3OverviewThis module explores the various capabilities of the Exchange Online Protection service, including:Anti-Malware protectionAnti-Spam protection, including connection and content filteringQuarantining messagesReportingMicrosoft Exchange Online customers are automatically provided with anti-spam and anti-malware protection. The following topics (and their associated subtopics) provide overview information and configuration steps for customizing spam filtering and malware filtering settings so that they best meet the needs of your organization:Anti-Spam ProtectionDescribes anti-spam protection which is comprised of connection filtering, content filtering, and outbound spam processing. Among the information included are explanations about how spam confidence levels (SCL) and outbound spam processing work, how to submit spam messages and false positive messages to Microsoft, and details about how to configure anti-spam settings using the Exchange Administration Center (EAC).Anti-Malware ProtectionDescribes the multi-layered anti-malware protection provided by the service. Among the information included are an Anti-Malware FAQ and details about how to configure anti-malware settings using the EAC.QuarantineDescribes how you can search for quarantined messages, view details about quarantined messages, release specific messages to a recipient you specify, and also quickly report a quarantined message as a false positive. (Messages that are identified as spam or that match an Exchange transport rule can be sent to the quarantine in the EAC.)
4Exchange Online Protection What is Exchange Online Protection (EOP)?EOP is the new version of Forefront Online Protection for Exchange (FOPE), Microsoft’s hosted gatewayProvides comprehensive protection through multi-engine antivirus and continuously evolving anti-spam protectionBuilt on Exchange 2013 Transport architectureGeographically load-balanced datacentersQueuing capabilities to help ensure no mail is lostCurrently processes 1 billion messages per dayEOP is available:As a stand-alone cloud service for on-premises customersAs part of Office 365 subscriptions
5Simple to Deploy Add and verify domain ownership in Office 365 Change your MX record to point to <domain-com>.mail.protection.outlook.comCreate an SPF TXT record for your domain v=spf1 include:spf.protection.outlook.com -allFine tune anti-malware and anti-spam settingsCreate rules to meet business needsThe required DNS records customised for your domain will be available in the Office Admin Center once you add and verify your custom domain.The format for the MX record is always <domain-com>.mail.protection.outlook.com where <domain-com> is your custom domain.E.g. Contoso.com would point their MX record to contoso-com.mail.protection.outlook.com
6EOP AdministrationUnlike FOPE, Exchange Online Protection administration is incorporated into the Exchange Admin Center
10Definition of Malware What is Malware? Malware is any kind of unwanted software that is installed without your adequate consentWhat is Spyware?Spyware is a general term used to describe software that performs certain behaviors, generally without appropriately obtaining your consent first; such as:AdvertisingCollecting personal informationChanging the configuration of your computer
11Malware Filter Configuration What you can do in the Exchange Administration Center (EAC)?The Malware detection response (action)The custom alert text (deletion txt)The notifications (who to send to and the ability to customize the notifications)Malware Filter ConfigurationMalware filtering is automatically enabled company-wide via the default anti-malware policy. As an administrator, you can view and edit, but not delete, the default anti-malware policy so that it is tailored to best meet the needs of your organization.
13Multi-layered anti-spam protection Connection filteringBlocks up to 80% of all spam based on IP block/allow listsSender-recipient filteringBlocks up to 15% of all spam based on internal lists and sender reputationContent filteringBlocks up to 5% of all spam based on internal lists and heuristics
14Connection Filter What is Connection Filtering ? It is blocking or allowing inbound messages based on the originating IP addressThe connection filter checks IP Allow and IP Block lists prior to checking the content of each messageMessages from specifically allowed IP addresses bypass filteringMessages from senders in the IP Block list are blocked, except in cases where they also appear in the IP Allow listYou can add an IP address or address range to an IP Allow list or IP Block list in EACYou can also check Enable safe list to skip messages from trusted senders, derived from lists that Microsoft subscribes to.
15Content FilterContent Filtering- Content filtering examines each part of the inbound message, such as the header and message body, using a list of regular expressions. A score is then assigned to the message if a rule is matched. Several URL lists are also used to block messages that contain specific, suspicious URLs. You can configure actions for each confidence-threshold level by editing the default content filter policy. For example, you can send messages to the quarantine or to the Junk folder of each recipient. Content filtering includes international filtering, which means that you can choose to block messages written in specific languages or sent from specific countries or regions, and Advanced Spam Filtering Options, which inspects attributes in a message and acts upon the message if it matches a specific configured attribute. If you are concerned about phishing, some advanced options offer a combination of Sender ID and SPF-record technologies to authenticate and verify that messages are not spoofed.
16Content Filter Actions DeleteQuarantineAdd x-headerMove to Junk folderPrepend subject line with textRedirect to addressFilter messages from particular countries, or by languageDelete message Deletes the entire message, including all attachments.Quarantine messageSends the message to quarantine instead of to the intended recipients. If you select this option, in the Retain spam for (days) field input box, specify the number of days during which the spam message will be quarantined. (It will automatically be deleted after the time elapses. The default value is 15 days and you can specify a maximum of 30 days.) This is the initial default action for all confidence levels until you modify the default spam content filter policy, after which the default action will be changed to move messages to the Junk folder unless you specifically select one of the other actions.Move message to Junk folderSends the message to the Junk folder of the specified recipients.Add X-headerSends the message to the specified recipients but adds a special X-header to the message that identifies it as spam. This X-header is then added to the headers of all subsequent spam messages. You can create rules to filter messages that are marked with X-headers, if needed. You can customize the X- header text that is added to messages using the Add this X-header text input box.Prepend subject line with textSends the message to the intended recipients but prepends the subject line with the text that you specify in the Prefix subject line with this text input box.Redirect message to addressSends the message to a designated address instead of to the intended recipients. Specify the “redirect” address in the Redirect to this address input box.IMPORTANT: Any changes to antispam policies can take up to an hour to replicate across all datacenters.
17Content Filter Advanced Options Increase Spam ScoreMark As SpamTest Mode OptionsContent Filter Advanced OptionsWhen an option is set to test mode, no action is taken on messages that meet the spam filter criteria. However, messages can be tagged with an X-header before they are delivered to the intended recipient; this X-header lets you know which ASF option was matched and what would happen if the option was set to on. If you specified Test for any of the advanced options, you can configure the following test mode settings to be applied when a match is made to a test-enabled option:None: Take no test mode action on the message. This is the default.Add the default test X-header text: Selecting this option sends the message to the specified recipients but adds a special X-header to the message that identifies it as having matched a specific advanced spam filtering option.Send a Bcc message to this address: Checking this option sends a blind carbon copy of the message to the address you specify in the input box.TIP: If you are concerned about phishing, it is recommended to turn on the SPF record hard fail and the conditional sender ID hard fail options.
18Spam Confidence Level SCL Rating Spam Confidence Interpretation Default Action-1Non-spam coming from a safe sender, safe recipient, or safe listed IP address (trusted partner)Deliver the message to the recipients’ inbox.0, 1Non-spam because the message was scanned and determined to be clean5, 6SpamThe initial default is to deliver the message to the quarantine. However, if the default spam content filter policy is modified, by default the message will instead be delivered to the Junk folder.9High confidenceWhen an message goes through spam filtering it is assigned a spam score. That score is mapped to an individual Spam Confidence Level (SCL) rating and stamped in an X-header. Microsoft Exchange Online takes actions upon the messages depending upon the spam confidence interpretation of the SCL rating.The above table shows how the different SCL ratings are interpreted by the filters and the default action that is taken on inbound messages for each rating.SCL ratings of 2, 3, 4, 7, and 8 are not used by the service.An SCL rating of 5 or 6 is considered suspected spam, which is less certain to be spam than an SCL rating of 9.Different actions for spam and high confidence spam can be configured by editing the default content filter policy in the Exchange Administration Center.
19Outbound Spam Why do you need outbound spam filtering? Outbound spam filtering is needed because malicious programmers and their malware are out there taking over computers inside corporate networks every day. This means that users in your organization can be sending large amounts of outbound spam without your knowledgeOutbound spam filtering is always enabled, thereby protecting organizations using the service and their intended recipients. Similar to inbound filtering, outbound spam filtering is comprised of connection filtering and content filtering, however the outbound filter settings are not configurable. If an outbound message is determined to be spam, it is routed through the high risk delivery pool, which reduces the probability of the normal outbound-IP pool being added to a block list. If a customer continues to send outbound spam through the service, they will be blocked from sending messages. Although outbound spam filtering cannot be disabled or changed, you can configure several company-wide outbound spam settings via the default outbound spam policy
20QuarantineMessages are not quarantined by default. In order to start quarantining messages, you need to configure the content filter to stop sending messages to junk folder, and choose to redirect SPAM to quarantine queue.
21Quarantined MessagesMessages that are identified as spam or that match an Exchange transport rule can be sent to the quarantineIf you are an administrator, you can perform the following actions against quarantined messages via EAC: - Search for quarantined messages - View details about quarantined messages - Release specific messages to a recipient within your organization - Quickly report a quarantined message as a false positive
22Working with Quarantined Messages and PowerShell To retrieve information about quarantined s Get-QuarantineMessage -StartReceivedDate 02/13/ EndReceivedDate 02/14/2013To release a quarantined messageGet-QuarantineMessage -MessageID <5c695d7e a4b0- | Release-QuarantineMessage
23Junk ManagementUsers can now receive spam notifications for messages destined to them that were marked as junk and quarantinedUsers can choose to either release or report on quarantined messages
25Built-in ReportingProvides a clear view on spam filtering and malware attacks
26Testing changes to Malware and Content filters Testing Malware filterCreate a file called EICAR.txt with the following text: FILE!$H+H*Attach EICAR.TXT to a new mail message, and send it through the service.Confirm your antimalware filter settings have taken affect (policy changes can take up to an hour to replicate across datacenters)This “EICAR” test attachment will cause the message to be treated as malicious antivirus/antimalware enginesTesting Content filterTest Content filter using GTUBE message. A GTUBE message should always be detected as spam by the content filter, and the actions that are performed upon the message should match your configured settings. Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST- *C.34X
27Module ReviewWhat are the three main topics which make up the suite in Exchange Online Protection ?Anti-Malware, Anti-Spam, QuarantineWhat are the three types of filtering available ?Malware Filtering, Content Filtering, Connection FilteringWhat does the outbound spam policy do ?If an outbound message is determined to be spam, it is routed through the high risk delivery pool, which reduces the probability of the normal outbound-IP pool being added to a block list. If a customer continues to send outbound spam through the service, they will be blocked from sending messages
31Types Of Rules Transport Rules Let you apply messaging policies to messages in the transport pipelineActions, such as redirecting a message or adding recipients, rights-protecting messages, and rejecting or silently deleting a message can be takenTransport Protection RulesAdministrators can use transport protection rules to implement messaging policies to inspect message content, encrypt sensitive content, and use rights management to control access to the contentOutlook Protection RulesIn Exchange Online, Outlook, and OWA users and administrators can apply Information Rights Management (IRM) protection to messages by applying an Active Directory Rights Management Services (AD RMS) rights policy template. This requires an AD RMS deployment in the organization
32Transport RulesUse transport rules to look for specific conditions on messages that pass through your organization and take action on themTransport rules allow you to: - Prevent inappropriate content from entering or leaving - Filter confidential organization information - Track or copy messages that are sent to or received from specific individuals - Redirecting inbound and outbound messages for inspection before delivery - Applying disclaimers to messages as they pass through the organizationYou can only create a maximum of 100 transport rules in Exchange OnlineExchange Transport Rules provide an additional level of mail flow control for Exchange Online Administrators. The basic goal of creating a transport rule is to have Exchange Online (EXO) inspect any messages sent to and received by the users in a tenant and complete a task against that message. These rules can help Exchange Online Administrators lessen security and compliance issues in their organization. For example, a common transport rule created by EXO Administrators is to apply a legal disclaimer to each message leaving their organization.Exchange Transport Rules will replace FOPE Wave 14 Policy rules. If a customer wants to have a policy to block all mail from a specific sender, or mail with a specific character set, they must use the Transport Rules.
33Transport Rule Components A transport rule consists of the following components:Conditions: identify the messages that you want the rule to apply toActions: specify what you want to do to the messages that are identified by the conditionsExceptions: override conditions and prevent the rule from acting on specific messagesChoose a mode for this rule: (Enforce, Test with Policy Tips, Test without Policy Tips)Exchange Transport Rules provide an additional level of mail flow control for Exchange Online Administrators. The basic goal of creating a transport rule is to have Exchange Online (EXO) inspect any messages sent to and received by the users in a tenant and complete a task against that message. These rules can help Exchange Online Administrators lessen security and compliance issues in their organization. For example, a common transport rule created by EXO Administrators is to apply a legal disclaimer to each message leaving their organization.Exchange Transport Rules will replace FOPE Wave 14 Policy rules. If a customer wants to have a policy to block all mail from a specific sender, or mail with a specific character set, they must use the Transport Rules.
34How to Create a New Rule?Transport Rules are created by using the New Rules Wizard. You can access the wizard by going to Mail Flow > Rules > New, and selecting the kind of rule that you want to create.
35Transport Rules via PowerShell How to create a New Transport RuleNew-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo "Sales Department" -PrependSubject "External message to Sales DG:“How to verify the Rule was createdGet-TransportRule "Mark messages from the Internet to Sales DG“How to view all rules in your Exchange Online TenantGet-TransportRule
37Delivery ReportsMessage tracking within your Exchange Organization onlyTrack delivery information about messages sent by or received from any specific mailbox in your organizationOptionally add words to search for in the subject lineSubject line is displayed in the results, not message contentTrack messages for up to 14 days after they were sent or receivedNote: It does not track messages sent from POP or IMAP clients, such as Windows Mail, Outlook Express, or Mozilla Thunderbird
39Message TraceThe message trace feature enables an administrator to follow messages as they pass through your Exchange Online or Exchange Online Protection serviceIt helps you determine whether a targeted message was received, rejected, deferred, or delivered by the service within the past 7 daysIt also shows what actions have occurred to the message before reaching its final statusObtaining detailed information about a specific message lets you efficiently answer your user’s questions, troubleshoot mail flow issues, validate policy changes, and alleviates the need to contact technical support for assistance
40How to Run a Message Trace Navigate to Mail Flow > Message Trace in EACSelect Fields (to narrow search)Options include:SenderRecipientMessage was Sent or ReceivedDelivery Status or Message IDNone is also an allowed option, which will display the previous 7 days of information. Please note that only 7 days is retained by the ServiceClick Search to run the Message Trace*Message Trace information is available for up to 90 days
41View Message Trace Results After running a search, the results will be listed in the Message Trace Results pane below the search sectionThe following information is displayed about each message:DateSenderRecipientSubjectStatusEach column can be sorted by clicking on the column name. Clicking it will switch the current sort orderIf results exceed 500 entries there will be a page navigation section which will appear for useAfter running the message trace in the EAC, the results will be listed, sorted by date, with the most recent message appearing first. You can sort on any of the listed fields by clicking their headers. Clicking a column header a second time will reverse the sort order. When viewing message trace results, the following information is provided about each message:Date: The date and time at which the message was received by the service, using the Coordinated Universal Time (UTC) time standardSender: The address of the sender in the formRecipient: The address of the recipient or recipients. This should include the address from the To list as originally received before any DL expansion. There will be one To address per result. When a DL is expanded, and you have rights to see the expansion, then the expanded results will also be shown. (There will be a result shown for the DL as well as one per recipient within the expanded DL.)Subject: The subject line text of the message. If necessary, this is truncated to the first charactersStatus: This field specifies whether the message was Delivered to the recipient, Failed to be delivered to the recipient (either because it failed to reach its destination or because it was filtered), is Pending delivery (it is either in the process of being delivered or the delivery was deferred but is being re-attempted), was Expanded (there was no delivery because the message was sent to a DL that was expanded to the recipients of the DL), or has a status of None (there is no status of delivery for the message to the recipient because the message was either rejected or redirected to a different recipient)Note: The message trace results are displayed in a scrollable list that can display a maximum of 500 entries per page. Additional pages can be accessed by using the page navigation feature.
42Message Tracing via PowerShell Using Get-MessageTrace to see informationGet-MessageTrace -SenderAddress -StartDate 06/13/2012 -EndDate 06/15/2012Obtain more detailed information by pipelining the results to the Get- MessageTraceDetail cmdletGet-MessageTrace -Id 2bbad36aa4674c7ba82f4b307fff549f - SenderAddress -StartDate 06/13/2012 -EndDate 06/15/2012 | Get-MessageTraceDetail
44Connector TypesConnectors are used to control inbound and outbound mail flowWith connectors, you can route mail to and receive mail from recipients outside of your organization, a partner through a secure channel, or a message-processing applianceThe most commonly used connector types are Outbound connectors, which control outbound messages, and Inbound connectors, which control inbound messagesConnectors can be configured to enforce IP address and domain restrictions, as well as TLS encryption, for both inbound and outbound mail
45Using ConnectorsMail flows into and out of Exchange Online through EOP without the need to create any inbound or outbound connectors by defaultCreate connectors when you need to customize inbound and outbound mail flow between:Exchange Online and On-PremisesExchange Online and External RecipientsExchange Online and Partner OrganizationsAn example scenario where connectors using TLS are created to enforce encrypted mail flow between EOP and a partner
46On-Premises Organization Exchange Online Protection MX resolves to on-premises gatewayMX is switched to Exchange Online ProtectionOutbound Exchange Online traffic is delivered directYou can choose to route outbound on-premises mail via EOPSecure MailExternal RecipientOn-Premises OrganizationInternetThird Party Security SystemExchangeExchange Online ProtectionSecure MailEncrypted & Authenticated Mail Flow“David”On-premisesMailboxExchange Online“Chris”CloudMailbox
47Centralized Transport MX resolves to on-premises gatewayAll in and out of the Exchange Online tenant must go via on-premisesMX is switched to Exchange Online ProtectionCentralized TransportExternal RecipientOn-Premises OrganizationInternetThird Party Security SystemExchangeExchange Online ProtectionSecure MailEncrypted & Authenticated Mail FlowExchange Online“David”On-premisesMailbox“Chris”CloudMailbox