Every Office 365 tenant with Exchange Online mailboxes has Exchange Online Protection (EOP), the cloud-based email anti-spam and anti-malware service. All inbound and outbound mail for Exchange Online mailboxes travels through EOP and is scanned for spam and malicious content, even if you use a third party scanning service or route mail through an on-premises Exchange server.
Although your Exchange Online mailboxes are protected by EOP automatically, the default configuration might not be suitable for your organization. The effectiveness of EOP is often debated. Some customers think it works fine, others are disappointed with the bad email that gets past it. Usually the missed emails are spam or phishing, but zero-day malware is also a risk.
At 400,000,000,000 messages scanned per month (according to Microsoft at Ignite 2017), even a small percentage of missed email adds up to a lot. Perfection is the goal, but realistically we'll probably never achieve it. EOP is just one layer of defence after all. What we can do, as customers, is tune our EOP configurations to be as effective as we need them to be.
In this article I'll walk through the EOP configuration options and demonstrate how I configure EOP for my customers. You should make your own decisions. You don't need to agree with all of my advice. But I encourage you to review the settings and continue to adjust them over time until you're happy with the results.
Accessing Exchange Online Protection Settings
The EOP configuration options are found in the Exchange admin center, in the Protection section. Different components of EOP are found in sub-sections of Protection. You can configure these options as a Global administrator or as an Exchange administrator for the tenant.
In each of the policy sections you'll find a default policy that applies to your entire tenant. In some policy sections you can add your own policies that are scoped to specific recipients, specific domains, or members of a group. This allows you to have granular policies that apply different controls to different parts of your user population.
When you configure multiple policies they are given a relative priority. If no higher priority policy exists that matches an email, the default policy will be applied. For many customers just a single policy for each of the protection types is required. However, even in smaller organizations some exceptions to policies are desirable. For example, an inbound customer service address might want to have more lenient content filtering to avoid the risk of blocking a customer email, whereas higher risk parts of the organization may need more aggressive protection to reduce the risk of phishing and other attacks.
Also keep in mind as you're reviewing your settings, it's possible that your default settings are different to someone else's default settings due to minor changes over the years in how new tenants are provisioned. Again, this highlights the importance of reviewing your EOP configuration and making decisions about what settings to apply.
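As an added illustration (not code from the article), the Exchange Online PowerShell below creates the kind of lenient policy described above for a customer service address and gives it a higher priority than the default policy. The policy name and mailbox address are placeholders, and it assumes Connect-ExchangeOnline has already been run.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has
# already been run; the policy name and address below are placeholders.

# A lenient policy: likely spam still reaches the mailbox (Junk Email
# folder), so a genuine customer email is less likely to be lost.
New-HostedContentFilterPolicy -Name 'Customer Service - Lenient' `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction MoveToJmf `
    -BulkSpamAction MoveToJmf

# The rule scopes the policy to one recipient. Priority 0 is the highest,
# so this rule is evaluated before any other custom rule. Mail that
# matches no custom rule falls through to the Default policy.
New-HostedContentFilterRule -Name 'Customer Service - Lenient' `
    -HostedContentFilterPolicy 'Customer Service - Lenient' `
    -SentTo 'customerservice@contoso.example' `
    -Priority 0

# Review the order in which the custom rules are evaluated.
Get-HostedContentFilterRule | Sort-Object Priority |
    Format-Table Name, Priority, SentTo, RecipientDomainIs, SentToMemberOf
```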
Configuring Malware Policies
Exchange Online Protection scans email attachments for malware using multiple anti-malware engines, as well as Microsoft's own detection rules based on their analysis of malware outbreaks.
The malware policy settings in EOP mainly provide for customization of notifications. There is an additional setting for blocking file types that are likely to be harmful. This setting might be disabled in your tenant by default. You can turn it on, and then review the default list of file types to be blocked. If you like you can also add or remove file types to customize the list. At the customers I've worked with, the entry in the default list most likely to cause a problem is .docm (macro-enabled Word document), due to the heavy use of Word macros in the industries I deal with most.
Removing file types from the list is not ideal, but some customers insist. The preferred approach, in my opinion, is to change from emailing macro-enabled Word documents around, and instead use the file sharing capabilities of OneDrive. But if a customer does insist on flinging macros around in email attachments, we can look at securing Office macros using Group Policy. This is a whole separate adventure of trying to come to grips with macro signing, trusted locations, and all the rest. It's not easy, but it addresses a significant risk, and also protects against other sources of macro-based attacks such as file downloads from the internet.
For malware notifications, I generally don't turn on the notification to recipients. Malware tends to be malware, with very few false positives. Some customers have enabled it though, with the default notification text.
As notifications start to roll in, the customer can then craft a custom notification text that addresses the most common concerns or questions that their users ask when they receive a notification. The notification text is seen by the user in the text file attachment that replaces the infected file attachment.
For sender notifications, I recommend enabling notifications to internal senders only.
You can further customize the sender notifications as well, to provide more useful information to any senders in your organization who are the source of outbound malware.
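The malware policy settings discussed above, applied with Exchange Online PowerShell as an added example (not the article's own code). It assumes Connect-ExchangeOnline has been run; the admin address and the extension in $newType are placeholders.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has
# been run; the admin address and $newType are placeholders.
$malwareSettings = @{
    # Turn on the common attachment types filter, then review its list.
    EnableFileFilter = $true
    # Sender notifications: internal senders only, as recommended above.
    EnableInternalSenderNotifications = $true
    EnableExternalSenderNotifications = $false
    # Also tell an admin, so the sending machine or account gets checked.
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = 'secops@contoso.example'
}
Set-MalwareFilterPolicy -Identity Default @malwareSettings

# Review the blocked file types and check whether docm is among them,
# since that is the entry most likely to generate user complaints.
$blocked = (Get-MalwareFilterPolicy -Identity Default).FileTypes
$blocked
$blocked -contains 'docm'

# To add a type (extensions are listed without the dot), append to the
# current list rather than replacing it.
$newType = 'ext'   # placeholder extension
if ($blocked -notcontains $newType) {
    Set-MalwareFilterPolicy -Identity Default -FileTypes (@($blocked) + $newType)
}
```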
Configuring Connection Filtering
Exchange Online Protection uses connection filtering to allow or block email based on the source IP address. Connection filtering is a good way to prevent spam and malware being received from known bad neighborhoods, such as the IP address ranges of residential ISPs where home computers can be infected by spam botnets.
There is one connection filtering policy that you can modify with specific IPs to allow or block.
In most cases I don't make any changes to these settings. If the customer has an externally hosted system that sends inbound email, and IP address is the only characteristic of the emails that we can use to allow it, then we'll add the IP to the allow list in the connection filtering policy. From time to time there will also be a need to add IP addresses to the block list if there's a sustained attack that other layers of spam or malware protection are not accurately blocking.
There is also the option to enable the safe list. Microsoft subscribes to various third party lists of trusted senders. There's not much more detail available, and if your security teams don't like to trust unknown lists of senders, then you can ignore this setting. I've found it useful to enable this option as a way to decrease the risk of legitimate email being blocked when other spam filtering settings are configured more aggressively.
IP allow/block lists configured in connection filtering apply to your entire tenant, and EOP doesn't allow you to create additional connection filtering policies. If you have more granular IP-based filtering requirements, use a mail flow rule (transport rule) instead.
As a final note on connection filtering, if you're using a third party email security service to filter email before it arrives in EOP, then you might be reducing the effectiveness of EOP. You can find out more in this discussion with Microsoft MVP Brian Reid.
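An added example (not from the article) of the three connection filtering changes described above, in Exchange Online PowerShell. The IP addresses are constructed placeholders from documentation ranges, and Connect-ExchangeOnline is assumed to have been run.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has
# been run. The addresses are constructed placeholders.

# Allow one externally hosted system by IP (the only characteristic we
# can match on), block a range that other layers keep missing, and turn
# on Microsoft's safe list. Add= appends rather than overwriting.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = '203.0.113.25'} `
    -IPBlockList @{Add = '198.51.100.0/24'} `
    -EnableSafeList $true

# Confirm the result; remember this one policy applies tenant-wide, so
# anything more granular belongs in a mail flow rule instead.
Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List IPAllowList, IPBlockList, EnableSafeList
```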
Configuring Spam Filtering
Spam filtering in EOP makes decisions based on the content of emails. The spam filtering options provide some of the most detailed customization available to you in EOP.
Incoming email is assigned a “spam confidence level” (SCL) when it has been scanned by EOP. The SCL ratings are published on TechNet, and are as follows:
- -1 for non-spam coming from a trusted source (e.g. IP allow list)
- 0-1 for email determined to be non-spam
- 5, 6 for email determined to be likely spam
- 7, 8, 9 for email determined to be high confidence spam
The default for likely spam and high confidence spam is to deliver to the recipient's junk email folder. However, there are multiple actions you can choose from when spam is detected:
- Move message to Junk Email folder (default setting)
- Add X-Header (adds an entry to the message headers that you can then use for mail flow/transport rules)
- Prepend subject line with text (useful for flagging to end users that an item is suspected spam)
- Redirect message to email address (useful if you want to look at all the spam you're blocking)
- Delete message (when you're really sure you won't miss legitimate email)
- Quarantine message (when you're not confident enough to delete the messages)
Customers tend to fall into two categories:
- Those who want to send suspected spam to Junk Email, and quarantine the high confidence spam
- Those who want to quarantine suspected spam email, and delete the high confidence spam
Very few customers that I work with mess around with X-Header or subject line insertion. If you do choose to quarantine spam, it's recommended that you configure end-user spam notifications, which we'll look at shortly.
The next spam filtering setting to review is the handling of bulk email. Bulk email is usually not spam. It's often referred to as “grey mail”. Bulk email is things like newsletters, marketing emails, anything that is sent out in bulk to a large audience. Transaction email such as receipts for online shopping is usually not considered bulk email, but might be treated as such if it comes from the same IP address pools.
I recommend treating bulk email as spam, and setting a high BCL value. The BCL (Bulk Complaint Level) is the number of spam complaints that a bulk email service generates. When recipients of newsletters and other marketing materials hit the equivalent of a “This is spam” button in their mail client, a spam complaint is registered against that sender. Bulk email services that allow their customers to generate a lot of complaints without terminating their service will end up with a poor reputation in the eyes of filtering systems like EOP. Reputable bulk email services work very hard to maintain their reputation, but there are others that are happy to take money from the less than ethical marketers of the world.
I generally leave the bulk email threshold to the default value of 7. Most customers operate in industries that have some form of marketing or professional newsletters that they want to receive. Users can be encouraged to add senders to their safe list if any of the newsletters that they want to receive are getting marked as spam. In a few cases I've worked with customers who discourage the use of work email addresses for any type of marketing or newsletter, and configure the bulk email threshold to a lower value to block as much of it as possible. Users are encouraged to use a personal email address for any newsletters they want to receive. I would argue that this doesn't really solve the problem, since users can usually still access their personal email from work anyway.
For quarantined item retention, you can set this to whatever you like really, since it's Microsoft's job to store it all. The maximum duration is 15 days, but you don't save any money by changing it to a lower value.
Spam filtering also has block lists and allow lists available for you to explicitly allow/block email addresses or domains. Using block lists is a game of whack-a-mole, but I've had customers who blocked emails from the major social networks (Facebook, LinkedIn, Twitter, etc). The goal was to reduce distractions if an employee happened to sign up to one of those networks using their work email. Allow lists are a little more useful for making sure that emails from a domain or specific sender are not blocked by the spam filters. Customers of mine tend to use this for any emails that they absolutely must receive emails from, such as emails with new bids or grants notifications.
The international spam filter options have been quite effective in reducing spam for local businesses that I have worked with. If they have no global operations at all, and don't speak or read any other languages, then there's usually no reason to accept email written in other languages. Filtering email from other countries or regions gets a little trickier, because there's always the possibility that a local customer is using an email server hosted in some other part of the world. For region blocking I usually recommend building the list up over time as any problematic spam is analyzed.
The advanced spam options have some additional controls that can be turned on/off, or placed in test mode as a way to measure the impact of turning them on. The first set of controls will increase the spam score for an email if the condition is matched. This doesn't mean that the email will be marked as spam, but it will increase the likelihood. The conditions are:
- Image links to remote sites – these are commonly used in email signatures, so increasing the spam score might result in more false positives if the sender has other issues with their mail. If you start to see too much missed spam with remote images, then you should turn this on.
- Numeric IP address in URL – I always turn this on. It can cause problems with things like UPS alert emails, but those can be fixed in other ways such as connection filtering or mail flow rules.
- URL redirect to another port – I always turn this on; there's no good reason for regular users to be clicking links that go to non-standard HTTP ports. Again, this might cause problems with systems that use non-standard ports for admin interfaces, if they happen to send emails containing links to those URLs. But that can be fixed in other ways.
- URL to .biz or .info domains – these are almost never legitimate websites, so I find it safe to turn this option on.
The next set of controls will mark an email as spam if the condition is matched. The conditions are:
- Empty messages – I enable this option on the basis that an empty message is useless anyway, so there's no real risk of blocking legitimate email.
- Frame or iFrame tags in HTML – I always turn this on.
- Object tags in HTML – I always turn this on.
- Embed tags in HTML – I usually turn this on. Most of the time it isn't a problem, but if you're concerned about some edge case of embedded media being blocked then you should try this one in test mode first.
- Form tags in HTML – I always turn this on.
- Web bugs in HTML – I always leave this turned off. Web bugs are basically remote images, a single pixel in size usually, that let a sender know whether an email has been opened. Most clients block remote image loading by default anyway, so web bugs are not entirely effective, but they're still widely used for legitimate emails.
- Apply sensitive word list – I usually turn this on as I've never had an issue with spam being blocked due to the use of “sensitive” words. If “sensitive” words are a normal part of your email communications and you're unsure of the impact of this setting, then you can just try it in test mode for a while first.
- SPF record: hard fail – I like to turn this on, but in some industries and small business sectors there is still a huge shortfall in proper use of SPF and other measures. There is no test mode for this setting, so if you prefer to err on the side of caution, leave it turned off.
- Conditional Sender ID filtering: hard fail – if the SPF setting is on, turn this on too. If not, leave it off.
- NDR backscatter – if you use Exchange Online for outbound mail then this does not need to be turned on at all. If you have outbound email from on-premises servers that does not route via EOP, then you can turn this on.
If you're using any settings in test mode, you can choose an action to take on messages that match those conditions. Sending a Bcc message to another mailbox is the simplest way to keep an eye on hits for your test mode items.
Finally, after configuring your desired spam filtering options, if you have enabled the quarantine action for spam, you should configure the end-user spam notifications.
I prefer to leave the notifications to be sent every day, but as you get your EOP settings tuned for greater effectiveness over time, and your users tell you that the spam notifications do not contain any legitimate email, then you can consider reducing the frequency of the notifications to every 2-3 days.
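The spam filtering choices walked through in this section (actions, bulk threshold, advanced options with test mode, and end-user notifications), applied to the tenant's default anti-spam policy as an added Exchange Online PowerShell example that is not the article's own code. It assumes Connect-ExchangeOnline has been run and picks the "quarantine likely spam, delete high confidence spam" option; the Bcc mailbox is a placeholder.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has
# been run; the test-mode Bcc address is a placeholder.
$spamSettings = @{
    # Actions: quarantine likely spam, delete high confidence spam
    # (the second of the two customer categories described above).
    SpamAction                = 'Quarantine'
    HighConfidenceSpamAction  = 'Delete'
    # Treat bulk email as spam, at the default BCL threshold of 7.
    BulkSpamAction            = 'Quarantine'
    BulkThreshold             = 7
    QuarantineRetentionPeriod = 15
    # Increase spam score: remote images stay off, the rest go on.
    IncreaseScoreWithImageLinks          = 'Off'
    IncreaseScoreWithNumericIps          = 'On'
    IncreaseScoreWithRedirectToOtherPort = 'On'
    IncreaseScoreWithBizOrInfoUrls       = 'On'
    # Mark as spam: embed tags and the sensitive word list start in
    # test mode so their impact can be measured before enforcing.
    MarkAsSpamEmptyMessages     = 'On'
    MarkAsSpamFramesInHtml      = 'On'
    MarkAsSpamObjectTagsInHtml  = 'On'
    MarkAsSpamEmbedTagsInHtml   = 'Test'
    MarkAsSpamFormTagsInHtml    = 'On'
    MarkAsSpamWebBugsInHtml     = 'Off'
    MarkAsSpamSensitiveWordList = 'Test'
    # SPF hard fail has no test mode; these two stay off until the
    # sending population is known to publish SPF correctly.
    MarkAsSpamSpfRecordHardFail   = 'Off'
    MarkAsSpamFromAddressAuthFail = 'Off'   # Conditional Sender ID
    # Not needed when all outbound mail leaves via Exchange Online.
    MarkAsSpamNdrBackscatter = 'Off'
    # Bcc every test-mode hit to a mailbox that someone actually reads.
    TestModeAction          = 'BccMessage'
    TestModeBccToRecipients = 'spam-testmode@contoso.example'
    # Quarantine is in use, so send end-user notifications daily.
    EnableEndUserSpamNotifications   = $true
    EndUserSpamNotificationFrequency = 1
}
Set-HostedContentFilterPolicy -Identity Default @spamSettings

# Confirm what was applied.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, Bulk*, MarkAsSpam*,
        IncreaseScore*, TestMode*, EndUserSpam*
```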
Configuring Outbound Spam Preferences
Exchange Online Protection will detect and block outbound spam, which is spam that is sent by users in your own organization. Most of the time the spam is not intentionally being sent by your own users, but is being sent by someone who has compromised one of your accounts. Other times the spam is due to an over-eager marketing person using Outlook to send bulk email out to the world, which is a bad idea.
In the outbound spam preferences you can set notifications so that you receive a copy of any suspicious outbound email. I usually find the email is not actually spam, but has some spam-like characteristics like awkward phrasing or an invitation to click on a link to login somewhere. A little user education can usually prevent those incidents from being repeated.
You can also configure a notification for any time one of your senders is blocked for sending spam. This is almost always an account compromise, as I mentioned earlier, so make sure these alerts are going to people who can take prompt action.
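Both outbound notifications described above, as an added Exchange Online PowerShell example rather than the article's own code. It assumes Connect-ExchangeOnline has been run; the security team mailbox is a placeholder.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has
# been run; the mailbox address is a placeholder for your security team.
$outboundSettings = @{
    # Receive a copy of any outbound message that looks suspicious, so
    # false alarms can be turned into a quick word with the user.
    BccSuspiciousOutboundMail                 = $true
    BccSuspiciousOutboundAdditionalRecipients = 'secops@contoso.example'
    # Alert when a sender is blocked: almost always a compromised
    # account, so route it to people who can act promptly.
    NotifyOutboundSpam           = $true
    NotifyOutboundSpamRecipients = 'secops@contoso.example'
}
Set-HostedOutboundSpamFilterPolicy -Identity Default @outboundSettings

# Confirm what was applied.
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Format-List BccSuspiciousOutbound*, NotifyOutboundSpam*
```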
So far we've covered the basic features of Exchange Online Protection. After you've taken those steps to configure EOP, there are some additional items to look at. One of them is DKIM, which I'll explore in a separate article in future. The others that I recommend are:
- Deploy the Junk mail reporting add-on for Outlook, and train your users and help desk how to report junk email to Microsoft in Outlook and OWA.
- Familiarize yourself with quarantine management.
- Bookmark the anti-spam headers reference, as you'll be using it a lot.
- If you are in a hybrid environment, configure the transport rules in your on-premises Exchange org for handling email marked as spam by EOP.
- For even more effective spam filtering, look at Advanced Threat Protection.