Configuring Exchange Online Protection - Untold.IT



Thursday, September 17, 2020

Configuring Exchange Online Protection

Every Office 365 tenant with Exchange Online mailboxes has Exchange Online Protection (EOP), the cloud-based email anti-spam and anti-malware service. All inbound and outbound mail for Exchange Online mailboxes travels through EOP and is scanned for spam and malicious content, even if you use a third-party scanning service or route mail through an on-premises Exchange server.

Accessing Exchange Online Protection Settings

  1. In a web browser, sign in to Office 365 using a work or school account that has been granted global administrator permissions.
  2. Choose the Admin tile.
  3. In the Microsoft 365 admin center, choose Admin centers > Exchange.
  4. In the Exchange Admin Center, navigate to Protection.

In each of the policy sections, you'll find a default policy that applies to your entire tenant. In some policy sections, you can add your own policies that are scoped to specific recipients, specific domains, or members of a group. This allows you to have granular policies that apply different controls to different parts of your user population.

When you configure multiple policies, they are given a relative priority. If no higher-priority policy matches an email, the default policy is applied. For many customers, just a single policy for each of the protection types is required. However, even in smaller organizations, some exceptions to policies are desirable.

Configuring Malware Policies

Exchange Online Protection scans email attachments for malware using multiple anti-malware engines, as well as Microsoft's own detection rules based on their analysis of malware outbreaks. The malware policy settings in EOP mainly provide for customization of notifications. There is an additional setting for blocking file types that are likely to be harmful. This setting might be disabled in your tenant by default. You can turn it on, and then review the default list of file types to be blocked. If you like, you can also add or remove file types to customize the list.

Configuring Connection Filtering

Exchange Online Protection uses connection filtering to allow or block email based on the source IP address. Connection filtering is a good way to prevent spam and malware from being received from known bad neighborhoods, such as the IP address ranges of residential ISPs where home computers can be infected by spam botnets. There is one connection filtering policy that you can modify with specific IPs to allow or block.

Configuring Spam Filtering

Spam filtering in EOP makes decisions based on the content of emails. The spam filtering options provide some of the most detailed customization available to you in EOP.

Incoming email is assigned a “spam confidence level” (SCL) when it has been scanned by EOP. The SCL ratings are published on TechNet, and are as follows:
  • -1 for non-spam coming from a trusted source (e.g. IP allow list)
  • 0-1 for email determined to be non-spam
  • 5, 6 for email determined to be likely spam
  • 7, 8, 9 for email determined to be high confidence spam
The default for likely spam and high confidence spam is to deliver to the recipient's junk email folder. However, there are multiple actions you can choose from when spam is detected:
  • Move message to Junk Email folder (default setting)
  • Add X-Header (adds an entry to the message headers that you can then use for mail flow/transport rules)
  • Prepend subject line with text (useful for flagging to end-users that an item is suspected spam)
  • Redirect message to an email address (useful if you want to look at all the spam you're blocking)
  • Delete message (when you're really sure you won't miss legitimate email)
  • Quarantine message (when you're not confident enough to delete the messages)

Spam filtering also has block lists and allow lists available for you to explicitly allow/block email addresses or domains.
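
To check how EOP rated a message that was delivered, the SCL can be read back from the message headers and mapped to the ratings listed above. This is an added example, not part of the original article: it assumes the SCL is taken from the X-Forefront-Antispam-Report header that EOP stamps on scanned mail (the header name and its KEY:value; layout are not given in the article), and the sample message is constructed.

```python
import email
import re

# Constructed sample message (illustrative values, documentation IP range).
SAMPLE = """\
From: sender@example.com
To: user@contoso.example
Subject: Limited time offer
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.com;PTR:mail.example.com;CAT:SPM;

Body text.
"""

def parse_antispam_report(raw_message):
    """Return the X-Forefront-Antispam-Report fields as a dict."""
    msg = email.message_from_string(raw_message)
    report = msg.get("X-Forefront-Antispam-Report", "")
    # The header is usually folded across lines; drop the folding whitespace.
    report = re.sub(r"\s+", "", report)
    fields = {}
    for item in report.split(";"):
        if ":" in item:
            key, value = item.split(":", 1)  # CIP may be IPv6 and contain ':'
            fields[key.upper()] = value
    return fields

def classify_scl(scl):
    """Map an SCL value to the ratings listed in the article."""
    if scl is None:
        return "no SCL found"
    if scl == -1:
        return "non-spam from a trusted source"
    if scl in (0, 1):
        return "non-spam"
    if scl in (5, 6):
        return "likely spam"
    if scl in (7, 8, 9):
        return "high confidence spam"
    return "value not in the article's list"

def triage(raw_message):
    # Summarise how EOP scored one message.
    fields = parse_antispam_report(raw_message)
    try:
        scl = int(fields["SCL"])
    except (KeyError, ValueError):
        scl = None  # header missing, or SCL field empty or malformed
    return {"scl": scl, "rating": classify_scl(scl),
            "source_ip": fields.get("CIP"), "filter_verdict": fields.get("SFV")}
```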

The international spam filter options have been quite effective in reducing spam for local businesses. If they have no global operations at all and don't speak or read any other languages, then there's usually no reason to accept email written in other languages.

The advanced spam options have some additional controls that can be turned on/off or placed in test mode as a way to measure the impact of turning them on. The first set of controls will increase the spam score for an email if the condition is matched. This doesn't mean that the email will be marked as spam, but it will increase the likelihood.

Configuring Outbound Spam Preferences

Exchange Online Protection will detect and block outbound spam, which is spam that is sent by users in your own organization. Most of the time the spam is not intentionally being sent by your own users but is being sent by someone who has compromised one of your accounts. Other times the spam is due to an over-eager marketing person using Outlook to send a bulk email out to the world, which is a bad idea.

To access the Outbound Spam Settings, click on the Anti-Spam page link.

Click on the drop arrow and select Edit Policy.

In the outbound spam preferences, you can set notifications so that you receive a copy of any suspicious outbound email. You can also configure a notification for any time one of your senders is blocked for sending spam.
