So far, we’ve talked about connection filtering, malware filtering, and mail flow rules in Exchange Online Protection. Let’s continue now to talk about content filtering, or spam filtering, as it’s also known. There’s a lot going on here with spam filtering as far as email content analysis goes. EOP is looking at the contents of the mail and its attachments for spam-like content, as well as bulk mail like newsletters so that EOP can handle those properly compared to full on spam and also, things like international spam, giving you the chance to just outright block email in certain languages or from certain countries.

Email that is processed by the spam filter is given a score. The Spam Confidence Level, or SCL, which is an indicator of how spammy that message is.

Spam Confidence Level:

  • SCL (-1) –> A score of -1, means the email is considered safe and is coming from a trusted source. Emails scored -1 will be seen if you add a sender’s IP address to your IP Allow list in EOP or if you have a mail flow rule that marks email to bypass the spam filter.
  • SCL (0-1) –> A score of either 0 or 1 means the email is not considered spam.
  • SCL (5,6) –> A score of 5 or 6 means the email is likely spam. This is where you’ll see a lot of graymail, things like newsletters and marketing communications from businesses that you’d probably have some prior relationship with. It tends to be that annoying, but not harmful, type of email.
  • SCL (7,8,9) –> A score of 7, 8, or 9 means that EOP has a high confidence that the email is spam. 

Now you might notice there’s no 2, 3, or 4 in that list and basically, EOP will never set a score of 2, 3, or 4. In fact, it won’t set 7 or 8 as well. It will only set 9 for high confidence spam. You can set any of those values yourself using a mail flow rule, but unless you set it to at least 5, it won’t be considered likely spam. And then anything you set at 7 or higher will be considered high confidence spam

EOP Actions

EOP has several spam filter actions available for us to use.

  • Messages moved to Junk folder by default –> The default action, when your Office 365 tenant is first created, is for any likely or high confidence spam to be sent to the Junk Email folder of the mailbox. So right out of the box, EOP won’t delete any spam. It will only junk it. Keep in mind that we’re talking about spam here, not malware or phishing.
  • Quarantine messages –> This send the mail to a quarantine bucket for that user, and the recommendation is to enable quarantine summary emails so that the user is sent a regular report of what’s new in their quarantine. They can log in to the quarantine at any time to release items if they suspect something has not been delivered.
  • Delete the messages –> You can also choose to delete messages. Perhaps this is a little risky, but for high confidence spam, I don’t particularly see any problems with deleting the messages, but that’s up to you. If you don’t want to run the risk of a legitimate email being deleted, and yes, some legitimate emails end up with an SCL score of 9, use quarantine instead.
  • Add X-Header –> if you just want EOP to add the header and then let something else in your environment such as a mail flow rule handle that email depending on that header value, then at least the option exists here.
  • Prepend subject line –> We can also prepend the subject line with some text. Think of this like tagging the subject line to draw the recipient’s attention to the spam score. Maybe you decide to just tag the subject line with the words possible spam instead of junking it.
  • Redirect message to email address –> Finally, you can choose to redirect the message to another email address. Now maybe you want to delete emails that are high confidence spam, but you’re not 100% sure of that decision and you want to see what EOP would be deleting. Well, you can use this option and redirect them to another mailbox for a while. Then you look through the messages in that mailbox and you get a sense of whether there’s any false positives.

 

Other Spam Filter Options

  • We can configure Block lists based on sender addresses or entire domains of senders, and also do the same with Allow lists. In both cases, we’re making a decision entirely based on the sender’s domain or email address without that extra granularity that mail flow rules provide us to add other criteria to the decision.

 

  • We can filter, which means treat as spam, emails written in specific languages. So if you’re not a multinational company receiving legitimate emails in foreign languages, you can just go ahead and treat them all as spam.

 

  • We can filter email from specific countries as well.

 

  • We can also increase the spam score of messages that have spammy indicators. Some of those indicators are things like having remote images in the email content. Most marketing and newsletters have these, so that’s stuff that some people think of as spam. URLs containing IP addresses or nonstandard TCP ports is another example of a spammy indicator. But there’s also times when those might be legitimate, such as email alerts from things like UPS or monitoring systems.

 

  • We can also mark as spam any messages that have certain properties. This is not a minor adjustment of the spam score. This is a complete mark as spam outcome. The message will get ramped up to the maximum spam score, an SCL of 9. Those message properties are things like uncommon HTML objects in email or JavaScript’s in the email, stuff that commonly isn’t used and could be an attempt at exploit or an indicator of spam.

 

  • Finally, with all of those spam filtering options available to us, we can turn them on, we can turn them off, or we can put them in test mode. For example, let’s say you’re considering turning on the option to increase the spam score for emails containing IP addresses in URLs, but you’re concerned about false positives. Well we can set that option to test mode, then configure the test mode options on the policy to insert a special header or to BCC the message to an address so we can see the impact of the policy before we turn it on completely.

 

OUTBOUND SPAM FILTER OPTIONS

Everything we’ve talked about in spam filtering so far is related to inbound spam filtering, emails that have been sent by external senders to recipients inside your organization. It’s also possible that spam will originate from your organization out to recipients on the internet. For outbound spam, we have two options to configure.

  • Send a copy of all suspicious outbound email messages to the following email address or addresses -> We can send a copy of any suspicious outbound spam to another email address in your organization where a human can monitor for suspicious email, or you might even have a system monitoring that mailbox and logging a ticket in your support system for one of your team to investigate.
  • Send a notification to the following email address or addresses when a sender is blocked for sending outbound spam –> The other option is to send a notification if Office 365’s outbound spam algorithms take the step of blocking one of your senders entirely for sending too much spam. Again, you can send those alerts to a mailbox or a distribution list for someone to investigate.

 

SPAM VS GREYMAIL AND BULK EMAILS

Some people view all unwanted email as spam, and that includes things like newsletters and marketing emails from businesses that they have maybe purchased something from, but now they’re hearing from them every week with the latest discount and things like that. A lot of that stuff doesn’t meet the legal definition of spam, and you’ll hear it referred to as graymail instead. From our perspective, as EOP administrators, these are considered bulk email. Microsoft can recognize bulk email senders because they tend to have certain recognizable sending patterns and because bulk mail senders use specific pools of IP addresses to send out their customers mail. We have one basic control that we can apply to bulk email in EOP, and that is to choose the Bulk Complaint Level, where bulk email should be treated as spam.

Let’s go ahead and see how we can configure all of these settings. Login to your office 365 tenant and go to Security and Compliance center. Click on Threat Management –> Anti-Spam

2019-05-29 14_16_25-Microsoft Edge.png

The standard settings are enabled by default in a new tenant, and if you customize the settings, you can come back here and flip this switch back to ON to restore the Standard settings.

2019-05-29 14_18_39-Microsoft Edge.png

The Standard policy will move spam and bulk email to the Junk folder, and it will also quarantine phishing emails.

2019-05-29 14_20_54-Microsoft Edge

There are no entries in the Allow or Blocks lists, but you can also edit those yourself if you need to.

2019-05-29 14_22_01-Microsoft Edge.png

Spoof intelligence

Now we’ve also go this Spoof intelligence setting here. This is when Exchange Online Protection detects someone spoofing your domain. We can review those senders and if it turns out that they’re legitimately supposed to be sending with our domain, perhaps an externally hosted Sass application that sends emails to your users, then we can approve them here.

2019-05-29 14_24_10-Microsoft Edge.png

I you want to change something you can customize this policy by clicking on Custom and switching to ON

EDIT DEFAULT POLICY

2019-05-29 14_26_07-Microsoft Edge.png

Once enabled, you can go ahead and change these settings so that it meet your requirements. We can have multiple spam filter policies in Exchange Online Protection. When you create a new one,  at the bottom is Applied to section where you can scope the policy to specific users. I will not create a new one. Let’s edit the default one. Click on Edit Policy

2019-05-29 14_27_26-Microsoft Edge.png

Once done, new window will open and we can expand the sections and customize it.First, let’s deal with the spam and bulk email.

SPAM AND BULK ACTIONS

I will leave SPAM as default but I will change HIGH CONFIDENCE SPAM to Quarantine and I will leave PHISHING as is.

2019-05-29 14_38_24-Microsoft Edge.png

By default, a new tenant’s bulk email is sent to the Junk Mail folder if it comes from senders with a Bulk Complaint Level of 7 or higher, with 9 being senders who attract the highest number of bulk mail complaints.

2019-05-29 14_41_43-Microsoft Edge.png

Quarantine –> Default option is 15 days, max is 30

Moving on, there are options here to add an X-header or Prepend subject lines or Redirect to an email address. These options stay grayed out if you haven’t chosen that action for any of the previous settings. If you want to enable it, you will need to edit for example Bulk Email section from Move message to Junk Email to Prepend Subject line with text. Once done, this option will be available for you.

OBS!!! Now, what if we also want to mark the Phishing email with some text in the subject line? Well, now we’ve got a little problem because only one text string can be defined here in this setting, but we’ve got two different types of email that we want to tag with different subject lines. So you’d need to choose a different option, like adding an X-header, and then use a mail flow rule in Exchange Online to detect that header and use the mail flow rule to prepend the subject line accordingly.

SAFETY TIPS –> Safety tips are little messages that are inserted into the beginning of email messages to alert the user for things like an email from a trusted sender or that remote images have been blocked or that an email looks suspicious and might be a phishing email. It’s best to leave these on as they are useful to catch the user’s attention to possible issues.

2019-05-29 14_45_11-Microsoft Edge.png

We have Allow and Block List as well. If you have specific sender email addresses or entire domains that you want to allow or block, which means by-passing spam filtering or treating as spam, then you would configure those here.

2019-05-29 14_54_59-Microsoft Edge.png

INTERNATIONAL SPAM SECTION

This is where we can use Exchange Online Protection to filter email that is written in specific languages or sent from specific countries. Let’s say that you’re getting spammed with email that’s written in Chinese and your business has no legitimate need to receive email written in that language. Well you can just go ahead and filter those emails and when you filter emails with the International spam options, they’ll be treated as high confidence spam.

2019-05-29 14_57_58-Microsoft Edge.png

2019-05-29 14_59_00-Microsoft Edge.png

SPAM PROPERTIES SECTION

There are two groups of options here, those that will Increase the spam score and those that will Mark as spam.

2019-05-31 20_49_47-Window.png

INCREASE SPAM SCORE

The options that will increase the spam score will cause the email to be treated as spam, not high confidence spam. The triggers are Image links to remote sites, which a lot of marketing emails use, URLs that redirect to nonstandard ports; numeric IP address URLs; and then. biz and. info websites. It is a good idea to turn testing on so that you see impact.

2019-06-01 16_23_12-Mail filtering - Security & Compliance

MARK AS SPAM

These ones will mark an email as spam if they are detected. The SCL score on the email will be bumped right up to 9, and that means they’ll be treated as high confidence spam. I will turn on testing on these as well.

2019-06-01 16_45_55-Mail filtering - Security & Compliance.png

Now there are three final settings here that we can enable on EOP to mark email as spam, which again means high confidence spam with an SCL score of 9. This first two are for SPF and Sender ID hard fails. If someone has an SPF record set up for their domain and the SPF lookup for an inbound email from that domain fails, and the failure is a hard fail (meaning they were sent from an IP address not specified in the SPF record), not a soft fail, then EOP will mark it as spam.

The third option is NDR backscatter. This basically means that if someone else on the internet is spoofing emails from your domain and those spoofed emails go to nonexistent recipients resulting in a non-delivery report, or an NDR for short, then those NDRs that are caused by the spoof email are called backscatter. You don’t want users to receive the non-genuine NDRs. But if you’re using Exchange Online for your outbound mail, you don’t actually need to turn this on. It’s already being detected and blocked for you. This option is really for hybrid environments where outbound email is going out to the internet via other routes, such as directly from an on-premises Exchange Server.

2019-06-01 16_55_52-Mail filtering - Security & Compliance

Now last option in Spam properties is Test mode option. This is where we control what happens when those criterias are detected in an email. We can add an X-header, and then use that X-header in a mail flow rule in Exchange Online to do something with that email, or we can simply Bcc their emails to another email address for inspection, which is a nice, simple option. Just add in the SMTP address of a shared mailbox or a group that your team has access to for inspecting those emails.

2019-06-01 17_01_14-Mail filtering - Security & Compliance.png

End-user spam notification

The last option we are going to check is the end-user spam notification. When we turn on quarantining of spam in the Spam policy, we want users to be able to manage their own quarantined email. To improve the user experience, we should enable the end-user spam notifications. So make sure that this is enabled, and then choose how often you want the users to receive a summary email of their quarantine items. To enable end user spam notification, expand Default spam filter policy and click on the link configure end user spam notification

2019-06-01 17_12_44-Mail filtering - Security & Compliance

Mark Enable end-user spam notification, select how often user will receive report and select the language.

2019-06-01 17_13_44-Mail filtering - Security & Compliance

That’s it.

I hope this has been informative for you. With this post we will finish our EOP journey and move to the next chapter where I will write about Advanced Threat Protection.

Stay Tuned!

Cheers,

Nedim