Feb 09 2024 11:43 AM - edited Feb 09 2024 11:43 AM
Hello -
Sorry, this is a little bit long...
We've been testing MDO and have run into an issue that seems like a 'bug', but I've been unable to find any other reports of it online. I have a ticket open with MS, but that's moving along very slowly as they're insistent on re-doing all the troubleshooting I've already done. But, I digress...
The problem we've found is in the MDO policy assignment - confirmed in anti-phish and anti-malware. If I assign the policy to a user and/or group/DL, the policy works as expected. However, if I use the domain assignment (as we were hoping to do for the full deployment), the assigned policy is being ignored and the message(s) are being passed on to the Default policy.
For example, I have a custom anti-malware policy that's my priority 0 policy. In it, I have assigned a specific group with some test accounts. I also assigned a domain (one of my owned/registered tenant domains). I also added a specific file extension to the disallowed list so that I could test. Then, I send a test email, with an attachment with that extension, to an account that's a member of the assigned group as well as another account that's a member of the assigned domain. The expectation is that both of those messages should be blocked.
However, that's not the case. The message to the account that's part of the assigned group is blocked (as expected), but the message to the account that's part of the assigned domain is successfully delivered (attachment and all). It doesn't seem to matter which accounts, groups or domains I use; I can readily repeat the issue every time.
As an additional test, I added a random extension to the block list of the Default malware policy - one that's not included in my custom policy - and sent test emails again with an attachment of that file type. The expectation being that all accounts should receive the message. But, nope, that's not what happened. The account(s) assigned to the custom policy by group/account received the message (as expected) and the one assigned by domain was blocked.
To me, that's pretty clear evidence that there's some kind of issue with domain assignment in the policies. That particular message basically bypassed the policy to which it was assigned and was handled by the Default policy.
As mentioned, I haven't found any other similar reports online, and to this point, Microsoft hasn't alluded to any issues. Surely others are using domains to assign their MDO policies. Has anyone run into this and, if so, have you found some sort of resolution for it?
Thanks,
Robin
Feb 10 2024 04:48 PM
Feb 11 2024 02:18 AM
Is your setup based on an Exchange Hybrid environment? Are your MX records pointing directly to Exchange Online? Have you attempted applying the custom anti-malware policy to your onmicrosoft.com domain as well?
Feb 12 2024 10:49 AM
Feb 12 2024 10:54 AM
Feb 12 2024 11:50 AM
Hi @robinhailey
Give it a try despite the odds. I've encountered unusual email routing between onmicrosoft.com and customer-owned domains. Consider creating a policy through PowerShell as well; it has proven helpful in the past > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-c...
Keep in mind that Anti-Malware is part of EOP, not MDO > https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-wor...
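To make the PowerShell route above concrete, here is an added example (not code from this thread, from Microsoft's documentation, or from any poster) that creates a custom anti-malware policy, scopes its rule to both a group and a recipient domain the way the first post describes, and then lists the rules in evaluation order so you can confirm which rule a given recipient would match. It assumes the ExchangeOnlineManagement module, an account with rights to manage threat policies, and that the New-MalwareFilterPolicy / New-MalwareFilterRule parameters used here (-EnableFileFilter, -FileTypes, -FileTypeAction, -SentToMemberOf, -RecipientDomainIs, -Priority) match the current module; the policy name, domain, group address and the extra test extension are placeholders.

```powershell
# Added example, not code from the thread or from Microsoft's documentation.
# Assumes the ExchangeOnlineManagement module and an account allowed to manage
# threat policies. Policy name, domain, group and test extension are placeholders.
Connect-ExchangeOnline

$policyName = 'Pilot-AntiMalware'          # placeholder policy name
$domain     = 'contoso.example'            # placeholder accepted domain in the tenant
$group      = 'mdo-pilot@contoso.example'  # placeholder mail-enabled group
$testExt    = 'xyz'                        # placeholder extension that only makes the test observable

# 1. Policy: enable the common attachments filter and add the test extension,
#    so a message carrying that extension is rejected instead of delivered.
New-MalwareFilterPolicy -Name $policyName `
    -EnableFileFilter $true `
    -FileTypes @('exe', 'iso', 'js', $testExt) `
    -FileTypeAction Reject

# 2. Rule: priority 0, scoped to both the pilot group and the whole domain,
#    mirroring the assignment described in the first post.
New-MalwareFilterRule -Name "$policyName rule" `
    -MalwareFilterPolicy $policyName `
    -Priority 0 `
    -SentToMemberOf $group `
    -RecipientDomainIs $domain

# 3. Rules in evaluation order with the conditions that scope them.
#    The first enabled rule (lowest Priority) whose conditions match wins;
#    if no rule matches, the Default policy applies.
function Get-MalwareRuleOrder {
    Get-MalwareFilterRule |
        Sort-Object Priority |
        Select-Object Name, Priority, State, MalwareFilterPolicy,
                      SentTo, SentToMemberOf, RecipientDomainIs
}

# 4. For one recipient, list the rules whose SentTo (string match on the
#    address) or RecipientDomainIs conditions would match. Group membership
#    (SentToMemberOf) is not resolved here; check it with
#    Get-DistributionGroupMember separately.
function Find-MatchingMalwareRules {
    param([Parameter(Mandatory)][string]$Recipient)
    $recipientDomain = ($Recipient -split '@')[-1]
    Get-MalwareFilterRule | Sort-Object Priority | Where-Object {
        $_.State -eq 'Enabled' -and (
            ($_.SentTo -contains $Recipient) -or
            ($_.RecipientDomainIs -contains $recipientDomain)
        )
    } | Select-Object Name, Priority, MalwareFilterPolicy
}

Get-MalwareRuleOrder | Format-Table -AutoSize
Find-MatchingMalwareRules -Recipient "someone@$domain" | Format-Table -AutoSize
```

Run the listing before and after sending the test message: if the domain-scoped rule shows the expected RecipientDomainIs value and State of Enabled, yet the message is still handled by the Default policy, the output gives Microsoft support the rule order and conditions without them having to repeat the troubleshooting.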
Feb 12 2024 01:30 PM
Feb 12 2024 01:34 PM
Feb 15 2024 01:54 PM
Feb 22 2024 11:48 AM
Solution
Feb 24 2024 05:55 AM