Which Filter Came First – the Malware or SPAM?

May 25, 2018 | Infrastructure

Often when I am working with clients that have recently migrated to, or are deciding on migrating to, Office 365, a concern and discussion arise around mail flow, in particular how mail is processed and where any impactful changes can occur.

Microsoft does a fair job of outlining the overall mail flow process at a high level, but it takes some time to really dig into some of the new features and where they fit in the puzzle.  I’m looking at you, Advanced Threat Protection and Data Loss Prevention.

Typical Mail Flow

Microsoft’s mail flow documentation for Exchange Online Protection outlines the flow of inbound mail:

  • Internet
  • Connection Filtering
  • Anti-Malware
  • Transport Rules / Policy Filtering
  • Content Filtering (SPAM)

When you see this outlined, the puzzle of mail flow starts to come into focus.  A message will first be filtered based on the sending IP.  This makes sense; if a sender is known to be bad, why would or should EOP waste any further resources?

It is possible to customize the blocked and allowed lists of sending IPs in the connection policy for your EOP subscription. It is also possible to request that your sending IPs be removed from bad sender lists if they are being erroneously blocked by EOP or Office 365; https://sender.office.com/ is the URL for making such a request.

Malware Filters

The malware filter is the next step in the process.  Often, I see this filter not fully configured to get the most out of the scanning agents.  One of the first actions that can be beneficial is enabling the Common Attachment Types Filter.  This will ensure that potential malware attachments based on common attachment types are quarantined.

Additionally, there are configuration options available to ensure that administrators are notified when an internal sender is sending possible malware.  This is a great indicator of possible issues in the environment such as compromised credentials.

Transport Rules / Policy Filters

The next stage covers the mail flow rules, data loss prevention (DLP) rules, and advanced threat protection (ATP) rules.  ATP will always run last in this set of rules.  DLP scanning for sensitive information in emails will occur first, or according to the priority of the mail flow rules.

Content Filters / SPAM

The very last step will be the anti-spam filters.  These anti-SPAM content filters have lots of options that many organizations do not fully take advantage of.  How many organizations block messages written in different languages, or block URL links that point to an IP address?  There are 15 different options that can be toggled on or off to mark messages as SPAM or increase the SPAM confidence level.

Oh . . . One More Thing

Many organizations don’t pay much attention to the Outbound SPAM configuration options.  Outbound SPAM does two things.  First, it will look for suspicious messages that match the typical fingerprints of SPAM and send them out via a different set of servers.  There is a configuration option that will notify an administrator email address of these messages and send it a copy.

The second option is to send an administrator email address a notification if an internal sender is being prevented from sending out any new messages because they have sent out too many SPAM style messages.  This is a valuable feature because it can be a first response indicator that an individual may have an infected machine or compromised credentials.
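The malware-filter and outbound SPAM settings discussed above can be checked in one pass. The following is an added example, not code from the original post: the function name `Test-MailFilterSetting` and the sample objects are constructed for illustration, while the property names are those returned by the Exchange Online cmdlets `Get-MalwareFilterPolicy` and `Get-HostedOutboundSpamFilterPolicy`.

```powershell
# Added example: flags the settings this post recommends when they are off,
# or when a notification is enabled but has no recipient to receive it.
function Test-MailFilterSetting {
    param(
        [Parameter(Mandatory)] $MalwarePolicy,
        [Parameter(Mandatory)] $OutboundSpamPolicy
    )
    $checks = @(
        # Common Attachment Types Filter
        @{ Stage = 'Anti-Malware'; Setting = 'EnableFileFilter'
           Pass  = [bool]$MalwarePolicy.EnableFileFilter }
        # Admin notification when an internal sender sends possible malware
        @{ Stage = 'Anti-Malware'; Setting = 'EnableInternalSenderAdminNotifications'
           Pass  = $MalwarePolicy.EnableInternalSenderAdminNotifications -and
                   $MalwarePolicy.InternalSenderAdminAddress }
        # Copy of suspicious outbound messages sent to an administrator
        @{ Stage = 'Outbound SPAM'; Setting = 'BccSuspiciousOutboundMail'
           Pass  = $OutboundSpamPolicy.BccSuspiciousOutboundMail -and
                   $OutboundSpamPolicy.BccSuspiciousOutboundAdditionalRecipients }
        # Notification when an internal sender is blocked from sending
        @{ Stage = 'Outbound SPAM'; Setting = 'NotifyOutboundSpam'
           Pass  = $OutboundSpamPolicy.NotifyOutboundSpam -and
                   $OutboundSpamPolicy.NotifyOutboundSpamRecipients }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Stage   = $c.Stage
            Setting = $c.Setting
            Status  = if ($c.Pass) { 'OK' } else { 'REVIEW' }
        }
    }
}

# Constructed sample policies so the function runs without a tenant connection.
$sampleMalware = [pscustomobject]@{
    EnableFileFilter                       = $false
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = ''   # enabled, but nobody is notified
}
$sampleOutbound = [pscustomobject]@{
    BccSuspiciousOutboundMail                 = $true
    BccSuspiciousOutboundAdditionalRecipients = @('secops@example.com')
    NotifyOutboundSpam                        = $false
    NotifyOutboundSpamRecipients              = @()
}
Test-MailFilterSetting -MalwarePolicy $sampleMalware -OutboundSpamPolicy $sampleOutbound |
    Format-Table -AutoSize
```

Against a live tenant, pass the output of `Get-MalwareFilterPolicy` and `Get-HostedOutboundSpamFilterPolicy` for the policy you want to review in place of the sample objects.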

I strongly recommend that every organization regularly review their email filtering engines and ensure that all levers are pulled to provide the best email delivery protection.  There are many other options like SPF that can be configured.  I recommend checking out some of John Fedor’s blogs regarding SPF.  Other options that can be configured are constantly changing, and if you need more assistance or information feel free to reach out to us at info@peters.com.  Don’t worry, we have our filters set up to make sure we will get your request for information!