Exchange Online Protection is included with every Exchange Online plan and every Office 365 plan that includes Exchange Online licenses. EOP gives us connection filtering, which is filtering based on the IP address of the server on the internet that makes an SMTP connection to EOP to try to send email to you. Anti-malware is the familiar signature- and heuristics-based antivirus protection that has been around and evolving for a long time through a range of third-party products, as well as Microsoft’s own EOP and Forefront Online Protection services in the past. With mail flow rules you can create your own filtering rules based on characteristics of messages, such as the domain of the sender or text patterns in the body of the message. Content filtering is spam filtering based on analysis of the content of the email message itself. That’s just the high level. There’s a lot of detail to those features, and we’ll get into that detail as we go through this and future posts. When mail comes into your organization, Exchange Online Protection processes it through these features in order: connection filtering first, followed by malware scanning, mail flow rules, content filtering (or spam filtering, as it’s often referred to), and finally the Advanced Threat Protection features. We’re going to look at those ATP features in a future post.

Now there are two places where we can manage Exchange Online Protection settings: the Exchange Admin Center, or EAC for short, and the Security and Compliance Center, or SCC for short. If you browse to admin.microsoft.com and expand Admin centers, you will find both the EAC and the SCC.

[Screenshot: Microsoft 365 admin center - Home]

Just to point out: Microsoft is investing heavily in adding security and compliance-related features to the SCC, even going so far as to deprecate the management interfaces for some of those features in other admin portals. Everything in EOP can be configured in the SCC.

In the EAC, the EOP configuration is found in the Protection area. You can access it directly from the dashboard or by clicking the Protection link in the left pane.

[Screenshot: Welcome - Microsoft Exchange]

The Security and Compliance Center has the EOP settings under Threat management in the Policy section. (We will talk about Safe Links and Safe Attachments in a future post as well, and you will find them here too. The reason they are missing is that I don’t have an E5 license in my test tenant. I will take care of that later.)

[Screenshot: Policy - Security & Compliance]

 

CONNECTION FILTERING IN EOP

Connection filtering comes first in Exchange Online Protection’s processing of inbound mail flow. Why is it first? Because it’s one of the most effective, efficient, and lowest-cost methods of preventing spam. If you can block spam by blocking the initial SMTP connection before the message itself is transmitted to your server, you save a lot of time and network bandwidth, and you don’t waste server resources analysing attached malware files or spam content. Connection filtering protects you at the very edge of Exchange Online Protection. It looks at the source IP address of the server that is sending the mail. Does that IP address come from a bad neighbourhood, the kind of network ranges where known spammers live, or ranges used for ISP customers where an infected PC might be trying to send out a spam or malware campaign? IP-based filtering like this accounts for a very high proportion of blocked spam. It’s very effective. You can also configure custom allow and block lists for specific IP addresses, such as the IP address of an application server you host in the cloud that needs to send mail to your staff. If you want to be sure those messages aren’t blocked by the spam filter, you just add the address to your IP Allow list.

If you put an IP in the Allow list or the Block list, there are two different outcomes.

ALLOW LIST

  • The message is scored with a Spam Confidence Level, or SCL, of -1. This means that the message is treated as non-spam from a trusted source and bypasses further spam content filtering.
  • The message is still checked for malware, and if you have Advanced Threat Protection features enabled, those scans are also still performed.

BLOCK LIST

  • The message is scored with an SCL of 9. This means the message is treated as high confidence spam. This is basically the spammiest rating for a message.
  • Even though it’s already found to be spam, the malware and ATP scans are still performed because your high confidence spam configuration might be to allow the mail through to the quarantine or to the Junk Mail folder where the user can still access it.

SPAM SCORING TABLE

  -1    -> Non-spam from a trusted source
  0-1   -> Non-spam
  5,6   -> Likely spam
  7,8,9 -> High confidence spam

Let’s see how we can configure this in Office 365. Log in to the Office 365 portal and click on Exchange.

[Screenshot: Inbox - Outlook]

In the Exchange Admin Center, go to Dashboard -> Connection filter (another option is to click on Protection and then Connection filter).

[Screenshot: Welcome - Microsoft Exchange]

 

There’s only one connection filter policy in your tenant, and we can’t create additional policies like we can with the malware and spam filters. The nice thing about connection filtering is that Microsoft is already doing it for you automatically: you don’t need to turn it on or configure specific IP reputation lists, but you can still customize it to some extent.

Click on the pen to edit the policy.

[Screenshot: connection filter - Microsoft Exchange]

Once done, click on Connection filtering. Here we have the possibility to add IP addresses to the Allow list or the Block list.

[Screenshot: Configuring and Managing Office 365 Security]

Enable safe list -> this is a list of senders sourced from various third parties, as well as Microsoft’s own data, and those senders are considered trusted. If you enable this option, mail from these senders is never marked as spam. You can’t see this list; it’s a matter of trusting Microsoft to use all the data at their disposal to make the judgement call for you. Microsoft recommends selecting this option because it should reduce the number of false positives (good mail that’s classified as spam) that you receive.
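As an added example (not part of the original post), the same single Default connection filter policy can be read and changed from Exchange Online PowerShell, which is handy for change control and for reviewing what is on the lists; this assumes the ExchangeOnlineManagement module is installed, and the IP addresses are constructed placeholders from the RFC 5737 documentation ranges, not real servers.

```powershell
# Added example: manage the Default connection filter policy with Exchange Online
# PowerShell. Assumes the ExchangeOnlineManagement module; the addresses below are
# constructed placeholders (RFC 5737 documentation ranges).
Connect-ExchangeOnline

# Review the current state before changing anything. There is only one policy,
# named Default; you cannot create a second one.
Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List IPAllowList, IPBlockList, EnableSafeList

# Allow a trusted application relay (its mail gets SCL -1: skips spam content
# filtering but is still scanned for malware/ATP) and block a range you never
# expect legitimate mail from (SCL 9: high confidence spam, still malware-scanned).
# The @{Add=...} syntax appends to the existing list instead of overwriting it.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = '192.0.2.25'} `
    -IPBlockList @{Add = '198.51.100.0/24'} `
    -EnableSafeList $true

# Verify the change took effect.
$policy = Get-HostedConnectionFilterPolicy -Identity Default
$policy.IPAllowList
$policy.IPBlockList
$policy.EnableSafeList

# Housekeeping: remove an allow-list entry once the relay is decommissioned.
# A stale allow entry lets anything sent from that address bypass spam filtering.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Remove = '192.0.2.25'}

Disconnect-ExchangeOnline -Confirm:$false
```

Review the allow list periodically; every address on it is a permanent spam-filter bypass, so it should only ever hold systems you actually own or control.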

That’s it. This is the first feature and the first protection layer we have in EOP. The next post will focus on malware filtering, which comes after connection filtering.

Cheers,

Nedim