Bulk editing of Safe Sender lists

The following article was written by Richard Deprez who is a Support Escalation Engineer for Exchange Online at Microsoft.

Recently I have seen an increase in phishing attacks coming through EOP due to safe sender aggregation (email addresses that have been added by end users to their safe senders list will be respected by EOP; that is, messages from these addresses will get an SCL of -1 when the message is destined to that particular user). While everything is functioning as intended, this can be a pain point if the email addresses that have been added are being spoofed by an attacker.

I also often see users adding internal email addresses to their safe senders list. In Office 365, authenticated mail will not be scanned by the spam filter, so there is no need to have any internal recipients on a user’s safe senders list.

In both of the above cases, an administrator will often want to remove specific addresses from an end user’s safe senders list. Editing the safe/block sender list for an individual is relatively simple; see "How to set up safe senders and blocked senders in Office 365". However, finding and removing entries in bulk can be a more difficult process due to the way the safe sender list is stored.

The script below (which is not officially supported by Microsoft) is a two-step process: it identifies and exports the users who have a specific domain in their safe sender list, and then removes that domain from these users' lists. This way the users can be listed and educated about proper reasons for safe listing an address, and the entries can be removed to help prevent spoofed messages from coming in.

Step 1: Get the list of mailboxes that have the domain configured in their safe sender list:

 # Export every mailbox whose safe sender list contains an address at contoso.com
 Get-MailboxJunkEmailConfiguration * -ResultSize Unlimited | Where-Object { $_.TrustedSendersAndDomains -like '*@contoso.com' } | Export-Csv 'C:\testsafe.csv' -NoTypeInformation

Step 2: The actual removal of the domains. In this scenario we are using the input file created in step 1; the script can be easily altered to just check all mailboxes and remove where applicable.

 $users = Import-Csv 'C:\testsafe.csv'
 foreach ($Identity in $users) {
     # Start each mailbox with an empty list of entries to keep
     $newarray = @()
     $temp = (Get-MailboxJunkEmailConfiguration -Identity $Identity.Identity).TrustedSendersAndDomains
     # Keep every entry that is not an address at contoso.com
     foreach ($obj in $temp) {
         if (!($obj -like '*@contoso.com')) { $newarray += $obj }
     }
     # Write the filtered list back to the mailbox
     Set-MailboxJunkEmailConfiguration -Identity $Identity.Identity -TrustedSendersAndDomains $newarray
 }

The above script has worked great for many of the organizations I have worked with, but is not officially supported by Microsoft. Please ensure you test all your PowerShell scripts before running against production objects.

- Richard Deprez
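
The following is an added example, not part of the original article and not Microsoft-supported code: it combines both steps into one pass over all mailboxes (the alteration mentioned in step 2), records exactly which entries matched along with each mailbox's full original list so the change can be reversed, and supports -WhatIf for a dry run. The function name, its parameters and the backup path are hypothetical; it goes beyond the article's pattern by also matching the bare domain entry (for example `contoso.com`), and it assumes an existing Exchange Online PowerShell session.

```powershell
# Added example: function name, parameters and backup path are assumptions.
function Remove-SafeSenderEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Domain,        # e.g. 'contoso.com'
        [string]$BackupPath = 'C:\safesender-backup.csv'       # hypothetical path
    )

    $report = foreach ($cfg in Get-MailboxJunkEmailConfiguration * -ResultSize Unlimited) {
        $current = @($cfg.TrustedSendersAndDomains)

        # Match addresses at the domain and the bare domain entry itself.
        $matched = @($current | Where-Object { $_ -like "*@$Domain" -or $_ -eq $Domain })
        if ($matched.Count -eq 0) { continue }

        $keep = @($current | Where-Object { $matched -notcontains $_ })
        # Exchange clears a multi-valued property with $null, not an empty array.
        if ($keep.Count -eq 0) { $keep = $null }

        # One report row per affected mailbox, including the full original list.
        [pscustomobject]@{
            Identity     = [string]$cfg.Identity
            Removed      = $matched -join ';'
            OriginalList = $current -join ';'
        }

        $action = "Remove $($matched.Count) safe sender entries for $Domain"
        if ($PSCmdlet.ShouldProcess([string]$cfg.Identity, $action)) {
            Set-MailboxJunkEmailConfiguration -Identity $cfg.Identity `
                -TrustedSendersAndDomains $keep
        }
    }

    # Always write the backup, even during a -WhatIf run.
    $report | Export-Csv $BackupPath -NoTypeInformation -WhatIf:$false
    $report
}

# Dry run: mailboxes are not modified, but the report and backup are produced.
Remove-SafeSenderEntry -Domain 'contoso.com' -WhatIf
```

Review the `Removed` column in the backup CSV before running the function again without -WhatIf.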