

Exchange Online Protection Troubleshooting Guide

Below you will find various links necessary to troubleshoot Exchange Online Protection issues. The list has been compiled to go over various areas of expertise that you will run into when dealing with Exchange online Protection.

 

Exchange Online Protection Complete Guide:

 

1. Customize your SPF record

https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

 

2. Find and release quarantined messages as an end user

https://technet.microsoft.com/en-us/library/dn683870%28v=exchg.150%29.aspx

(Access: https://admin.protection.outlook.com/quarantine)

 

3. SPF Hard Fail On

https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx

 

4. High Risk Delivery Pool

https://technet.microsoft.com/en-us/library/jj200746(v=exchg.150).aspx

 

5. Outbound spam

https://technet.microsoft.com/en-us/library/dn600434(v=exchg.150).aspx

 

6. Connect to PowerShell

https://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

 

7. Get Transport Rules

https://technet.microsoft.com/en-us/library/aa998585(v=exchg.150).aspx

 

8. Export Content Filtering Policy

https://technet.microsoft.com/en-us/library/jj200764(v=exchg.150).aspx

 

9. Rules to block executable files

https://support.microsoft.com/kb/2959596

 

10. Information on EOP improvements.

https://blogs.office.com/2014/10/15/evolving-exchange-online-protection-eop-protect-tomorrows-threats/

https://blogs.office.com/2015/01/20/enhanced-email-protection-dkim-dmarc-office-365/

 

11. Submitting false positives to Microsoft + Outlook Junk Add-in

https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

 

12. Blocked Sender / Safe Senders in Office 365

https://support.microsoft.com/kb/2545137?wa=wsignin1.0

 

13. Virus

1) Submit it here: https://www.microsoft.com/security/portal/submission/submit.aspx.

2) Submit the samples AS A PASSWORD-PROTECTED ATTACHMENT (and send the password in the body of your email) to the junk@office365.microsoft.com alias, following the spam submission process here: https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx. This adds anti-spam protection against the message as well, since the spam analysts can then also mark it as spam.

3) Make sure you have a rule in EOP that blocks executable content: https://support.microsoft.com/kb/2959596

4) Keep your operating systems and 3rd-party software (such as Adobe Acrobat Reader, Flash, Java, etc.) updated with the latest security updates.

 

 

14. DMARC:

Introduction: https://blogs.msdn.com/b/tzink/archive/2014/11/04/a-brief-introduction-to-dmarc.aspx

Use DMARC in Office 365: https://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx

Use DKIM + DMARC in O365: https://blogs.office.com/2015/01/20/enhanced-email-protection-dkim-dmarc-office-365/

Use DMARC to Prevent Spoofing: https://blogs.technet.com/b/eopfieldnotes/archive/2015/02/26/using-dmarc-to-prevent-spoofing.aspx

Strategies to mitigate Phishing attempts (video): https://blogs.technet.com/b/eopfieldnotes/archive/2015/05/29/support-hot-topics-strategies-to-mitigate-phishing-attempts.aspx

 

15. Malware and ATP:

Enable notifications when malware is detected and deleted: https://technet.microsoft.com/en-us/library/jj200745(v=exchg.150).aspx.

Find answer to common anti-malware questions on the FAQ: https://technet.microsoft.com/en-us/library/jj200664(v=exchg.150).aspx.

Go over these tips to prevent Zero-Day malware: https://blogs.technet.com/b/eopfieldnotes/archive/2015/06/08/tips-to-prevent-zero-day-malware-with-eop.aspx and reduce Zero-Day threats (video): https://blogs.technet.com/b/eopfieldnotes/archive/2015/06/26/support-hot-topics-reducing-the-threat-of-zero-day-malware.aspx.

Advanced Threat Protection is now GA: https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/. It adds the Safe Links and Safe Attachments protection layers. Once you’re set up with ATP, here’s the technical reference on ATP you should find useful: https://technet.microsoft.com/en-us/library/mt148491(v=exchg.150).aspx.

When submitting zero-day malware samples to Microsoft, it’s important to do so as soon as possible after detection so that anti-virus definitions can be updated quickly. Use your Microsoft (Live ID) account to be notified once the definition updates are in place: https://www.microsoft.com/security/portal/submission/submit.aspx.

The vast majority of known malware can be stopped using Transport Rules with content and attachment scanning: we suggested that you move your existing attachment-blocking and executable-blocking rules to top priority (0 and 1): https://support.microsoft.com/kb/2959596. Review how to create a transport rule to evaluate and take action on DMARC failures: https://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx, and check which transport rules triggered: https://blogs.technet.com/b/eopfieldnotes/archive/2015/04/22/need-details-on-who-and-what-are-triggering-your-transport-rules-there-39-s-a-cmdlet-for-that.aspx. Use PowerShell to find or export the ID or other details of your existing rules: https://technet.microsoft.com/en-us/library/aa998585(v=exchg.150).aspx.

 

16. Spam+Bulk Filtering:

Spam filter policies: https://technet.microsoft.com/en-us/library/jj200684%28v=exchg.150%29.aspx. The new Spam Filter Allow and Block Lists are explained here: https://blogs.technet.com/b/eopfieldnotes/archive/2015/06/19/an-introduction-to-the-new-spam-filter-allow-and-block-lists.aspx. Bulk mail filtering, and how lowering the threshold from 7 to 6 or 5 can help you catch more bulk mail spam: https://blogs.office.com/2014/11/24/block-spam-holiday-season-new-enhanced-bulk-mail-experience-eop/.

 

17. Connection filtering:

We saw a number of allowed IP ranges that can probably be reduced to the bare minimum. Also note that if any of those IPs are compromised and start sending spam, you might want to reconsider whether you want to bypass spam scanning for them: https://technet.microsoft.com/en-us/library/jj200718(v=exchg.150).aspx

 

18. Customize your SPF record:

We discussed how you should change your current SPF configuration, which includes “outlook.com”, to include “spf.protection.outlook.com” instead, per the article, to minimize the number of DNS queries on your records: https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx. We touched on the Advanced Spam Filtering options, and that the essential option of SPF Hard Fail (inbound SPF checks), which protects against spoofed messages, is already turned ON: https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx
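The following PowerShell function is an added example and is not part of the TechNet article linked above. It reads a domain's SPF TXT record and reports whether it carries the EOP include (include:spf.protection.outlook.com), whether the legacy include:outlook.com is still present, whether the record ends with a hard-fail qualifier (-all), and how many lookup-causing terms it contains (RFC 7208 allows at most 10 DNS lookups per evaluation, which is why the extra include matters). It assumes the Resolve-DnsName cmdlet from the Windows DnsClient module; the domain name and the two sample records are constructed placeholders.

```powershell
# Added example, not the article's own code: check a domain's SPF record for the
# EOP include, the legacy outlook.com include, a hard-fail qualifier and the number
# of DNS-lookup terms. Requires Resolve-DnsName (DnsClient module, Windows 8 /
# Server 2012 or later). Pass -Record to test a record string offline instead.
function Test-EopSpfRecord {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Record
    )
    if (-not $Record) {
        $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop
        # A TXT record may be split into several strings; join them before inspecting
        $Record = $txt | ForEach-Object { $_.Strings -join '' } |
                  Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    }
    if (-not $Record) {
        return [pscustomobject]@{ Domain = $Domain; Found = $false }
    }
    $terms = $Record.Trim() -split '\s+'
    # Mechanisms and modifiers that cost a DNS lookup when the record is evaluated
    $lookupTerms = $terms | Where-Object {
        $_ -match '^[+\-~?]?(include:|exists:|a(:|/|$)|mx(:|/|$)|ptr)' -or $_ -match '^redirect='
    }
    [pscustomobject]@{
        Domain        = $Domain
        Found         = $true
        Record        = $Record
        HasEopInclude = ($terms -contains 'include:spf.protection.outlook.com')
        LegacyInclude = ($terms -contains 'include:outlook.com')
        HardFail      = ($terms[-1] -eq '-all')
        LookupCount   = @($lookupTerms).Count
    }
}

# Constructed sample records for illustration (not real DNS data):
Test-EopSpfRecord -Domain 'contoso.example' -Record 'v=spf1 include:outlook.com ~all'
Test-EopSpfRecord -Domain 'contoso.example' -Record 'v=spf1 include:spf.protection.outlook.com -all'
# Live check of your own domain (placeholder name):
# Test-EopSpfRecord -Domain 'yourdomain.example'
```

The first sample record reports LegacyInclude = True and HardFail = False (the ~all soft-fail qualifier), which is the configuration the paragraph above recommends moving away from; the second reports HasEopInclude = True and HardFail = True.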

 

19. Outbound spam:

The current outbound spam policies, although defined to send to an address, are probably underutilized. We advised separating the HRDP notifications from the blocked senders notifications, so that you are alerted in real time to the more critical outbound spam issues: https://technet.microsoft.com/en-us/library/dn600434(v=exchg.150).aspx

 

20. False Positives / False Negatives:

Submit junk and non-junk to Microsoft (see the updated addresses in the article). You noted that the Outlook Junk Add-in installed on end-user machines is probably underutilized. In that regard, user education plays an important role in getting timely submissions: https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

========================================================================================================================================

More information:

Blocked Sender / Safe Senders in Office 365

https://support.microsoft.com/kb/2545137?wa=wsignin1.0

 

PowerShell:

Connect to PowerShell

https://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

 

List of all available cmdlets, including reporting and mail flow:

https://technet.microsoft.com/en-us/library/jj200780(v=exchg.150).aspx

 

Reporting:

https://technet.microsoft.com/en-us/library/jj200725(v=exchg.150).aspx

https://blogs.technet.com/b/eopfieldnotes/archive/2015/06/12/scheduling-mail-reports-in-office-365.aspx

 

 

Macro viruses:

 

The purpose of a macro is to automate frequently used tasks. Although some macros are simply a recording of your keystrokes or mouse clicks, more powerful VBA macros are authored by developers who use code that can run many commands on your computer. For this reason, VBA macros pose a potential security risk because a hacker can introduce a malicious macro through a document that, if opened, allows the macro to run and potentially spread a virus on your computer.

Safe Attachments is a feature in ATP that opens every unknown attachment of a supported file type in a special hypervisor environment and helps detect malicious activity. It is designed to help detect malicious attachments even before anti-virus signatures are available. Safe Attachments will detonate attachment types that are common targets for malicious content, such as Office documents, PDFs, executable file types, and Flash files.

    • Block executable content by creating an Exchange Transport Rule, https://support.microsoft.com/en-us/kb/2959596
    • Block particular malicious attachments. For increased protection, we also recommend using Transport rules to block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh. This can be done by using the Any attachment file extension includes these words condition. Refer to EOP Best Practices documentation: https://technet.microsoft.com/EN-US/library/jj723164(v=exchg.150).aspx
    • Customize your company’s SPF record to change it to Hard Fail. https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx
    • Turn SPF Hard Fail On to mark all messages that fail SPF checks as spam, so that they are quarantined. https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx

    • See how DMARC can help against spoofing:

Introduction: https://blogs.msdn.com/b/tzink/archive/2014/11/04/a-brief-introduction-to-dmarc.aspx

Use DMARC in Office 365: https://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx

Use DKIM + DMARC in O365: https://blogs.office.com/2015/01/20/enhanced-email-protection-dkim-dmarc-office-365/

Use DMARC to Prevent Spoofing: https://blogs.technet.com/b/eopfieldnotes/archive/2015/02/26/using-dmarc-to-prevent-spoofing.aspx

Strategies to mitigate Phishing attempts (video): https://blogs.technet.com/b/eopfieldnotes/archive/2015/05/29/support-hot-topics-strategies-to-mitigate-phishing-attempts.aspx
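The PowerShell below is an added example, not a script from the page or from Microsoft. It implements the transport-rule recommendations from section 15 (executable and attachment blocking at priority 0 and 1, a rule acting on DMARC failures, and exporting the rule list) together with the extension list from the Macro viruses section above. It assumes an already established Exchange Online PowerShell session (see "Connect to PowerShell" above). The rule names, the reject texts and the export path are placeholders; the Authentication-Results match string follows the DMARC-in-Office-365 article linked above, and the property names selected from the rule-hit report are taken as an assumption from that cmdlet's documentation.

```powershell
# Added example, not the page's own code. Requires an Exchange Online PowerShell
# session (Connect to PowerShell, above). Rule names, texts and paths are placeholders.

# Extension list from the "Macro viruses" section above.
$blockedExtensions = 'ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt','hlp','ht','hta',
    'inf','ins','isp','job','js','jse','lnk','mda','mdb','mde','mdz','msc','msi','msp','mst',
    'pcd','reg','scr','sct','shs','url','vb','vbe','vbs','wsc','wsf','wsh'

# 1. Block attachments whose content is executable (KB 2959596), regardless of the
#    file name, and put the rule at the top of the evaluation order (priority 0).
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted.' `
    -Priority 0

# 2. Block the listed extensions with the "Any attachment file extension includes
#    these words" condition, directly below the executable rule (priority 1).
New-TransportRule -Name 'Block risky attachment extensions' `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText 'This attachment type is not accepted.' `
    -Priority 1

# 3. Act on DMARC failures. EOP writes its verdict into the Authentication-Results
#    header; "dmarc=fail action=oreject" means the sending domain's policy asked for
#    rejection. Quarantining instead of deleting keeps false positives recoverable.
New-TransportRule -Name 'Quarantine DMARC reject failures' `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail action=oreject' `
    -Quarantine $true

# 4. Confirm the ordering and export name, GUID, priority and state of every rule.
Get-TransportRule | Sort-Object Priority |
    Select-Object Priority, Name, Guid, State |
    Export-Csv -Path 'C:\Temp\TransportRules.csv' -NoTypeInformation

# 5. See which rules actually fired over the last week ("there's a cmdlet for that").
#    Property names are an assumption based on the cmdlet's documentation.
Get-MailDetailTransportRuleReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object Date, SenderAddress, RecipientAddress, TransportRule, Action |
    Format-Table -AutoSize
```

Run steps 1 and 2 before any existing allow-style rules so that a later rule cannot deliver an attachment the blocking rules would have rejected; Get-TransportRule in step 4 is the quick way to verify that nothing else has slipped in at priority 0 or 1.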