User Profile
ExMSW4319
Steel Contributor
Joined 5 years ago
Recent Discussions
Direct action quietly dropped
Has anyone else noticed that under MC788953 / roadmap 393937 we lose the ability to run remediations direct from Threat Explorer? Instead, the action goes to the Action Center where I have to (a) wait for it to appear, (b) find it amongst all of the automated clutter with none of the information I originally input in the Threat Explorer and (c) approve it. Is the rest of the civilised universe all on third-party tools working through the APIs? https://www.microsoft.com/en-GB/microsoft-365/roadmap?filters=&searchterms=393937
465 Views, 0 likes, 0 Comments

Exchange Online patterns - what is the latest?
For many years various O365 documents contained the fallacy that EXO uses .Net regular expressions in mail flow rule predicates; here is the predicate article from May that could do with an update: https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions (look for patterns toward the end). Oh no it fscking well doesn't, as any experienced admin will ruefully tell you. And no, MS customer support won't help with patterns because it's "customer configuration" (and I suspect they know perfectly well what they would be getting into if they did). Thankfully we now have a Learn page from August with an alternative take on the topic: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/regular-expressions-usage-transport-rules This offers a much smaller subset of metacharacters to work with. Round brackets replace square ones for sets (termed "groups" in New Patterns terminology) and we no longer have occurrences. If I follow the new syntax correctly, regular expression \w{4,8} can be written as:

(\w\w\w\w|\w\w\w\w\w|\w\w\w\w\w\w|\w\w\w\w\w\w\w|\w\w\w\w\w\w\w\w)

Which can then be reduced (because our limit is by character for the whole tenancy) as:

\w\w\w\w(|\w|\w\w|\w\w\w|\w\w\w\w)
\w\w\w\w(|\w(|\w|\w\w|\w\w\w))
\w\w\w\w(|\w(|\w(|\w|\w\w)))
\w\w\w\w(|\w(|\w(|\w(|\w))))

The final reduction offers no practical reduction in length, so \w{4,8} should be written as:

\w\w\w\w(|\w(|\w(|\w|\w\w)))

Do I understand correctly? Any other observations on patterns would be extremely welcome, but please note that this question is tagged just for Exchange Online; the rules for on-premises transport rules are probably subtly different.
755 Views, 0 likes, 1 Comment

What's up with GTUBE?
The following MS Learn page recognises GTUBE as a test resource to provoke a spam detection from Exchange Online. It's in the last section: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide However, if I send from Live mail to our tenancy, I receive an NDR with error 550 5.7.520 “Message blocked because it contains content identified as spam (AS 4810)”. It looks as if the bounce was from EOP rather than Live / consumer Outlook.com blocking my mail on "exit". Yes, the GTUBE string is correctly recognised and blocked but there is absolutely nothing in Threat Explorer to show that spam was blocked or even attempted. It is as if the message had bounced off of EOP edge protection. If I send the same string on an intra-org basis, it is delivered! As a method of testing if a particular anti-spam policy is engaging, it's a complete flop and I would welcome any suggestions on how best to discover that. Threat Explorer doesn't show which policy acted, though it does show the detection technology if you wait for a real spam to come along.
Solved. 1.6K Views, 0 likes, 2 Comments

Checking anti-malware policies on containers
Do we have an up-to-date list of the container types that Exchange Online Protection traverses to inspect the contents? The documentation describes the file types EOP recognises but the later FAQ only confirms that ZIP containers are traversed. A few years ago there was documentation confirming this was one of six types that were handled. Given that some of the other types now in the recognised list are somewhat ambiguous, I find it hard to believe that all of them are traversable.
727 Views, 0 likes, 1 Comment

tracking abuse of BCC
Apologies once again for the cross-post, but there are some aspects of this case that may have been more applicable to Exchange Online than to MDO specialists. I am looking at the BCC problem, where an attacker will send mail from the sending system to a third domain (often with an address chosen to make the deception convincing) BCC the victim address. Where a sending domain represents an obvious and sustained problem (not mentioning any Mountain View freemail providers here) it is easy to construct a mail flow rule:

if sender domain is {problem domain}
do {action}
except if To or CC includes a member of {your internal global distribution list}

{action} should of course be non-intrusive until you are sure that the rule is not going to be a problem. You may need also exceptions for acceptable spoofing, forwarding and any distribution groups accepting external mail. That is why testing is essential. My problem is how to track the success of this rule. Both the PowerShell Get-MailDetailTransportRuleReport commandlet and the equivalent KQL (Advanced Hunting) EmailEvents table give actual recipient address after BCC and distribution groups are resolved rather than the address of the third party that the detected item was primarily sent to. For the numbers in question, the GUI is impractical for anything other than spot checks. Is there any way to programmatically list the external primary recipient of an inbound BCC?

tracking abuse of BCC
Apologies once again for the cross-post, but there are some aspects of this case that may be more applicable to Exchange Online than to MDO specialists. I am looking at the BCC problem, where an attacker will send mail from the sending system to a third domain (often with an address chosen to make the deception convincing) BCC the victim address. Where a sending domain represents an obvious and sustained problem (not mentioning any Mountain View freemail providers here) it is easy to construct a mail flow rule:

if sender domain is {problem domain}
do {action}
except if To or CC includes a member of {your internal global distribution list}

{action} should of course be non-intrusive until you are sure that the rule is not going to be a problem. You may need also exceptions for acceptable spoofing, forwarding and any distribution groups accepting external mail. That is why testing is essential. My problem is how to track the success of this rule. Both the PowerShell Get-MailDetailTransportRuleReport commandlet and the equivalent KQL (Advanced Hunting) EmailEvents table give actual recipient address after BCC and distribution groups are resolved rather than the address of the third party that the detected item was primarily sent to. For the numbers in question, the GUI is impractical for anything other than spot checks. Is there any way to programmatically list the external primary recipient of an inbound BCC?
504 Views, 0 likes, 0 Comments

Change to Advanced Hunting portal query limit
Not sure if this belongs here or over in the Defender for Office discussions, but it looks as if there has been another rearrangement of the Advanced Hunting page and I am now reduced to 6 queries in the My Queries folder. I had rather more. Is this just a temporary thing, are my other queries just lost behind an interface change or have they gone for good? Yes, I should have kept an off-tenancy copy and fortunately I've been active enough to have copies elsewhere that I can recover most of the innovation, but it looks as if a lot of the fiddly chart-rendering I had done has gone.
714 Views, 0 likes, 1 Comment

ASF Advanced Spam Filter roadmap
For the last year or so I have been seeing notes in Microsoft documentation advising that Exchange Online ASF is being deprecated. Do we have a roadmap for this, and more importantly any news about the replacement features elsewhere in the product? I am particularly interested in -IncreaseScoreWithNumericIps; the capability to spot and act on hyperlinks identifying a host by its numeric IP address. Failing clarity on that question, does anyone have a "pattern" they can recommend that can survive the depredations of Safe Links? I apologise for the cross-post from the Exchange community, but it is not completely clear where this topic should be discussed.

ASF Advanced Spam Filter roadmap?
For the last year or so I have been seeing notes in Microsoft documentation advising that Exchange Online ASF is being deprecated. Do we have a roadmap for this, and more importantly any news about the replacement features that might appear elsewhere in the product? I am particularly interested in -IncreaseScoreWithNumericIps; the capability to spot and act on hyperlinks identifying a host by its numeric IP address. Failing clarity on that question, does anyone have a "pattern" they can recommend that can survive the depredations of Safe Links? I hope it does not break any community rules if I cross-post this to the MDO space on Security, Compliance and Identity.
722 Views, 0 likes, 0 Comments

Matching the Received header
I'm looking to match a Received header and am running into the usual problems achieving a match. In the case of the Received header, there are six examples in a typical single message and I am wondering which one would be examined. I am using the "includes any of these words" predicate, rather than "matches these text patterns" which would have difficulties with a trailing wildcard. The wording of the predicate and the GitHub definition of the Words property seem to make it fairly clear that I do not have to match the entire header exactly. Merely having one phrase match part of the header should be sufficient as long as no other characters directly abut the phrase I am testing for. Should this be possible, or does EOP in fact just check the first Received header?
1K Views, 0 likes, 2 Comments
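Added example for the "Exchange Online patterns - what is the latest?" post above; this is not code from the post, the community or Microsoft. It generates the alternation-only rewrite of a bounded repeat (the nesting the post works through by hand for \w{4,8}) for any atom and any {lo,hi}, and checks with Python's regex engine that the quantifier form, the post's hand-derived form and the generated forms accept exactly the same strings. It also measures the character cost of each form, which is what the per-tenancy limit counts. Whether EOP's own matcher treats an empty alternative in a group the same way Python does is an assumption; the post only establishes which metacharacters the Learn page lists.

```python
import re

# Added example. Assumption: a group whose first alternative is empty,
# "(|x)", is accepted by EOP's pattern syntax as the post proposes; the
# equivalence below is verified against Python's regex engine only.


def nested_optional(atom: str, k: int) -> str:
    """Group matching 0..k copies of atom using only groups and '|'."""
    if k == 0:
        return ""
    # Leading empty alternative means "no more copies"; otherwise consume
    # one more atom and recurse for the remaining k-1.
    return "(|" + atom + nested_optional(atom, k - 1) + ")"


def bounded_repeat(atom: str, lo: int, hi: int) -> str:
    """Rewrite atom{lo,hi} without the {m,n} quantifier (the post's last reduction)."""
    if lo < 0 or hi < lo:
        raise ValueError("need 0 <= lo <= hi")
    return atom * lo + nested_optional(atom, hi - lo)


def flat_alternation(atom: str, lo: int, hi: int) -> str:
    """The post's first, unreduced form: one alternative per allowed length."""
    return "(" + "|".join(atom * n for n in range(lo, hi + 1)) + ")"


def same_language(p: str, q: str, samples) -> bool:
    """True when p and q agree on every sample as a whole-string match."""
    return all(bool(re.fullmatch(p, s)) == bool(re.fullmatch(q, s)) for s in samples)


# Constructed inputs: word-character runs of length 0..10, plus strings that
# contain a non-word character somewhere (should never match \w{4,8}).
SAMPLES = ["a" * n for n in range(11)] + ["ab-cd", "ab cdef", "abcd!"]

# The post's hand-derived answer for \w{4,8}.
POST_FORM = r"\w\w\w\w(|\w(|\w(|\w|\w\w)))"


def check_post_claim() -> dict:
    """Compare the quantifier form against the post's form and the generated forms."""
    generated = bounded_repeat(r"\w", 4, 8)
    flat = flat_alternation(r"\w", 4, 8)
    return {
        "post_form_ok": same_language(r"\w{4,8}", POST_FORM, SAMPLES),
        "generated_ok": same_language(r"\w{4,8}", generated, SAMPLES),
        "flat_ok": same_language(r"\w{4,8}", flat, SAMPLES),
        "len_post": len(POST_FORM),        # 28 characters
        "len_generated": len(generated),   # also 28: no saving from the last step
        "len_flat": len(flat),             # 66 characters
    }


if __name__ == "__main__":
    for key, value in check_post_claim().items():
        print(f"{key}: {value}")
```

Running the script shows all three forms agree with \w{4,8} on every sample, and that the third and fourth reductions cost the same 28 characters while the flat alternation costs 66, which is the point the post makes about choosing the shorter nesting.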