
Quarantine phishing mails?

bart vermeersch
Super Contributor

We receive lots of phishing mails and they are never ever blocked automatically.

Should EOP be capable of blocking (some of) them automatically or do we always have to manually add transport rules to try filtering those messages?

What is the best way to protect our users from these mails? I find it strange that even after a year similar phishing mails still aren't recognized and blocked automatically.

Unfortunately ATP is not an option financially.

2 Replies
Hi Bart,
Do you have SPF, DKIM and DMARC configured?
You should not have to resort to transport rules to block phishing emails.
ATP just added blacklisting capability so that you can add URLs into the ATP blacklist, avoiding the need to create transport rules.
I understand that is not in your budget though.
Another option is you can report these phishing emails to Microsoft. In the OWA interface, there is a junk menu - click that and in the drop-down select Phishing.
Another thing you can try is to make sure that 'Enable safe list' is not checked in the EOP Connection Filtering option. This is because some spammers will use legitimate websites like GoDaddy to send emails which are technically in that safe list, so you may see a reduction of spam/phishing emails if you uncheck that box.
In the EOP Spam Filter "Bulk email" settings, I recommend setting the threshold at '5'.
Lastly, in the EOP Spam filter advanced options, I recommend setting 'SPF record: hard fail' to 'On', as this will make it harder for those sending phishing emails to get through SPF checks.

Try those out for a few days and let us know if that helps. I had another client try these settings and they said it was a big help for them.
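
The three EOP settings recommended in the reply above, audited and optionally applied from Exchange Online PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module, an active Connect-ExchangeOnline session, and that the policies named Default are the ones in effect for your mailboxes.

```powershell
# Added example: audit (and with -Apply, set) the EOP settings named in the reply.
# Assumes Connect-ExchangeOnline has already been run in this session.
param([switch]$Apply)

# Built-in policies; custom policies would need their own -Identity (assumption).
$conn    = Get-HostedConnectionFilterPolicy -Identity Default
$content = Get-HostedContentFilterPolicy    -Identity Default

# Current value of each setting beside the value the reply recommends.
$checks = @(
    [pscustomobject]@{ Setting     = 'Connection filter: EnableSafeList'
                       Current     = "$($conn.EnableSafeList)"
                       Recommended = 'False' }
    [pscustomobject]@{ Setting     = 'Spam filter: BulkThreshold'
                       Current     = "$($content.BulkThreshold)"
                       Recommended = '5' }
    [pscustomobject]@{ Setting     = 'Spam filter: MarkAsSpamSpfRecordHardFail'
                       Current     = "$($content.MarkAsSpamSpfRecordHardFail)"
                       Recommended = 'On' }
)

# Flag every setting that differs from the recommendation.
$report = $checks | Select-Object *, @{ Name = 'Compliant'
                                        Expression = { $_.Current -eq $_.Recommended } }
$report | Format-Table -AutoSize

$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -eq 0) {
    Write-Output 'All three settings already match the recommendation.'
}
elseif ($Apply) {
    # Apply the recommended values; run without -Apply first to review the drift.
    Set-HostedConnectionFilterPolicy -Identity Default -EnableSafeList $false
    Set-HostedContentFilterPolicy    -Identity Default -BulkThreshold 5 `
                                     -MarkAsSpamSpfRecordHardFail On
    Write-Output "Updated $($drift.Count) setting(s) on the Default policies."
}
else {
    Write-Output "$($drift.Count) setting(s) differ; re-run with -Apply to change them."
}
```

Running it without -Apply only reports, which makes it suitable for a before/after comparison over the few days of testing the reply suggests.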


Check out the Best practices for configuring EOP and make sure these are being adhered to. Also, have a look at the Implement Microsoft Exchange Online Protection presentation (from last year) for tips on spam/phishing prevention. For more background info check out Terry Zink: Security Talk; he has a lot of good info, like Why does spam and phishing get through Office 365? And what can be done about it?, though not a recent article.

Before we moved to a third-party email threat protection system, we found EOP to do a reasonable job at catching spam/phishing but the consistency wasn't always high enough.
