SOLVED

Office 365 ATP in conjunction with a Third Party spam filter

%3CLINGO-SUB%20id%3D%22lingo-sub-1124067%22%20slang%3D%22en-US%22%3EOffice%20365%20ATP%20in%20conjunction%20with%20a%20Third%20Party%20spam%20filter%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1124067%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20just%20after%20any%20advice%2C%20experience%2C%20comments%2C%20lessons%20learned%2C%20etc%20in%20relation%20to%20using%20Office%20365%20Advanced%20Threat%20Protection%20to%20enhance%20anti-spam%20capabilities%20for%20Exchange%20Online.....but%20in%20a%20scenario%20where%20the%20anti-spam%20is%20being%20handled%20by%20an%20external%20service%20and%20not%20EOP.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20Should%20we%20do%20this%3F%3C%2FP%3E%3CP%3E*%20Does%20ATP%20lose%20some%20of%20it's%20capabilities%20when%20the%20filtered%20mail%20from%20the%20external%20spam%20filter%20is%20treated%20as%20clean%20(SCL%20-1%20or%20equivalent)%3F%3C%2FP%3E%3CP%3E*%20If%20there%20is%20no%20sender%20rewrite%20by%20the%20third%20party%20spam%20filter%2C%20does%20ATP%20mailbox%20intelligence%20or%20anti-phishing%20policies%20even%20work%3F%3C%2FP%3E%3CP%3E*%20Anything%20to%20add%20would%20be%20welcome%20here%20really%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1124067%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20Threat%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EATP%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEOP%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EThird%20party%20spam%20filter%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1124402%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20ATP%20in%20conjunction%20with%20a%20Third%20Party%20spam%20filter%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1124402%22%20slang%3D%22en-US%22%3EHi%3CBR%20%2F%3E%3CBR%20%2F%3EOfficially%20it%E2%80%99s%20not%20recommended%20or%20supported.%20See%20article%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fmail-flow-best-practices%2Fmanage-mail-flow-using-third-party-cloud%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fmail-flow-best-practices%2Fmanage-mail-flow-using-third-party-cloud%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20because%20it%20can%20impact%20functionality%20with%20EOP%20such%20as%20track%20and%20trace%2C%20spam%20and%20phishing%20filtering%20and%20reporting.%20As%20ATP%20works%20with%20EOP%20this%20would%20have%20a%20knock%20on%20effect%20to%20ATP.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20am%20sure%20that%20organisations%20have%20implemented%20it%20in%20this%20way%20but%20referring%20to%20the%20document%20above%20it%E2%80%99s%20not%20recommended%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1136326%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20ATP%20in%20conjunction%20with%20a%20Third%20Party%20spam%20filter%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1136326%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20feedback%2C%20cheers%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1335797%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20ATP%20in%20conjunction%20with%20a%20Third%20Party%20spam%20filter%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1335797%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F401884%22%20target%3D%22_blank%22%3E%40bdelamotte83%3C%2FA%3E%26nbsp%3BSo%20I%20don't%20know%20if%20you're%20still%20looking%20for%20an%20answer%20to%20this%2C%20but%20it%20certainly%20is%20possible%20and%20it%20works%20well.%20Microsoft%20has%20even%20built%20functionality%20in%20to%20Office%20365%20to%20allow%20for%20this%2C%20they%20just%20don't%20recommend%20it%20because%20(of%20course)%20they%20prefer%20you%20use%20their%20product%20as%20opposed%20to%20someone%20else's.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20writing%20this%20assuming%20you%20route%20your%20email%20through%20a%20third-party%20email%20security%20gateway%2C%20which%20then%20passes%20email%20along%20to%20Office%20365.%20The%20feature%20you%20are%20looking%20for%20is%20called%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fmail-flow-best-practices%2Fuse-connectors-to-configure-mail-flow%2Fenhanced-filtering-for-connectors%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEnhanced%20Filtering%20for%20Connectors%20in%20Exchange%20Online%3C%2FA%3E%3A%20%22Enhanced%20Filtering%20for%20Connectors%20(also%20known%20as%20%22skip%20listing%22)%20allows%20you%20to%20filter%20email%20based%20on%20the%20actual%20source%20of%20messages%20that%20arrive%20over%20the%20inbound%20connector.%22%20In%20fact%2C%20this%20feature%20is%20designed%20just%20for%20the%20scenario%20you're%20describing%3A%20%22Enhanced%20Filtering%20for%20Connectors%20is%20meant%20to%20show%20the%20value%20of%20Exchange%20Online%20Protection%20(EOP)%20and%20Advanced%20Threat%20Protection%20(ATP)%20...%20Although%20it%20is%20possible%20to%20keep%20Enhanced%20Filtering%20enabled%20as%20a%20permanent%20solution...%22%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20use%20Proofpoint's%20email%20security%20gateway%20and%20wondered%20the%20same%20thing%20as%20you%20-%20can%20we%20layer%20on%20Exchange%20EOP%20protection%20in%20order%20to%20increase%20email%20security%20for%20our%20end%20users%3F%20The%20answer%20is%20yes%2C%20and%20we've%20just%20rolled%20this%20out%20to%20our%20entire%20organization.%20Using%20this%20feature%20also%20allows%20you%20to%20see%20what%20sort%20of%20emails%20EOP%20would%20have%20blocked%20%3CEM%3Ewithout%20actually%20blocking%20them.%26nbsp%3B%3C%2FEM%3EEOP%20still%20analyzes%20the%20emails%2C%20but%20if%20you%20have%20a%20rule%20bypassing%20this%20filtering%2C%20it%20won't%20actively%20block%20them%20until%20this%20rule%20is%20in%20place.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20happy%20to%20give%20you%20more%20details%20on%20how%20exactly%20this%20works%20and%20how%20you%20can%20perform%20phased%20testing%20for%20some%20users%20-%20let%20me%20know%20if%20you're%20interested.%20There%20is%20not%20a%20lot%20of%20documentation%20on%20the%20mechanics%20of%20enhanced%20filtering%2C%20but%20I%20can%20attest%20to%20the%20fact%20that%20it%20works%20well%2C%20blocking%20a%20lot%20of%20additional%20phishing%2C%20BEC%2C%20and%20junk%20email%20that%20Proofpoint%20doesn't%20catch.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi,

 

I'm just after any advice, experience, comments, lessons learned, etc in relation to using Office 365 Advanced Threat Protection to enhance anti-spam capabilities for Exchange Online.....but in a scenario where the anti-spam is being handled by an external service and not EOP.

 

* Should we do this?

* Does ATP lose some of it's capabilities when the filtered mail from the external spam filter is treated as clean (SCL -1 or equivalent)?

* If there is no sender rewrite by the third party spam filter, does ATP mailbox intelligence or anti-phishing policies even work?

* Anything to add would be welcome here really

 

Regards

3 Replies
Highlighted
Best Response confirmed by bdelamotte83 (New Contributor)
Solution
Hi

Officially it’s not recommended or supported. See article

https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-part...

This is because it can impact functionality with EOP such as track and trace, spam and phishing filtering and reporting. As ATP works with EOP this would have a knock on effect to ATP.

I am sure that organisations have implemented it in this way but referring to the document above it’s not recommended

Hope that answers your question

Best, Chris
Highlighted

@Christopher Hoard Thanks for the feedback, cheers

Highlighted

@bdelamotte83 So I don't know if you're still looking for an answer to this, but it certainly is possible and it works well. Microsoft has even built functionality in to Office 365 to allow for this, they just don't recommend it because (of course) they prefer you use their product as opposed to someone else's.

 

I'm writing this assuming you route your email through a third-party email security gateway, which then passes email along to Office 365. The feature you are looking for is called Enhanced Filtering for Connectors in Exchange Online: "Enhanced Filtering for Connectors (also known as "skip listing") allows you to filter email based on the actual source of messages that arrive over the inbound connector." In fact, this feature is designed just for the scenario you're describing: "Enhanced Filtering for Connectors is meant to show the value of Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) ... Although it is possible to keep Enhanced Filtering enabled as a permanent solution..."

We use Proofpoint's email security gateway and wondered the same thing as you - can we layer on Exchange EOP protection in order to increase email security for our end users? The answer is yes, and we've just rolled this out to our entire organization. Using this feature also allows you to see what sort of emails EOP would have blocked without actually blocking them. EOP still analyzes the emails, but if you have a rule bypassing this filtering, it won't actively block them until this rule is in place.

 

I'm happy to give you more details on how exactly this works and how you can perform phased testing for some users - let me know if you're interested. There is not a lot of documentation on the mechanics of enhanced filtering, but I can attest to the fact that it works well, blocking a lot of additional phishing, BEC, and junk email that Proofpoint doesn't catch.