Protect communications Multi-engine anti-malware and enhanced spam filtering to help protect your email environment from threats Enforce policy Flexible.

Presentation transcript:

Protect communications: Multi-engine anti-malware and enhanced spam filtering to help protect your email environment from threats
Enforce policy: Flexible tools for policy enforcement that provide the right level of control
Streamlined management: Flexible administration of anti-spam, anti-malware and policy rules

[Diagram] Email is routed to EOP DCs based on MX record resolution. Labels: Edge Blocks; IP-based edge blocking; Virus Scanning (AV Engine 1, AV Engine 2, AV Engine 3); Policy Enforcement; Custom Rules; Allows/Rejects; Policy Quarantine; SPAM Protection; Content scanning; URL Block lists; Bulk Mail filtering; Content Filter Advanced Options; Outlook Safe Sender/Recipient; SPAM Quarantine; Spam Analysts; Customer Feedback (False Positive/Negatives); Corporate Network

[Diagram] Labels: Corporate Network; Virus Scanning (AV Engine 1, AV Engine 2, AV Engine 3); Policy Enforcement; Custom Rules; Quarantine; SPAM Protection; Content scanning and Heuristics; Content Filter Advanced Options; Normal Score; Spam Analysts; Encryption; Outbound Pool; Higher Risk Outbound Pool; NDR Delivery Pool; Bulk Delivery Pool; Higher Risk Delivery Pool; Internet

Step 1: Verify prerequisites
Step 2: Configure mail flow (connectors)
Step 3: Add and validate domains
Step 4: Customize spam and policy settings
Step 5: Enable mail flow
Step 6: Monitor and fine tune

Exchange Server 2013 Exchange Online EOP Stand Alone

On-Prem Mail Environment Exchange Online Protection Partner Environment

On-Prem Mail APAC Exchange Online Protection On-Prem Mail AMER On-Prem Mail EMEA

Spam and policy customization

Spam and policy customization (ESN)

EOP and the Junk Mail folder
Two rules need to be added to the on-premises environment.

    # Messages with an SCL above this threshold are moved to the Junk Mail folder
    Set-OrganizationConfig -SCLJunkThreshold 4
    # "NameForRule" is a placeholder; each rule needs its own unique name
    New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6
    New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6

End users need to be educated about the use of the Junk Mail folder in Outlook
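To see what these rules do to a given message, the following added example (not part of the original slides) parses the X-Forefront-Antispam-Report header and applies the same SFV match, SCL value and junk threshold. The sample messages and the function names are constructed for illustration.

```python
import email
from email import policy

SCL_JUNK_THRESHOLD = 4          # value passed to -SCLJunkThreshold on the slide
SPAM_VERDICTS = {"SPM", "SKS"}  # SFV values the two transport rules match
RULE_SCL = 6                    # value passed to -SetSCL on the slide

# Constructed sample messages (not real mail). The first header is folded.
SPAM_MSG = (
    "From: a@example.net\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;LANG:en;\n"
    " SFV:SPM;SCL:5\n"
    "Subject: offer\n\nbody\n"
)
CLEAN_MSG = (
    "From: b@example.org\n"
    "X-Forefront-Antispam-Report: CIP:198.51.100.7;SFV:NSPM;SCL:1\n"
    "Subject: minutes\n\nbody\n"
)

def parse_antispam_report(raw_message):
    """Return the header's KEY:value; pairs as a dict with upper-cased keys."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = str(msg.get("X-Forefront-Antispam-Report", ""))
    fields = {}
    for part in value.split(";"):
        # Split on the first colon only, so values containing ':' survive.
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields

def junk_decision(raw_message):
    """Mirror the rules: SFV:SPM or SFV:SKS sets SCL 6; Junk when SCL > threshold."""
    sfv = parse_antispam_report(raw_message).get("SFV", "").upper()
    scl = RULE_SCL if sfv in SPAM_VERDICTS else None  # None: rules did not fire
    junk = scl is not None and scl > SCL_JUNK_THRESHOLD
    return {"sfv": sfv, "scl": scl, "junk": junk}

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MSG), ("clean", CLEAN_MSG)):
        print(name, junk_decision(raw))
```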

Enable mail flow
DNS changes
- MX record (domain-suffix.mail.protection.outlook.com)
- SPF record (v=spf1 include:spf.protection.outlook.com -all)
- Do not change CNAME DNS entries for stand alone customers
On-premises changes
- Create smart host from on-premises environment to EOP
- Restrict on-premises firewall to only accept port 25 traffic from EOP
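A check of the MX and SPF values before mail flow is switched over, as an added example that is not part of the original slides. The zone data is constructed (the contoso.com names follow the ones used in this deck) and would in practice come from MX and TXT lookups; the function names are illustrative.

```python
EOP_MX_SUFFIX = ".mail.protection.outlook.com"
EOP_SPF_INCLUDE = "include:spf.protection.outlook.com"

# Constructed zone data for illustration.
ZONE_OK = {
    "mx": [(10, "contoso-com.mail.protection.outlook.com.")],
    "txt": ["v=spf1 include:spf.protection.outlook.com -all"],
}
ZONE_BAD = {
    # A second MX straight to on-premises receives mail that EOP never filters.
    "mx": [(10, "contoso-com.mail.protection.outlook.com."),
           (20, "mail-b.contoso.com.")],
    # En dash instead of a hyphen, as happens when the record is pasted from a slide.
    "txt": ["v=spf1 include:spf.protection.outlook.com \u2013all"],
}

def check_mx(mx_records):
    """mx_records: list of (preference, host). Every MX must point at EOP."""
    findings = []
    if not mx_records:
        findings.append("no MX record")
    for pref, host in sorted(mx_records):
        if not host.rstrip(".").lower().endswith(EOP_MX_SUFFIX):
            findings.append(f"MX {pref} {host} does not point at EOP")
    return findings

def check_spf(txt_records):
    """Require exactly one SPF record that includes EOP and ends with -all."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()
    findings = []
    if EOP_SPF_INCLUDE not in terms:
        findings.append("SPF does not include spf.protection.outlook.com")
    if terms[-1] != "-all":
        findings.append(f"SPF ends with {terms[-1]!r}, not '-all'")
    return findings

def audit(zone):
    """Return all findings for one zone; an empty list means the records are ready."""
    return check_mx(zone["mx"]) + check_spf(zone["txt"])

if __name__ == "__main__":
    for name, zone in (("ok", ZONE_OK), ("bad", ZONE_BAD)):
        print(name, audit(zone))
```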

Monitor and fine tune
Goals
- Is the service operating as expected?
- Make adjustments to rules or settings as needed
- Evaluate effectiveness of spam settings
Tools
- Reports (Office 365 Portal or Mail Protection Reports for Office 365)
- Submitting spam and false positive messages to Microsoft
- Junk Mail Reporting Tool for Outlook

Do this
- Use a test domain, subdomain or low volume domain for trying different service features
- Create O365 connectors before adding domains
- Use the Remote Connectivity Analyzer to troubleshoot
- Restrict inbound SMTP access to allow ONLY from EOP IP ranges
Don't do this
- Daisy chain services
- Use EOP for sending bulk mail
- Enable all Content Filter Advanced Options out of the box

- Automated user/group management
- Ease of administration for CBRs or other rules based on user address
- Synchronize Outlook safe/block sender lists
[Diagram] Labels: On-premises; Exchange Online Protection; Office 365; Directory Sync

Educate users
- Avoid using links in emails to access secure online services
- Do not respond to requests for sensitive information via email
- Unsubscribe from legitimate bulk mail, e.g. known online retailers
- Use the Junk mail reporting tool to submit spam samples
- Resources to help educate users: Outlook Phishing Detection, Crabby Office Lady
Publish an SPF record (Sender Policy Framework)
- Include EOP IPs and on-premises public IPs
- Use the Microsoft Configuration Wizard
- Turn on the SPF check in Content Filter Advanced Options

Other considerations
- Enable the Bulk Mail Content Filter Advanced Options
- Utilize Regular Expression (Reg-Ex) capability of ETRs to fine tune filtering of bulk mail, e.g. Header field name match "List-Unsubscribe" sets SCL to 6
- More details posted on Terry Zink's Cyber Security Blog
- Scope Inbound Allow rules by IP where possible
- Avoid safe-listing own domains - this bypasses the SPF check and negates the check's effectiveness

Prevent Spam Notification Delivery to DLs
Use DirSync and a custom Content Filter
- Apply custom Content Filter to that OU or OUs with "Enable end-user spam notifications" de-selected
Block using Transport rule on-premises:
- Create a contact object (e.g. EOP ESN) with the address of
- In PowerShell:

    # Reject mail from the "EOP ESN" contact on every DL that has no sender restriction yet
    Get-DistributionGroup -ResultSize Unlimited -IgnoreDefaultScope |
        where { !$_.RejectMessagesFrom -and !$_.RejectMessagesFromDLMembers } |
        Set-DistributionGroup -IgnoreDefaultScope -RejectMessagesFrom "EOP ESN"

Coming soon - end user access to Spam Quarantine
- End users manage spam via end user spam quarantine notifications which may be scheduled for daily delivery
- Administrator only access to quarantine
- Viewer only supports up to 500 messages
- More can be viewed via PowerShell Get-QuarantineMessage cmdlet
- Can only release in bulk through Release-QuarantineMessage cmdlet
Limits
- Max message size for EOP delivering to stand-alone customers is 150 MB
- Max message size for EOP delivering to Office 365 hosted mailboxes is 35 MB
- Max 100 Transport Rules per tenant - DLP policies consume part of this quota

Failover configuration
Using a second MX record to accomplish failover
Contoso.com has 3 on-premises IPs: Site A , Site B , Site C
Contoso.com wants mail to route to Site A but if it is down wants mail to go to Site B, and Site C as last resort.

    contoso.com          MX preference = 10   contoso-com.mail.protection.outlook.com (routes all mail for contoso.com)
    onprem.contoso.com   MX preference = 10   mail-a.contoso.com
    onprem.contoso.com   MX preference = 20   mail-b.contoso.com
    onprem.contoso.com   MX preference = 30   mail-c.contoso.com
    mail-a.contoso.com   A
    mail-b.contoso.com   A
    mail-c.contoso.com   A

*Specify onprem.contoso.com in the outbound connector smart host field

- Match Sub-domains
- DKIM for inbound
- Support for IPv6

What they offer
- Exchange Online Protection implementation and configuration assistance
- 1 – 5 days of engagement over a period of 90 days
- Administrator training on Exchange Online Protection
- Advise customer on service best practices
Eligibility
- Net new customers who purchase seats EOP stand alone, O365D
- Exception basis for O365 Hybrid
How to Engage an IPM
- Contact your Technical Account Manager for more information.

Session | Title | Timing | Room
--- | --- | --- | ---
SPR.202 | Encryption in Exchange | Tue 10:45 AM - 12:00 PM | Ballroom E
SPR.201 | Eliminate the Regulatory Compliance Nightmare | Tue 9:00 AM - 10:15 AM | MR 19ab
SPR.UN.305 | Exchange Online Protection: Notes from the field | Wed 10:15 AM - 11:30 AM | Ballroom G
SPR.UN.304 | Experts Unplugged: EOP & Encryption | Wed 8:30 - 9:45 AM; Wed 1:00 - 2:15 PM | MR 18d; MR 17b
SPR.401 | Extending Data Loss Prevention For Your Business | Wed 4:45 PM - 6:00 PM | MR 18bc
SPR.203 | Protect your Organization with Exchange Online Protection (EOP) | Mon 4:30 PM - 5:45 PM | MR 18bc
SPR.301 | So how does Microsoft handle my spam? | Tue 4:45 PM - 6:00 PM | MR 19ab
SPR.401 | Using Connectors & Mail Routing | Wed 2:45 PM - 4:00 PM | MR 18bc
ARC.304 | Exchange Server 2013 Transport Architecture | Tues 9:00 AM - 10:15 AM | Ballroom F
EDC.302 | Advanced Data Loss Prevention in Exchange | Tues 1:30 PM - 2:45 PM | Ballroom F
EDC.UN.301 | Experts Unplugged: Data Loss Prevention | Tue 3:00 PM - 4:15 PM; Wed 10:15 AM - 11:30 AM | MR 18d; MR 13ab
EDC.204 | Data Loss Prevention in Exchange, Outlook, OWA | Mon 2:45 PM - 4:00 PM | MR 18bc
MNG.304 | Reporting On O365 Mail flow and Mailbox Data | Wed 1:00 PM - 2:15 PM | MR 17a