User Profile
JeremyTBradshaw
Iron Contributor
Joined Jun 24, 2017
User Widgets
Recent Discussions
Re: Marking Quarantine Notice senders as safe for entire tenant
Definitely room for lots of subjectivity but I like to use Transport Rules for things like this (org-wide, system like stuff, such as quarantine notifications), and stick to the TABL for allows/blocks otherwise. You could make a transport rule that when messages from that sender come in, it bypassed spam filtering (which will bypass the basic stuff, apart from things like URL reputation, file reputation, malware, and other high-confidence-by-default detection techs. You can also use the same or another transport rule to make sure some messages are always in the Focused view for Focused Inbox users.Re: user-reported phishing emails
Less than concreteness to offer here, but here goes... Typically when the Inbox is greyed out, the message is thought to already be in Inbox. Sometimes that's not the case and the UI is clearly flawed. They introduced that "Show all response actions" slider sometime in the last year or two, and that helped to unlock the options when the UI is confsued. Even still the UI is confused often. But it totally could be that the emails in your screenshot's case, are already sitting in Inbox (or some other folder that is not Junk/Deleted Items). When somebody reports a message as Junk/Phish, the message is moved to the Deleted Items folder. When the verdict comes back as "No threats found", the message is NOT moved back to Inbox. As it relates to the Take Action menu where we can move items, to Inbox for example - I believe (cannot guarantee) it will only let you move to Inbox if the system hard previously moved it to Junk or Quarantine.Re: Expose ResourceDelegates in OWA Settings > Calendar > Resource Scheduling
Those are OK suggestions, however #1 and #2 are for admins. The solution I'm after is trying to let us delegate control over the "Resource Scheduling" settings that are exposed in OWA, to regular users who we refer to as "owners" of rooms. #3, and #6 are giving out calendar folder permissions but that's not what I'm after either. I'm after exposing the settings from your #2, but in the "resource scheduling" section of OWA > Settings > Calendar > Resource Scheduling. They've already exposed many of the settings there which you can administratively control via Set-CalendarProcessing. But they've yet to expose the ResourceDelegates over in the OWA settings UI. That's what I'm trying to suggest/request here.Expose ResourceDelegates in OWA Settings > Calendar > Resource Scheduling
Expose ResourceDelegates in OWA Settings > Calendar > Resource Scheduling · Community I'm posting this here in hopes of getting votes over at the feedback site. What I'm after as a solution is this: 1.) Room "Owners" be granted FullAccess (ideally with AutoMapping disabled). 2.) Room "Owners" open room mailboxes in OWA and manage both Calendar permissions, and Resource Scheduling options (a.k.a., Booking Options), entirely themselves. 3.) Admins are relieved of the burden of having to do all this work for Room "Owners" because some of the settings are hiding in PowerShell only. We're almost there in EXO's OWA options > Calendar > Resource Scheduling. We're just missing ResourceDelegates: I suppose additional checkboxes could also be added to cover off all the other settings available in Get-/Set-CalendarProcessing, but for me ResourceDelegates is the most vitally important one. In large orgs, the ability to truly hand off responsibility of these settings to a room owner will be a huge administrative overhead relief.Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android
Here's a quick screenshot from my current lab env. Still looks mostly the same. Once you turn on Work Accounts only, you will see the AllowedAccountUPNs configuration key show up. In the view I am showing below, the value type is just "string" (not "valueString"), so that is different from what I described back in 2020. Nonetheless, it is the {{UserPrincipalName}} area which I was referring to that takes semi-colon-delimited UPNs: I should state, I'm a little out of touch on this topic right now and it is 5 years later so things may have changed some. I'm scratching my head on this one a little bit trying to remember the exact use case I had. I feel like it must have been a decidated app configuration profile to deploy to a specific set of users who need to have a specific additional mailbox(es) added to their mobile Outlook. Hope this answer clears up what you were after.Re: Using the Get-RecoverableItems Cmdlet to Report Recoverable Items
You know, I just realized this morning that the output of Get-RecoverableItems actually stores "LastModifiedTime" as a string, rather than as a datetime object. This makes sorting in PowerShell a game of text twist. Really annoying to see this kind of thing happen in real life: At one point in time, the Exchange team were almost like the pioneers of PowerShell.Re: SMTP XOAUTH suddenly failing for Outlook personal with '535 5.7.3 Authentication unsuccessful'
Actually no. I'm currently working on learning MailKit usage in PowerShell, but using EXO/M365/Entra to do this, rather than personal Outlook. I just came across this page as I was earlier having the same 535 5.7.3 Authentication Unsuccessful error. I got past it, and it was unrelated to your original issue's solution. But couldn't help but notice how you were getting actively deflected and want to let you know I could see that and thought it was ridiculous.Re: Bad actors impersonating Microsoft Billing using rogue on-prem. Exchange > M365 tenants
FYI, this attack technique is now being used to successfully spoof DocuSign.net senders. They're using very commonly used DocuSign sender addresses, have the mail from/return-path using the Sender Rewrite Scheme format of bounces+SRS=12345abcde@<compromised-tenant>.onmicrosoft.com. I'm not sure if the entire tenant and on-premises Exchange are being stood up as fake legit tenants and then used purely for this, or if it is unknowing legitimate customers' on-premises Exchange being abused without them knowing. The tenant names look legitimate, sort of maybe / hard to tell. But this technique is letting people spoof both Microsoft.com and DocuSign.net and pass DMARC, DKIM, somehow. Unable to fathom exactly how EOP is passing DKIM/DMARC other than that I think MS' implementation of ARC is being taken advantage of, and earlier DKIM passes are being observed in the headers, then faultily leading to final DMARC pass. Something like that. The best way I have seen to stop these messages is to just use a Transport Rule. TABL is not good enough! We need these 2 conditions: Microsoft spoofs: 1.) Sender address is email address removed for privacy reasons 2.) Return-Path header contains word "onmicrosoft.com" DocuSign.net spoofs: 1.) Sender domain is DocuSign.net 2.) Return-path header contains word "onmicrosoft.com" Then either block/quarantine, increase SCL - do whatever is your preferred approach. These are rather broad criteria so I would advise Quarantine at most to start just to be able to observe and be sure not to impact the legitimate emails from these 2 sources.Re: Exchange online migration fails with various errors
Sankaperera thanks for the tip. My issue ended up being super simple and the on-prem object's ExchangeGuid needed to be set to match the EXO mailbox'. This problem used to get a nice and easy error message but now gets this new odd and unhelpful one. Nonetheless I was stung by my own weak blinders.Re: Exchange online migration fails with various errors
Seeing this week all of a sudden that offboard migrations aren't working for us. Similar error except our migration endpoint is fine, works for onboarding and passes with "SUccess" on the Test-MigrationServerAvailability in EXO PowerShell "rror: CommunicationErrorTransientException: The call to 'net.tcp://yt2pr01mb10469.canprd01.prod.outlook.com:9821/Microsoft.Exchange.MailboxReplicationService YT2PR01MB10469.CANPRD01.PROD.OUTLOOK.COM (15.20.8069.20 ServerCaps:FFFFFFFF, ProxyCaps:1FFFFFFFFFFFFFFFC7DD2DFDBF5FFFFFCB07EFFF, MailboxCaps:, legacyCaps:FFFFFFFF)' failed. Error details: . -->"Bad actors impersonating Microsoft Billing using rogue on-prem. Exchange > M365 tenants
Everyone should be aware and watch out for these very believable spoofs coming from microsoft-noreply_at_microsoft.com. If you have Threat Explorer (Defender Portal > Email & Collaboration > Explorer) or Advanced Hunting (EmailEvents table) available, you can find these messages by looking for these criteria: - Sender From Address: microsoft-noreply_at_microsoft.com (note the @ / _at_ swap) - Sender MailFrom Domain: Not equal to Microsoft.com (will be <something>.onmicrosoft.com) If you're getting these, you'll notice the MailFrom domain is an ever-changing long list of rogue tenants (e.g., <rogueTenant123>.onmicrosoft.com). The MailFrom address will be starting with "bounces+srs", like this "bounces+srs=<12345567890abcxyz>@<rogueTenant123>.onmicrosoft.com", letting us see that these bad actors are using an on-premises Exchange server, SMTP receive Connector and then a Send Connector up to and out via EXO/EOP. These things pass SPF, DKIM, and DMARC and so only get detected via General/Advanced filter and/or Fingerprint Matching (which only means loose match, there's no specific fingerprint/ID involved). The subject seems to always be "Your Microsoft order on September 23, 2024", and will be for the current date. Some people have raised this on Reddit, for example: email address removed for privacy reasons - Suspicious email : r/DefenderATP (reddit.com) I've been working with MS Support to try and get this addressed. We're seeing a lot of these, and so far it's be many many different rogue tenants, so it seems like the bad actors are working overtime and successfully standing up tenant after tenant to get these things out successfully.Re: How to KQL query *live* EmailEvents table and NOT the streaming API
I tried Bing Chat today to see if it might help me. It has already seen and uses this very post to confirm my theory as fact (i.e., time range in query = streaming API / time range set via selector dropdown in UI = live table). I guess me and Copilot are taking the cake on this one. It's now "documented" as truth :).
