Exchange Online Protection
URL Detonation Reputation - How do you like it?
I personally have found this detection technology to be a huge pain in the buttocks. To me, this feature doesn't really look at specific threats or risks, it just says "You cannot do anything that involves this domain name". And with that analogy, "involves" translates to any of the following:

* Domain is in the subject or body.
* One of the included recipient addresses to which the message is addressed uses the domain.
* One of the recipients who show in the body of the email, due to it being a conversation/thread, uses that domain in their address.
* An attachment includes that domain within its text (PDF, Word, Excel, TXT, all personally observed by me).

These things get blocked as "High confidence phish". To me, they are not that whatsoever, until the message itself is doing some of the "phish" verb. This feels like an overstep on the verdict and I'd prefer they come up with a new name for the detection type, as well as a new drop-down box for us to choose between MoveToJunk or Quarantine. Most times I've observed this feature "saving" clients, it's a pain in the butt for the client. I will point out the one improvement I've seen since I started belly-aching over this: Microsoft now puts the bad URL/domain from within the attachments into the list of URLs in the email entity page within the M365 Defender portal. So there is at least that there now, which adds the improvement of not having to go through MS Support to find out what the supposed bad-rep URL is. Would like to know if anyone else finds this feature a pain for the most part, and hear any other suggestions, or just confirmations about my suggestion (a new category of detection so we don't have to treat these things like (HC) phish).
Office 365 ATP in conjunction with a Third Party spam filter

Hi, I'm just after any advice, experience, comments, lessons learned, etc. in relation to using Office 365 Advanced Threat Protection to enhance anti-spam capabilities for Exchange Online, but in a scenario where the anti-spam is being handled by an external service and not EOP.

* Should we do this?
* Does ATP lose some of its capabilities when the filtered mail from the external spam filter is treated as clean (SCL -1 or equivalent)?
* If there is no sender rewrite by the third party spam filter, do ATP mailbox intelligence or anti-phishing policies even work?
* Anything to add would be welcome here really.

Regards
License requirement for EOP Quarantine for On-Prem users in Hybrid

If MX is switched to Office 365 in a Hybrid environment and we want to use EOP and Quarantine for on-prem mailboxes, what licenses are required? We are in the process of moving all of the mailboxes to Office 365. We have E3 licenses but I do not want to assign the EXO licenses before they are migrated.
Disable Direct Send in Exchange Online to Mitigate Ongoing Phishing Threats

Direct Send allows devices and applications to send unauthenticated emails over port 25 directly to Exchange Online. While this may support legacy devices like printers or scanners, it also opens the door for threat actors to deliver spoofed emails without authentication. These messages often appear to come from trusted internal sources, making them especially dangerous. To reduce your organization's exposure to this threat, it's strongly recommended to disable Direct Send using Microsoft's newly introduced RejectDirectSend setting. You can quickly enable this setting using PowerShell:

    Connect-ExchangeOnline
    Set-OrganizationConfig -RejectDirectSend $true

If you still have devices or applications that need to send emails, use authenticated SMTP submission or set up connector-based routing with certificate or IP restrictions.
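The post above gives the one-liner that flips the switch. What usually goes wrong is flipping it before anyone has found the printers and line-of-business apps that still rely on unauthenticated submission. The script below is an added example, not part of the post or of any Microsoft guidance: it reads the current RejectDirectSend value, tables the inbound connectors together with what each one pins its source to (sender IP list or TLS certificate name), warns about enabled connectors that pin neither, and reports whether SMTP AUTH is available tenant-wide as the replacement path. It assumes the ExchangeOnlineManagement module is installed and the session holds an Exchange admin role; the final Set-OrganizationConfig call is left commented out on purpose.

```powershell
# Added example, not from the post above. Assumes the ExchangeOnlineManagement
# module is installed and the account holds an Exchange admin role.
Connect-ExchangeOnline -ShowBanner:$false

# 1. The tenant-wide switch as it stands today
$org = Get-OrganizationConfig
"RejectDirectSend: {0}" -f $org.RejectDirectSend

# 2. Inbound connectors, and what each one pins its source to
$connectors = Get-InboundConnector | Select-Object Name, Enabled, ConnectorType,
    SenderIPAddresses, TlsSenderCertificateName, RequireTls,
    RestrictDomainsToIPAddresses, RestrictDomainsToCertificate
$connectors | Format-Table -AutoSize

# 3. Enabled connectors with neither a sender IP list nor a TLS certificate name:
#    mail routed through these still arrives without the source proving who it is,
#    so they are not a safe landing spot for a printer once Direct Send is rejected
$unpinned = $connectors | Where-Object {
    $_.Enabled -and
    @($_.SenderIPAddresses).Count -eq 0 -and
    [string]::IsNullOrEmpty($_.TlsSenderCertificateName)
}
foreach ($c in $unpinned) {
    Write-Warning ("Connector '{0}' ({1}) has no IP or certificate restriction" -f $c.Name, $c.ConnectorType)
}

# 4. Is authenticated submission (SMTP AUTH on port 587) available as the replacement path?
#    $true means it is disabled tenant-wide and has to be enabled per sending mailbox with
#    Set-CASMailbox -Identity <device mailbox> -SmtpClientAuthenticationDisabled $false
"SmtpClientAuthenticationDisabled (tenant default): {0}" -f (Get-TransportConfig).SmtpClientAuthenticationDisabled

# 5. Only after every device found above has a path: reject Direct Send and read it back
# Set-OrganizationConfig -RejectDirectSend $true
# Get-OrganizationConfig | Select-Object RejectDirectSend
```

Run steps 1 to 4 first, fix what they turn up (move each device to SMTP AUTH with its own mailbox, or give it a connector pinned to its public IP or certificate), and only then uncomment step 5. Reading the value back after the change is cheap and catches the case where the cmdlet silently failed because the session lacked the right role.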
Exchange Online Protection modifying MIME parts of inbound messages

Is it normal for Exchange Online Protection to modify the body of messages in transit? It seems like this would break DKIM, S/MIME, and PGP signatures, among other concerns.

Body of message in transit, as enqueued to Exchange Online Protection:

    --f403043c34cc657e800562729e22
    Content-Type: text/plain; charset="UTF-8"

    test 123

    --f403043c34cc657e800562729e22
    Content-Type: text/html; charset="UTF-8"

    <div dir="ltr">test 123</div>

    --f403043c34cc657e800562729e22--

Body of message after being processed by Exchange Online Protection:

    --f403043c34cc657e800562729e22
    Content-Type: text/plain; charset="UTF-8"
    X-Microsoft-Exchange-Diagnostics: 1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
    X-Microsoft-Antispam-Message-Info: fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

    test 123

    --f403043c34cc657e800562729e22
    Content-Type: text/html; charset="UTF-8"
    X-Microsoft-Exchange-Diagnostics: 1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
    X-Microsoft-Antispam-Message-Info: fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr">test 123</div>

    --f403043c34cc657e800562729e22--
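The two dumps in the post above show the change, but not what a signature verifier would make of it. The script below is an added example, not from the post: it reconstructs both bodies from the post (line breaks restored, header values copied as quoted), lists which headers were inserted into each MIME part, and computes the DKIM relaxed body hash (the bh= value from RFC 6376 section 3.4.4) for each. DKIM treats everything after the first blank line of the message as body, so headers that EOP writes into a MIME part are body bytes as far as bh= is concerned, and the hash changes. The boundary string and the header values are the ones on the page; nothing else is assumed.

```powershell
# Added example, not from the post above. Both bodies are reconstructed from the
# post's dumps; the boundary and header values are copied from there.
$boundary = 'f403043c34cc657e800562729e22'

$before = @"
--$boundary
Content-Type: text/plain; charset="UTF-8"

test 123

--$boundary
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">test 123</div>

--$boundary--
"@

$after = @"
--$boundary
Content-Type: text/plain; charset="UTF-8"
X-Microsoft-Exchange-Diagnostics: 1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
X-Microsoft-Antispam-Message-Info: fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

test 123

--$boundary
Content-Type: text/html; charset="UTF-8"
X-Microsoft-Exchange-Diagnostics: 1;BN6PR05MB2833;27:Kggba7aJSKdGRUbWQbPxXD6C/Sek7kTm9NiDQTjQ4dXJqlkZ74IZBgkd+mj0Y+pXNC/C5iEbJImUyYsMJ4cZzQcKg3+bNgqEWYXZIQb7hV7hnAr4EPNNG+G8E3Mr4Jh4
X-Microsoft-Antispam-Message-Info: fRiLCE20IMgZ5HIhJaOajYDVyoaLHNGwogh7E3vvNj1oJoMf114SUWJlNk7kgN1/

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr">test 123</div>

--$boundary--
"@

function Get-MimePartHeaderNames {
    # Returns one string array of header names per MIME part, in order
    param([string]$Body, [string]$Boundary)
    # Split on delimiter lines: chunk 0 is the preamble, the last chunk follows the closing delimiter
    $chunks = $Body -split ('(?m)^--' + [regex]::Escape($Boundary) + '(?:--)?\r?$')
    foreach ($chunk in $chunks[1..($chunks.Count - 2)]) {
        $part = $chunk -replace '^\r?\n', ''
        # Part headers end at the first blank line
        $headerBlock = ($part -split "\r?\n\r?\n", 2)[0]
        , @($headerBlock -split "\r?\n" | ForEach-Object { ($_ -split ':', 2)[0] })
    }
}

function Get-DkimRelaxedBodyHash {
    # DKIM relaxed body canonicalization, then base64(SHA-256): collapse WSP runs to one
    # space, strip trailing WSP, drop trailing empty lines, terminate with CRLF
    param([AllowEmptyString()][string]$Body)
    $lines = @($Body -split "\r?\n" | ForEach-Object { ($_ -replace '[ \t]+', ' ') -replace ' $', '' })
    $end = $lines.Count
    while ($end -gt 0 -and $lines[$end - 1] -eq '') { $end-- }
    $canon = if ($end -eq 0) { '' } else { ($lines[0..($end - 1)] -join "`r`n") + "`r`n" }
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    [Convert]::ToBase64String($sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($canon)))
}

$beforeParts = @(Get-MimePartHeaderNames -Body $before -Boundary $boundary)
$afterParts  = @(Get-MimePartHeaderNames -Body $after  -Boundary $boundary)
for ($i = 0; $i -lt $afterParts.Count; $i++) {
    $added = @($afterParts[$i] | Where-Object { $_ -notin $beforeParts[$i] })
    "Part {0}: headers inserted in transit: {1}" -f ($i + 1), ($added -join ', ')
}
"bh= before: {0}" -f (Get-DkimRelaxedBodyHash -Body $before)
"bh= after:  {0}" -f (Get-DkimRelaxedBodyHash -Body $after)
```

The two bh= lines differ, which is the concrete form of the concern raised in the post: a DKIM signature computed over the original body cannot verify against the modified one, and S/MIME or PGP signatures over the same MIME parts see the same altered bytes. Swap in your own exported .eml bodies (Get-Content -Raw) to test a message that actually went through EOP.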
Meaning of 365 Mail Security's "SFS" Header Field

I've seen quite a few threads in various forums with this question. I'm trying to troubleshoot a message that was quarantined. The provided information doesn't contain any justification for the spam verdict. There is one field that might have an answer; however, I can't find any official documentation on it. That's the SFS field. This page: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/message-headers-eop-mdo?view=o365-worldwide contains definitions for all of the header fields *except* the SFS field. The SFS field contains nothing but a long list of numerical codes. I'm inclined to think that these codes represent the reasons a message was marked spam. I saw a request for a list of definitions for the SFS codes in GitHub that was marked "resolved," "merged," and then deleted. That's concerning because the ticket it was merged into had a link to the document, but did not contain the requested information after all. I'm going to just assume it was an oversight on the part of the tech working on the documentation: https://webcache.googleusercontent.com/search?q=cache:bMqVZtmJ-eUJ:https://github.com/MicrosoftDocs/microsoft-365-docs/issues/740&hl=en&gl=us Any chance we can get some information on the SFS field in order to properly troubleshoot quarantined messages? It seems pretty important, and really strange that the info is so hard to find.
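Whatever the SFS numbers mean, the fields around them in the same X-Forefront-Antispam-Report header (SCL, SFV, CAT, IPV, CIP, DIR) are documented on the page the post links, and pulling all of them out of a quarantined .eml in one go is the usual first troubleshooting step. The script below is an added example, not from the post: it parses the header's KEY:VALUE; layout, turns the SFS run of parenthesised codes into a string array, and includes a helper that unfolds the header block of a saved .eml and finds the report header. The sample header value is constructed for illustration and its SFS numbers are made up; the parser assigns no meaning to them.

```powershell
# Added example, not from the post above.
function ConvertFrom-ForefrontReport {
    # Parse an X-Forefront-Antispam-Report value (KEY:VALUE;KEY:VALUE;...) into an object
    param([Parameter(Mandatory)][string]$HeaderValue)
    $fields = [ordered]@{}
    foreach ($item in ($HeaderValue -split ';')) {
        $item = $item.Trim()
        if (-not $item) { continue }
        $key, $value = $item -split ':', 2          # split once: CIP may hold an IPv6 address
        if ($key -eq 'SFS') {
            # SFS is a run of parenthesised numeric codes, e.g. (13230022)(4636009)
            $fields[$key] = @([regex]::Matches($value, '\((\d+)\)') | ForEach-Object { $_.Groups[1].Value })
        } else {
            $fields[$key] = $value
        }
    }
    [pscustomobject]$fields
}

function Get-EopVerdict {
    # Read a saved .eml, unfold its header block and parse the first X-Forefront-Antispam-Report
    param([Parameter(Mandatory)][string]$EmlPath)
    $raw = Get-Content -Path $EmlPath -Raw
    # The header block ends at the first blank line; unfold RFC 5322 continuation lines first
    $headerBlock = ($raw -split "\r?\n\r?\n", 2)[0] -replace "\r?\n[ \t]+", ' '
    foreach ($line in ($headerBlock -split "\r?\n")) {
        if ($line -match '^X-Forefront-Antispam-Report:\s*(.*)$') {
            return ConvertFrom-ForefrontReport -HeaderValue $Matches[1]
        }
    }
    throw "No X-Forefront-Antispam-Report header found in $EmlPath"
}

# Constructed sample in the documented layout; the SFS numbers are made up placeholders
$sample = 'CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPM;SFS:(1234567)(2345678)(3456789);DIR:INB;'
$verdict = ConvertFrom-ForefrontReport -HeaderValue $sample
$verdict | Select-Object CIP, IPV, SCL, SFV, CAT, DIR | Format-List
"SFS codes: {0}" -f ($verdict.SFS -join ', ')

# For a real quarantined message exported as .eml from the quarantine portal:
# Get-EopVerdict -EmlPath '.\quarantined.eml'
```

SFV and CAT give the verdict type (for example SPM for spam, SFV:SKI/SKN for messages that skipped filtering) and SCL the score, which between them usually explain a quarantine even when the SFS list stays opaque. Keeping SFS as an array makes it easy to compare the code sets of several false positives against each other, which is the only practical use of the field while it remains undocumented.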
Reporting on EOP/MDO Spam Confidence Levels of "Moved to Junk" and Quarantined messages

I'm working with a client who uses customized Anti-Spam policy settings, and is considering moving over to the Standard Preset Policies instead. One difference between the two is that their current config only does MoveToJmf for HighConfidenceSpam, while the Standard preset does Quarantine. They would like to know how much spam vs. highconfidencespam they're getting. I find no report options (GUI/PowerShell) that offer this visibility. I know that Get-QuarantineMessage and the Quarantine GUI both show this level of detail, but nothing else does. Since the Quarantine is only good for quarantined messages (it doesn't help with MoveToJmf'd messages), I'm hoping there is some way to retrieve the SCL score or just the classification of spam or highconfidencespam. Does anyone know of a way to get this info at scale?
Is it possible to know which emails are rejected at the edge/perimeter of EOP (Defender for O365)?

Is it possible to know which emails are rejected at the edge/perimeter of EOP (Defender for O365)? As the email gets rejected at the edge level, is it possible to see in the Defender for O365 portal from which sending IP the emails were rejected?
Exchange/Azure AD higher risk security roles

Aside from Organization Management, which other admin roles in Exchange Online (or AAD roles that grant access to manage aspects within ExO) would generally be considered the higher-risk roles that should only ever be granted to authorised/senior email admins? There are tons of default roles available, but Organization Management seems to have the most permissions out-of-the-box. I just wondered which other admin roles are generally considered 'higher risk' from a systems integrity/data protection perspective, so we can run some checks on current memberships, i.e. a 'top 5' of higher-risk admin roles.
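Which five groups belong on the list is the judgement the post asks for, and the script below does not make it. As an added example (not from the post), it ranks the tenant's Exchange Online role groups by how many management roles each one carries, prints the membership of the broadest ones, and then lists management roles assigned directly to users, which bypass role groups and are the assignments a membership review most often misses. Organization Management, the one group the post names, normally comes out on top of the ranking. It assumes the ExchangeOnlineManagement module and a role that can read role groups and assignments; the $topN value is an arbitrary choice.

```powershell
# Added example, not from the post above. Assumes ExchangeOnlineManagement and a
# role that can read role groups and role assignments.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Rank role groups by the number of management roles they carry (data-driven, no hard-coded list)
$groups = Get-RoleGroup |
    Select-Object Name, @{ n = 'RoleCount'; e = { @($_.Roles).Count } }, Roles |
    Sort-Object RoleCount -Descending

"Role groups by number of assigned management roles:"
$groups | Select-Object Name, RoleCount | Format-Table -AutoSize

# 2. Membership review for the broadest groups; $topN is an arbitrary cut-off for the report
$topN = 5
foreach ($g in ($groups | Select-Object -First $topN)) {
    $members = @(Get-RoleGroupMember -Identity $g.Name)
    "{0} ({1} roles, {2} members)" -f $g.Name, $g.RoleCount, $members.Count
    $members | Select-Object Name, RecipientType | Format-Table -AutoSize
}

# 3. Roles assigned straight to user accounts rather than through a role group
"Direct user role assignments (not via a role group):"
Get-ManagementRoleAssignment -RoleAssigneeType User |
    Select-Object Role, RoleAssignee, Enabled | Format-Table -AutoSize
```

Schedule it and diff the output against the previous run; an unexpected new member of a top-ranked group, or a new direct assignment of a role that otherwise lives only in Organization Management, is the signal worth paging on. Entra ID roles such as Global Administrator also confer Exchange Online rights and do not appear in Get-RoleGroup; review those separately in the Entra portal.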