Tag: Spam

Exchange Online PowerShell configuration rules and policy relationship

bp1

In the context of configuring anti-spam settings in Exchange (particularly Exchange Online, which uses Exchange Online Protection or EOP), “rules” and “policies” work together to define how email is processed and protected. PowerShell is the primary tool for granular control over these settings.

Here’s a breakdown of their relationship:

1. Policies (Anti-Spam Policies):

  • What they are: Policies are the core configuration containers that define the overall anti-spam settings. They specify what actions to take when a message is identified with a certain spam confidence level (SCL) or other anti-spam verdict (e.g., spam, high-confidence spam, phishing, bulk email).

  • Key settings within policies:

    • Spam Actions: What to do with messages identified as spam (e.g., move to Junk Email folder, quarantine, add X-header, redirect).

    • High-Confidence Spam Actions: Similar to spam actions, but for messages with a very high probability of being spam.

    • Phishing Actions: Actions for phishing attempts.

    • Bulk Email Thresholds (BCL – Bulk Complaint Level): How to treat bulk mail (e.g., newsletters, marketing emails) that isn’t necessarily spam but users might not want.

    • Allowed/Blocked Senders and Domains: Lists of specific senders or domains that should always be allowed or blocked, bypassing some or all spam filtering.

    • Advanced Spam Filter (ASF) settings: More granular options like increasing spam score for specific characteristics (e.g., certain languages, countries, or specific URLs/patterns).

  • Default Policies: Exchange/EOP comes with built-in default policies (e.g., “Default,” “Standard Preset Security,” “Strict Preset Security”) that provide a baseline level of protection.

  • Custom Policies: You can create custom anti-spam policies to apply different settings to specific users, groups, or domains within your organization.

  • PowerShell Cmdlets:

    • Get-HostedContentFilterPolicy: Views existing anti-spam policies.

    • New-HostedContentFilterPolicy: Creates a new custom anti-spam policy.

    • Set-HostedContentFilterPolicy: Modifies an existing anti-spam policy.

    • Get-HostedOutboundSpamFilterPolicy, Set-HostedOutboundSpamFilterPolicy, New-HostedOutboundSpamFilterPolicy: Manage outbound spam policies.

2. Rules (Anti-Spam Rules / Mail Flow Rules / Transport Rules):

  • What they are: Rules are used to apply policies to specific recipients or groups of recipients, or to implement more dynamic and conditional anti-spam actions. While “anti-spam rules” are directly linked to anti-spam policies, “mail flow rules” (also known as “transport rules”) offer a broader range of conditions and actions, including those that can influence spam filtering.

  • Relationship to Policies:

    • Anti-Spam Rules (specifically): An anti-spam rule (e.g., created with New-HostedContentFilterRule) links an anti-spam policy to specific conditions (e.g., applying the policy to members of a certain distribution group). A single anti-spam policy can be associated with multiple rules, but a rule can only be associated with one policy. This allows you to apply different policies to different sets of users.

    • Mail Flow Rules (broader impact): Mail flow rules can also be used to influence anti-spam behavior, even if they aren’t strictly “anti-spam rules.” For example:

      • Bypassing spam filtering: You can create a mail flow rule to set the Spam Confidence Level (SCL) of a message to -1 (Bypass spam filtering) if it meets certain conditions (e.g., from a trusted internal system, or specific external partners).

      • Increasing SCL: You can increase the SCL of messages that contain specific keywords or come from particular sources, forcing them to be treated more aggressively by anti-spam policies.

      • Redirecting/Quarantining: Mail flow rules can directly redirect suspicious messages to a quarantine mailbox or add specific headers for further processing, often based on content or sender characteristics that might indicate spam or phishing.

  • PowerShell Cmdlets:

    • Get-HostedContentFilterRule: Views existing anti-spam rules.

    • New-HostedContentFilterRule: Creates a new anti-spam rule and links it to an anti-spam policy.

    • Set-HostedContentFilterRule: Modifies an existing anti-spam rule.

    • Get-TransportRule, New-TransportRule, Set-TransportRule: Manage general mail flow (transport) rules, which can include anti-spam related actions.

How they work together (with PowerShell in mind):

  1. Define the “What”: You use New-HostedContentFilterPolicy or Set-HostedContentFilterPolicy to define the core anti-spam behavior (e.g., “quarantine spam, move high-confidence spam to junk, block these specific senders”).

  2. Define the “Who/When”: You then use New-HostedContentFilterRule to create a rule that applies that specific policy to certain users or under specific conditions. You can prioritize these rules using the -Priority parameter on the Set-HostedContentFilterRule cmdlet, where a lower number means higher priority.

  3. Advanced Scenarios: For more nuanced control, or to handle edge cases not covered directly by anti-spam policies, you leverage New-TransportRule or Set-TransportRule. These allow you to:

    • Exempt certain senders/domains from all spam filtering (SCL -1).

    • Apply custom actions based on message headers (e.g., from a third-party spam filter).

    • Implement more sophisticated content-based filtering using keywords or regular expressions before the message hits the main anti-spam policies.

Example Scenario and PowerShell:

Let’s say you want to:

  • Apply a strict anti-spam policy to your “Executives” group.

  • Allow a specific partner domain to bypass most spam filtering.

Using PowerShell, you might:

  1. Create a custom anti-spam policy for executives:

    PowerShell

    New-HostedContentFilterPolicy -Name "ExecutiveSpamPolicy" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 4 -MarkAsSpamBulkMail $true

  2. Create an anti-spam rule to apply this policy to the “Executives” group:

    PowerShell

    New-HostedContentFilterRule -Name "ApplyExecutiveSpamPolicy" -HostedContentFilterPolicy "ExecutiveSpamPolicy" -SentToMemberOf "ExecutivesGroup" -Priority 1

  3. Create a mail flow rule to bypass spam filtering for the partner domain:

    PowerShell

    New-TransportRule -Name "BypassSpamForPartner" -FromScope OutsideOrganization -FromDomainIs "partnerdomain.com" -SetSCL -1 -Priority 0 # Higher priority to ensure it's processed first

In summary:

  • Policies define the actions for different spam verdicts and general anti-spam behavior.

  • Rules (both anti-spam rules and broader mail flow/transport rules) define the conditions under which those policies or other anti-spam actions are applied.

PowerShell gives administrators the power to create, modify, and manage these policies and rules with a high degree of precision and automation, which is crucial for effective anti-spam protection in Exchange environments.

What to check with spoofed email in Microsoft 365

If you find that a spoofed email is reaching users inboxes in Microsoft 365 (say something like managing.director@gmail.com pretending to be managing.director@yourdomain.com) then here are some initial suggestions and things to check.

Firstly, ensure you have SPF, DKIM DMARC configured for your domain. They all help reduce spoofed emails getting to the inbox. 

Set up SPF to help prevent spoofing

Support for validation of DKIM signed messages

Use DMARC to validate email

Next, run the analyzer that is built into the Microsoft 365 Security Center to see where your policies may deviate from best practices.

Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365

and you’ll find those best practice settings here:

Recommended settings for EOP and Microsoft Defender for Office 365 security

I’d be checking against the strict rather than the standard settings if it was me.

image

In the settings for your spam policy in Exchange Online there are a few additional settings you can enable as shown above. Even though the Microsoft best practices doesn’t recommend it, I still have most of these set and at a minimum recommend that the SPF hard fail option be enabled.

image

In your Anti-phishing policies ensure the option for Show first contact safety tip is enabled as shown above. Microsoft Best Practice policies don’t set this. In general make sure all the above settings are all enabled as shown.

Another good indicator to configure is

Set-ExternalInOutlook -Enabled $true

using PowerShell, that will let you know about

Native external sender callouts on email in Outlook

Another custom adjustment you can consider is changing the Spam Confidence Level (SCL)

Spam Confidence level (SCL) in EOP

A further option you may wish to tweak beyond Microsoft’s recommended best practices is the phishing thresholds in anti-phishing policies:

Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365 

When you get emails that are confirmed as trying to trick users, make sure you report them to Microsoft

How do I report a suspicious email or file to Microsoft?

Use the Submissions portal to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft

Probably the best way to do that is to use the free add-in that works with Outlook.

Enable the Report Message or the Report Phishing add-ins

doing so helps build the intelligence for Exchange Online as well as helping others who may see similar insecure emails.

The final option available to you is always to reach out to Microsoft for assistance.

Get help or support for Microsoft 365 for business

I would also suggest you check any white listing options you may have in Exchange Online as these are easily forgotten over time. Best practice is not to white list any domain or specific email address but always check when you see repeated emails get through filtering. I can’t tell you how many times I find this as the cause of any issue. Keep in mind, there are few places that you can white list emails:

Create safe sender lists in EOP

You can of course also block the insecure sender:

Create blocked sender lists in EOP

Remember that if you tighten your email security the result will probably be an increase in false positives, at least initially, as Exchange Online learns to evaluate the changes and user behaviours based on the updated settings. Email security is not an exact science. The bad operators are working just as hard to bypass all these settings so it is always going to be a game of cat and mouse. However, hopefully, using the Microsoft recommended best practices and some additional tweaks as suggested above, you can prevent the vast majority of insecure emails out of your users email boxes.