Microsoft Support is excited to continue a blog series that will demystify how Microsoft 365 email protection works. This is the second part of the series, in which we will cover two common types of email threats—spam and phish. In part one of this series, we discussed the basic protection concepts, anti-spam message headers, and bulk email filtering.
Click here to view additional posts in this series. Would you like us to cover more topics? Let us know in the comments.
In contrast to bulk, which is often associated with grey mailings that some recipients may want in their inbox, spam and phish messages are unsolicited and malicious, and trick your users into sharing personal or company information. Interacting with phish can lead to financial impact, identity theft, or user compromise.
Determine if a message is legitimate
To be on the safe side, always avoid opening attachments or URLs (links) in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, exercise caution before interacting with its content. Learn how to protect against phishing attacks for common telltale signs of a phishing email.
To learn more about phishing trends and techniques, see this article.
Safe Links in Defender for Office 365 adds another layer of protection against malicious links: it scans and rewrites links during mail flow and also verifies them at time of click. The time-of-click check matters because a link that looks benign when the message arrives can be weaponized later and start redirecting to a malicious website.
Identify and train vulnerable users
With threat investigation and response capabilities in Microsoft Defender for Office 365, you can use attack simulation training to run realistic attack scenarios in your organization. These simulated attacks can help you find vulnerable users before a real phishing or ransomware attack impacts your organization.
Simplify security configurations
Security settings and policies may seem overwhelming to some users. This is especially true for smaller companies, which do not have expert Security Operations (SecOps) teams. That’s why it is highly recommended that you opt in to our preset threat protection policies—Standard or Strict. These out-of-the-box policies are optimized for a simple and secure configuration experience. You can always add and use custom policies later.
To learn more, visit the step-by-step guide on preset policies.
Find what happened to a message and its verdict
During anti-spam checks, we inspect message content, senders’ reputation and sending patterns, correlate them to trillions of signals using heuristic clustering, apply artificial and human intelligence with machine learning, evaluate your policies and custom overrides, validate email authentication (SPF, DKIM, DMARC, ARC), and more. The resulting spam filtering verdict (SFV) is a combination of all these checks. Company administrators review the SFV and other details to identify what happened to messages during or after delivery and act if needed. Try the following methods to find messages and verify why they ended up in an unexpected location:
- Submissions in Microsoft 365 Defender is the most recommended way to scan your message sample (or file, or URL) and learn whether the message was allowed or blocked by a policy you control or by a Microsoft verdict. For example, you may discover that a restrictive policy routed an email to quarantine.
- Anti-Spam Message Headers contain Microsoft Spam Filtering Verdicts (SFV) and authentication results. Look out for the usual suspects—SFV:SFE (the recipient allowed the sender address in Outlook) and SFV:BLK and SCL:6 (the recipient blocked the sender address in Outlook), CAT:SPOOF (the sender failed anti-spoofing checks), or CAT:UIMP/DIMP (the sender failed anti-impersonation checks).
- Message Trace in the updated Exchange Admin Center displays the message events, including where the message ended up (delivered to the inbox, quarantined, moved to another folder in the recipient’s mailbox, or placed in the Deleted Items folder) and why it ended up there (mail flow transport rules, Outlook rules, administrator policies, etc.). Review the rules or policies, and if the block was unintentional, change them accordingly.
- Quarantine in Microsoft 365 Defender shows messages blocked due to Microsoft verdicts or your organization’s configuration. After you locate the message in quarantine and review why it was blocked, choose whether you’d like to release, temporarily allow similar messages, or report it to Microsoft for analysis.
Figure 1: Use the review feature in Quarantine
Spam confidence levels
When we find a message clean, the X-Forefront-Antispam-Report headers will include a Spam Confidence Level (SCL) value of “1”. You are most likely to find such messages in your inbox. SCL:5 usually means the message was filtered as spam or phish, and you will find the category CAT:SPM / CAT:PHISH in the message headers. You would commonly locate these types of messages either in the junk folders or in the quarantine, depending on your default or custom anti-spam inbound policy settings.
If we identify a message is spam or phish with a high degree of confidence, we’ll mark it accordingly as CAT:HSPM (High Confidence Spam) or CAT:HPHSH (High Confidence Phish) and assign SCL:9, the highest possible spam confidence level. By default, and in preset policies, these are always quarantined.
Important: Exchange Online Protection and Microsoft Defender for Office 365 are now secure by default and keep high confidence phish messages out of your inbox. Such messages are always quarantined, just like malware.
Customize policies
Microsoft 365 Defender portal offers a great deal of customization. This is particularly helpful when you need to apply differentiated sets of actions to certain groups or users, such as your c-suite. In part 1 of the blog series, we have covered how anti-spam inbound policies control the actions applied to bulk email from the Microsoft 365 Defender portal, and spam and phish actions follow the same principle. Select an action from the list, and for Quarantine, decide whether to notify your users about their quarantined messages, and how long to retain them. Follow this step-by-step guide for help with quarantine policies and notifications.
Figure 2: Select an action from a dropdown for spam, phishing, and bulk in anti-spam inbound policies
Figure 3: Overview of selected actions and quarantine settings for spam, phishing, and bulk
Tip: Select AdminOnlyAccessPolicy to keep high confidence phish out of end-users’ quarantine notifications. With this quarantine policy, this type of phish will only be visible to administrators.
Minimize overrides
Data shows that overly permissive configurations often allow spam and phishing messages that Exchange Online Protection and Microsoft Defender for Office 365 would otherwise filter. Using legacy overrides, such as Exchange transport rules (mail flow rules), allowed senders, allowed domains, and allowed IP settings, can be tricky and unsafe. The risk is even bigger when you add overrides for accepted domains in Microsoft 365 that you own.
Messages that a user or administrator setting overrode are most likely to be in your inbox with SCL:-1. In addition, check the X-Forefront-Antispam-Report message headers for the most common override reasons—SFV:SKN when an admin used a mail flow rule to bypass spam filtering, SFV:SKA when an admin added the sender to the anti-spam policy allow list, or IPV:CAL when the IP was allowed in the connection filter policy.
Administrators set up these legacy overrides to address emails that were blocked in error. However, this often leads to bad emails inadvertently delivered to the inbox. This is especially true for domain allows.
To learn more about how to create safe overrides, see cautions against bypassing Office 365 spam filters. We will cover more best practices for safe allow/block list management in a later part of this series.
Another common reason for overrides is phishing tests. If you’re running a non-Microsoft simulation, or require high-confidence phishing messages to be received unfiltered to a SecOps mailbox, configure Advanced Delivery.
Tip: If you have previously configured transport rules to bypass spam scanning for phishing simulations, check your vendor documentation for new guidance, which should now include Advanced Delivery for a more secure delivery of simulations.
Finally, if your organization uses another spam filtering solution in addition to Exchange Online Protection, turn on Enhanced Filtering for Connectors. This will significantly improve the filtering accuracy. As with anti-spam policies, you can limit Enhanced Filtering to certain users or groups for testing.
Advanced spam filter
Advanced spam filter (ASF) controls are more aggressive and allow you to assign higher Spam Confidence Levels if messages contain certain elements, such as HTML tags. Similar to other user and admin overrides, we highly recommend that you do not use them, because our protection stack filters such messages without any additional customizations required on your part. If configured incorrectly, they may lead to more email marked as spam than you intended.
If you do choose to enable an ASF setting, remember you can scope a custom anti-spam inbound policy and test these settings on a limited set of users or groups before you enable them company-wide. Also, they’re easy to track: if an ASF rule marks the message as spam, X-CustomSpam will be included in the message headers.
For example, you will see X-CustomSpam: Empty Message when you enable filtering for messages with no subject, no content in the message body, and no attachments. This is a great way to identify and prevent ASF false positives, and it is fully within your control to remediate, in case of unexpected blocks.
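As an added example (not Microsoft code and not part of the original post), the following Python script reads the X-Forefront-Antispam-Report and X-CustomSpam headers discussed in the verdict, spam confidence level, override, and ASF sections above, and reports the SCL, category, every override reason, and any ASF rule that fired. The two sample messages are constructed; the category table lists the codes this post names (CAT:PHSH is the spelling in Microsoft's header documentation, written CAT:PHISH in this post).

```python
import email
from email import policy
# Verdict codes this post walks through, plus the baseline clean codes; anything else reads as "unknown".
SFV = {"SFE": "user allowed sender in Outlook", "BLK": "user blocked sender in Outlook",
       "SKN": "mail flow rule bypassed spam filtering", "SKA": "sender in anti-spam policy allow list",
       "NSPM": "not spam", "SPM": "spam"}
CAT = {"NONE": "clean", "SPM": "spam", "PHSH": "phish", "PHISH": "phish",  # PHSH in docs, PHISH in this post
       "HSPM": "high confidence spam", "HPHSH": "high confidence phish", "SPOOF": "failed anti-spoofing",
       "UIMP": "user impersonation", "DIMP": "domain impersonation"}
OVERRIDE_SFV = {"SFE", "BLK", "SKN", "SKA"}  # the user/admin overrides named in the post

def parse_report(value):
    """Split the semicolon-delimited KEY:VALUE fields of X-Forefront-Antispam-Report into a dict."""
    fields = {}
    for part in str(value).split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:  # skips the empty segment after the trailing ';'
            fields[key] = val
    return fields

def triage(raw_message):
    """Return the SCL, category, every override reason found, and any ASF (X-CustomSpam) rules that fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    r = parse_report(msg.get("X-Forefront-Antispam-Report", ""))
    overrides = []
    if r.get("SCL") == "-1":
        overrides.append("SCL:-1 (filtering skipped by a user or admin setting)")
    if r.get("SFV") in OVERRIDE_SFV:
        overrides.append("SFV:%s (%s)" % (r["SFV"], SFV[r["SFV"]]))
    if r.get("IPV") == "CAL":
        overrides.append("IPV:CAL (IP allowed in connection filter policy)")
    return {"scl": int(r.get("SCL", "0")), "category": CAT.get(r.get("CAT", ""), "unknown"),
            "overrides": overrides, "custom_spam": [str(h) for h in msg.get_all("X-CustomSpam") or []]}

# Constructed sample headers (not real mail). First: an admin allow-list entry let the message skip filtering.
OVERRIDDEN = """From: joe@fabrikam.com
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKA;H:mail.fabrikam.com;PTR:mail.fabrikam.com;CAT:NONE;DIR:INB;

"""
# Second: high confidence phish with no subject or body, so the ASF "Empty Message" rule fired as well.
PHISH = """From: spoofed@example.net
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:XX;SCL:9;IPV:NLI;SFV:SPM;CAT:HPHSH;DIR:INB;
X-CustomSpam: Empty Message

"""

if __name__ == "__main__":
    for name, sample in (("overridden", OVERRIDDEN), ("phish", PHISH)):
        print(name, triage(sample))
```

Paste the full raw headers of a message (Outlook: File > Properties > Internet headers) into a string and pass it to triage() to get the same breakdown.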
Report a false positive or false negative to Microsoft
Although Microsoft 365 comes with a variety of anti-spam and anti-phishing features that are enabled by default, it's possible that some spam or phishing messages could still get through to your mailboxes.
When good emails are marked as bad and end up in quarantine or in your junk folder by mistake, they’re referred to as false positives. When a new and malicious email variant targets your mailbox, your anti-spam and anti-phish filters start working, but some messages may end up in the inbox. These emails are referred to as false negatives. For more information, see Report false positives and false negatives in Outlook.
Use Submissions in Microsoft 365 Defender to report email messages, files, and URLs to Microsoft for analysis. The submissions page shows if a message is blocked or delivered due to Microsoft filtering verdicts or for other reasons, such as end-user rules or your organization policies. If this isn’t a policy you control, and you disagree with a restrictive verdict, report it as a false positive and temporarily allow emails with similar attributes. This will create a safe and temporary override within the Tenant Allow/Block List only for the respective attribute that was detected as malicious—the sender or sending domain, the attachment, or the URL.
Figure 4: Submit messages to Microsoft for analysis
Tip: Enable the report message or report phishing add-ins for your end-users to easily report false positives and false negatives directly from Outlook. Messages that users report are then made available for administrators across submissions, automated investigation and response (AIR), messages reports, and Explorer.
Benefits of reporting messages to Microsoft
It’s simple! The more issues you report, the more accurate the filters become over time. Your report can help improve the detection quality of similar messages or campaigns in future updates.
If you find the verdict is a result of configurations within your control, you’ll be able to identify the exact policy to review or change common overrides for domains or sender addresses, links, or files. This includes user (Outlook) junk filter overrides, Exchange transport rules, anti-spam, anti-phishing, or other policies.
Example 1:
A user reports that a spam message was received in the inbox. You report it on Submissions and review the Result column (additional columns are available under the “Customize columns” option). You find that the user had allowed the sender address in Outlook. With this information, you can educate the user about the risks of overrides so they remove the entry in Outlook, or you can remove the entry for them using PowerShell.
Figure 5: Review Submissions results for reported messages.
Example 2:
You’re expecting to receive an email from joe@fabrikam.com—an address that belongs to the company Fabrikam. You find that emails from fabrikam.com are blocked because a security administrator added the domain to the anti-spam policy block list. With this knowledge, you may want to either remove the domain from the block list or create a limited or temporary override.
Example 3:
You received a phishing email and reported it on Submissions. The result shows the phishing URL is now blocked and Zero-hour auto-purge (ZAP) removed all relevant threats from the organization retroactively. Later, you can review the URL protection report in the Microsoft 365 Defender portal and find if anyone had clicked the malicious link. You may also want to consider blocking the sender, or running a phishing simulation to promote awareness among your end-users about the risks of phishing.
We hope that this information helped you better understand how the Microsoft 365 email protection stack works, how to reduce false positives and false negatives, misconfigurations, and overrides, how to report verdict disagreements to Microsoft, and how to plan a user training strategy to prevent phishing attacks.
Important Resources
Anti-spam inbound policy settings
Cautions against bypassing Office 365 spam filters
Manage the Tenant Allow/Block List
Quarantine policies step-by-step guide
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.