Exchange Online Protection & Mail Flow Jayant Gupta Premier Field Engineer 200 E, Randolph St Aon center, Chicago -IL


Post on 14-Dec-2015


Page 1: Exchange Online Protection & Mail Flow Jayant Gupta Premier Field Engineer 200 E, Randolph St Aon center, Chicago -IL

Exchange Online Protection & Mail Flow

Jayant Gupta
Premier Field Engineer
200 E, Randolph St, Aon Center, Chicago, IL

Page 2:

Conditions and Terms of Use

Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks © 2013 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Page 3:

Overview

This module explores the various capabilities of the Exchange Online Protection service, including:

• Anti-Malware protection

• Anti-Spam protection, including connection and content filtering

• Quarantining messages

• Reporting

Page 4:

Exchange Online Protection

What is Exchange Online Protection (EOP)?

• EOP is the new version of Forefront Online Protection for Exchange (FOPE), Microsoft’s hosted email gateway

• Provides comprehensive email protection through multi-engine antivirus and continuously evolving anti-spam protection

• Built on Exchange 2013 Transport architecture

• Geographically load-balanced datacenters

• Queuing capabilities to help ensure no mail is lost

• Currently processes 1 billion messages per day

EOP is available:

• As a stand-alone cloud service for on-premises customers

• As part of Office 365 subscriptions

Page 5:

Simple to Deploy

1. Add and verify domain ownership in Office 365

2. Change your MX record to point to <domain-com>.mail.protection.outlook.com

3. Create an SPF TXT record for your domain: v=spf1 include:spf.protection.outlook.com -all

4. Fine tune anti-malware and anti-spam settings

5. Create rules to meet business needs
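The SPF step is where deployments most often go wrong, so here is an added check (example code, not part of the deck) that validates a published SPF TXT record against the record in step 3: it requires the spf.protection.outlook.com include, a hard-fail -all, and no more than the 10 DNS-lookup terms RFC 7208 allows. The sample records are constructed, not fetched from DNS.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample TXT records (not fetched from DNS); the first is the deck's record.
EOP_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SOFT_FAIL_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
NO_EOP_SPF = "v=spf1 ip4:203.0.113.0/24 -all"

EOP_INCLUDE = "spf.protection.outlook.com"
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier, mechanism/modifier name, optional value after ':' '=' or '/'
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?", re.IGNORECASE)


@dataclass
class SpfResult:
    ok: bool
    all_qualifier: Optional[str]      # "-", "~", "?", "+" or None when no "all" term
    lookups: int
    problems: List[str] = field(default_factory=list)


def check_eop_spf(record: str) -> SpfResult:
    """Check a published SPF record against the EOP deployment step."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfResult(False, None, 0, ["record must start with v=spf1"])
    problems: List[str] = []
    all_qualifier = None
    lookups = 0
    has_eop_include = False
    for i, term in enumerate(terms[1:], start=1):
        m = TERM_RE.fullmatch(term)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier = m.group(1) or "+"
        name = m.group(2).lower()
        value = (m.group(3) or "").lower()
        if name == "all":
            if all_qualifier is not None:
                problems.append("more than one 'all' term")
            all_qualifier = qualifier
            if i != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include" and value == EOP_INCLUDE:
            has_eop_include = True
    if not has_eop_include:
        problems.append(f"missing include:{EOP_INCLUDE}; mail relayed by EOP fails SPF")
    if all_qualifier is None:
        problems.append("no 'all' term: senders outside the list get a neutral result")
    elif all_qualifier != "-":
        problems.append(f"'{all_qualifier}all' is not a hard fail; the deck uses -all")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10")
    return SpfResult(not problems, all_qualifier, lookups, problems)
```

Run it against the TXT record you actually published (for example the output of nslookup -type=TXT yourdomain) before switching the MX record.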

Page 6:

EOP Administration

Unlike FOPE, Exchange Online Protection administration is incorporated into the Exchange Admin Center

Page 7:

EOP inbound filtering

Page 8:

EOP outbound filtering

Page 9:

Anti-Malware

Page 10:

Definition of Malware

• What is Malware?

• Malware is any kind of unwanted software that is installed without your adequate consent

• What is Spyware?

• Spyware is a general term used to describe software that performs certain behaviors, generally without appropriately obtaining your consent first, such as:

• Advertising

• Collecting personal information

• Changing the configuration of your computer

Page 11:

Malware Filter Configuration

What can you configure in the Exchange Administration Center (EAC)?

• The malware detection response (action)

• The custom alert text (deletion text)

• The notifications (who to send them to, and the ability to customize them)

Page 12:

Anti-Spam

Page 13:

Multi-layered anti-spam protection

Connection filtering

• Blocks up to 80% of all spam based on IP block/allow lists

Sender-recipient filtering

• Blocks up to 15% of all spam based on internal lists and sender reputation

Content filtering

• Blocks up to 5% of all spam based on internal lists and heuristics

Page 14:

Connection Filter

What is Connection Filtering?

• It blocks or allows inbound messages based on the originating IP address

• The connection filter checks IP Allow and IP Block lists prior to checking the content of each message

• Messages from specifically allowed IP addresses bypass filtering

• Messages from senders in the IP Block list are blocked, except in cases where they also appear in the IP Allow list

• You can add an IP address or address range to an IP Allow list or IP Block list in EAC
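Added example (not from the deck) that applies the precedence rules above to a connecting IP: Allow beats Block, and an address on neither list continues to content filtering. It also flags overly broad Allow entries, since anything on that list skips spam filtering entirely; the lists are constructed from documentation ranges and the /24 threshold is an assumption for this example, not an EOP limit.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_list(entries: Iterable[str]) -> List[Network]:
    """Turn EAC-style entries (single IPs or CIDR ranges) into network objects."""
    # strict=False accepts a range written with host bits set, e.g. 192.0.2.5/24
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def connection_filter_verdict(sender_ip: str,
                              allow_list: Iterable[str],
                              block_list: Iterable[str]) -> str:
    """Apply the precedence the slide describes to one connecting IP.

    Returns:
      "allow"  - on the IP Allow list: spam filtering is bypassed
      "block"  - on the IP Block list and not on the Allow list
      "filter" - on neither list: the message continues to content filtering
    """
    ip = ipaddress.ip_address(sender_ip)
    allowed = any(ip in net for net in parse_list(allow_list))
    blocked = any(ip in net for net in parse_list(block_list))
    if allowed:
        return "allow"   # Allow wins even when the IP is also on the Block list
    if blocked:
        return "block"
    return "filter"


def broad_allow_entries(allow_list: Iterable[str], widest_ok_prefix: int = 24) -> List[str]:
    """Flag IPv4 Allow entries wider than a /24: every host in them skips spam filtering.

    The /24 threshold is a review heuristic chosen for this example (assumption).
    """
    broad = []
    for entry in allow_list:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version == 4 and net.prefixlen < widest_ok_prefix:
            broad.append(entry)
    return broad


# Constructed sample lists using documentation ranges, not real senders.
ALLOW = ["198.51.100.0/24"]                   # a trusted partner's range
BLOCK = ["198.51.100.77", "203.0.113.0/24"]   # one host inside that range, plus a range


def demo() -> Dict[str, str]:
    """Verdicts for three constructed connecting IPs."""
    return {ip: connection_filter_verdict(ip, ALLOW, BLOCK)
            for ip in ("198.51.100.77", "203.0.113.9", "192.0.2.1")}
```

The 198.51.100.77 case is the one to notice: it is explicitly blocked, yet the partner's /24 on the Allow list lets it through untouched.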

Page 15:

Content Filter

Page 16:

Content Filter Actions

• Delete

• Quarantine

• Add x-header

• Move to Junk Email folder

• Prepend subject line with text

• Redirect to email address

• Filter messages from particular countries, or by language

Page 17:

Content Filter Advanced Options

• Increase Spam Score

• Mark As Spam

• Test Mode Options

Page 18:

Spam Confidence Level

SCL rating | Spam confidence interpretation | Default action

-1 | Non-spam coming from a safe sender, safe recipient, or safe-listed IP address (trusted partner) | Deliver the message to the recipients' inbox.

0, 1 | Non-spam because the message was scanned and determined to be clean | Deliver the message to the recipients' inbox.

5, 6 | Spam | The initial default is to deliver the message to the quarantine. However, if the default spam content filter policy is modified, by default the message will instead be delivered to the Junk Email folder.

9 | High confidence spam | The initial default is to deliver the message to the quarantine. However, if the default spam content filter policy is modified, by default the message will instead be delivered to the Junk Email folder.

Page 19:

Outbound Spam

Why do you need outbound spam filtering?

• Outbound spam filtering is needed because attackers and their malware compromise computers inside corporate networks every day, which means users in your organization may be sending large amounts of outbound spam without your knowledge

Page 20:

Quarantine

Page 21:

Quarantined Messages

• Messages that are identified as spam or that match an Exchange transport rule can be sent to the quarantine

• If you are an administrator, you can perform the following actions against quarantined messages via EAC:

- Search for quarantined messages
- View details about quarantined messages
- Release specific messages to a recipient within your organization
- Quickly report a quarantined message as a false positive

Page 22:

Working with Quarantined Messages and PowerShell

• To retrieve information about quarantined emails

Get-QuarantineMessage -StartReceivedDate 02/13/2013 -EndReceivedDate 02/14/2013

• To release a quarantined message

Get-QuarantineMessage -MessageID <[email protected]> | Release-QuarantineMessage

Page 23:

Junk Email Management

• Users can now receive spam notifications for messages destined to them that were marked as junk and quarantined

• Users can choose to either release or report on quarantined messages

Page 24:

Reporting

Page 25:

Built-in Reporting

• Provides a clear view on spam filtering and malware attacks

Page 26:

Testing changes to Malware and Content filters

Testing Malware filter

• Create a file called EICAR.txt with the following text: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

• Attach EICAR.TXT to a new mail message, and send it through the service.

• Confirm your anti-malware filter settings have taken effect (policy changes can take up to an hour to replicate across datacenters)

• This "EICAR" test attachment will cause the message to be treated as malicious by antivirus/antimalware engines

Testing Content filter

• Test Content filter using GTUBE message. A GTUBE message should always be detected as spam by the content filter, and the actions that are performed upon the message should match your configured settings. Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:

• XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Page 27:

Module Review

1. What are the three main topics which make up the suite in Exchange Online Protection?

• Anti-Malware, Anti-Spam, Quarantine

2. What are the three types of filtering available?

• Malware Filtering, Content Filtering, Connection Filtering

3. What does the outbound spam policy do?

• If an outbound message is determined to be spam, it is routed through the high risk delivery pool, which reduces the probability of the normal outbound-IP pool being added to a block list. If a customer continues to send outbound spam through the service, they will be blocked from sending messages

Page 28:

Exchange Online Mail Flow

Page 29:

Overview

This module covers the mail flow capabilities of Exchange Online, including:

• Transport rules

• Delivery reports and message tracing

• Inbound and outbound connectors

Page 30:

Rules

Page 31:

Types Of Rules

Transport Rules

• Let you apply messaging policies to messages in the transport pipeline

• Actions such as redirecting a message, adding recipients, rights-protecting messages, and rejecting or silently deleting a message can be taken

Transport Protection Rules

• Administrators can use transport protection rules to implement messaging policies to inspect message content, encrypt sensitive email content, and use rights management to control access to the content

Outlook Protection Rules

• In Exchange Online, Outlook and OWA users, as well as administrators, can apply Information Rights Management (IRM) protection to messages by applying an Active Directory Rights Management Services (AD RMS) rights policy template. This requires an AD RMS deployment in the organization

Page 32:

Transport Rules

• Use transport rules to look for specific conditions on messages that pass through your organization and take action on them

• Transport rules allow you to:
- Prevent inappropriate content from entering or leaving
- Filter confidential organization information
- Track or copy messages that are sent to or received from specific individuals
- Redirect inbound and outbound messages for inspection before delivery
- Apply disclaimers to messages as they pass through the organization

• You can create a maximum of 100 transport rules in Exchange Online

Page 33:

Transport Rule Components

A transport rule consists of the following components:

• Conditions: identify the messages that you want the rule to apply to

• Actions: specify what you want to do to the messages that are identified by the conditions

• Exceptions: override conditions and prevent the rule from acting on specific messages

• Choose a mode for this rule: (Enforce, Test with Policy Tips, Test without Policy Tips)

Page 34:

How to Create a New Rule

Page 35:

Transport Rules via PowerShell

• How to create a new transport rule

New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo "Sales Department" -PrependSubject "External message to Sales DG:"

• How to verify the rule was created

Get-TransportRule "Mark messages from the Internet to Sales DG"

• How to view all rules in your Exchange Online Tenant

Get-TransportRule
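To show how the rule components from the previous slide (conditions, exceptions, mode) interact, here is an added Python model (not Exchange code and not from the deck) of the New-TransportRule example above: FromScope NotInOrganization and SentTo the Sales group become predicates, an exception for an assumed partner domain overrides the match, and a rule in a test mode records the match but does not prepend the subject. contoso.com, sales@contoso.com and partner.example are constructed names.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


# Constructed in-memory message; the real pipeline inspects the SMTP envelope and headers.
@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    internal_domain: str = "contoso.com"    # assumed tenant domain (hypothetical)

    def from_outside_org(self) -> bool:      # stands in for -FromScope NotInOrganization
        return not self.sender.lower().endswith("@" + self.internal_domain)


# A predicate on a Message stands in for one EAC condition or exception.
Predicate = Callable[[Message], bool]

SALES_DG = "sales@contoso.com"   # assumed address of the "Sales Department" group


def sent_to(address: str) -> Predicate:      # stands in for -SentTo
    return lambda m: address.lower() in (r.lower() for r in m.recipients)


def sender_domain_is(domain: str) -> Predicate:
    return lambda m: m.sender.lower().endswith("@" + domain.lower())


@dataclass
class TransportRule:
    name: str
    conditions: List[Predicate]                                # all must match
    exceptions: List[Predicate] = field(default_factory=list)  # any match overrides
    prepend_subject: Optional[str] = None                      # the only action modelled
    mode: str = "Enforce"          # or "TestWithPolicyTips" / "TestWithoutPolicyTips"

    def matches(self, msg: Message) -> bool:
        return (all(c(msg) for c in self.conditions)
                and not any(e(msg) for e in self.exceptions))

    def apply(self, msg: Message) -> Dict[str, object]:
        """Evaluate the rule; only Enforce mode changes the message."""
        matched = self.matches(msg)
        if matched and self.mode == "Enforce" and self.prepend_subject:
            msg.subject = self.prepend_subject + msg.subject
            return {"matched": True, "enforced": True, "subject": msg.subject}
        # Test modes report the match (for tuning) but leave the message unchanged.
        return {"matched": matched, "enforced": False, "subject": msg.subject}


# Model of the deck's New-TransportRule example, with one added exception.
sales_rule = TransportRule(
    name="Mark messages from the Internet to Sales DG",
    conditions=[Message.from_outside_org, sent_to(SALES_DG)],
    exceptions=[sender_domain_is("partner.example")],   # assumed trusted partner
    prepend_subject="External message to Sales DG:",
)
```

Running a new rule in a test mode first, as this model does for test_rule, is how you confirm the conditions and exceptions select the intended messages before any subject, routing or deletion action is enforced.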

Page 36:

Delivery Reports

Page 37:

Delivery Reports

• Message tracking within your Exchange Organization only

• Track delivery information about messages sent by or received from any specific mailbox in your organization

• Optionally add words to search for in the subject line

• Subject line is displayed in the results, not message content

• Track messages for up to 14 days after they were sent or received

• Note: It does not track messages sent from POP or IMAP email clients, such as Windows Mail, Outlook Express, or Mozilla Thunderbird

Page 38:

Message Tracking

Page 39:

Message Trace

• The message trace feature enables an administrator to follow email messages as they pass through your Exchange Online or Exchange Online Protection service

• It helps you determine whether a targeted email message was received, rejected, deferred, or delivered by the service within the past 7 days

• It also shows what actions have occurred to the message before reaching its final status

• Obtaining detailed information about a specific message lets you efficiently answer your users' questions, troubleshoot mail flow issues, validate policy changes, and avoid having to contact technical support for assistance

Page 40:

How to Run a Message Trace

• Navigate to Mail Flow > Message Trace in EAC

• Select Fields (to narrow search)

• Options include:

• Sender

• Recipient

• Message was Sent or Received

• Delivery Status or Message ID

None is also an allowed option, which displays the previous 7 days of information. Note that the service retains only 7 days

• Click Search to run the Message Trace

• *Message Trace information is available for up to 90 days

Page 41:

View Message Trace Results

• After running a search, the results will be listed in the Message Trace Results pane below the search section

• The following information is displayed about each message:

• Date

• Sender

• Recipient

• Subject

• Status

• Each column can be sorted by clicking on the column name; clicking it again reverses the sort order

• If the results exceed 500 entries, a page navigation section appears

Page 42:

Message Tracing via PowerShell

• Using Get-MessageTrace to see information

Get-MessageTrace -SenderAddress [email protected] -StartDate 06/13/2012 -EndDate 06/15/2012

• Obtain more detailed information by piping the results to the Get-MessageTraceDetail cmdlet

Get-MessageTrace -Id 2bbad36aa4674c7ba82f4b307fff549f -SenderAddress [email protected] -StartDate 06/13/2012 -EndDate 06/15/2012 | Get-MessageTraceDetail

Page 43:

Connectors

Page 44:

Connector Types

• Connectors are used to control inbound and outbound mail flow

• With connectors, you can route mail to and receive mail from recipients outside of your organization, a partner through a secure channel, or a message-processing appliance

• The most commonly used connector types are Outbound connectors, which control outbound messages, and Inbound connectors, which control inbound messages

• Connectors can be configured to enforce IP address and domain restrictions, as well as TLS encryption, for both inbound and outbound mail

Page 45:

Using Connectors

• Mail flows into and out of Exchange Online through EOP without the need to create any inbound or outbound connectors by default

• Create connectors when you need to customize inbound and outbound mail flow between:

• Exchange Online and On-Premises

• Exchange Online and External Recipients

• Exchange Online and Partner Organizations

An example scenario where connectors using TLS are created to enforce encrypted mail flow between EOP and a partner

Page 46:

Secure Mail

[Diagram: Secure Mail. Parties shown: On-Premises Organization (Exchange, "David" on-premises mailbox), Exchange Online ("Chris" cloud mailbox), Exchange Online Protection, the Internet, a Third Party Email Security System, and an External Recipient. Annotations: Encrypted & Authenticated Mail Flow; MX resolves to on-premises gateway; MX is switched to Exchange Online Protection; outbound Exchange Online traffic is delivered direct; you can choose to route outbound on-premises mail via EOP.]

Page 47:

Centralized Transport

[Diagram: Centralized Transport. Same parties as the Secure Mail diagram: Exchange Online ("Chris" cloud mailbox), Exchange Online Protection, On-Premises Organization (Exchange, "David" on-premises mailbox), a Third Party Email Security System, the Internet, and an External Recipient. Annotations: Encrypted & Authenticated Mail Flow; MX resolves to on-premises gateway; MX is switched to Exchange Online Protection; all email in and out of the Exchange Online tenant must go via on-premises.]

Page 48:

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Contact

Jayant Gupta, Office 365 Premier Field Engineer, [email protected]

Who Wants to Ask Questions??