policy options that Microsoft provide. You’ll find that survey here:

http://bit.ly/o365spam

which I encourage you to fill out and share with everyone else.

The idea is that once the results are in I report back on an overall “best practices” starting policy that the majority would feel comfortable with. I can then also show you how to exactly configure that in Office 365.

So please take a moment to complete the survey and share you expertise and thought on the ‘best practice’ approach of configure anti-spam policies in Office 365.

You can find the details on the specific advanced spam filtering options in Office 365 here:

http://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx

Searching the Office 365 activity log for failed logins

Inside the Office 365 Security & Compliance center, under the Search & investigation menu option on the left you’ll find Audit log search as shown above.

To run a search simply provide a start and end date and select the Search button at the bottom of the screen. You can refine your search by selecting a list of different activities if you want but here we’ll leave the option set to Show results for all activities.

Once the search results are returned you’ll see lots and lots of items as shown above.

If you now select the Filter results button in the top right, each column will now display a box at the top that you can enter text into.

You can now go into the column headers and enter further filtering information. Here I have added the text ‘fail’ to the Activity column as shown. This produces two results for failed user logins.

Adding a filter now only shows the matches on the page.

You can also export the data into CSV file by selecting the Export results button next to the filter button.

You can either download everything in the audit logs (Download all results) or just your search query (Save loaded results). Here I have select the Save loaded results option.

This will then download a CSV file that you can open in Excel and will look like the above.

To make these easier to read you should convert the out to a table from the Insert tab and then select the Table icon.

Now that you have a table go to the top row of the Operations column and select the arrow to the right of this as shown. This will display the above menu. Uncheck the Select all option at the top of the list in the lower portion of the displayed dialog box.

Scroll down this same list and locate the UserLoginFailed option and select it.

This will now basically filter the whole tables of entries to only display those that have a match is UserLoginFailed in the operations column.

Which is exactly the result that you see obtained above and the same results we received from the console.

Thus, you can search the audit logs inside Office 365 directly from the portal but you can also export them to Excel to gain more power over how you wish to manipulate and report these events.

Selecting sites to include/exclude in Office 365 DLP

When you create a DLP policy you have the option to exclude or include certain SharePoint sites as shown above.

If the sites you wish to include or exclude are anything but the default team site (i.e. https://tenant.sharepoint.com) then you need to manually search for the URL.

Thus, if you are looking to include or exclude a SharePoint site that was created by Microsoft Teams then you need to explicitly search for it by URL to add it to your list as shown above.

May Office 365 Webinar Resources

May 2018 Office 365 Need to Know Webinar from Robert Crane

Slides from this month’s webinar are at:

https://www.slideshare.net/directorcia/may-2018-office-365-need-to-know-webinar

If you are not a CIAOPS patron you want to view or download a full copy of the video from the session you can do so here:

http://www.ciaopsacademy.com.au/p/need-to-know-webinars

Watch out for next month’s webinar.

Office 365 DLP Document Finger Printing

Data Loss Prevention (DLP) is a way of preventing sensitive information inside you organisation from being sent places you don’t want. Office 365 E3 and above have always included DLP but now Microsoft 365 Business also includes DLP.

There a number of different options you can configure when it comes to DLP inside Office 365. One of these ways is to use DLP is via Document Fingerprinting that allows Office 365 to check information against a template you provide.

Here’s how it works.

The first thing I do is create a template of the information I want to be fingerprinted against. Here I have created an invoice template as shown above. Thus, information being sent from my tenant will be checked (‘fingerprinted’) against this to prevent documents that ‘look like’ this template from being sent externally.

To configure DLP Document Fingerprinting you’ll need to navigate to the Exchange Admin Center and then the compliance management option on the left. You’ll then need to select the data loss prevention option at the top of the page on the right.

On this page you’ll need to select the Manage document fingerprints hyperlink in the top half of the page as shown above.

Here you will see any document fingerprints already configured. Press the plus (+) key to add a new fingerprint document.

Simply give the fingerprint a name (in this case Invoice – DLP).

In the lower window you’ll need to select the plus (+) symbol and upload the template document that you have created. In my case, I’m going to upload the invoice template shown earlier.

Save you selections.

In the lower part of the data loss prevention page you’ll see a list of DLP policies in your tenant. Some of these policies may have been created elsewhere (like the Office 365 Security and Compliance Center). Locate the document fingerprint policies you just created (here called Check for Invoices), select it and then select the edit icon from the menu at the top as shown.

You can then further configure the DLP policy. Here I have elected to enable and enforce the policy but there are other options you can select.

Select the rules option from the menu on the left.

To create a new rule, select the plus (+) icon from the menu across the top.

Here is where you will create the outbound transport rule to check information sent via email. In this case, the rule will apply of the recipient is outside my Office 365 tenant.

When I select the type of sensitive information I can now select from the document fingerprint I just created.

When there is a policy match, I then elect to block the document, notify the user via a policy tip and send a report to a nominated user.

With my new document fingerprinting DLP policy in place I now create a new invoice based on the original template as shown above that you can see is different from the original template but still similar in format.

As you can see above, when I attempt to attach this new document via Outlook on the desktop that looks like the previously configured fingerprint document, it activates my DLP policy and prevents the item being sent outside the organisation as desired.

I get a similar result if I try and do this using the Outlook Web Client (OWA).

I get a policy tip at the top of email as shown above.

and when I attempt to send the email I can’t. DLP in action!

This is one example of the DLP capabilities of suitably licensed Office 365 and Microsoft 365 tenants. DLP is great way to prevent standard information, like invoices, being accidentally or maliciously sent outside your organisation.

As I mentioned, DLP is now part of Microsoft 365 Business which means that it an even more enticing offering for SMB who are subject to compliance regulations.

Introduction to Office 365 Advanced Threat Protection (ATP)

Office 365 Advanced Threat Protection (ATP) is one of the recent offerings rolled into Microsoft 365 Business. See:

Microsoft 365 Business new feature comparison

I feel that ATP should be a mandatory add on for all Office 365 SKUs that don’t already include it. It is very cheap but really helps protect users from bad stuff coming in via emails.

One thing that many people fail to realise about ATP (and many other O365 security features in fact) is that you need to enable it or set up policies to control what you want the service to do. These generally aren’t there by default, so simply adding a license isn’t good enough. You actually need to go in and configure the policies.

The above video gives you and overview of how to set these policies and what options they involve. You’ll also see ATP in action protecting a mailbox from malware. This should give you a goo introduction to Office 365 ATP.

Learn how ATP will make you and your business safer.