Exchange Online Protection
4 Topics

URL Detonation Reputation - How do you like it?
I personally have found this detection technology to be a huge pain in the buttocks. To me, this feature doesn't really look at specific threats or risks, it just says "You cannot do anything that involves this domain name". And with that analogy, "involves" translates to any of the following:

* Domain is in the subject or body
* One of the included recipient addresses to which the message is addressed uses the domain.
* One of the recipients who show in the body of the email due to it being a conversation/thread, uses that domain in their address.
* An attachment includes that domain within its text (PDF, Word, Excel, TXT, all personally observed by me).

These things get blocked as "High confidence phish". To me, they are not that whatsoever, until the message itself is doing some of the "phish" verb. This feels like an overstep on the verdict and I'd prefer they come up with a new name for the detection type, as well as a new drop down box for us to choose between MoveToJunk or Quarantine. Most times I've observed this feature "saving" clients, it's a pain in the butt for the client.

I will point out the one improvement I've seen since I started belly-aching over this - it is that Microsoft now puts the bad URL/domain from within the attachments, into the list of URLs in the email entity page within M365 Defender portal. So there is at least that there now, which adds the improvement of not having to go through MS Support to find out what is the supposed bad-rep URL.

Would like to know if anyone else finds this feature as a pain for the most part, and hear any other suggestions, or just confirmations about my suggestion (new category of detection so we don't have to treat these things like (HC)phish).

Solved 48K Views 2 likes 31 Comments

Reporting on EOP/MDO Spam Confidence Levels of "Moved to Junk" and Quarantined messages
I'm working with a client who use customized Anti-Spam policy settings, and are considering moving over to the Standard Preset Policies instead. One difference between the two things is that their current config only does MoveToJmf for HighConfidenceSpam, while Standard preset does Quarantine. They would like to know how many spam vs highconfidencespam they're getting.

I find no report options (GUI/PowerShell) that offer this visibility. I know that Get-QuarantineMessage / Quarantine GUI both show this level of detail. But nothing else does. Since the Quarantine is only good for Quarantined messages (doesn't help with MoveToJmf'd messages), I'm hoping there is some way to retrieve the SCL score or just the classification of spam or highconfidencespam. Does anyone know of a way to get this info at scale?

1.8K Views 0 likes 3 Comments

Office 365 ATP in conjunction with a Third Party spam filter
Hi, I'm just after any advice, experience, comments, lessons learned, etc. in relation to using Office 365 Advanced Threat Protection to enhance anti-spam capabilities for Exchange Online... but in a scenario where the anti-spam is being handled by an external service and not EOP.

* Should we do this?
* Does ATP lose some of its capabilities when the filtered mail from the external spam filter is treated as clean (SCL -1 or equivalent)?
* If there is no sender rewrite by the third party spam filter, does ATP mailbox intelligence or anti-phishing policies even work?
* Anything to add would be welcome here really

Regards

Solved 5.9K Views 1 like 4 Comments