Exchange Online Protection: A Premium Protection and Policy Service for Email
Published Sep 18 2012 02:23 PM

This summer, Microsoft introduced the new Office, including the new version of Exchange Server 2013 and Exchange Online, which provides businesses with robust communication and collaboration capabilities available on-premises or in the cloud.

When you talk about messaging and collaboration, especially within the larger context of cloud services, one of the questions to quickly follow is, how do we keep our organization safe from spam and malware? Today, many Exchange Server and Exchange Online customers use Forefront Online Protection for Exchange (FOPE) for messaging protection, policy enforcement, and mail-routing control. The next release of FOPE will be called Exchange Online Protection (EOP). EOP provides the protection and control you’ve become accustomed to with FOPE, but with new features too. EOP is available as a stand-alone cloud service if you run Exchange, or another messaging solution, on-premises. If you have an Office 365 subscription, EOP is directly integrated in the Exchange Administration Center, which provides a seamless experience for administrators managing and protecting their organization’s mailboxes.

Messaging Protection in the Exchange Administration Center

Forefront Online Protection for Exchange (FOPE) had a user interface separate from on-premises Exchange Server and Exchange Online. For on-premises customers, the new EOP user interface is identical in appearance to the Exchange Administration Center. For Exchange Online customers, EOP features have been integrated directly.

EOP Features at a Glance

EOP provides inbound and outbound spam and malware filtering, reporting, message trace, and mail-flow configuration features. Some of these features were included with FOPE, and in many cases they have been enhanced. EOP features include the following:

  • URL lists for spam filtering that block messages containing specific URLs within their message body. EOP includes additional lists beyond those available in FOPE.
  • The ability to skip spam filtering for trusted senders, based on subscription lists
  • The ability to filter messages written in specific languages, or sent from specific countries or regions
  • Malware filtering that can delete and strip unsafe attachments
  • The capacity to mark bulk email (such as advertisements) as spam through the user interface
  • The capability to search for, view, or release quarantined email messages in the EAC
  • Transport rules which you can use to control mail flow, based on a message’s content
  • Message tracing capability, which allows you to search for and view details about a specific message
  • Inbound connectors and outbound connectors you can use to enforce secure communication between you and a partner, or to make hybrid mail flow (where you host a portion of your mailboxes on-premises and a portion in the cloud) possible
  • New reports, which you can use to monitor your organization’s mail flow, available in the Office 365 portal, by using a Microsoft Excel download application, or by using a Web service.

Anti-Spam Protection

Anti-spam protection is comprised of connection filtering, content filtering, and outbound spam processing. You can configure settings so that they are tailored to best meet the needs of your organization.

Connection Filter

Connection filtering blocks or allows inbound messages based on the originating IP address. The connection filter checks the IP Allow and IP Block lists before checking the content of each message. Messages from specifically allowed IP addresses bypass filtering. Messages from senders in the IP Block list are blocked, except in cases where they also appear in the IP Allow list. In the EAC, you can add an IP address or address range to an IP Allow list or IP Block list without hassles. You can also check Enable safe list to skip spam filtering for messages from trusted senders, derived from lists that Microsoft subscribes to.
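The precedence described above (allow overrides block, and both are evaluated before content filtering) can be modelled in a few lines. This is an added example, not EOP code: the function names, the sample addresses and the position of the safe-list check after the Block list are assumptions made for illustration.

```python
import ipaddress

def parse_entries(entries):
    """Accept single addresses or CIDR ranges, as the IP Allow/Block lists do."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def listed(ip, networks):
    """True if the address falls inside any listed address or range."""
    return any(ip in net for net in networks)

def connection_verdict(source_ip, allow, block, safe=(), enable_safe_list=False):
    ip = ipaddress.ip_address(source_ip)
    # Allow list wins, even when the same address is also on the Block list.
    if listed(ip, allow):
        return "bypass-filtering"
    if listed(ip, block):
        return "block"
    # Assumption: the subscribed safe list is consulted after the Block list.
    if enable_safe_list and listed(ip, safe):
        return "bypass-filtering"
    # Everything else continues to content filtering.
    return "content-filter"

# Constructed sample lists using documentation address ranges.
ALLOW = parse_entries(["198.51.100.25", "203.0.113.0/28"])
BLOCK = parse_entries(["203.0.113.0/24"])
SAFE = parse_entries(["192.0.2.0/24"])

if __name__ == "__main__":
    for addr in ("203.0.113.5", "203.0.113.77", "192.0.2.10", "198.51.100.99"):
        print(addr, connection_verdict(addr, ALLOW, BLOCK, SAFE, enable_safe_list=True))
```

Because an allow entry both overrides the Block list and skips filtering, a broad allow range removes both protections for every address inside it, so allow entries are best kept as narrow as the sending partner permits.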

Content Filter

Content filtering examines each part of the inbound email message, such as the header and message body, using a list of regular expressions. A score is then assigned to the message if a rule is matched. Several URL lists are also used to block messages that contain specific, suspicious URLs. You can configure actions for each confidence-threshold level by editing the default content filter policy. For example, you can send messages to the quarantine or to the Junk Email folder of each recipient.
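The flow described above (regular-expression rules that add to a score, URL lists that block outright, and per-threshold actions) is sketched below as an added example, not EOP's implementation. The rules, weights, URL entry, threshold values and the choice to sum scores are all constructed assumptions, and the sample messages are single-part plain text.

```python
import re
from email import message_from_string

# Constructed rules: (message part, pattern, score). Not EOP's real rule set.
RULES = [
    ("subject", re.compile(r"\b(free|winner|urgent)\b", re.I), 2),
    ("body", re.compile(r"verify your (account|password)", re.I), 3),
    ("body", re.compile(r"\bwire transfer\b", re.I), 2),
]
URL_BLOCKLIST = {"malicious.example"}          # constructed URL list entry
URL_RE = re.compile(r"https?://([^/\s:]+)", re.I)
# Constructed confidence thresholds, highest first, mapped to the article's actions.
ACTIONS = [(5, "quarantine"), (2, "junk-email-folder")]

def score_message(raw):
    """Return (score, matched rule patterns, blocked URL hosts) for one message."""
    msg = message_from_string(raw)
    parts = {"subject": msg.get("Subject", ""), "body": msg.get_payload()}
    score, hits = 0, []
    for part, pattern, points in RULES:
        if pattern.search(parts[part]):
            score += points                     # assumption: rule scores are summed
            hits.append(pattern.pattern)
    hosts = {h.lower() for h in URL_RE.findall(parts["body"])}
    return score, hits, sorted(hosts & URL_BLOCKLIST)

def verdict(raw):
    score, _, blocked = score_message(raw)
    if blocked:                                 # a URL-list hit blocks regardless of score
        return "block"
    for threshold, action in ACTIONS:
        if score >= threshold:
            return action
    return "deliver"

# Constructed sample messages.
SPAM = "Subject: URGENT: you are a winner\n\nPlease verify your account to claim the prize.\n"
BULK = "Subject: Free webinar\n\nJoin us next week.\n"
URL_MSG = "Subject: Invoice\n\nSee http://malicious.example/login for details.\n"
CLEAN = "Subject: Meeting notes\n\nAgenda attached.\n"

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("BULK", BULK), ("URL_MSG", URL_MSG), ("CLEAN", CLEAN)):
        print(name, score_message(raw)[0], verdict(raw))
```

Returning the matched patterns alongside the score makes a false positive traceable to the rule that caused it, which is what an administrator needs when reviewing a quarantined message.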

Content filtering includes international filtering, which means that you can choose to block messages written in specific languages or sent from specific countries or regions, and Advanced Spam Filtering Options, which inspect attributes in a message and act upon the message if it matches a specific configured attribute. If you are concerned about phishing, some advanced options offer a combination of Sender ID and SPF-record technologies to authenticate and verify that messages are not spoofed.

Outbound Spam

Why do you need outbound spam filtering? Because malicious programmers and their malware are out there taking over computers inside corporate networks every day. This means that users in your organization can be sending large amounts of outbound spam without your knowledge.

EOP includes outbound spam filtering to protect your organization and your email recipients, including your customers and partners, from spam. You can configure outbound spam settings in the EAC.

Malware Filtering

Malware consists of viruses and spyware, and is used to harm computer operations and collect sensitive information from victims. EOP uses multiple anti-malware scan engines to protect against malware threats. In addition to this, EOP includes a real-time threat response. This means that when outbreaks occur, the anti-malware team can write specific policy rules that detect the threat and protect your organization even before definitions are available from the anti-malware engines used by the service. EOP’s malware filter in the Exchange Administration Center allows you to customize your default company-wide malware filter policy, including how to take action on detected malware and who to notify in case malware is detected. You can also customize these notification messages.

Transport Rules

Your organization may be required by law, regulatory requirements, or company policies to apply messaging policies that limit the interaction between recipients and senders, both inside and outside the organization.

Using Exchange Transport rules, which replace Policy rules in FOPE, you can look for specific conditions on messages that pass through your organization and take action while messages are in transit. Transport rules let you apply messaging policies to email messages and prevent information leakage.

Interesting new features for Transport rules include new predicates and actions. New predicates include those that can check the name extension for an attachment, or check for a message that exceeds a specified size. New actions include how to notify a sender in case a Transport rule is invoked, or the ability to require Transport Layer Security (TLS) on messages routed outside of your organization.

Quarantine

Messages that are identified as spam or that match an Exchange transport rule can be sent to the quarantine. If you are an administrator, you can search for quarantined messages, view details about quarantined messages, release specific messages to a recipient within your organization, and also quickly report a quarantined message as a false positive.

Message Trace

What happened to the email I sent you? It’s a common question heard in any organization, from end users and IT folks. The message trace feature enables you as an administrator to follow email messages as they pass through your EOP service. It helps you determine whether a targeted email message was received, rejected, deferred, or delivered. This lets you efficiently answer your users’ questions and troubleshoot mail flow issues, and alleviates the need for users to contact technical support for assistance.

Connectors

You may have a situation that requires secure transmission of messages to a specific partner, or one where you have specific policies for mail traveling from your cloud mailboxes to your on-premises Exchange mailboxes, in a hybrid environment. With Inbound connectors and outbound connectors, you get fine-tuned control of mail flow, including the ability to apply security policies based on the IP address and domain of a sender or recipient.

Reporting

EOP offers a variety of reporting features both in and out of the Exchange Administration Center (EAC). Audit logging and reports are included in the EAC. Audit logging reports track specific changes made by administrators in order to help you meet regulatory, compliance, and litigation requirements.

Additional reports are available with the Excel Download Application. You can use the Mail Protection reports for Office 365 reporting workbook to gather messaging statistics and details, if you are part of a Microsoft Office 365 Enterprise organization. After you download the workbook to your local computer and configure it, the workbook connects to your organization and retrieves messaging data. The data includes information about message traffic, spam, malware, and messages affected by transport rules.

For Exchange Online customers, additional reports are available in the Office 365 portal. These include a report that shows the number of active and inactive mailboxes. (A mailbox is considered active if a user has accessed it at least once in the last 30 days.) Another shows the number of groups created and deleted by day, week, month, or year.

There are also plans for additional reports, available via Web services, slated for the general availability (GA) release.

Conclusion

The new and improved EOP service brings anti-spam and anti-malware protection settings directly into the new EAC. EOP features include filters, reports, quarantine, troubleshooting tools, and connectors that enable you to protect your users and fine-tune your email messaging environment.

Tony Trivison

12 Comments
Not applicable

Interesting. I will definitely check it.

Thank you.

Not applicable

Message Trace didn't have many options to search for a message, e.g. it should search using domain name only instead of full email address.

Not applicable

So if I have an on-premise Exchange 2010 environment, how does EOP help me to scan my internal emails now that FPE has been discontinued, or is EOP only for 2013? Even so, I don't want to be sending all my internal mail traffic over the wire to an external scanning engine. I know 2013 has built-in malware protection - but that is referred to as "Basic" everywhere...

Not applicable

Hi Rao - You can search for messages using wildcards. There is more information at Run a Message Trace (technet.microsoft.com/.../jj200712(EXCHG.150).aspx) in the Exchange Online Preview documentation. Hope that helps. Tony

Not applicable

Hi KennyG - For incoming mail, EOP works with legacy Exchange versions (and non-Exchange environments).

For internal mail (mail from a sender in your organization to a recipient in your organization) you can continue to use FPE 2010 to scan for malware on premises, if you use Exchange Server 2010. If you use Exchange Server 2013 Preview, it has full-featured anti-malware scanning that is described at Anti-Malware Protection (technet.microsoft.com/.../jj150547(EXCHG.150).aspx).

Not applicable

Hi. How is licensing likely to work with all of this? For office 365 specifically.

Tks

Not applicable

Wow, they cut two whole words out of the name and one whole letter out of the acronym. A step in the right direction, but these names are still terribly unwieldy.

Not applicable

What about database scanning? FPE 2010 is due to be retired from Dec 2012.

Not applicable

Questions:

1)  Is there user-by-user whitelisting as opposed to enterprise-wide?  Blacklisting?

2)  Can the administrator manage the enterprise-wide whitelist and user whitelists? Blacklists?

3)  Is there a provision for excepting individual senders or whole domains from SPF testing while leaving it in place for other senders?

4)  Is there a greylisting feature?

5)  Is there AD lookup of valid recipient addresses?  If so is filtering done at the SMTP level or later?

6)  If there is a compliance requirement to not throw away ANY email (for example an email that has some invalid recipients along with valid ones or one sent to a misspelled address) can we send filtered emails to public folders or some other quarantine destination?

7)  When exactly will EOP be available?  Will it work in on-premise XS2K10 as well as on-premise XS2K13 environments?

8)  What about database scanning?  How can we scan for malware that might not have been detected on receipt?

Not applicable

What new functionality will current FOPE users get with the new Exchange Online Protection?   with on prem Exch2010 deployment.  Is Exchange Encryption offering changing at all or will still be standalone offering?

Not applicable

CarlJ - We don't have all the details regarding licensing yet, but EOP will be part of an Office 365 subscription.

Not applicable

sukh - I don't personally have details regarding on-premises filtering products. The following blog post provides some details, however: Important Changes to Forefront Product Roadmaps (blogs.technet.com/.../important-changes-to-forefront-product-roadmaps.aspx)

Last update: Jul 01 2019 04:08 PM