Defender for Office Policy Assignment by Domain
- Feb 22, 2024
I just wanted to come back and post what I learned from my Microsoft case on this issue. Apparently, if you use multiple conditions for policy assignments - i.e. user, group and/or domain - those are AND conditions, so the recipient must match all of the assignment types.
For example, if I add email address removed for privacy reasons and then the group email address removed for privacy reasons - where email address removed for privacy reasons includes 'user2' and 'user3' - an email sent to user1 will NOT be scanned by the policy because user1 is not also part of the group.
This is documented here (this is the malware doc, but you can find the same blurb in the others):
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide#recipient-filters-in-anti-malware-policies
I can't fully wrap my head around why the logic was set up that way, but at least I have an answer to my issue. Hopefully this will help someone in the future who may run into the same issue.
Thanks to Joe Stocker / MatejKlemencic for taking the time to respond.
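
The matching behaviour described in the post above, modelled as an added PowerShell example (not code from the thread or from Microsoft). `Test-RecipientFilterMatch`, the `contoso.example` addresses and the group membership are constructed; `SentTo`, `SentToMemberOf` and `RecipientDomainIs` are the condition properties found on rules such as those returned by `Get-MalwareFilterRule`. It assumes direct address and group matches only, with values inside one condition type ORed as the linked documentation describes.

```powershell
function Test-RecipientFilterMatch {
    param(
        [Parameter(Mandatory)] [string] $Recipient,
        [string[]] $RecipientGroups = @(),   # groups the recipient is a member of
        [Parameter(Mandatory)] $Rule         # object exposing the three condition properties
    )
    $domain = ($Recipient -split '@')[-1]

    # One entry per condition type. Within a type, matching ANY configured value is a hit (OR).
    $checks = @(
        [pscustomobject]@{ Type = 'SentTo'; Configured = $Rule.SentTo
                           Hit  = $Rule.SentTo -contains $Recipient }
        [pscustomobject]@{ Type = 'SentToMemberOf'; Configured = $Rule.SentToMemberOf
                           Hit  = [bool]($Rule.SentToMemberOf | Where-Object { $RecipientGroups -contains $_ }) }
        [pscustomobject]@{ Type = 'RecipientDomainIs'; Configured = $Rule.RecipientDomainIs
                           Hit  = $Rule.RecipientDomainIs -contains $domain }
    )

    # Empty condition types are ignored; every populated type must match (AND).
    $active = @($checks | Where-Object { $_.Configured })
    $failed = @($active | Where-Object { -not $_.Hit })

    [pscustomobject]@{
        Recipient     = $Recipient
        PolicyApplies = ($active.Count -gt 0 -and $failed.Count -eq 0)
        FailedOn      = $failed.Type -join ', '
    }
}

# Constructed rule mirroring the post: one user AND one group are both configured.
$rule = [pscustomobject]@{
    SentTo            = @('user1@contoso.example')
    SentToMemberOf    = @('group1@contoso.example')
    RecipientDomainIs = @()
}
# Constructed membership: group1 contains user2 and user3, but not user1.
$members = @{ 'group1@contoso.example' = @('user2@contoso.example', 'user3@contoso.example') }

foreach ($r in 'user1@contoso.example', 'user2@contoso.example') {
    $groups = @($members.Keys | Where-Object { $members[$_] -contains $r })
    Test-RecipientFilterMatch -Recipient $r -RecipientGroups $groups -Rule $rule
}
```

Feeding the function real rule objects instead of `$rule` shows which populated condition type excludes a given recipient, which is the quickest way to spot a policy whose user and group assignments do not overlap.
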
Is your setup based on an Exchange Hybrid environment? Are your MX records pointing directly to Exchange Online? Have you attempted applying the custom anti-malware policy to your onmicrosoft.com domain as well?
- robinhailey, Feb 12, 2024, Copper Contributor
Hi MatejKlemencic
Thanks for replying. No, our Exchange is fully cloud based (no hybrid). For the accounts/domains in question, yes, the MX records are pointing directly to Exchange Online. I've not tried adding the onmicrosoft.com domain but will do that. If that were to work, what would that tell me about the associated primary domain?
Thanks,
Robin
- MatejKlemencic, Feb 12, 2024, Brass Contributor
Hi robinhailey
Give it a try despite the odds. I've encountered unusual email routing between onmicrosoft.com and customer-owned domains. Consider creating a policy through PowerShell as well; it has proven helpful in the past > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide#use-powershell-to-create-anti-malware-policies
Keep in mind that Anti-Malware is part of EOP not MDO > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-worldwide#how-eop-works
- robinhailey, Feb 12, 2024, Copper Contributor
Hi MatejKlemencic -
Thanks - I haven't had a chance yet to try the onmicrosoft suggestion.
I was thinking I should try recreating the policies (again) - maybe this time I'll do it via PowerShell.
Just as an FYI, it's not just the anti-malware that this is happening on. I've confirmed it's doing the same thing with the anti-phishing policy as well. I haven't tested the others, was just assuming they weren't going to behave in the same manner.