ATP: Safe Attachments, Safe Links, and Anti-Phishing Policies or “All the policies you can shake a stick at”



With the advent of scammers, spammers, phishers, and other types of baddies, and the complementary rise in anti-malware, anti-spam, domain and sender verification techniques, we're in a perpetual cat-and-mouse game.  I've had several customers over the past few weeks ask me about best practices for configuring some of the Advanced Threat Protection (ATP) features.

I've pulled this information together as a compendium (oooh, big word) of some of the tips, tricks, and practices that have helped my customers be successful when configuring the service. Most of this is data you'll find on our support pages (and I've supplied lots of links where I pulled the data from), just to keep me honest. 😉

While we do provide a pretty good amount of documentation, we tend to do it in little bites scattered all over, which can be frustrating if you're looking for an end-to-end configuration resource. Hopefully, this helps a few folks out.

In this post:

Advanced Threat Protection Safe Attachments
  Safe Attachments Options
  Configure a Safe Attachments Policy
  Safe Attachments Policy For Email Attachments
  Safe Attachments Policy for SharePoint, OneDrive, and Teams
Advanced Threat Protection Safe Links
  Safe Links Options
  Configure a Safe Links Policy
  Safe Links policies that apply to the entire organization
  Safe Links policies that apply to specific recipients
Advanced Threat Protection Anti-Phishing
  Anti-Phishing Options
  Configure an Anti-Phishing Policy
Transport Rules
Bypass Safe Attachments Processing
Bypass Safe Links Processing
Lower Phishing Threshold
Tools and Information
O365 ATP Safe Links Decoder
Office 365 Message Header Analyzer
Message Header Analyzer Plug-in for Outlook
Exchange Online Protection Anti-spam Message Headers
Advanced Spam Filtering (ASF) Header Values
Safe Attachments File Types

Advanced Threat Protection Safe Attachments

Traditional antivirus and anti-malware scanning engines are based on file hashes or signatures, meaning that every file that gets scanned is compared against the fingerprints of known villains, er, viruses.  If a new virus or piece of malware is created, it will most likely have a uniquely new file signature that's not included in a database, and therefore evade detection.  (For you extra nerdy folk, you can take a stroll down memory lane and remember the first worm, created in 1971, and the first virus, introduced in 1982.)  In 1986, two brothers released the Brain boot sector virus, affecting IBM PCs.  Since G-Data Antivirus and McAfee VirusScan were both released in 1987, signature-based antivirus has ruled the roost.

Advanced Threat Protection's Safe Attachments technology is designed to be heuristic--investigating the behaviors that attachments perform.  While something may look like a Word document on the outside (because it has a .doc or .docx extension), ATP digs deeper into the attachment to see if it is what it says it is, based on how it behaves.  Using virtual environments and sandboxing, the attachments are detonated--that is, run in an isolated environment while the behaviors they exhibit are observed.  Behaviors might include: nothing (which would indicate a benign attachment), embedded code attempting to open up workstation firewall ports, encoded scripting to launch a listener or attach to an external website, or calls to the registry to read or write data.

Safe Attachments Options

What's good for the goose may not be good for the gander, so you may want to review the responses that are available before creating a policy.  Here are the options, what they mean, and some further information on deciding which is best.  Note that these options only apply for policies configured to Protect email attachments.

Option: Off
Effect:
  • Does not scan attachments for malware
  • Does not delay message delivery
Use when you want to:
  • Turn scanning off for internal senders, scanners, faxes, or smart hosts that will only send known, good attachments
  • Prevent unnecessary delays in routing internal mail

Note: This option is not recommended for most users. It enables you to turn ATP Safe Attachments scanning off for a small group of internal senders.

Option: Monitor
Effect:
  • Delivers messages with attachments and then tracks what happens with detected malware
Use when you want to:
  • See where detected malware goes in your organization.  You can view the reports under the Threat management dashboard.

Option: Block
Effect:
  • Prevents messages with detected malware attachments from proceeding
  • Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages
  • Blocks future messages and attachments automatically
Use when you want to:
  • Safeguard your organization from repeated attacks using the same malware attachments.

Option: Replace
Effect:
  • Removes detected malware attachments
  • Notifies recipients that attachments have been removed
  • Sends messages with detected malware to quarantine in Office 365 where a security administrator or analyst can review and release (or delete) those messages
Use when you want to:
  • Raise visibility to recipients that attachments were removed because of detected malware.  A text file attachment is included that notifies the user that the attachment was removed.

Option: Dynamic Delivery
Effect:
  • Delivers messages immediately
  • Replaces attachments with a placeholder file until scanning is complete, and then reattaches the attachments if no malware is detected
  • Includes attachment previewing capabilities for most PDFs and Office files during scanning
  • Sends messages with detected malware to Quarantine where a security administrator or analyst can review and release (or delete) those messages
  See Learn about dynamic delivery and previewing with ATP Safe Attachments for more details.
Use when you want to:
  • Avoid message delays while protecting recipients from malicious files.
  • Enable recipients to preview attachments in safe mode while scanning is taking place.

Note: Dynamic delivery is only available for cloud-hosted mailboxes.  If you configure a dynamic delivery policy in a hybrid environment scoped to users that are both on-premises and in-cloud, messages scanned for users in the on-premises environment will be treated as though they are configured in "Replace" mode, and the message will not be delivered until scanning is complete.

Additionally, if a user is covered by a dynamic delivery policy, and they forward a message with the placeholder attachment (before the scanning has been completed), what happens depends on whether or not the recipient is licensed for ATP:

If the recipient of a forwarded message is not licensed, the message is forwarded without safe attachments scanning.  If the recipient of a forwarded message is licensed, then they will see the attachment preview (per this support article).

Finally, there are some scenarios in which dynamic delivery will not work:

  • Email messages that are in public folders
  • Email messages that are routed out of and then back into the user's mailbox using custom rules
  • Messages that are moved (automatically or manually) out of the hosted mailbox and into other locations, including archive folders
  • Messages that are deleted
  • A user's mailbox search folder that is in an error state
  • Environments in which an Exchange Online admin has enabled Exclaimer.

Option: Enable redirect
Effect:
  • Applies when the Monitor, Block, or Replace option is chosen
  • Sends attachments to a specified email address where security administrators or analysts can investigate
Use when you want to:
  • Enable security administrators and analysts to research suspicious attachments

Table data compiled mostly from https://support.office.com/en-us/article/dynamic-delivery-and-previewing-with-office-365-atp-safe-attachments-f16c9928-8e3d-4219-b994-271dc9a16272 and https://support.office.com/en-us/article/Set-up-Office-365-ATP-safe-attachments-policies-078EB946-819A-4E13-8673-FE0C0AD3A775.

While it's possible to create a Safe Attachments policy inside of the Exchange Admin Center (EAC), it's best if you create and manage it in the Security & Compliance Center, since that's the direction we're moving for consolidated management of security policies.

Configure a Safe Attachments Policy

Safe attachments (as well as safe links policies) can be scoped to your entire organization, domains, or smaller subsets of your users. Depending on how your organization functions or how you want to handle mail flow and threats in your environment, you may need to configure one or more policies to meet your requirements.

Safe Attachments Policy For Email Attachments

To create a Safe Attachments Policy in the Security & Compliance Center:

  1. Navigate to https://protection.office.com.
  2. In the navigation menu, expand Threat management, and then select Policy.
  3. Select the ATP Safe Attachments tile.
  4. Under Protect email attachments, click the + button to create a new policy.
  5. Enter a name for the policy (required), a description (optional), and then select a response method.
  6. Scroll down to the bottom of the window.
  7. Specify settings for Redirect attachment on detection and Applied To.  The address specified in the Enable redirect text box should be accessible to your email administrators or security team to review suspicious attachments.  You can choose to apply a policy to an individual user, domain, or group.  You can specify exceptions based on a user, domain, or group.
  8. Click Save when finished.

Safe Attachments Policy For SharePoint, OneDrive, and Teams

The same heuristics engine that drives Safe Attachments for message attachments can now be used against SharePoint, OneDrive, and Teams storage locations.  While it doesn't scan all previously stored documents, it does pay attention to documents that you share.  Per the product documentation:

Advanced Threat Protection for SharePoint Online, OneDrive for Business, and Microsoft Teams will not scan every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams. This is by design. Files are scanned asynchronously, through a process that uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.

Given that, configuring a Safe Attachments policy for SharePoint, OneDrive, and Teams sites is pretty easy.

  1. Navigate to https://protection.office.com.
  2. In the navigation menu, expand Threat management, and then select Policy.
  3. Select the ATP Safe Attachments tile.
  4. Under Protect files in SharePoint, OneDrive, and Microsoft Teams, select the checkbox next to Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
  5. Click the Save button at the bottom of the page.
  6. Connect to SharePoint Online with PowerShell.  If you do not have the SharePoint Online Management Shell module installed, download and install it first.  When connecting to SharePoint Online via the management shell, the URL for your tenant is https://<tenantname>-admin.sharepoint.com.
  7. Configure the DisallowInfectedFileDownload parameter.  The default value is False.

    Per the product documentation, if the Set-SPOTenant cmdlet has the DisallowInfectedFileDownload parameter set to true (recommended), this happens:

      • All actions, except Delete, are blocked for detected files.
      • People cannot open, move, copy, or share detected files.
      • A visual cue indicates that a file has been identified as malicious. No one can download the file.

    If the parameter is set to false, this happens:

      • All actions, except Delete and Download, are blocked for detected files.
      • People cannot open, move, copy, or share detected files.
      • A visual cue indicates a file has been identified as malicious, but people can choose to accept the risk and download the file.

  8. Use the Set-SPOTenant cmdlet with the -DisallowInfectedFileDownload parameter as appropriate.
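
Both procedures above (the Safe Attachments policy for email attachments and the SharePoint, OneDrive, and Teams setting) done from PowerShell, as an added example rather than code from the post. It assumes the ExchangeOnlineManagement and SharePoint Online Management Shell modules are installed; the policy name, redirect mailbox, domain, and exception address are constructed placeholders, and <tenantname> is your own tenant.

```powershell
# Exchange Online side: Safe Attachments policy + rule (the portal's "Protect email attachments")
Connect-ExchangeOnline

$policyName = 'Block malicious attachments'      # constructed policy name
$policyParams = @{
    Name            = $policyName
    Enable          = $true
    # -Action maps to the portal response methods: Allow (= Monitor), Block, Replace, DynamicDelivery
    Action          = 'Block'
    # "Redirect attachment on detection": send detected attachments to the security team's mailbox
    Redirect        = $true
    RedirectAddress = 'secops-attachments@contoso.com'   # constructed address
    # Apply the configured action when scanning times out or fails
    ActionOnError   = $true
}
if (-not (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy @policyParams | Out-Null
}

# The rule is the "Applied To" part: who the policy covers, and the exceptions
$ruleParams = @{
    Name                 = $policyName
    SafeAttachmentPolicy = $policyName
    RecipientDomainIs    = 'contoso.com'                 # constructed domain
    ExceptIfSentTo       = 'scanner-relay@contoso.com'   # constructed exception (a known-good scanner mailbox)
}
if (-not (Get-SafeAttachmentRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule @ruleParams | Out-Null
}

# Step 4 of the SharePoint/OneDrive/Teams procedure: the "Turn on ATP for SharePoint, OneDrive,
# and Microsoft Teams" checkbox is the EnableATPForSPOTeamsODB switch of the organization ATP policy
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Steps 6-8: SharePoint Online side. The default for DisallowInfectedFileDownload is False,
# which still lets people accept the risk and download a file flagged as malicious.
Connect-SPOService -Url 'https://<tenantname>-admin.sharepoint.com'
if (-not (Get-SPOTenant).DisallowInfectedFileDownload) {
    Set-SPOTenant -DisallowInfectedFileDownload $true
}

# Verify the end state of both settings
[pscustomobject]@{
    ATPForSPOTeamsODB            = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
    DisallowInfectedFileDownload = (Get-SPOTenant).DisallowInfectedFileDownload
}
```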

Advanced Threat Protection Safe Links

ATP Safe Links consists of a few components:

  • A URL wrapping service for click-time evaluation
  • A reputation database
  • Scanning of files embedded in hyperlinks using the sandboxing and detonation chamber
  • Scanning of links embedded in Office documents when opened using Office ProPlus signed in as a user licensed for a Safe Links policy

The URL wrapping service processes links in messages and permanently encapsulates the hyperlinks in the delivered messages.  The rewritten link persists for the life of the message and is re-processed and evaluated each time it is clicked, whether that is a few hours, a few days, or years later, and whether the message remains in the original mailbox or has been forwarded to new recipients.  ATP-protected links are evaluated in real time against the reputation database.

In addition to rewriting links that have been delivered in email messages, users who have been assigned an ATP license and are opening documents with Office ProPlus applications signed in as the user will also be protected from malicious links inside documents.

Safe Links Options

Before you configure a Safe Links policy (either for the organization or for individual or groups of recipients), you should familiarize yourself with the options available.

Default policy (once defined, the default policy applies to everyone in the organization):

  • Block the following URLs: Enables your organization to have a custom list of URLs that are automatically blocked. When users click a URL in this list, they'll be taken to a warning page that explains why the URL is blocked.  See Set up a custom blocked URLs list using ATP Safe Links for more details, such as newly added support for up to three wildcard asterisks (*).
  • Office 365 ProPlus, Office for iOS and Android: When this option is selected, ATP Safe Links protection is applied to URLs in documents that are open in Word 2016, Excel 2016, PowerPoint 2016 on Windows, iOS, or Android devices, or Visio 2016 on Windows, with the user signed into Office 365.

    Tip: If you see Office 2016 on Windows, then the feature update has not reached your Office 365 environment yet (and it's coming soon). Until then, ATP Safe Links protection applies to Word 2016, Excel 2016, PowerPoint 2016 or Visio 2016 running on Windows.

  • Don't track when users click ATP Safe Links: When this option is selected, click data for URLs in Word, Excel, PowerPoint, and Visio documents is not stored.
  • Don't let users click through ATP Safe Links to original URL: When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious.

Policies created for specific email recipients:

  • Off: Does not scan URLs in email messages.  Enables you to define an exception rule, such as a rule that does not scan URLs in email messages for a specific group of recipients.
  • On: Rewrites URLs to route users through ATP Safe Links protection when the users click URLs in email messages.  Checks a URL when clicked against a list of blocked or malicious URLs.
  • Use Safe Attachments to scan downloadable content: When this option is selected, URLs that point to downloadable content are scanned.
  • Apply Safe Links to messages sent within the organization: This feature is rolling out beginning in March 2018.  When this option is available and selected, ATP Safe Links protection is applied to email messages sent between people in your organization, provided the email accounts are hosted in Office 365.
  • Do not track user clicks: When this option is selected, click data for URLs in email from external senders is not stored.  URL click tracking for links within email messages sent within the organization is currently not supported.
  • Do not allow users to click through to original URL: When this option is selected, users cannot proceed past a warning page to a URL that is determined to be malicious.
  • Do not rewrite the following URLs: Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning for a specific group of email recipients in your organization.  See Set up a custom "Do not rewrite" URLs list using ATP Safe Links for more details, including recent changes to support for wildcard asterisks (*).

The preceding table also appears at https://support.office.com/en-us/article/set-up-office-365-atp-safe-links-policies-bdd5372d-775e-4442-9c1b-609627b94b5d.

Configure a Safe Links Policy

You can configure both organization-wide Safe Links settings, as well as policies scoped to individual users or groups of users.

Safe Links policies that apply to the entire organization

  1. Navigate to https://protection.office.com.
  2. In the navigation menu, expand Threat management, and then select Policy.
  3. Select the ATP Safe Links tile.
  4. In the Policies that apply to the entire organization section, click the pencil icon to edit the Default policy.
  5. Under Settings that apply to content across Office 365, in the Block the following URLs section, add any domains you wish to always block by entering them in the text box and clicking the + button.

    Note: the links added to the organizational policy will apply to all users, regardless of settings in other user-scoped policies.  The URLs and domains entered in the Block the following URLs section will apply to Office ProPlus, Office Online / Web Apps, Office for iOS and Android, as well as links that are wrapped via Safe Links.  If a domain is later added or removed, the behavior on links that are protected will be updated to reflect the new settings.
  6. Under Settings that apply to content except email, select whether or not you wish to enforce Safe Links policies for Office ProPlus as well as Office for iOS and Android.  If you select Do not track when users click safe links, user telemetry data for URLs specified in the blocked domains list will not be collected when links are followed by clicking on a URL in an Office application (besides Outlook).  If you select Do not let users click through safe links to the original URL, users will be directed to a warning page when clicking on a blocked link inside an Office document.
  7. Click Save.

Safe Links policies that apply to specific recipients

To create a Safe Links policy that applies to specific recipients, follow these steps.  Keep in mind that each Safe Links policy can apply to an individual user, group of users, or one or more domains.  You can specify one or more user selection conditions (such as "is a member of" and "recipient domain is").

  1. Navigate to https://protection.office.com.
  2. In the navigation menu, expand Threat management, and then select Policy.
  3. Select the ATP Safe Links tile.
  4. In the Policies that apply to specific recipients section, click the + to create a new policy.
  5. Choose whether or not to rewrite links for the group this policy will apply to.  If the Select the action for unknown potentially malicious URLs in messages radio button is Off, no further Safe Links configuration options will be available except the recipient selection conditions.
  6. Select the appropriate check boxes, referring to the Safe Links Options table above, which details the operation of each setting.
  7. For any URLs that you want to be ignored by Safe Links processing (such as known good URLs), enter them in the Do not rewrite the following URLs box and click the + button.
  8. Specify a user, domain, or group to which you want to apply the policy.  This is a required field.
  9. Click Save to complete the policy.
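
The organization-wide settings (previous section) and the recipient-scoped policy (this section) expressed in Exchange Online PowerShell, as an added example rather than code from the post. It assumes the ExchangeOnlineManagement module is installed; the blocked URL entries, policy name, group, and do-not-rewrite URL are constructed placeholders, and the parameter names follow the cmdlet reference current when this post was written (later module versions renamed some of them).

```powershell
Connect-ExchangeOnline

# --- Settings that apply to the entire organization (the Default policy) ---
# BlockUrls applies to everyone regardless of recipient-scoped policies, and covers Office
# ProPlus, Office Online, Office for iOS/Android, and links wrapped by Safe Links in email.
$orgParams = @{
    BlockUrls                 = @('phish.example', 'https://downloads.example/*')   # constructed entries
    EnableSafeLinksForClients = $true    # enforce Safe Links in Office ProPlus and Office for iOS/Android
    TrackClicks               = $true    # leave "Do not track when users click safe links" unchecked
    AllowClickThrough         = $false   # "Do not let users click through safe links to the original URL"
}
Set-AtpPolicyForO365 @orgParams

# --- Policy that applies to specific recipients ---
$policyName = 'Safe Links - Finance'     # constructed policy name
$policyParams = @{
    Name                     = $policyName
    IsEnabled                = $true     # "On": rewrite URLs in email and check them at click time
    ScanUrls                 = $true     # "Use Safe Attachments to scan downloadable content"
    EnableForInternalSenders = $true     # "Apply Safe Links to messages sent within the organization"
    TrackClicks              = $true     # leave "Do not track user clicks" unchecked
    AllowClickThrough        = $false    # "Do not allow users to click through to original URL"
    DoNotRewriteUrls         = @('https://intranet.contoso.com/*')   # constructed known-good URL
}
if (-not (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy @policyParams | Out-Null
}

# The rule supplies the recipient selection conditions ("is a member of", "recipient domain is")
$ruleParams = @{
    Name            = $policyName
    SafeLinksPolicy = $policyName
    SentToMemberOf  = 'finance@contoso.com'    # constructed distribution group
}
if (-not (Get-SafeLinksRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksRule @ruleParams | Out-Null
}

# Review what was applied
Get-AtpPolicyForO365 | Format-List BlockUrls, EnableSafeLinksForClients, TrackClicks, AllowClickThrough
Get-SafeLinksPolicy -Identity $policyName |
    Format-List IsEnabled, ScanUrls, EnableForInternalSenders, TrackClicks, AllowClickThrough, DoNotRewriteUrls
```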

Advanced Threat Protection Anti-Phishing

One of the newer additions to the Advanced Threat Protection family is the configurability of specific anti-phishing policies.  Anti-phishing policies protect against emails intended to deceive the recipient in some way (usually by pretending to be a familiar or trusted sender) in order to gain important business or personal data, including service and logon credentials, bank account information, credit card or other information that can be used to further impersonate the user.

Anti-phishing Options

Before configuring an anti-phishing policy, familiarize yourself with the available settings and how they impact the policy and users.

Add users to protect
  Does this: Defines which email addresses will be protected by the policy. You can add up to 20 internal and external addresses that you want to protect from impersonation.
  Use when you want to: ensure that mail from outside your organization isn't an impersonation of one of the users on the list of users you are protecting. Examples of users you might want to protect are high-level executives, business owners, external board members, and so on.

  This list of protected users is different from the list of people to which the policy applies, or rather, for which the policy is enforced. You define the applies to list in the Applied to section of the policy options.

  For example, if you add Mary Smith <marys@contoso.com> as a user to protect, then apply the policy to the group "All Users". This would ensure that a mail that appeared to impersonate "Mary Smith" sent to a user in the "All Users" group would be acted on by the policy.

Add domains to protect
  Does this: Allows you to choose which domains you want to protect from impersonation. You can specify that the policy include all of your custom domains, a comma-separated list of domains, or a combination of the two. If you choose Automatically include domains that I own, and you later add a domain to your Office 365 organization, this anti-phishing policy will be in place for the new domain.
  Use when you want to: ensure that mail from outside your organization isn't an impersonation of one of the domains defined in your list of verified domains or that of a partner domain.

Choose actions
  Does this: Choose the action to take when Office 365 detects an impersonation attempt against the users and domains you added to the policy. You can choose different actions for users and domains in the same anti-phishing policy. These actions apply to any incoming email that has been identified by Office 365 as impersonating a user account or domain that is under the protection of this anti-phishing policy.
    • Quarantine message: Email will be sent to Office 365 quarantine. When you choose this option, the email is not sent to the original recipient.
    • Redirect message to another email address: Email will be sent to the email address you specify. You can specify multiple email addresses. When you choose this option, the email is not sent to the original recipient.
    • Move message to the recipients' Junk email folder: Email will be sent to the recipients' Junk email folder. When you choose this option, the email is still sent to the original recipient but is not placed in the recipient's inbox.
    • Deliver the message and add other addresses to the Bcc line: Email will be delivered to the original recipient. In addition, the users you identify will be added to the bcc line of the message before it's delivered. When you choose this option, the email is still sent to the original recipient's inbox.
    • Don't apply any action: Email will be delivered to the original recipient's inbox. No other action will be taken on the email message.
    • Turn on phishing protection tips: Enables anti-phishing safety tips in email.
  Use when you want to: take an action on messages that Office 365 has determined to be an impersonation of a user or domain as defined in the policy.

Enable mailbox intelligence
  Does this: Enables or disables mailbox intelligence for this policy. You can only enable mailbox intelligence for cloud-based accounts, that is, accounts whose mailbox is hosted entirely in Office 365.
  Use when you want to: enhance impersonation results for users based on each user's individual sender map. Mailbox intelligence is built around the people you send and receive mail from. This intelligence allows Office 365 to customize the impersonation policy at a user-level in order to better handle false positive results.

Add trusted senders and domains
  Does this: Defines email addresses and domains that will not be considered impersonations by this policy. Messages from the sender email addresses and domains you add as trusted senders and domains won't ever be classified as an impersonation-based attack. As a result, the actions and settings in this policy won't be applied to messages from these senders and domains.
  Use when: users interact with domains or users that trigger impersonation but are considered to be safe. For example, if a partner has the same/similar display name or domain name as a user defined on the list.

Applied to
  Does this: Defines the recipients whose incoming email messages will be subject to the rules of the policy. You can create conditions and exceptions for the recipients associated with the policy.

  For example, you can create a global policy for your organization by applying the rule to all recipients in your domain.

  You can also create exception rules, such as a rule that does not scan email messages for a specific group of recipients.

  Each policy must be associated with a set of users, for example users in a particular group or domain.

Note: The preceding table contains data from https://support.office.com/en-us/article/Set-up-Office-365-ATP-anti-phishing-policies-5a6f2d7f-d998-4f31-b4f5-f7cbf6f38578#phishpolicyoptions.

Configure an Anti-Phishing Policy

Like Safe Links policies, Anti-Phishing policies can be customized and applied to groups or subgroups of users.  To configure a policy, follow these steps.

  1. Navigate to https://protection.office.com.
  2. In the navigation menu, expand Threat management, and then select Policy.
  3. Select the ATP anti-phishing tile.
  4. Click the + Create button to start the Create a new anti-phishing policy wizard.
  5. Enter a name (required) and description (optional) for the policy.  As you can see, I was quite creative with mine.  Click Next when done.
  6. Select conditions under which to apply the policy.  In this example, I'm going to choose recipient domain is and select my accepted domain to protect all users with the same policy.  Once the domain has been added, click Next.

  7. Click Create this policy to be taken to the policy configuration options.
  8. At Edit your policy page, click Edit next to the configuration options you want to edit.  In my case, I want to ensure that I protect all the domains in my tenant from impersonation as well as the domain of a trusted partner that I do a lot of business with, as well as apply additional protection or scrutiny to messages purporting to be from a few specific users (such as the Finance lead and payroll).  I want to display warnings to the recipients when something seems suspicious.  Given all the options I want to manage, I'm going to click the Edit button in the Impersonation section.
  9. I'm going to first add the users and addresses I want to protect from being impersonated.  So, click Add users to protect. In this case, I'm adding the Finance director (internal) and a payroll email address (external).
  10. Click the Add domains to protect tab, and then slide the toggle to include all the domains in the tenant, as well as custom domains.  Since I want to protect my organization from being spoofed by one of my partner's domains, I'm going to add their domain as well.  Note: Press [Enter] when you're finished entering each domain--clicking Save will take you back to the Edit your policy page.  If you do so, you'll just have to click the Edit button again to enter back into the editing screen.
  11. Click the Actions tab.  In this case, I want messages that appear to be sent by my protected users to go to Quarantine (which will require them to be released).  Other messages that appear to be impersonated will get delivered to the user's junk mail.
  12. Click the Turn on impersonation safety tips link to expose the Safety tips flyout panel.  Toggle all three sliders to on.
  13. Click Save to save the flyout options.
  14. Click Save to save the policy.
  15. Click Close to complete configuration of the policy.
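
The same policy the wizard steps above build (protected users, all owned domains plus a partner domain, quarantine for impersonated users, Junk for impersonated domains, all three safety tips) created with Exchange Online PowerShell, as an added example rather than code from the post. It assumes the ExchangeOnlineManagement module is installed; the policy name, addresses, and domains are constructed placeholders.

```powershell
Connect-ExchangeOnline

$policyName = 'Executive impersonation protection'   # constructed policy name

$policyParams = @{
    Name    = $policyName
    Enabled = $true

    # Step 9, "Add users to protect": one internal and one external address, as "DisplayName;email"
    EnableTargetedUserProtection = $true
    TargetedUsersToProtect       = @('Finance Director;finance.director@contoso.com',   # constructed
                                     'Payroll;payroll@partner.example')                # constructed

    # Step 10, "Add domains to protect": every domain the tenant owns plus a trusted partner's domain
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('partner.example')   # constructed partner domain

    # Step 11, Actions: impersonated users go to quarantine, impersonated domains to Junk Email
    TargetedUserProtectionAction   = 'Quarantine'
    TargetedDomainProtectionAction = 'MoveToJmf'

    # Step 12, the three impersonation safety tips
    EnableSimilarUsersSafetyTips      = $true
    EnableSimilarDomainsSafetyTips    = $true
    EnableUnusualCharactersSafetyTips = $true

    # Mailbox intelligence (cloud-hosted mailboxes only) to reduce per-user false positives
    EnableMailboxIntelligence = $true
}
if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy @policyParams | Out-Null
}

# Step 6: apply the policy with "recipient domain is" for the accepted domain
$ruleParams = @{
    Name              = $policyName
    AntiPhishPolicy   = $policyName
    RecipientDomainIs = 'contoso.com'   # constructed accepted domain
}
if (-not (Get-AntiPhishRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishRule @ruleParams | Out-Null
}

# Confirm the protected users/domains and the actions that will be taken
Get-AntiPhishPolicy -Identity $policyName |
    Format-List TargetedUsersToProtect, TargetedDomainsToProtect, EnableOrganizationDomainsProtection,
                TargetedUserProtectionAction, TargetedDomainProtectionAction
```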

Transport Rules

In addition to the general policy configurations, ATP Safe Attachments, ATP Safe Links, and ATP Anti-phishing policies can be further refined with a few transport rule options.

Bypass Safe Attachments Processing

You can configure a transport rule to set an X-header to bypass safe attachments processing, in the event that you want to prevent attachment processing from certain sources that you are certain will only send safe attachments.  To configure the transport rule:

  1. Log into the Office 365 Admin Center, and navigate to the Exchange Admin Center.
  2. Select Mail Flow.
  3. Click the +, and then select Create a new rule.
  4. Click on more options… at the bottom of the dialog box. This is necessary to show all fields required to complete the rule.
  5. Enter a value for the name, select which messages the rule will apply to (such as applying to a certain sender, IP address range, or domain), and then under *Do the following, select Modify the message properties | Set the message header to this value.  Enter X-MS-Exchange-Organization-SkipSafeAttachmentProcessing as the header name, then set the value to 1.
  6. Click Save to finish the rule.

Alternately, you can use PowerShell to configure the rule:

New-TransportRule -From @('trusteduser@trusteddomain.com') -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' -SetHeaderValue '1' -Name 'Bypass Safe Attachments' -StopRuleProcessing:$false -Mode 'Enforce' -Comments '' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'

Bypass Safe Links Processing

Just as you may need to bypass Safe Attachments processing, you may need to bypass Safe Links processing (such as for a trusted network or sender).

  1. Log into the Office 365 Admin Center, and navigate to the Exchange Admin Center.
  2. Select Mail Flow.
  3. Click the +, and then select Create a new rule.
  4. Click on more options… at the bottom of the dialog box. This is necessary to show all fields required to complete the rule.
  5. Enter a value for the name, select which messages the rule will apply to (such as applying to a certain sender, IP address range, or domain), and then under *Do the following, select Modify the message properties | Set the message header to this value.  Enter X-MS-Exchange-Organization-SkipSafeLinksProcessing as the header name, then set the value to 1.
  6. Click Save to finish the rule.

Alternately, you can use PowerShell to configure the rule:

New-TransportRule -From @('trusteduser@trusteddomain.com') -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' -SetHeaderValue '1' -Name 'Bypass Safe Links' -StopRuleProcessing:$false -Mode 'Enforce' -Comments '' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'

Lower Phishing Threshold

Depending on the type of phishing messages that you get, it may be desirable to lower the threshold (thereby, increasing sensitivity) for phishing messages.  You can do this by creating a transport rule to apply these settings.

  1. Log into the Office 365 Admin Center, and navigate to the Exchange Admin Center.
  2. Select Mail Flow.
  3. Click the +, and then select Create a new rule.
  4. Click on more options… at the bottom of the dialog box. This is necessary to show all fields required to complete the rule.
  5. Enter a value for the name, select which messages the rule will apply to.  Under Sender condition, select The sender is located..., and then select Outside the organization, and then click OK.  Select any additional message selection criteria, such as scoping for internal recipients.
  6. Under *Do the following, select Modify the message properties | Set the message header to this value.  Enter MS-Exchange-Organization-PhishThresholdLevel as the header name, then set the value to 2.  Valid values are 2, 3, and 4 (default).
  7. Click Save to complete the rule.

Alternately, you can use PowerShell to configure the rule:

New-TransportRule -FromScope 'NotInOrganization' -SetHeaderName 'MS-Exchange-Organization-PhishThresholdLevel' -SetHeaderValue '2' -Name 'Lower Phishing Threshold for Executives' -StopRuleProcessing:$false -Mode 'Enforce' -Comments '' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'

Tools

Should you find yourself needing to analyze messages that have been processed by ATP or EOP, you can use the following tools:

O365 ATP Safe Links Decoder

For messages that have been processed (and subsequently, rewritten) by Safe Links, you can use this decoder to return the original URL.  To use it, simply copy a rewritten URL from a processed message and then paste it in the link window.  The decoded link will appear below.
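An added example, not the decoder tool itself or any Microsoft code: a small Python routine that recovers the original URL from a Safe Links rewritten link the same way. It assumes the rewritten link carries the original, percent-encoded, in its url= query parameter on a safelinks.protection.outlook.com host; the sample URL and message text are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed example of a Safe Links rewritten URL (not from a real message):
# the original link sits percent-encoded in the "url" parameter, beside the
# tracking parameters Safe Links appends (data, sdata, reserved).
SAMPLE_REWRITTEN = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fwww.example.com%2Fdocs%2Finvoice.pdf%3Fid%3D42"
    "&data=02%7C01%7Cuser%40contoso.com%7Cplaceholder"
    "&sdata=placeholder&reserved=0"
)

SAFELINKS_DOMAIN = "safelinks.protection.outlook.com"
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")


def is_safelinks_host(host):
    """True only for the Safe Links domain itself or a subdomain of it.

    Matching on a label boundary (rather than a bare endswith) keeps a host
    that merely ends in the same characters from being treated as rewritten.
    """
    host = host.lower()
    return host == SAFELINKS_DOMAIN or host.endswith("." + SAFELINKS_DOMAIN)


def decode_safe_link(link):
    """Return the original URL behind a Safe Links rewritten URL.

    Anything that is not a Safe Links URL, or a rewritten URL with no url=
    parameter, comes back unchanged so the function can be mapped over every
    link in a message. parse_qs percent-decodes exactly once; decoding again
    would corrupt originals that legitimately contain %-sequences.
    """
    parsed = urlparse(link)
    if parsed.scheme != "https" or not is_safelinks_host(parsed.hostname or ""):
        return link
    original = parse_qs(parsed.query).get("url")
    return original[0] if original else link


def decode_links_in_text(text):
    """Find every URL in a message body; return (as seen, decoded) pairs."""
    return [(url, decode_safe_link(url)) for url in URL_PATTERN.findall(text)]
```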

Office 365 Message Header Analyzer

Use this tool to evaluate messages that have passed through Office 365.  Simply open the message, select File | Properties, copy and paste the headers, and click the Analyze headers button.

Message Header Analyzer Plug-in for Outlook

This plug-in brings the functionality of the Message Header Analyzer into the Outlook client.  After installing the plug-in via the Get App button on the home page, select a message in Outlook, and then click the MHA icon on the toolbar.

Exchange Online Protection Anti-spam Message Headers

Once you've extracted the data from the headers, you can compare it to the values on this table (original table data from https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx and https://technet.microsoft.com/en-us/library/dn759623(v=exchg.150).aspx, so be sure to check there periodically for updates).  These values appear in the X-header X-Forefront-Antispam-Report, except for BCL and PCL, which appear in the X-Microsoft-Antispam header.

Header field Description
CIP: [IP address] The connecting IP address. You may want to specify this IP address when creating an IP Allow list or an IP Block list in the connection filter. For more information, see Configure the connection filter policy.
CTRY The country from which the message connected to the service. This is determined by the connecting IP address, which may not be the same as the originating sending IP address.
LANG The language in which the message was written, as specified by the country code (for example, ru_RU for Russian).
SCL The Spam Confidence Level (SCL) value of the message. For more information about interpreting these values, see Spam confidence levels.
SRV:BULK The message was identified as a bulk email message. If the Block all bulk email messages advanced spam filtering option is enabled, it will be marked as spam. If it is not enabled, it will only be marked as spam if the rest of the filtering rules determine that the message is spam.
SFV:SFE Filtering was skipped and the message was let through because it was sent from an address on an individual’s safe sender list.
SFV:BLK Filtering was skipped and the message was blocked because it was sent from an address on an individual’s blocked sender list.

Tip: For more information about how end users can create safe and blocked sender lists, see Block or allow (junk email settings) (OWA) and Overview of the Junk Email Filter (Outlook).

IPV:CAL The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.
IPV:NLI The IP address was not listed on any IP reputation list.
SFV:SPM The message was marked as spam by the content filter.
SFV:SKS The message was marked as spam prior to being processed by the content filter. This includes messages where the message matched a Transport rule to automatically mark it as spam and bypass all additional filtering.
SFV:SKA The message skipped filtering and was delivered to the inbox because it matched an allow list in the spam filter policy, such as the Sender allow list.
SFV:SKB The message was marked as spam because it matched a block list in the spam filter policy, such as the Sender block list.
SFV:SKN The message was marked as non-spam prior to being processed by the content filter. This includes messages where the message matched a transport rule to automatically mark it as non-spam and bypass all additional filtering.
SFV:SKI Similar to SFV:SKN, the message skipped filtering for another reason such as being intra-organizational email within a tenant.
SFV:SKQ The message was released from the quarantine and was sent to the intended recipients.
SFV:NSPM The message was marked as non-spam and was sent to the intended recipients.
H: [helostring] The HELO or EHLO string of the connecting mail server.
PTR: [ReverseDNS] The PTR record, or pointer record, of the sending IP address, also known as the reverse DNS address.
X-CustomSpam: [ASFOption] The message matched an advanced spam filtering (ASF) option. For example, X-CustomSpam: Image links to remote sites denotes that the Image links to remote sites ASF option was matched. To find out which X-header text is added for each specific ASF option, see Advanced spam filtering (ASF) options.
BCL The Bulk Complaint Level (BCL) of the message.

This status can be returned as one of the following numerical values:

  • 0  The message isn’t from a bulk sender.
  • 1-3  The message is from a bulk sender that generates few complaints.
  • 4-7  The message is from a bulk sender that generates a mixed number of complaints.
  • 8-9  The message is from a bulk sender that generates a high number of complaints.
PCL The Phishing Confidence Level (PCL) of the message. This status can be returned as one of the following numerical values:

  • 0-3 The message's content isn't likely to be phishing.
  • 4-8 The message's content is likely to be phishing.
  • -9990 (Exchange Online Protection only) The message's content is likely to be phishing.

The values are used to determine what action your email client takes on messages. For example, Microsoft Office Outlook uses the PCL stamp to block the content of suspicious messages. For more information about phishing, and how Outlook processes phishing messages, see Turn on or off links in email messages.
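An added example, not one of the tools above and not Microsoft's code: a Python parser that pulls the KEY:VALUE stamps out of X-Forefront-Antispam-Report and X-Microsoft-Antispam (plus any X-CustomSpam headers) and maps them to the meanings in this table. The header block is constructed, and the header is deliberately folded across two lines because that is how it usually arrives.

```python
import email
from email import policy

# Constructed sample header block (not from a real message). The report
# header is folded across two lines, as it commonly is in real headers.
SAMPLE_HEADERS = """\
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPM;DIR:INB;
X-Microsoft-Antispam: BCL:7;PCL:0;
X-CustomSpam: Image links to remote sites
"""

# Stamp meanings and BCL/PCL bands are those listed in the table above.
SFV_MEANING = {
    "SPM": "spam (content filter)", "SKS": "spam (transport rule, pre-filter)",
    "SKA": "skipped: policy allow list", "SKB": "spam: policy block list",
    "SKN": "non-spam (transport rule, pre-filter)", "SKI": "skipped: e.g. intra-org",
    "SKQ": "released from quarantine", "NSPM": "non-spam",
    "SFE": "skipped: user safe sender list", "BLK": "blocked: user blocked sender list",
}
BCL_BANDS = [(0, 0, "not a bulk sender"), (1, 3, "bulk sender, few complaints"),
             (4, 7, "bulk sender, mixed complaints"), (8, 9, "bulk sender, many complaints")]
PCL_BANDS = [(0, 3, "not likely phishing"), (4, 8, "likely phishing"),
             (-9990, -9990, "likely phishing (EOP)")]

def band(value, bands):
    """Map a numeric BCL or PCL stamp onto its documented band."""
    n = int(value)
    return next((label for lo, hi, label in bands if lo <= n <= hi), "unrecognized")

def parse_stamp(value):
    """Split a 'KEY:VALUE;KEY:VALUE;' stamp into a dict (empty values kept)."""
    fields = {}
    for item in value.split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            fields[key.strip()] = val.strip()
    return fields

def parse_antispam_headers(raw):
    """Return the report fields plus BCL/PCL and any matched ASF options."""
    msg = email.message_from_string(raw, policy=policy.default)  # unfolds headers
    fields = parse_stamp(msg.get("X-Forefront-Antispam-Report", ""))
    fields.update(parse_stamp(msg.get("X-Microsoft-Antispam", "")))
    fields["ASF"] = [str(v).strip() for v in msg.get_all("X-CustomSpam", [])]
    return fields

def summarize(fields):
    """Verdict lines in the order an analyst reads them: SFV, BCL, PCL, ASF."""
    describers = (("SFV", lambda v: SFV_MEANING.get(v, "unknown verdict")),
                  ("BCL", lambda v: band(v, BCL_BANDS)),
                  ("PCL", lambda v: band(v, PCL_BANDS)))
    notes = [f"{k}:{fields[k]} {d(fields[k])}" for k, d in describers if k in fields]
    return notes + [f"ASF option matched: {o}" for o in fields.get("ASF", [])]
```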

Advanced Spam Filtering (ASF) Header Values

In addition to the standard headers above, you can also enable Advanced Spam Filtering options.  Each option is represented by a custom header value.  They are listed here for your convenience (again, all-in-one page), but the definitive table is located at https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx.

Advanced Spam Filtering Option Description X-header text
Increase Spam Score Section When enabled, these options set the spam confidence level (SCL) of a matched message to 5 or 6, which is considered suspected spam. The action performed on the message will match the Spam setting in your content filter policy.
Image links to remote sites When this setting is enabled, any message with HTML content that has an IMG tag that links remotely (for example, using http) will receive an increased spam score. X-CustomSpam: Image links to remote sites
Numeric IP address in URL When this setting is enabled, any message that has numeric-based URLs (most often in the form of an IP address) will receive an increased spam score. X-CustomSpam: Numeric IP in URL
URL redirect to other port When this setting is enabled, any message that contains a hyperlink that redirects the user to ports other than port 80 (regular HTTP protocol port), 8080 (HTTP alternate port), or 443 (HTTPS port) will receive an increased spam score. X-CustomSpam: URL redirect to other port
URL to .biz or .info websites When this setting is enabled, any message that contains a .biz or .info extension in the body of a message will receive an increased spam score. X-CustomSpam: URL to .biz or .info websites
Mark as Spam Section When enabled, these options set the spam confidence level (SCL) of a matched message to 9, which is considered certain spam. The action performed on the message will match the High confidence spam setting in your content filter policy.
Empty messages When this setting is enabled, any message in which the body and subject line are both empty, and which also has no attachment, will be marked as spam. X-CustomSpam: Empty Message
JavaScript or VBScript in HTML When this setting is enabled, any message that uses JavaScript or Visual Basic Script Edition in HTML will be marked as spam. Both of these scripting languages are used within an HTML message to automatically cause a specific action to occur. The browser will parse and process the script along with the rest of the document. X-CustomSpam: Javascript or VBscript tags in HTML
Frame or IFrame tags in HTML When this setting is enabled, any message that contains the <Frame> or <IFrame> HTML tag will be marked as spam. These tags are used on websites or in HTML messages to format the page for displaying text or graphics. X-CustomSpam: IFRAME or FRAME in HTML
Object tags in HTML When this setting is enabled, any message that contains the <Object> HTML tag will be marked as spam. This HTML tag allows plug-ins or applications to run in an HTML window. X-CustomSpam: Object tag in html
Embed tags in HTML When this setting is enabled, any message that contains the <Embed> HTML tag will be marked as spam. This HTML tag allows different kinds of documents of varying data types to be embedded into an HTML document. Examples include sounds, movies, or pictures. X-CustomSpam: Embed tag in html
Form tags in HTML When this setting is enabled, any message that contains the <Form> HTML tag will be marked as spam. This HTML tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient. X-CustomSpam: Form tag in html
Web bugs in HTML When this setting is enabled, any message that contains a Web bug will be marked as spam. A Web bug is a graphic that is designed to determine whether a Web page or email message has been read. Web bugs are often invisible to the recipient because they are typically added to a message as a graphic that is as small as one pixel by one pixel. Legitimate newsletters may also use this technique, although many consider this an invasion of privacy. X-CustomSpam: Web bug
Apply sensitive word list When this setting is enabled, any message that contains a word from the sensitive word list will be marked as spam. Using the sensitive word list allows easy blocking of words that are associated with potentially offensive messages. Some of these words are case sensitive. As an administrator, you cannot edit this list. Filtering against the sensitive word list is applied to both the subject and message body of a message. X-CustomSpam: Sensitive word in subject/body
SPF record: hard fail When this setting is enabled, messages that fail an SPF check (meaning they were sent from an IP address not specified in the SPF record) will be marked as spam. Turning this setting on is recommended for organizations who are concerned about receiving phishing messages.

Note: Test mode is not available for this option.

X-CustomSpam: SPF Record Fail
Conditional Sender ID filtering: hard fail When this setting is enabled, any message that hard fails a conditional Sender ID check is marked as spam. This option combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders.

Note: Test mode is not available for this option.

X-CustomSpam: SPF From Record Fail
NDR backscatter If you’re using EOP to protect on-premises mailboxes, when this setting is enabled, all legitimate non-delivery report (NDR) messages are delivered to the original sender, and all backscatter (illegitimate NDR) messages will be marked as spam. If you don’t enable this setting, then all NDRs still go through spam filtering. In this case, most legitimate messages will get delivered to the original sender while some, but not all, backscatter messages will get marked as spam. However, backscatter messages that aren’t marked as spam won’t go to the original sender, because they will go to the spoofed sender instead.

If you’re using the service to protect Exchange Online cloud-hosted mailboxes, you don’t need to configure this setting.

Note:
  • For both scenarios (on-premises and cloud-hosted mailboxes), it’s also not necessary to enable this setting for outbound mail sent through the service, as NDRs that are legitimate bounce messages will be automatically detected and delivered to the original sender.
  • Test mode is not available for this option.
Tip:
For more information about backscatter messages and EOP, see Backscatter messages and EOP.
X-CustomSpam: Backscatter NDR
Bulk mail Advanced-spam filtering of bulk email has been retired and replaced with the bulk and email threshold settings. Check out What's the difference between junk email and bulk email? and Configure your spam filter policies for more information and how to configure the settings.

Safe Attachments File Types

While this list is by no means exhaustive, it's here to give you an idea of some of the types of files that we are detonating and examining.

ACE, ADE, ADP, ANI, APP, ASP, BAS, BAT, CER, CHM, CMD, COM, CPL, CRT, CSH, DER, DLL, DOCM, DOS, EXE, FXP, GADGET, HLP, HTA, LNF, LNS, LSP, LTS, JAR, JS, JSE, KSH, LNK,
MAD, MAF, MAG, MAM, MAQ, MAR, MAS, MAT, MAU, MAV, MAW, MDA, MDB, MDE, MDT, MDW, MDZ, MSC, MSH, MSH1, MSH1xml, MSH2, MSH2xml, MSHxml, MSI, MSP, MST,
OBJ, OPS, OS2, PCD, PIF, PLG, PRF, PRG, PS1, PS1xml, PS2, PS2xml, PSC1, PSC2, PST, RAR, REG, SCF, SCR, SCT, SHB, SHS, TMP, URL,
VB, VBE, VBS, VSMACROS, VSW, VXD, W16, SWF, FLA, WS, WSC, WSF, WSH, XNK, ZIP, PDF,
Microsoft Office document formats (Outlook, Onenote, PowerPoint, Word, Excel, Visio, Project)

Whew! That's all the configuration news that's fit to print for now!

Comments (2)

  1. scott says:

    Great post, do you have any suggestions on preventing lateral movement of phishing/spam after an internal user's credentials are compromised? Very new threats that aren’t red-flagged by blocking services are still getting past my phishing filters – but I cannot find any way to deal with the next stage of the threat, an internal user mail-bombing laterally to other internal users. Thanks!

    1. We have a few things cooking for that, such as ATP features being enabled on intra-org (internal) emails, not just inbound from the internet. Our public stance is that of “assume breached,” meaning that you should act on the reality that some of your users are most likely already compromised without your knowing it. The best defense is multi-pronged:

      – multifactor authentication, requiring a token (hard or soft) to complete the logon process. MFA is natively available on all Office 365 plans; you can extend it with Azure MFA to extend to other SaaS offerings.
      – using Windows Defender ATP (https://www.microsoft.com/en-us/windowsforbusiness/windows-atp) to monitor behavior in your environment and provide breach remediation
      – Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) to detect anomalous activity
