Exchange Online Protection: Complete Email Security and Protection

Author

Reads 6.2K

Close-up of two people exchanging US dollars and currency with wallets on a table.
Credit: pexels.com, Close-up of two people exchanging US dollars and currency with wallets on a table.

Exchange Online Protection offers robust email security and protection to safeguard your business communications. This comprehensive solution includes a sophisticated spam filter that can block up to 99% of spam emails, keeping your inbox clutter-free.

With Exchange Online Protection, you can also set up advanced threat protection to detect and block zero-day threats and malware. This feature uses machine learning algorithms to analyze emails in real-time, ensuring that even the most sophisticated attacks are caught.

Exchange Online Protection also provides data loss prevention to prevent sensitive information from being sent outside your organization. This feature can detect and block emails containing sensitive data, such as credit card numbers or social security numbers, to prevent data breaches.

What Is EOP

Exchange Online Protection, or EOP, is a cloud-based email security service from Microsoft that filters your emails to protect your organization against spam, malware, and other email-based threats.

It was initially focused on filtering out spam and bulk email but has since evolved to use various detection techniques to identify phishing and spear phishing emails, as well as emails containing malicious payloads.

For another approach, see: Spam Bully

Credit: youtube.com, Exchange Online Protection (EOP)

EOP is now included across all license types within the annual or monthly subscription price, making it a valuable feature for organizations of all sizes.

FrontBridge Technologies Inc. created the precursor to EOP, Microsoft Forefront Online Protection for Exchange, which was later acquired by Microsoft in 2005.

Microsoft rebranded the service multiple times, with the most recent iteration being Exchange Online Protection, launched on March 1, 2013.

EOP uses multi-scanning and anti-virus scanning to identify threats, drawing on a large corpus of data from worldwide email traffic and corporate end users reporting of false positives and false negatives.

It's worth noting that while EOP has improved its detection rates over time, it can still be susceptible to misses when dealing with targeted, personalized attacks or phishing campaigns occurring at lower volumes.

Email Security Features

Exchange Online Protection offers several email security features to keep your inbox clean. Secure Email Gateway Solutions, for example, use threat intelligence feeds, heuristic rules, and sandboxing to identify and prevent malicious traffic from reaching your mailbox.

Recommended read: Email Filtering

Credit: youtube.com, Microsoft E-mail Security Management Webinar | Exchange Online Protection | Defender 365

Policy filtering and mail flow rules are also essential in managing email security. These rules can be customized to automatically delete emails from a specific sender or warn users of potentially harmful content based on keywords.

Mail flow features, such as mail flow rules, accepted domains, and connectors, provide flexibility in managing messages. Mail flow rules, in particular, are a powerful tool for identifying and taking specific actions on emails that enter your organization's mailbox.

Here are some key mail flow features:

Domainkeys Identified Mail

DomainKeys Identified Mail (DKIM) is a digital signature added to email messages in the header, providing authenticity and integrity. It relies on DNS records, so its deployment depends on how an agency manages its DNS.

Enabling DKIM is crucial for all domains, as it helps detect spoofed emails and verify email content integrity. This is especially important to prevent phishing attacks where an adversary modifies the FROM field to appear as a legitimate email.

See what others are reading: Microsoft DNS

Credit: youtube.com, What is DomainKeys Identified Mail (DKIM)?

To enable DKIM, you should follow the instructions listed on Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal | Microsoft Learn.

DKIM helps prevent phishing attacks by allowing recipients to verify the integrity of email content. It does this by adding a digital signature to the email message header.

An adversary may modify the FROM field to appear as a legitimate email, but enabling DKIM makes it harder for them to succeed. This is because DKIM provides a layer of authenticity and integrity to emails.

Here are some key references for implementing DKIM:

  • Binding Operational Directive 18-01 - Enhance Email and Web Security | DHS
  • Trustworthy Email | NIST 800-177 Rev. 1
  • Use DKIM to validate outbound email sent from your custom domain | Microsoft Learn
  • Support for validation of DKIM signed messages | Microsoft Learn
  • What is EOP? | Microsoft Learn

Secure Email Gateway

Secure Email Gateway solutions have been around for about two decades, but their architectural design reflects their age, often limiting their efficacy. They operate by redirecting mail flow to their service, which can be delivered as a hosted or cloud-based appliance.

SEGs typically utilize threat intelligence feeds, heuristic rules, and sandboxing to identify and prevent malicious traffic from reaching end users' mailboxes. This approach is similar to the detection methodologies employed by Exchange Online Protection.

Credit: youtube.com, What is a Secure Email Gateway?

The overall time-to-value of SEGs is long, as deployment, initial tuning, and ongoing administrative review of quarantined emails can take significant time for MSPs or organizations. Altered mail flow can also be required if new services and/or domains are added.

SEGs often require a web-based portal for users to release quarantined traffic, but this can be a hassle for end users. As an alternative, API-based solutions like Hornetsecurity's 365 Total Protection can be deployed in minutes, without the need for an MX record change.

Here are some key differences between SEGs and API-based solutions:

SEGs may not be the most effective solution for email security, but they can still be a useful tool in a layered security approach. By understanding the limitations of SEGs, organizations can make informed decisions about their email security needs.

Security Policies and Rules

Security policies and rules are crucial in Exchange Online Protection to safeguard your organization's email. Policy filtering and mail flow rules are used to check emails against custom rules set by your organization. For example, you can configure EOP to automatically delete emails from a specific sender or warn users of potentially harmful content based on keywords.

Credit: youtube.com, How to Configure an Anti Phishing Policy in Microsoft 365

Automatic forwarding to external domains can be disabled on a per-domain basis, which prevents adversaries from gaining persistent access to a victim's email. This can be done by configuring EOP to only enable automatic forwarding to external domains on a per-domain basis.

Mail flow rules, also known as transport rules in Exchange Online, help identify and take specific actions on emails that enter your organization's mailbox. You can configure mail flow rules to include conditions, exceptions, and actions that give you greater flexibility in managing messages.

On a similar theme: Mail Abuse Prevention System

Policy Filtering and Mail Flow Rules

Policy filtering is the first step in checking incoming emails against mail flow rules or transport rules set by your organization. These rules can be custom-made to suit your organization's needs, such as automatically deleting emails from a specific sender or warning users of potentially harmful content based on keywords.

Your organization can create custom rules for incoming emails, which can be configured in Exchange Online Protection (EOP). These rules can be used to identify and take specific actions on emails that enter your organization's mailbox.

Credit: youtube.com, What are Mail Flow rules in Office 365 | How to create Transport rules in Office 365

Mail flow rules, also known as transport rules in Exchange Online, help identify and take specific actions on emails that enter your organization's mailbox. These rules include conditions, exceptions, and actions that give you greater flexibility in managing messages.

Here are some key points to consider when creating mail flow rules:

  • Accepted domains: These are domains that are added to Microsoft 365 or Microsoft 365 and are called accepted domains. Accepted domain users can send and receive email messages.
  • Connectors: These are a collection of instructions that customize the way your email flows to and from your Microsoft 365 or Microsoft 365 organization.
  • Mail flow rules can be used to identify and take specific actions on emails that enter your organization's mailbox.

Data Loss Prevention

Data Loss Prevention is a crucial aspect of securing your Microsoft Exchange Online. A DLP solution SHALL be used to prevent accidental leakage of sensitive information.

Data loss prevention solutions help detect the presence of sensitive information in Exchange Online and block access to unauthorized entities. This is essential to prevent users from inadvertently disclosing sensitive information to others.

To ensure the effectiveness of your DLP solution, it SHALL protect personally identifiable information (PII) and sensitive information, as defined by your agency. This includes protecting sensitive information such as credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and U.S. Social Security numbers (SSNs).

Credit: youtube.com, How Do I Create Data Loss Prevention Policies? - Be App Savvy

At a minimum, your DLP solution SHALL restrict sharing credit card numbers, U.S. ITINs, and U.S. SSNs via email. This is a requirement outlined in the baseline policy.

Any product meeting the requirements outlined in this baseline policy may be used. If your agency uses Microsoft Defender, see the implementation steps for DLP for additional guidance.

The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. This ensures that your DLP solution is capable of detecting and blocking sensitive information.

To display user warnings comparable to the user safety tips included with EOP, your DLP solution SHOULD display user warnings. This helps users understand the risks associated with sensitive information.

For more insights, see: What Is Azure Information Protection

IP Allow Lists

IP allow lists can be used to prevent blocking emails from specific senders, but be aware that emails from these senders will bypass important security mechanisms like spam filtering and sender authentication checks.

To create an IP allow list in Microsoft Defender, you'll need to specify the IP addresses of trusted senders, but keep in mind that this can leave your system vulnerable to potential threats.

Credit: youtube.com, Whalebone ISP — Admin's Guide: Security Policies

The Microsoft Defender portal warns against using IP allow lists, as they can circumvent security mechanisms.

IP block lists, on the other hand, block email from listed IP addresses, which can be used to block mail from known spammers.

Here are some key points to consider when working with IP allow lists:

  • Rationale: Messages sent from IP addresses on an allowlist bypass important security mechanisms, including spam filtering and sender authentication checks.
  • Last modified: August 2024
  • MITRE ATT&CK TTP Mapping:

Safelists, which are dynamic lists of "known, good senders", can also be used to bypass security mechanisms, so it's recommended to avoid enabling them.

To modify the connection filters and ensure safe lists are not enabled, follow these steps:

  1. Sign in to Microsoft 365 Defender portal.
  2. From the left-hand menu, find Email & collaboration and select Policies and Rules.
  3. Select Threat Policies from the list of policy names.
  4. Under Policies, select Anti-spam.
  5. Select Connection filter policy (Default).
  6. Click Edit connection filter policy.
  7. Ensure no addresses are specified under Always allow messages from the following IP addresses or address range.
  8. Ensure Turn on safe list is not selected.

Security Measures

Exchange Online Protection has several security measures in place to safeguard your email communications.

Secure Email Gateway Solutions are a well-known technology implemented to address email security, operating by redirecting mail flow to their service, which is delivered as a hosted or cloud-based appliance. This architectural approach can limit the efficacy of gateways.

One of the key features of SEGs is their detection methodology, which utilizes threat intelligence feeds, heuristic rules, and sandboxing to identify and prevent or quarantine malicious traffic from reaching end users' mailboxes.

Credit: youtube.com, Microsoft 365 Email Security Limitations You Should Know

To scan emails for malware, you can use a solution like Microsoft Defender, which filters emails based on attachment file types. This service can block a list of common executable files, such as .exe, .cmd, and .vbe, to mitigate the risk of adversarial exploitation.

Emails may also be filtered by attachment file types, which can prevent the spread of malware distributed via click-to-run email attachments. The attachment filter should attempt to determine the true file type and assess the file extension to detect instances where the file extension was changed.

A Data Loss Prevention (DLP) solution is also essential to prevent both accidental leakage of sensitive information as well as intentional exfiltration of data. A capable DLP solution should detect the presence of sensitive information in Exchange Online and block access to unauthorized entities.

The DLP solution should protect personally identifiable information (PII) and sensitive information, as defined by the agency. At a minimum, the DLP solution should restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and U.S. Social Security numbers (SSNs) via email.

Here are some key security measures to consider:

  • Secure Email Gateway Solutions with threat intelligence feeds, heuristic rules, and sandboxing
  • Malware scanning with Microsoft Defender or a comparable solution
  • Attachment file type filtering, including blocking common executable files
  • Data Loss Prevention (DLP) solutions to prevent sensitive information leakage

Antimalware

Credit: youtube.com, Top 5 Antivirus Programs to Protect Your Devices in 2023

Antimalware is a critical security measure that involves scanning emails for malware. Emails identified as containing malware should be quarantined or dropped to prevent infections.

Scanning emails for malware is essential to prevent infections. Emails can be used as a mechanism for delivering malware, and scanning can detect malware, reducing the risk for end users.

Emails SHALL be scanned for malware, according to the CISA M365 Secure Configuration Baseline. This includes scanning emails after delivery to reduce the number of malware-infected emails in users’ mailboxes.

Malware scanning should be capable of reviewing emails after delivery. This is because known malware signatures are updated, and an email can be retroactively identified as containing malware after delivery.

Emails identified as containing malware should be quarantined or dropped. This is because email can be used as a mechanism for delivering malware, and preventing emails with known malware from reaching user mailboxes helps ensure users cannot interact with those emails.

Credit: youtube.com, Logical Protection Measures - Anti-Malware & Firewalls

Here are some key points to consider when implementing antimalware measures:

  • Emails SHALL be scanned for malware.
  • Emails identified as containing malware SHALL be quarantined or dropped.
  • Email scanning SHALL be capable of reviewing emails after delivery.

Any product meeting the requirements outlined in the baseline policy may be used. If the agency uses Microsoft Defender, see the implementation steps for enabling preset security policies, which include anti-malware protection.

Sender Policy Framework

Sender Policy Framework is a mechanism that allows domain administrators to specify which IP addresses are approved to send email on behalf of the domain. This helps detect spoofed emails.

To set up SPF, you need to maintain a list of approved IP addresses for sending mail. Failing to do so may result in spoofed email messages or failure to deliver legitimate messages when SPF is enabled.

You should publish an SPF policy for each domain that fails all non-approved senders. This mitigates forged FROM fields and phishing attacks.

SPF defines two different "fail" mechanisms: fail (indicated by -, sometimes referred to as hardfail) and softfail (indicated by ~). Fail, as used in this baseline policy, refers to hardfail (i.e., -).

Credit: youtube.com, What is SPF? Sender Policy Framework and SPF records explained (in under 3 mins)

You can indicate approved senders by IP address or CIDR range, but SPF also allows you to include the IP addresses indicated by a separate SPF policy, referred to by domain name.

To test your SPF configuration, consider using a web-based tool or the PowerShell tool Resolve-DnsName. For example: Resolve-DnsName example.onmicrosoft.com txt.

MS.DEFENDER.1.3v1 | CISA M365 Secure Configuration Baseline for Defender for Office 365.

User click tracking SHOULD be enabled.

365 Communications

Microsoft 365 communications are available for issues and new features. For information about requirements, important limits, and feature availability, see the Exchange Online Protection service description.

You can reach out through various channels, including the Exchange Online Protection service description. This is a great resource to understand the details of Microsoft 365 communications.

EOP is included in all Microsoft 365 plans with Exchange Online mailboxes. This means you can rely on EOP for protection in your online mailbox.

EOP is also available for on-premises mailboxes and hybrid environments. This gives you flexibility in how you use EOP to protect your mailboxes.

The EOP plans include EOP standalone, EOP features in Exchange Online, and Exchange Enterprise CAL with Services.

Here's an interesting read: Onedrive Available When Online

Superior Data Coverage

Credit: youtube.com, Guarded Growth Understanding the Risk of Third Party Breaches

Microsoft 365 is the most popular target for phishing attacks, with about 90% of incidents that end in a data breach starting with a phishing email.

To safeguard your data, it's essential to back up your Microsoft 365 data. Spanning Backup for Microsoft 365 safeguards all your data from Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams with cloud-to-cloud backup and recovery.

Data loss prevention (DLP) solutions can help prevent accidental leakage of sensitive information. A DLP solution SHALL be used to protect personally identifiable information (PII) and sensitive information.

Some examples of sensitive information that should be protected include credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and U.S. Social Security numbers (SSNs). At a minimum, the DLP solution SHALL restrict sharing of these types of information via email.

The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. If the agency uses Microsoft Defender, see the implementation steps for DLP for additional guidance.

A fresh viewpoint: Voice Phishing

Credit: youtube.com, Should I Get Data Security Insurance For My Convention? - Conventions Network

Here's a list of some of the key requirements for a DLP solution:

  • Data Loss Prevention | CISA M365 Secure Configuration Baseline for Defender for Office 365
  • A DLP solution SHALL protect personally identifiable information (PII) and sensitive information
  • The DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and U.S. Social Security numbers (SSNs) via email
  • The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft

Spam and Phishing Protection

Exchange Online Protection (EOP) is a robust security solution that helps safeguard your organization's email infrastructure against spam and phishing threats. EOP's multilayered malware protection identifies and stops viruses, spyware, and ransomware.

Spam filtering is a crucial aspect of EOP, protecting your users from junk emails and fraudulent threats. EOP's anti-spam technology blocks spam emails, ensuring your users stay focused on legitimate communications. Spam filters can be enabled, and high-confidence spam can be moved to either the junk email folder or the quarantine folder.

EOP also includes anti-phishing features, which can be enhanced with AI-based tools like Defender for Office 365. These tools help detect phishing attempts and reduce the risk of successful attacks. Impersonation protection checks can be used to flag look-alike addresses and user warnings can be displayed for new senders.

Credit: youtube.com, Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks

If you're using Microsoft Defender, you can enable preset security policies that include mailbox intelligence for detecting phishing attacks using AI. These policies can also be configured to move high-confidence spam to the junk or quarantine folder.

Here are some key features of EOP's spam and phishing protection:

  • Spam filter: Blocks junk emails and fraudulent threats.
  • Anti-phishing: Detects phishing attempts and reduces risk of successful attacks.
  • Impersonation protection: Flags look-alike addresses and displays user warnings.
  • AI-based tools: Enhance detection capabilities and reduce false positives.
  • Preset security policies: Enable mailbox intelligence and move high-confidence spam to junk or quarantine folder.

By leveraging EOP's spam and phishing protection features, you can significantly reduce the risk of successful attacks and keep your users safe from malicious emails.

Monitoring and Alerts

Monitoring and Alerts are crucial components of Exchange Online Protection. EOP helps you monitor, report, and trace messages, providing detailed information on what happened to an email and the actions taken on it.

Message trace shows if a message was received, rejected, deferred, or delivered, giving you a clear picture of email activity. Email and collaboration reports provide detailed information on how anti-spam, anti-malware, and encryption features in Microsoft 365 help protect your organization.

You can create alert policies or use default alert policies to keep a tab on activities like phishing attacks, unusual file deletion, or external sharing. Alert policies can be configured to notify administrators of suspicious or malicious activity in Exchange Online.

Intriguing read: New Relic Trace

Credit: youtube.com, Secure Office 365 with Exchange Online Protection - Comprehensive Security Checklist

At a minimum, the following alerts should be enabled:

  • Suspicious email sending patterns detected.
  • Suspicious Connector Activity.
  • Suspicious Email Forwarding Activity.
  • Messages have been delayed.
  • Tenant restricted from sending unprovisioned email.
  • Tenant restricted from sending email.
  • A potentially malicious URL click was detected.

These alerts should be sent to a monitored address or incorporated into a security information and event management (SIEM) system.

Implementation and Configuration

To implement Exchange Online Protection, you'll need to sign in to the Exchange admin center. Select Mail flow, then Remote domains. From there, you'll select Default and edit the reply types to disallow automatic forwarding to external domains.

To do this, clear the checkbox next to Allow automatic forwarding, then click Save. It's essential to review each additional remote domain in the list to ensure automatic forwarding is only allowed for approved domains.

Exchange Online Protection is easy to set up and configure, making it an attractive option for businesses that want to quickly implement an email filtering and security solution. It integrates with other Microsoft cloud services, such as Exchange Online and Microsoft Defender for Office 365.

Credit: youtube.com, What is Exchange Online Protection (EOP) | Architecture of EOP | Office 365 email security

Some use cases for Exchange Online Protection include:

  • Standalone email filtering and security: Businesses can use EOP as a standalone email filtering and security solution for their on-premises email servers or third-party email services.
  • Office 365 email filtering and security: Businesses can use EOP as an integrated email filtering and security solution for their Office 365 email service.
  • Hybrid email environment: Businesses can use EOP to provide a consistent email filtering and security experience across both on-premises and cloud-based email users.
  • Advanced threat protection: Businesses can use EOP's advanced threat protection features to protect against advanced email-based threats, such as phishing and ransomware.

Alternatives and Comparison

Alternatives to EOP email security have emerged, utilizing Microsoft 365 APIs to extract data, perform analysis, and take automated action without changing mail flow.

These solutions typically have a short time-to-deployment, allowing MSPs to quickly operationalize across their entire client base.

From a maintenance perspective, these technologies employ similar detection methodologies as SEGs, including threat intelligence feeds, heuristic rules, and URL/attachment sandboxing and analysis.

The API-based architecture offers improved detection rates due to real-time analysis, which is less reliant on static intelligence.

Alternatives to EOP Email Security

API-based solutions offer a viable alternative to traditional email security gateways. These solutions can be deployed quickly, often in minutes, and require minimal maintenance.

One such solution is Hornetsecurity's 365 Total Protection, which layers with and complements Exchange Online Protection. It can be deployed without the need for an MX record change.

API-based solutions like Hornetsecurity's 365 Total Protection perform real-time analysis of emails, catching threats that Microsoft might miss. This is a significant advantage over traditional SEGs, which rely on static intelligence.

These solutions also provide a seamless experience for administrators and end-users, requiring fewer third-party apps or portals.

EOP vs. ATP

Credit: youtube.com, Office 365 Exchange Online Protection EOP vs Advanced Threat Protection ATP

EOP is the security service that comes by default with Microsoft 365, while ATP is an add-on service that requires an extra cost.

ATP is included in Microsoft 365 Enterprise E5 and Microsoft 365 Business Premium plans, making it a more comprehensive option for those with higher-tier subscriptions.

EOP and ATP work together to provide an extra layer of protection, with ATP leveraging Microsoft 365 Threat Intelligence to enhance its capabilities.

ATP is designed to provide an additional layer of security beyond what EOP offers, making it a worthwhile investment for those who need advanced threat protection.

Discover more: Zero-knowledge Service

Oscar Hettinger

Writer

Oscar Hettinger is a skilled writer with a passion for crafting informative and engaging content. With a keen eye for detail, he has established himself as a go-to expert in the tech industry, covering topics such as cloud storage and productivity tools. His work has been featured in various online publications, where he has shared his insights on Google Drive subtitle management and other related topics.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.