You can easily configure the multilevel protection of Office 365 against spam, viruses, and other unwanted messages via the Exchange Admin Center. With PowerShell you can customize additional settings that affect the behavior of different filters and also notify users of actions taken.

Microsoft sets up all Office 365 tenants with several default settings. This increases the efficiency of the cloud platform. If, on the other hand, you want to configure your own settings, you must first create the prerequisites for them.

Duplicating default rules

As a first step, copy the default rules and policies for all Office 365 customers to the respective tenant so they are editable. This lets you adapt them to your own needs.

Start this process with the Enable-OrganizationCustomization command.

You only need to execute it once, and you cannot undo it. Afterwards, you can examine the current state of the tenant via its hydration status with Get-OrganizationConfig. The value False indicates that the tenant can now create its own policies.
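The check-then-enable sequence above as a small function, added here as an example and not taken from the original article. It assumes an active Exchange Online PowerShell session and reads the IsDehydrated property of Get-OrganizationConfig, which is what the text calls the hydration status:

```powershell
# Added example, not from the original article. Assumes an active Exchange
# Online PowerShell session; "hydration status" is read from the IsDehydrated
# property of Get-OrganizationConfig.
function Enable-TenantCustomizationIfNeeded {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $config = Get-OrganizationConfig

    # IsDehydrated = False means the default policies were already copied into
    # the tenant and are editable, so there is nothing left to do.
    if (-not $config.IsDehydrated) {
        Write-Verbose "Tenant '$($config.Name)' is already hydrated."
        return $false
    }

    # One-time, irreversible step: only run it after the caller confirms
    # (-WhatIf / -Confirm are handled by SupportsShouldProcess).
    if (-not $PSCmdlet.ShouldProcess($config.Name, 'Enable-OrganizationCustomization')) {
        return $false
    }

    Enable-OrganizationCustomization

    # Re-read the configuration and report the new state. Hydration can take a
    # moment, so False may only show up on a later check.
    $config = Get-OrganizationConfig
    Write-Verbose "IsDehydrated is now $($config.IsDehydrated)."
    return (-not $config.IsDehydrated)
}

# Usage: dry run first, then the real change.
Enable-TenantCustomizationIfNeeded -WhatIf
Enable-TenantCustomizationIfNeeded -Verbose
```

The function returns $true only when the tenant is hydrated after the call, so it can be used as a guard in a larger provisioning script.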

With Get-OrganizationConfig, you can see whether the tenant has its own policies

Editing the connection filter

The default connection filter has zero effect because it is not configured. While the spam filter can release or block mail addresses and domains, the connection filter concentrates purely on IP addresses and networks.

If you want to reject messages coming from certain IP addresses or exclude them from spam filtering, you have to configure mail flow rules.

You can retrieve the relevant settings with Get-HostedConnectionFilterPolicy:

Get-HostedConnectionFilterPolicy -Identity Default |
Format-Table Name, IP*, EnableSafeList

To edit the filter, use the Set-HostedConnectionFilterPolicy cmdlet. This lets you define multiple IP addresses (up to 256) and subnets, using a comma as a separator. In addition, you can subscribe to the SafeList, where Microsoft collects IP addresses from trusted senders:

Set-HostedConnectionFilterPolicy -Identity Default `
-IPAllowList 192.168.1.10,172.16.1.20 `
-IPBlockList 10.0.0.0/32,192.168.2.0/24 -EnableSafeList $true

If you want to change the IP lists, you have to be careful not to overwrite the existing entries. Therefore, using Add or Remove is mandatory. Such a command would look like this:

Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add="192.168.1.11", "192.168.1.12", "172.16.1.0/24"; Remove="192.168.2.0/24"}
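The Add/Remove pattern above wrapped in a function that reads the current lists first, as an added example that is not part of the original article. It assumes an active Exchange Online session; the entry names in the usage line are constructed samples, and the /24 to /32 prefix check reflects the CIDR range I understand these lists to accept, so treat that as an assumption:

```powershell
# Added example, not from the original article. Assumes an active Exchange
# Online session. Only entries that actually change are passed to
# Set-HostedConnectionFilterPolicy, so re-running the function is harmless.
function New-ListChange {
    param([string[]] $Add, [string[]] $Remove)
    # Build the @{Add=...; Remove=...} hashtable with only the keys that are needed.
    $change = @{}
    if ($Add)    { $change['Add']    = $Add }
    if ($Remove) { $change['Remove'] = $Remove }
    return $change
}

function Update-ConnectionFilterLists {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $Identity    = 'Default',
        [string[]] $AllowAdd    = @(),
        [string[]] $AllowRemove = @(),
        [string[]] $BlockAdd    = @(),
        [string[]] $BlockRemove = @()
    )

    # Syntax check: IPv4 address, optionally with a /24 .. /32 prefix (assumed accepted range).
    $pattern = '^(\d{1,3}\.){3}\d{1,3}(/(2[4-9]|3[0-2]))?$'
    foreach ($entry in @($AllowAdd + $AllowRemove + $BlockAdd + $BlockRemove)) {
        if ($entry -notmatch $pattern) { throw "Not an IPv4 address or /24-/32 range: $entry" }
    }

    $policy = Get-HostedConnectionFilterPolicy -Identity $Identity
    $allow  = @($policy.IPAllowList)
    $block  = @($policy.IPBlockList)

    # Keep only additions not already present and removals that actually exist.
    $addAllow    = @($AllowAdd    | Where-Object { $allow -notcontains $_ })
    $removeAllow = @($AllowRemove | Where-Object { $allow -contains $_ })
    $addBlock    = @($BlockAdd    | Where-Object { $block -notcontains $_ })
    $removeBlock = @($BlockRemove | Where-Object { $block -contains $_ })

    # Refuse a change that would leave an entry on both lists at once.
    $futureAllow = @($allow + $addAllow | Where-Object { $removeAllow -notcontains $_ })
    $futureBlock = @($block + $addBlock | Where-Object { $removeBlock -notcontains $_ })
    $conflict    = @($futureAllow | Where-Object { $futureBlock -contains $_ })
    if ($conflict) { throw "Entry on both allow and block list: $($conflict -join ', ')" }

    # Respect the limit of 256 entries per list mentioned in the text.
    if ($futureAllow.Count -gt 256) { throw 'IPAllowList would exceed 256 entries' }
    if ($futureBlock.Count -gt 256) { throw 'IPBlockList would exceed 256 entries' }

    $params = @{ Identity = $Identity }
    if ($addAllow -or $removeAllow) { $params['IPAllowList'] = New-ListChange -Add $addAllow -Remove $removeAllow }
    if ($addBlock -or $removeBlock) { $params['IPBlockList'] = New-ListChange -Add $addBlock -Remove $removeBlock }

    if ($params.Count -eq 1) {
        Write-Verbose 'Lists already match the requested state; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess($Identity, 'Set-HostedConnectionFilterPolicy')) {
        Set-HostedConnectionFilterPolicy @params
        # Show the result so the change can be verified right away.
        Get-HostedConnectionFilterPolicy -Identity $Identity | Format-List Name, IPAllowList, IPBlockList
    }
}

# Usage with constructed sample entries; drop -WhatIf to apply.
Update-ConnectionFilterLists -AllowAdd '192.168.1.11', '172.16.1.0/24' -BlockRemove '192.168.2.0/24' -WhatIf
```

Because the function never passes the full list back to the cmdlet, it cannot accidentally drop entries that somebody else added in the meantime.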

Find further information about the connection filtering function at Microsoft Docs.

Editing the spam filter (content filter)

There is also a predefined spam filter here with the name Default. This moves suspicious spam emails into the junk mail folder of the respective mailboxes. But the default filter setting omits many of the possible options, which I will discuss in more detail below.

Get-HostedContentFilterPolicy displays only a rudimentary list of supported settings.

Get-HostedContentFilterPolicy prints the settings for the spam filter

Microsoft distinguishes between spam and messages with a high spam probability. If you want to quarantine the latter instead of moving them to the junk mail folder, you can use the following command:

Set-HostedContentFilterPolicy -Identity Default -HighConfidenceSpamAction Quarantine

Increasing spam scoring

There are four options to control the rating of messages. Matching a criterion increases the message rating and makes filtering it out as spam more likely.

Parameter                             Notes
IncreaseScoreWithBizOrInfoUrls        The message contains links to domains ending in .biz or .info
IncreaseScoreWithImageLinks           The message contains images loaded from an external source
IncreaseScoreWithNumericIps           The message contains links with IP addresses instead of domain names
IncreaseScoreWithRedirectToOtherPort  The message contains links that redirect to certain ports

The following command activates these four options:

Set-HostedContentFilterPolicy -Identity Default -IncreaseScoreWithBizOrInfoUrls On `
-IncreaseScoreWithImageLinks On -IncreaseScoreWithNumericIps On `
-IncreaseScoreWithRedirectToOtherPort On

Marking emails as spam

There are several criteria for marking emails as spam. Meeting one of these criteria directly classifies the message as spam. The following table lists the options with short descriptions.

Parameter                       Notes
MarkAsSpamBulkMail              Messages recognized as bulk or graymail
MarkAsSpamEmbedTagsInHtml       Embed tags contained in HTML
MarkAsSpamEmptyMessages         Messages without any content
MarkAsSpamFormTagsInHtml        Forms contained in HTML
MarkAsSpamFramesInHtml          Frame or iframe tags in HTML
MarkAsSpamFromAddressAuthFail   The sender ID check returns an error (hard fail)
MarkAsSpamJavaScriptInHtml      JavaScript or VBScript included in HTML
MarkAsSpamNdrBackscatter        Message recognized as a nondelivery report (NDR)
MarkAsSpamObjectTagsInHtml      Object tags included in HTML
MarkAsSpamSensitiveWordList     Checks the message for specific words
MarkAsSpamSpfRecordHardFail     The Sender Policy Framework (SPF) check returns an error (hard fail)
MarkAsSpamWebBugsInHtml         Web bugs (tiny external graphics) included in HTML

You also activate these options with Set-HostedContentFilterPolicy. The following example turns on the SPF check. In general, you can pass several of these parameters in one command.

Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On
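The two tables above (the scoring options and the MarkAsSpam options) are easiest to manage as a baseline that you compare against every content filter policy and then enforce in one Set call. The following is an added example and not code from the original article; it assumes an active Exchange Online session, and the baseline hashtable is a constructed sample built only from settings named in the tables, to be adjusted to your own policy:

```powershell
# Added example, not from the original article. Assumes an active Exchange
# Online session. $SpamBaseline is a constructed sample of desired values,
# using only settings from the two tables in the text.
$SpamBaseline = @{
    IncreaseScoreWithBizOrInfoUrls       = 'On'
    IncreaseScoreWithImageLinks          = 'On'
    IncreaseScoreWithNumericIps          = 'On'
    IncreaseScoreWithRedirectToOtherPort = 'On'
    MarkAsSpamSpfRecordHardFail          = 'On'
    MarkAsSpamFromAddressAuthFail        = 'On'
    MarkAsSpamNdrBackscatter             = 'On'
    MarkAsSpamJavaScriptInHtml           = 'On'
    MarkAsSpamEmptyMessages              = 'On'
}

# Report every (policy, setting) pair that deviates from the baseline, across
# all content filter policies rather than only Default.
function Get-SpamFilterGap {
    param([hashtable] $Baseline = $SpamBaseline)

    foreach ($policy in Get-HostedContentFilterPolicy) {
        foreach ($setting in ($Baseline.Keys | Sort-Object)) {
            # These settings are an Off/On/Test enum; compare them as text.
            $actual = [string] $policy.$setting
            if ($actual -ne $Baseline[$setting]) {
                [pscustomobject] @{
                    Policy   = $policy.Name
                    Setting  = $setting
                    Expected = $Baseline[$setting]
                    Actual   = $actual
                }
            }
        }
    }
}

# Apply only the missing settings to one policy in a single Set call
# (splatting), i.e. several parameters at once as the text describes.
function Set-SpamFilterBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Identity = 'Default', [hashtable] $Baseline = $SpamBaseline)

    $gaps = @(Get-SpamFilterGap -Baseline $Baseline | Where-Object { $_.Policy -eq $Identity })
    if ($gaps.Count -eq 0) {
        Write-Verbose "$Identity already matches the baseline."
        return
    }

    $params = @{ Identity = $Identity }
    foreach ($gap in $gaps) { $params[$gap.Setting] = $gap.Expected }

    if ($PSCmdlet.ShouldProcess($Identity, "Set $($gaps.Count) spam filter setting(s)")) {
        Set-HostedContentFilterPolicy @params
    }
}

# Usage: review the gaps first, then enforce the baseline on Default.
Get-SpamFilterGap | Format-Table -AutoSize
Set-SpamFilterBaseline -Identity 'Default' -WhatIf
```

Running Get-SpamFilterGap on a schedule also catches a policy that was quietly relaxed later, which is the more common way these settings drift.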

Find further descriptions on how to adjust the spam filter here on Microsoft Docs.

Quarantine settings

To inform users by email about spam under quarantine, you have to activate the notification. In addition, you can specify the interval in days and the language of the email:

Set-HostedContentFilterPolicy -Identity Default -EnableEndUserSpamNotifications $true `
-EndUserSpamNotificationLanguage German -EndUserSpamNotificationFrequency 5

Outgoing spam messages (outbound spam)

To prevent the system from sending spam and being blacklisted, it scans outgoing messages for spam. Upon confirming the suspicion, it blocks the user in question. The following command shows that the default setting does not enable notifications about such actions:

Get-HostedOutboundSpamFilterPolicy

Get-HostedOutboundSpamFilterPolicy shows outbound spam filter settings

The following command returns detailed output, including the notification addresses:

Get-HostedOutboundSpamFilterPolicy |
fl Name, NotifyOutboundSpam, NotifyOutboundSpamRecipients, BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients

If you want to set up the notification, Set-HostedOutboundSpamFilterPolicy will do this task:

Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundMail $true `
-BccSuspiciousOutboundAdditionalRecipients suspicious-sender@buerkit.de `
-NotifyOutboundSpam $true -NotifyOutboundSpamRecipients outboundspam-alert@buerkit.de

A check confirms the successful execution of the command:

Check settings previously configured with Set-HostedOutboundSpamFilterPolicy

Microsoft explains how outgoing message scanning works with Office 365 in this article.

You can configure additional notifications for different actions in the Security and Compliance Center under the notification policies.

Malware filter

You can retrieve the responsible standard filter via Get-MalwareFilterPolicy.

View malware filter settings with Get-MalwareFilterPolicy

Unfortunately, the default setting for the filter only quarantines malware messages; it does not generate alerts. Thus, neither the sender nor the recipient of a mistakenly intercepted mail learns that the message was deleted.

Only the administrator can release the message from quarantine via the Security and Compliance Center. However, the Exchange Admin Center does not display the messages deleted by the malware filter in quarantine. For more information about quarantine, click here.

Administrators can release intercepted messages from quarantine in the Security and Compliance Center

Notifications for deleted messages and attachments

If you want EOP to notify you about intercepted mail, it offers several possibilities. It distinguishes between internal and external senders of malware mails. In addition, it can also inform an administrator.

To notify the sender of a deleted message, you must configure the following settings:

Set-MalwareFilterPolicy -Identity "Default" `
-Action DeleteAttachmentAndUseDefaultAlertText `
-EnableInternalSenderNotifications $true -EnableExternalSenderNotifications $true

To notify an administrator, use the following command:

Set-MalwareFilterPolicy -Identity "Default" -EnableInternalSenderAdminNotifications $true `
-EnableExternalSenderAdminNotifications $true `
-InternalSenderAdminAddress mailadmin@buerkit.de `
-ExternalSenderAdminAddress mailadmin@buerkit.de

The administrator and the sender will then receive a notification of the undeliverability of a message.

You can check the malware filter by sending an email with content intended for this purpose

Blocking attachments using the malware filter

If you want to block attachments with executable files in general, the malware filter can also do this. The following command ensures removal of files with the respective extensions:

Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true
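Since the outbound spam section and the malware filter section both come down to "notifications are off by default", it is worth having one check that reports the gaps in both policy types. The following is an added example, not code from the original article; it assumes an active Exchange Online session and only inspects the properties named in those two sections:

```powershell
# Added example, not from the original article. Assumes an active Exchange
# Online session. Returns one object per gap so the output can be piped to
# Format-Table, Export-Csv or a ticketing script.
function Get-FilterNotificationGap {
    $findings = [System.Collections.Generic.List[object]]::new()

    # Small helper so each check reads as one line.
    function Add-Finding([string] $Kind, [string] $Policy, [string] $Text) {
        $findings.Add([pscustomobject] @{ Filter = $Kind; Policy = $Policy; Finding = $Text })
    }

    foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
        if (-not $p.NotifyOutboundSpam) {
            Add-Finding 'OutboundSpam' $p.Name 'NotifyOutboundSpam is off: blocked senders go unnoticed'
        } elseif (@($p.NotifyOutboundSpamRecipients).Count -eq 0) {
            Add-Finding 'OutboundSpam' $p.Name 'NotifyOutboundSpam is on but no recipient is configured'
        }
        if ($p.BccSuspiciousOutboundMail -and @($p.BccSuspiciousOutboundAdditionalRecipients).Count -eq 0) {
            Add-Finding 'OutboundSpam' $p.Name 'BccSuspiciousOutboundMail is on but no recipient is configured'
        }
    }

    foreach ($m in Get-MalwareFilterPolicy) {
        if (-not $m.EnableInternalSenderAdminNotifications -or -not $m.InternalSenderAdminAddress) {
            Add-Finding 'Malware' $m.Name 'No admin notification for malware from internal senders'
        }
        if (-not $m.EnableExternalSenderAdminNotifications -or -not $m.ExternalSenderAdminAddress) {
            Add-Finding 'Malware' $m.Name 'No admin notification for malware from external senders'
        }
        if (-not $m.EnableFileFilter) {
            Add-Finding 'Malware' $m.Name 'Attachment file filter (EnableFileFilter) is off'
        }
    }

    return $findings
}

# Usage: an empty result means every policy is configured as described above.
Get-FilterNotificationGap | Format-Table -AutoSize
```

The recipient checks matter because turning a Notify* or Bcc* switch on without an address silently produces no mail, which looks identical to the default state from the admin's point of view.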

For more information about malware filtering, visit Microsoft Docs.

Checking the protection features

You can test the antispam functions of systems from different manufacturers with a special test message (GTUBE). To check their operation, actions, and notifications, it must contain the following text:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

To test the malware filter, the corresponding message looks like this:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Conclusion

Overall, the basic version of Office 365 already includes adequate protection against spam and viruses. In addition, it's a good idea to implement Advanced Threat Protection, for example, against phishing attacks, exploits, and zero-day attacks.


© 4sysops 2006 - 2023
