When an organization finally decides to make the move to Office 365 / Exchange Online, the question of spam protection invariably comes up — at least it should. In this article, we’ll walk through the Exchange Online Protection (EOP) offering that comes as part of Exchange Online. We’ll review many of the key features of EOP and how they fit into the overall protection of end users from email threats.
We’ll cover such topics as safe sender lists and blocked sender lists. Other topics that we will cover include connection filtering as well as content filtering and outbound email protection. Because false positives and false negatives are always a concern, we will touch on those topics as well — along with quarantine and how to report false positives/negatives to Microsoft.
An overview of anti-spam protection
The very first spam email was sent back in 1978 — to several hundred users on ARPANET. Thirty years later, spam continues to be a problem. However, today’s spam emails are far more dangerous than their early ancestors. Today’s unsolicited (and typically unwanted) email messages often consist of malware, viruses, and spyware. Such infected emails can wreak havoc for a company. Luckily, all mailboxes hosted in Microsoft Exchange Online are automatically protected against spam and malware through Microsoft’s “Exchange Online Protection” suite. This suite is also known as EOP.
Office 365 features built-in spam filtering and malware protection capabilities that help protect both inbound and outbound emails from malicious software threats. Users are also protected from vanilla spam emails. These features are built in and enabled by default, so administrators don’t even need to set them up. Nor do they need to maintain them. Although anti-spam features do not need to be expressly set up, they can be customized by the administrator via the Exchange Admin Center (EAC).
In this article, we’ll discuss the guts of the anti-spam protection offered via the Exchange Online Protection suite.
Safe sender and blocked sender lists
No anti-spam product is perfect. That’s just a fact of life. Out of the box, every anti-spam solution will either falsely flag some subset of legitimate emails as spam or simply miss some actual spam and allow it through. There is no getting around it. However, Exchange Online administrators can help mitigate these issues by fine-tuning the service through safe sender lists and blocked sender lists.
Configuring a safe sender list allows the administrator to exempt certain senders from spam filtering, ensuring that emails from those senders are always delivered. Conversely, blocked sender lists can be used to ensure that emails from certain senders are never delivered. These lists are applied to users organization-wide.
In addition to safe sender lists and blocked sender lists, administrators can also leverage connection filtering to manage mail delivery. However, connection filtering works differently than safe/block lists because connection filtering is based on originating IP addresses, meaning that the administrator can control inbound email delivery by IP address.
For example, if OrgA (hosted in O365) has a business relationship with OrgB (hosted on-prem), the administrator for OrgA can create a connection filter that always allows emails from OrgB’s mail server by specifying the IP address from where OrgB’s emails originate in a safe sender list. Conversely, the OrgA administrator can ensure no emails are ever delivered from OrgB by creating a block list that contains OrgB’s IP address. Email messages sent from OrgB are then rejected outright. The emails are not marked as spam, nor is any additional filtering performed.
The Exchange Online Protection suite offers, out of the box, basic spam filter settings that include the ability to filter messages written in specific languages or even sent from specific countries or regions. These settings are applied to inbound messages only. However, the administrator can edit these default settings and even create custom policies, which can then be applied to the entire organization, specific users, specific groups, or specific domains in the organization. Custom content policies will always take precedence over the default policy; however, the administrator can change the order in which the custom policies are applied by changing the priority of each custom policy.
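The settings described above (connection filter IP lists, safe/blocked senders, a custom content filter policy with language/region filtering, and rule priority) can be applied from Exchange Online PowerShell. The script below is an added example and is not from the article or from Microsoft; it assumes the ExchangeOnlineManagement module, an admin account, and the OrgA/OrgB scenario above, with every IP address, domain, mailbox and ISO code being a constructed placeholder.

```powershell
# Added example (not from the article): EOP tuning via Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and an admin account. All IPs,
# domains and addresses below are constructed placeholders (RFC 5737 ranges).
Connect-ExchangeOnline -UserPrincipalName admin@orga.example

# 1. Connection filtering decides by originating IP, before any content filtering.
#    OrgB's outbound mail server is assumed to be 203.0.113.10.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = "203.0.113.10"}          # always accept OrgB's server
# To reject OrgB outright instead (no spam marking, no further filtering):
# Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{Add = "203.0.113.10"}

# 2. Safe/blocked sender lists live on the content filter policy; set on the
#    Default policy they apply organization-wide.
Set-HostedContentFilterPolicy -Identity Default `
    -AllowedSenderDomains @{Add = "partner.example"} `
    -BlockedSenders       @{Add = "newsletter@unwanted.example"}

# 3. A custom policy with language/region filtering, scoped to one domain.
#    The ISO codes are placeholders; substitute the codes you actually need.
$blockedLanguages = @("xx")   # placeholder ISO 639 language codes
$blockedRegions   = @("XX")   # placeholder ISO 3166-1 alpha-2 country/region codes
New-HostedContentFilterPolicy -Name "Sales inbound filter" `
    -EnableLanguageBlockList $true -LanguageBlockList $blockedLanguages `
    -EnableRegionBlockList   $true -RegionBlockList   $blockedRegions `
    -SpamAction Quarantine -HighConfidenceSpamAction Quarantine
# The rule binds the policy to recipients. Priority 0 is evaluated first, and
# any custom rule takes precedence over the Default policy.
New-HostedContentFilterRule -Name "Sales inbound filter" `
    -HostedContentFilterPolicy "Sales inbound filter" `
    -RecipientDomainIs "sales.orga.example" -Priority 0

# 4. Verify the resulting order of evaluation.
Get-HostedContentFilterRule | Sort-Object Priority |
    Format-Table Name, Priority, RecipientDomainIs, State
```

Run `Get-HostedConnectionFilterPolicy -Identity Default | Format-List IPAllowList, IPBlockList` afterwards to confirm the IP lists took effect.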
An often-overlooked aspect of spam protection is outbound spam filtering. While inbound spam protection is critical for protecting users from inbound email threats, outbound protection is necessary to ensure the organization’s email system doesn’t wind up on blacklists, which negatively impact deliverability of outbound emails. Being labeled a spammer is never good.
Because of the importance of outbound protection, outbound spam filtering is always enabled in O365. As such, all O365 customers that send outbound emails are protected — as are the recipients of those outbound emails.
In much the same fashion that inbound filtering is configured, outbound spam filtering consists of both connection filtering options and content filtering options. However, outbound filter settings cannot be configured (or disabled) by the administrator. Instead, outbound messages determined to be spam are routed through a higher-risk delivery pool, which reduces the probability of the organization being added to a block list.
If an O365 customer continues sending outbound emails that are identified as spam, the customer will be blocked from sending messages altogether. If a significant amount of spam is sent from an O365 user, the user is prohibited from sending email messages. The administrator is then informed of the situation.
False positives are annoying
No anti-spam solution is perfect — including O365 Exchange Online Protection. As such, it’s just a fact of life that users will occasionally have to deal with spam that finds its way through or with legitimate emails that don’t make it to their inboxes. That said, Microsoft makes it easy to “report” false positives and false negatives so that Microsoft can improve the anti-spam protection offered. With the data reported by end users and administrators, Microsoft continually fine-tunes its spam filters to ensure a more positive user experience.
Managing spam in Exchange Online
Office 365 offers the ability to configure quarantine for inbound messages identified as spam, phishing, bulk, etc. By sending potentially problematic emails to quarantine instead of end-user junk folders, those emails can be reviewed later and either discarded or kept. As such, quarantine is yet another tool to ensure end users are protected from email threats.
Quarantined messages can be managed by end users and, obviously, by administrators. However, while admins can manage quarantined emails for all users, end users can only manage their own quarantined items. Administrators can search for all quarantined items, using the Exchange admin center, and then view details for those quarantined messages. Messages that are deemed safe can then be released to the users to whom they were sent. It is within this process that administrators can report false positives to the Microsoft Spam Analysis Team for review. End users can manage their own quarantined messages via the spam quarantine user interface — provided those end users have a valid Office 365 user ID and password.
Per Microsoft’s FAQ, spam-quarantined messages are kept, by default, in quarantine for 15 days (which is configurable). Messages matching a specific transport rule, and quarantined as a result, are kept in quarantine for 7 days (not configurable). In both cases, quarantined messages are automatically deleted (and are not retrievable) when the retention periods expire.
Working with quarantine
Administrators have wide latitude when dealing with quarantined messages. An admin can delete quarantined messages and report false positives to Microsoft. Admins can also view quarantined data and download it. Policies can also be configured so that Office 365 sends questionable emails to quarantine when they are identified as spam, bulk mail, phishing mail, containing malware, etc.
End users can manage their own quarantined messages in two ways. They can either respond directly to the spam notification received when a message is tagged or they can use the Security & Compliance Center. By allowing end users to manage their own quarantine messages, administrators are freed up to deal with more pressing issues.
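The administrator side of the quarantine workflow above (setting the 15-day spam retention, searching a user's quarantined items, releasing a false positive and reporting it to Microsoft, and purging confirmed spam before it expires) looks like this in Exchange Online PowerShell. This is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module and an admin account, and the mailbox, partner domain and spam domain are constructed placeholders.

```powershell
# Added example (not from the article): admin triage of the EOP quarantine.
# Assumes the ExchangeOnlineManagement module; every address and domain below
# is a constructed placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@orga.example

# Spam quarantine retention defaults to 15 days and is configurable (1-30).
# Transport-rule quarantine is fixed at 7 days and has no matching parameter.
Set-HostedContentFilterPolicy -Identity Default -QuarantineRetentionPeriod 15

# List what the spam/bulk/phish filters quarantined for one user in the last week.
$since = (Get-Date).AddDays(-7)
$items = Get-QuarantineMessage -RecipientAddress "jane@orga.example" `
    -QuarantineTypes Spam, Bulk, Phish -StartReceivedDate $since
$items | Format-Table ReceivedTime, SenderAddress, Subject, Type, Expires

# False positive: mail from a partner domain the admin has verified out of band.
# Release it to every original recipient and report it to Microsoft in one step.
$trustedDomain = "partner.example"
foreach ($m in $items) {
    if ($m.SenderAddress -like "*@$trustedDomain") {
        Release-QuarantineMessage -Identity $m.Identity -ReleaseToAll -ReportFalsePositive
    }
}

# Confirmed spam from a sender domain already reviewed: delete it now rather
# than waiting for expiry (after which it is purged and cannot be retrieved).
$confirmedSpamDomain = "unwanted.example"
$items | Where-Object { $_.SenderAddress -like "*@$confirmedSpamDomain" } |
    ForEach-Object { Delete-QuarantineMessage -Identity $_.Identity -Confirm:$false }
```

Messages quarantined by a transport rule can be listed the same way with `-QuarantineTypes TransportRule`, but their 7-day expiry cannot be extended.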
Exchange Online Protection: A good choice
As we have seen, Exchange Online Protection is a flexible anti-spam / anti-malware solution that automatically protects all mailboxes hosted in Exchange Online / O365. This anti-spam solution offers the ability to not only detect spam and other email threats, but also to manage whitelists and blacklists via connection filtering, safe sender lists, and blocked sender lists. Exchange Online Protection also offers the ability to protect outbound emails.
Quarantine management is another flexible offering with Exchange Online Protection. Instead of simply discarding suspicious emails that “might” be legitimate, Exchange Online Protection offers administrators and users alike the ability to review such messages before purging them. The ability to report such false positives and false negatives to Microsoft also allows admins and users to continually improve the accuracy of the offering.
While many organizations prefer to leverage third-party anti-spam solutions, such as Mimecast and Proofpoint, the built-in offering of Exchange Online Protection that comes with every O365-hosted mailbox certainly holds its own when it comes to email threat protection. When planning an O365 / Exchange Online deployment, it makes sense to review the performance of EOP before shelling out additional money for a third-party anti-spam solution.