Exchange Online Protection Troubleshooting Guide

Article
01/28/2016

Below you will find various links necessary to troubleshoot Exchange Online Protection issues. The list has been compiled to go over various areas of expertise that you will run into when dealing with Exchange online Protection.

Exchange Online Protection Complete Guide:

1. Customize your SPF record

https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

2. Find and release quarantined messages as an end user

https://technet.microsoft.com/en-us/library/dn683870%28v=exchg.150%29.aspx

(Access: https://admin.protection.outook.com/quarantine)

3. SPF Hard Fail On

https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx

4. High Risk Delivery Pool

https://technet.microsoft.com/en-us/library/jj200746(v=exchg.150).aspx

5. Outbound spam

https://technet.microsoft.com/en-us/library/dn600434(v=exchg.150).aspx

6. Connect to PowerShell

https://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

7. Get Transport Rules

https://technet.microsoft.com/en-us/library/aa998585(v=exchg.150).aspx

8. Export Content Filtering Policy

https://technet.microsoft.com/en-us/library/jj200764(v=exchg.150).aspx

9. Rules to block executable files

https://support.microsoft.com/kb/2959596

10. Information on EOP improvements.

https://blogs.office.com/2014/10/15/evolving-exchange-online-protection-eop-protect-tomorrows-threats/ https://blogs.office.com/2015/01/20/enhanced-email-protection-dkim-dmarc-office-365/

11. Submitting false positives to Microsoft + Outlook Junk Add-in

https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

12. Blocked Sender / Safe Senders in Office 365

https://support.microsoft.com/kb/2545137?wa=wsignin1.0

13. Virus

1) Submit it here: https://www.microsoft.com/security/portal/submission/submit.aspx.

2) Submit the samples AS A PASSWORD-PROTECTED ATTACHMENT (and send the password in the body of your email) to our junk@office365.microsoft.com alias per the spam submission process here: https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx for an additional anti-spam protection from this message (the spam analysts could then mark it as spam).

3) Make sure you have a rule in EOP that blocks executable content. https://support.microsoft.com/kb/2959596

4) Keep your Operating Systems and 3rd party software (such as Adobe Acrobat Reader, Flash, Java etc.) updated with the latest security updates.

14. DMARC:

Introduction: https://blogs.msdn.com/b/tzink/archive/2014/11/04/a-brief-introduction-to-dmarc.aspx

Use DMARC in Office 365: https://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx

Use DKIM + DMARC in O365: https://blogs.office.com/2015/01/20/enhanced-email-protection-dkim-dmarc-office-365/

Use DMARC to Prevent Spoofing: https://blogs.technet.com/b/eopfieldnotes/archive/2015/02/26/using-dmarc-to-prevent-spoofing.aspx

Strategies to mitigate Phishing attempts (video): https://blogs.technet.com/b/eopfieldnotes/archive/2015/05/29/support-hot-topics-strategies-to-mitigate-phishing-attempts.aspx

15. Malware and ATP:

Enable notifications when malware is detected and deleted: https://technet.microsoft.com/en-us/library/jj200745(v=exchg.150).aspx.

Find answer to common anti-malware questions on the FAQ: https://technet.microsoft.com/en-us/library/jj200664(v=exchg.150).aspx.

Go over these tips to prevent Zero-Day malware: https://blogs.technet.com/b/eopfieldnotes/archive/2015/06/08/tips-to-prevent-zero-day-malware-with-eop.aspx and reduce Zero-Day threats (video): https://blogs.technet.com/b/eopfieldnotes/archive/2015/06/26/support-hot-topics-reducing-the-threat-of-zero-day-malware.aspx.

Advanced Threat Protection is now GA: https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/, and to add Safe Links and Safe Attachments layers ATP offers. Once you’re set up with ATP, here’s the technical reference on ATP you should find useful: https://technet.microsoft.com/en-us/library/mt148491(v=exchg.150).aspx.

When submitting zero-day malware samples to Microsoft, it’s important to do it as soon as possible to the time of detection to get anti-virus definitions up-to-date. Use your Microsoft (Live ID) Account to be notified once the definition updates are in place. https://www.microsoft.com/security/portal/submission/submit.aspx.

The vast majority of known malware can be stopped using Transport Rules using content and attachment scanning: we suggested that you move your existing attachment blocking and executable blocking rules to top priority (0 and 1): https://support.microsoft.com/kb/2959596. Review how to create a transport rule to evaluate and take action on DMARC failures: https://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx , check which transport rules triggered: https://blogs.technet.com/b/eopfieldnotes/archive/2015/04/22/need-details-on-who-and-what-are-triggering-your-transport-rules-there-39-s-a-cmdlet-for-that.aspx. Use PowerShell to find or export the ID or other details of your existing rules: https://technet.microsoft.com/en-us/library/aa998585(v=exchg.150).aspx.

16. Spam+Bulk Filtering:

Spam filter policies: https://technet.microsoft.com/en-us/library/jj200684%28v=exchg.150%29.aspx. The new Spam Filter Allow and Block Lists are explained here: https://blogs.technet.com/b/eopfieldnotes/archive/2015/06/19/an-introduction-to-the-new-spam-filter-allow-and-block-lists.aspx. Bulk Mail filtering and how lowering the threshold from 7 to 6 or 5 can help you catch more bulk mail spam https://blogs.office.com/2014/11/24/block-spam-holiday-season-new-enhanced-bulk-mail-experience-eop/.

17. Connection filtering:

We saw a number of Allowed IP ranges, that can probably be reduced to the bare minimum. Also note, that in case those IP’s are compromised and start sending spam, you might want to reconsider whether you want to bypass spam scanning from them. https://technet.microsoft.com/en-us/library/jj200718(v=exchg.150).aspx

18. Customize your SPF record:

We discussed how you should change the current SPF configuration you have that includes “outlook.com” to include “spf.protection.outlook.com” per the article to minimize the number of DNS queries on your records: https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx. We touched on the Advanced Spam Filtering options, and that the essential option of SPF Hard Fail (inbound SPF checks) to protect against spoofed messages is already turned ON: https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx

19. Outbound spam:

The current outbound spam policies, although defined to send to an address, are probably underutilized. We advised to separate the HRDP notifications from the blocked senders notifications, to be alerted real-time of more critical outbound spam issues. https://technet.microsoft.com/en-us/library/dn600434(v=exchg.150).aspx

20. False Positives / False Negatives:

Submit junk and non-junk to Microsoft (see updated addresses in the article). You noted that the Outlook Junk Add-in that’s installed on end-user machines is probably underutilized. In that regard, user education plays an important role, for getting submissions timely. https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

========================================================================================================================================

More information:

Blocked Sender / Safe Senders in Office 365

https://support.microsoft.com/kb/2545137?wa=wsignin1.0

PowerShell:

Connect to PowerShell

https://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

List of all available cmdlets, including reporting and mail flow:

https://technet.microsoft.com/en-us/library/jj200780(v=exchg.150).aspx

Reporting:

https://technet.microsoft.com/en-us/library/jj200725(v=exchg.150).aspx https://blogs.technet.com/b/eopfieldnotes/archive/2015/06/12/scheduling-mail-reports-in-office-365.aspx

Macro viruses:

The purpose of a macro is to automate frequently used tasks. Although some macros are simply a recording of your keystrokes or mouse clicks, more powerful VBA macros are authored by developers who use code that can run many commands on your computer. For this reason, VBA macros pose a potential security risk because a hacker can introduce a malicious macro through a document that, if opened, allows the macro to run and potentially spread a virus on your computer.

- Disable Macros in Office files, https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6
- Note that whitelisting inbound messages by domain is generally risky (allows spam and spoofing) and should be kept to a minimum, but whitelisting inbound messages for your own domains is extremely risky (allows spoofing, spam, phishing, and spear-phishing). There are other ways to do that via connection filtering and connectors, and we found that you’re already using IP Allow Lists.
- Submit zero-day malware samples to Microsoft, https://www.microsoft.com/security/portal/submission/submit.aspx See how Advanced Thread Protection (https://products.office.com/en-us/exchange/online-email-threat-protection) can help your company against these particular threats: https://technet.microsoft.com/EN-US/library/mt148491%28v=exchg.150%29.aspx

Safe attachments is a feature in ATP that opens every unknown supported file type attachment in a special hypervisor environment and helps detect malicious activity. It is designed to help detect malicious attachments even before anti-virus signatures are available. File types that the safe attachments feature can detonate: Safe attachments will detonate attachments that are common targets for malicious content, such as Office documents, PDFs, executable file types, and Flash files.

- Block executable content by creating an Exchange Transport Rule, https://support.microsoft.com/en-us/kb/2959596
- Block particular malicious attachments. For increased protection, we also recommend using Transport rules to block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh. This can be done by using the Any attachment file extension includes these words condition. Refer to EOP Best Practices documentation: https://technet.microsoft.com/EN-US/library/jj723164(v=exchg.150).aspx
- Customize your company’s SPF record to change it to Hard Fail.