Exchange Online Protection - Center

IT Insights
A service of Microsoft IT Showcase
Microsoft IT enhances security and reliability
with Exchange Online Protection
June 2015
Microsoft IT uses Exchange Online Protection as a service to block and filter
spam and other malicious email. In addition, they have developed tools and
processes to help manage the service and minimize such threats. This article
describes how Microsoft IT uses Exchange Online Protection and other
measures to reduce email security vulnerabilities.
Executive summary
Exchange Online Protection (EOP), which is part of Office 365, blocks email threats at various
levels. As part of the migration from Exchange On-Premises to Exchange Online, Microsoft IT
chose to use EOP as the email filtering service.
This article describes the value that EOP provides at various levels of protection and how
Microsoft IT uses EOP, from configuring its features to obtaining data about filtering activity by
downloading EOP service reports. This article also suggests best practices for using EOP.
Exchange Online Protection
EOP is a cloud-based email filtering service that is a part of Office 365. EOP blocks threats at different
levels, some of which can be configured using a web-based management tool. Although EOP can take
care of most threats, the service still has to be managed. To do this effectively, Microsoft IT monitors the
changing landscape of external threats (see the Best Practices section). Microsoft IT uses EOP to
automatically block external threats at the connection, content, and user levels, as described in the
following sections.
Blocking threats at the connection level
EOP first scans at the connection level using a list of known malicious IP addresses. If email comes
from the IP address of a known source of spam, EOP blocks the mail outright. Similarly, EOP detects
when a sender attempts too many connections in a short time; in such a case, it suspects a denial-of-service attack and temporarily blocks that sender’s IP address.
The IP allow list
Using EOP, Microsoft IT manages a list of IP addresses that are considered safe. Microsoft does
business with many external partners, including hardware suppliers and companies that offer services
(including employee benefits) to users at Microsoft. Some of these partners send newsletter updates
to Microsoft users. Although some of these newsletters might contain otherwise suspicious content—
for example, links to images hosted elsewhere or an unsubscribe link—Microsoft does not want to
filter out mail from these partners. Therefore, those partners are placed on the managed “allow” list.
Blocking threats at the content level
EOP lets Microsoft IT filter spam in a granular way. They use different EOP features to apply spam
filtering at varying levels to comply with the company’s security policies. To do this accurately,
Microsoft performed a business analysis and then adjusted the EOP spam-filtering rules accordingly.
The level of spam filtering differs between businesses.
For content-level filtering, the corporate email service team partners closely with the corporate
security team. For example, the email service team can mark messages that contain elements such as
image links to remote sites, URL redirects, or particular trigger words (“stop” words) as spam. The
filters for potential threats can be turned on or off individually.
Marking a message as spam
When a message is not rejected but is identified as spam, the EOP service sets an “X-Header” in the
message that states, “This message is spam.” (X-Headers are string properties that contain
information that a server can set in a message.) Then, in Exchange Online, the email service team
searches for that X-Header. If an X-Header is present in a message, they set the spam confidence level
(SCL) to six, which routes the mail to the user’s Junk Mail folder. Any message with an SCL higher than
six goes to the Junk Mail folder.
Because EOP is a cloud service and Microsoft uses Exchange Online, this routing takes place in the
cloud. EOP submits SCL-marked messages to Exchange Online, which contains the transport rules that
do the filtering. Users can set rules that instruct Exchange Online to move messages into folders of
their choosing.
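The X-header to SCL routing described above, expressed as an Exchange Online transport rule. This is an added example rather than the article's own configuration; the header name and value are assumed placeholders, since the article does not give the exact header EOP sets.

```powershell
# Added example (not from the article). EOP stamps a header on mail it classifies
# as spam; a transport rule in Exchange Online matches that header and sets
# SCL 6 so the message lands in the user's Junk Email folder.
# In practice EOP records its verdict in X-Forefront-Antispam-Report (SFV:SPM);
# the article describes a separate text header, so placeholders are used here.
$headerName  = 'X-Contoso-Spam'          # placeholder header name
$headerValue = 'This message is spam'    # value quoted in the article

New-TransportRule -Name 'EOP spam header -> SCL 6' `
    -HeaderContainsMessageHeader $headerName `
    -HeaderContainsWords $headerValue `
    -SetSCL 6 `
    -Comments 'Route EOP-flagged mail to Junk Email by SCL'

# Verify the rule exists, is enabled, and carries the expected action
Get-TransportRule -Identity 'EOP spam header -> SCL 6' |
    Format-List Name, State, Priority, HeaderContainsMessageHeader, HeaderContainsWords, SetSCL
```

Because user-level Safe Senders lists are evaluated after this rule, a sender a user has trusted still reaches the inbox even when the rule has set SCL 6.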
Using EOP to activate transport rules
Exchange Online also uses various transport rules that can be configured in many ways, such as for
restricting access to email content. This is done through EOP, where the email service team can
automatically apply rights management to specific email messages.
Microsoft uses transport rules when they have services that send sensitive information, such as
passwords. The transport rules are not based on the content of messages, but rather the justification
for sending messages. The businesses that use these transport rules—such as the Xbox team—must
first present that justification to Microsoft IT. And, for example, if a business wants to restrict access to
messages that are sent to a certain distribution list, they can do so using transport rules.
Reacting to threats by blocking attachments, SMTP addresses, or mailboxes
Microsoft IT proactively blocks threats by applying transport rules or spam filtering to move mail to
the Junk Mail folder. But in other cases, they must react, for example, to incidents of harassment, new
spam outbreaks, and new malware attacks. Microsoft IT has set up specific transport rules to deal with
such threats. If, for example, malicious content is contained in a .gif file, Microsoft IT can react by
blocking .gif attachments.
Microsoft IT has configured the following transport rules to react to specific types of threats:
- Block by IP address
- Block by sender domain
- Block by sender email address
- Allow by IP address
- Allow by sender domain
- Allow by sender email address
It is also possible to set rules about attachment types and SMTP addresses or use connection filtering,
which was described in an earlier section.
Each business can apply its own rules using EOP. Two common spam-trigger phrases are “investment
decision” and “stock alert.” These phrases might be blocked within Microsoft corporate email;
however, in an investment or brokerage firm, these phrases might be completely legitimate and might
not be blocked.
Reactive action is also usually called for when incidents have been escalated to the Helpdesk.
Microsoft IT processes allow Helpdesk to take action by changing transport rules. This is considered a
“break-fix” situation—Helpdesk makes a fix and then informs the Exchange service team. Because
Helpdesk works 24/7 and they fix problems in real time, they must be able to take immediate action.
For example, Microsoft IT might use a rule that allows four IP addresses; Helpdesk could change this
list so that it blocks or allows additional addresses.
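The block and allow rules listed above, and the Helpdesk break-fix change to an IP allow list, as EOP policy edits in remote PowerShell. This is an added example, not Microsoft IT's tooling; the IP addresses, domains and addresses are constructed sample values and the log path and ticket id are assumptions.

```powershell
# Added example (not from the article). 'Default' is the standard policy name
# in an EOP tenant; all other values below are constructed samples.

# Connection-level: allow and block by IP address (CIDR ranges are accepted).
# Note: mail from an allow-listed IP skips spam filtering but still goes
# through malware filtering.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = '203.0.113.0/24'} `
    -IPBlockList @{Add = '198.51.100.17'}

# Content-level: allow and block by sender domain and sender address
Set-HostedContentFilterPolicy -Identity Default `
    -AllowedSenderDomains @{Add = 'partner-newsletter.example'} `
    -BlockedSenderDomains @{Add = 'spam-source.example'} `
    -BlockedSenders       @{Add = 'bulk@spam-source.example'}

# Helpdesk "break-fix" helper: validate the entry, avoid duplicates, and leave
# an audit trail the Exchange service team can review afterwards.
function Add-EopIPAllowEntry {
    param(
        [Parameter(Mandatory)][string]$IPAddress,   # single address only
        [Parameter(Mandatory)][string]$Ticket       # helpdesk ticket id
    )
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$null)) {
        throw "Not a valid IP address: $IPAddress"
    }
    $policy = Get-HostedConnectionFilterPolicy -Identity Default
    if ($policy.IPAllowList -contains $IPAddress) {
        Write-Warning "$IPAddress is already on the allow list"
        return
    }
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $IPAddress}
    "$(Get-Date -Format o) $Ticket allow $IPAddress" |
        Add-Content -Path '.\eop-allowlist-changes.log'   # assumed log location
}

Add-EopIPAllowEntry -IPAddress '203.0.113.77' -Ticket 'HD-0001'
```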
Other important ways that EOP can be configured for content-level threats are:
- Intercepting email in transit. In cases such as personal harassment, suspicious activity, or an
internet mail storm, Microsoft IT uses intercept rules. Intercept rules stop one or more messages in
transit or forward messages to a security mailbox, particularly if an investigation is called for.
- Detecting malware. Anti-malware filtering is built into EOP, so if a message contains a virus it is
deleted. Because EOP is a managed service, virus signatures are kept up-to-date. EOP customers
do not need to check for signature updates.
- Blocking executables. One of the Microsoft IT security policies is a transport rule that blocks
users from sending .exe files as attachments. This rule can be modified to allow internal users to
send .exe files but to block the delivery of .exe files from outside the organization. To block
executables, Microsoft IT searches the multipurpose internet mail extensions (MIME) encoding of
the file instead of just examining the file extension, which can be altered by the sender.
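Two transport rules in the spirit of the executable-blocking and intercept configurations above, plus the reactive attachment-type block mentioned earlier (.gif). This is an added example, not the article's configuration; rule names, the suspect sender, the security mailbox and the case id are assumed placeholders.

```powershell
# Added example (not from the article). All names and addresses are placeholders.

# 1. Block executables arriving from outside the organization. The predicate
#    inspects attachment content, so renaming payload.exe to payload.txt does
#    not get past it; internal senders are unaffected because of -FromScope.
New-TransportRule -Name 'Block external executable attachments' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted from external senders.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 2. Reactive block by attachment type, for an outbreak carried in .gif files.
#    Extension matching is weaker than content inspection, so this is a
#    temporary measure and the comment records why it exists.
New-TransportRule -Name 'Temporary: block .gif attachments' `
    -AttachmentExtensionMatchesWords 'gif' `
    -DeleteMessage $true `
    -Comments 'Outbreak response; review and remove after the incident'

# 3. Intercept: divert mail matching an investigation's criteria to a security
#    mailbox instead of delivering it, and stop further rule processing.
New-TransportRule -Name 'Intercept: case SEC-0001' `
    -From 'suspect@external.example' `
    -RedirectMessageTo 'security-intake@contoso.example' `
    -StopRuleProcessing $true `
    -Comments 'Investigation SEC-0001; remove when case closes'

# Confirm the rules are enabled and check their relative priority
Get-TransportRule |
    Where-Object { $_.Name -like 'Block external*' -or $_.Name -like 'Temporary:*' -or $_.Name -like 'Intercept:*' } |
    Select-Object Priority, Name, State
```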
Blocking threats at the user level
Users can institute their own level of blocking. The Block Senders and Safe Senders (or “Allowed
Senders”) lists are built into the Outlook client and Exchange (Outlook Web App) along with other
rules for actions on email. Microsoft IT lets users maintain their own lists of these types. This means
that even if a message is marked as spam, it will still be delivered to the user’s inbox if it comes from a
sender on the Allowed Senders list. Because these lists are synced to and reside in Exchange Online,
they are invoked right after the filtering and transport rules of EOP are invoked. These user-level rules
are the final filters on the message before it is delivered.
An admin can run the Set-MailboxJunkEmailConfiguration cmdlet in the Exchange Management Shell
(PowerShell). This is the server command that an admin can run to create settings for a particular user;
Microsoft IT typically uses it to respond to escalations or questions from a support team. For example,
a team might submit a list of 15 users that they do not want filtered as Junk mail. In these special
circumstances, Microsoft IT runs this command to update the list for them on the server.
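The escalation described above, handled with Set-MailboxJunkEmailConfiguration for a list of mailboxes a support team submitted. This is an added example, not Microsoft IT's script; the CSV rows and addresses are constructed sample data.

```powershell
# Added example (not from the article). The request below is constructed
# sample data standing in for the list a support team would submit.
$request = @'
Mailbox
user01@contoso.example
user02@contoso.example
'@ | ConvertFrom-Csv

$trustedSender = 'alerts@partner.example'   # sender the team wants delivered, not junked

foreach ($row in $request) {
    $cfg = Get-MailboxJunkEmailConfiguration -Identity $row.Mailbox
    if ($cfg.TrustedSendersAndDomains -contains $trustedSender) {
        Write-Verbose "$($row.Mailbox): sender already trusted" -Verbose
        continue
    }
    # @{Add=...} appends to the user's own Safe Senders list instead of
    # overwriting entries the user maintains in Outlook.
    Set-MailboxJunkEmailConfiguration -Identity $row.Mailbox `
        -TrustedSendersAndDomains @{Add = $trustedSender}
    # To stop junk filtering for the mailbox entirely (broader change), use
    # -Enabled $false instead of adding individual senders.
}

# Report the resulting state for the ticket
foreach ($row in $request) {
    Get-MailboxJunkEmailConfiguration -Identity $row.Mailbox |
        Select-Object Identity, Enabled,
            @{ n = 'TrustedCount'; e = { $_.TrustedSendersAndDomains.Count } }
}
```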
Windows Anti-Virus
Windows Anti-Virus software is also present at the user level by policy. Whatever anti-virus software is
on a user’s computer remains available to them, and protects them in other ways; however, this
software is not controlled by Exchange service management. Such software is used, for example,
to scan downloads from email or when a user moves a file out of their mailbox onto the hard drive.
Blocking other threats
Setting up connectors for secure email flow
Microsoft wants to exchange mail with its business partners as securely as possible. To establish
secure communication with a partner, Microsoft IT sets up inbound and outbound connectors with a
partner and then configures inbound and outbound Transport Layer Security (TLS) on each connector
using a certificate. TLS is an encryption protocol that provides security for communications over the
Internet. Connectors can be created and edited for EOP in the Exchange admin center.
Microsoft IT enforces TLS for specific recipients by specifying the partner’s domain. This means that
any mail to or from that partner’s domain uses TLS encryption. In addition, they can send mail using
Opportunistic TLS. This means that if the partner’s system supports TLS, the mail is sent with TLS. If
their system does not support TLS, the mail steps down to standard delivery.
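The partner connectors described above, with TLS enforced for one partner domain next to the default opportunistic TLS path. This is an added example, not Microsoft IT's configuration; the partner domain and certificate name are placeholders.

```powershell
# Added example (not from the article). Partner domain and certificate
# subject are placeholders; adjust to the partner's real values.
$partner = 'partner.example'

# Inbound: accept mail claiming to be from the partner only over TLS, and only
# when the sending server presents the partner's certificate. Without the
# certificate restriction, anyone could send "from" the partner domain and
# still be treated as the partner.
New-InboundConnector -Name "Inbound from $partner" `
    -ConnectorType Partner `
    -SenderDomains $partner `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "*.$partner"

# Outbound: require TLS and validate that the receiving server's certificate
# matches the partner domain before any message is handed over.
New-OutboundConnector -Name "Outbound to $partner" `
    -ConnectorType Partner `
    -RecipientDomains $partner `
    -TlsSettings DomainValidation `
    -TlsDomain $partner

# Mail to every other domain uses opportunistic TLS: encrypted when the
# receiving server offers STARTTLS, plain SMTP otherwise. Review which outbound
# connectors enforce TLS and which would permit that fallback.
Get-OutboundConnector | Select-Object Name, RecipientDomains, TlsSettings, TlsDomain, Enabled
```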
Using EOP for directory-based edge blocking
The Directory Based Edge Blocking (DBEB) feature in Exchange Online and EOP lets users reject
messages for invalid recipients at the service network perimeter. By using DBEB, Microsoft IT can
specify recipients in Office 365 and then block messages sent to addresses that are not specified. In
other words, if the recipient address is not present in Exchange Online, it is rejected.
In the hybrid system that is used at Microsoft, Microsoft IT uses DBEB to decrease impact on their on-premises transport servers. They configured routing to move mail to EOP, then to Exchange Online,
and finally to the on-premises organization. DBEB is configured to relieve the on-premises
organization of as much bandwidth as possible. Microsoft IT found that DBEB increases efficiency
of the on-premises transport servers by relieving them of much undeliverable traffic—tens of
thousands of email messages daily.
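Enabling DBEB for an accepted domain, with the precondition check that matters in a hybrid deployment. This is an added example rather than Microsoft IT's procedure; the domain and sample recipient are placeholders.

```powershell
# Added example (not from the article). Domain and recipient are placeholders.
$domain = 'contoso.example'

# DBEB is active only for domains of type Authoritative. An InternalRelay
# domain passes mail for unknown recipients through to on-premises servers,
# which is the traffic DBEB is meant to stop at the edge.
Get-AcceptedDomain | Select-Object Name, DomainName, DomainType

# Precondition: every valid on-premises recipient must already be represented
# in Exchange Online (via directory synchronization). Otherwise DBEB rejects
# legitimate mail for those users with an unknown-recipient error.
$sampleOnPremUser = 'onprem.user@contoso.example'
if (-not (Get-Recipient -Identity $sampleOnPremUser -ErrorAction SilentlyContinue)) {
    throw "$sampleOnPremUser is not known to Exchange Online; complete directory sync before enabling DBEB"
}

# Switch the domain to Authoritative, which turns on DBEB for it
Set-AcceptedDomain -Identity $domain -DomainType Authoritative
Get-AcceptedDomain -Identity $domain | Select-Object DomainName, DomainType
```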
Best practices
To set up EOP, Microsoft IT pointed the organization’s mail exchanger record (MX record) to EOP.
EOP accepts mail for the organization and filters it. Then, all email that arrives for Microsoft is
delivered to EOP, where it is scanned. EOP can be managed through the Exchange Admin Center, the
web-based management portal, or by using remote PowerShell. (For more information, see:
https://technet.microsoft.com/en-us/library/jj723153(v=exchg.150).aspx)
Obtaining EOP service reports
Microsoft IT obtains detailed reports by downloading Excel spreadsheets that contain data about
filtering activity. EOP users can download these reports from the Microsoft Download page (link
provided in Resources section). These reports are used to review and analyze the service, and contain
information such as the amount of spam that has arrived, the malware count, the top senders, top
receivers, top spam recipients, and the amount of email going to and coming from internal and
external recipients.
This information can be generated from PowerShell by running cmdlets to build custom reports.
These cmdlets can be used to conduct an investigation into a certain sender, recipient, event, or time
period, rather than obtaining a large, downloadable report. All tenant admins have access to cmdlets
through PowerShell. (For more information, see Microsoft TechNet.)
The following cmdlets are available for Exchange Online reporting:
- Get-MailDetailMalwareReport
- Get-MailDetailSpamReport
- Get-MailDetailTransportRuleReport
- Get-MailFilterListReport
- Get-MailTrafficPolicyReport
- Get-MailTrafficReport
- Get-MailTrafficSummaryReport
- Get-MailTrafficTopReport
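Using the reporting cmdlets above to investigate one sender over a time window, rather than pulling the full downloadable report. This is an added example, not the article's own script; the sender address and the window are constructed values.

```powershell
# Added example (not from the article). The sender and window are constructed.
$start  = (Get-Date).AddDays(-7)
$end    = Get-Date
$sender = 'bulk@spam-source.example'

# Daily inbound volume of mail the content filter classified as spam, to see
# whether the period looks like an outbreak compared with normal days
Get-MailTrafficReport -StartDate $start -EndDate $end `
    -Direction Inbound -EventType SpamContentFiltered |
    Select-Object Date, EventType, MessageCount

# Per-message detail for everything from this sender that was marked as spam
Get-MailDetailSpamReport -StartDate $start -EndDate $end `
    -Direction Inbound -SenderAddress $sender |
    Format-Table -AutoSize

# Top internal recipients of spam: the mailboxes being targeted most
Get-MailTrafficTopReport -StartDate $start -EndDate $end `
    -Direction Inbound -EventType TopSpamRecipient |
    Format-Table -AutoSize

# Did any transport rule (for example an intercept rule) act on the sender's mail?
Get-MailDetailTransportRuleReport -StartDate $start -EndDate $end `
    -SenderAddress $sender |
    Format-Table -AutoSize

# Malware detections in the same window, for the same sender
Get-MailDetailMalwareReport -StartDate $start -EndDate $end `
    -SenderAddress $sender |
    Format-Table -AutoSize
```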
Fulfilling user requests
Microsoft IT set up a user-request fulfillment site. They created a form that lets users request features
related to EOP. Service team members are able to track requests, know their source, and manage their
progress. Examples of these requests are to allow transport-layer security with a particular partner or
to allow specific IP addresses (remove IPs from a block list).
Establishing a process to react to threats
Microsoft IT has a process in place to react to phishing attacks or a large volume of spam. Users can
set up a help desk process or a security escalation process. Users need a process to escalate and
respond to external threats or other unusual events quickly.
Being aware of industry malware trends
Microsoft IT has noticed that threats have slowly evolved away from spam and malware to phishing
and social engineering. IT pros need to be aware of industry trends. In these schemes, someone sends
a message that attempts to persuade the recipient that it is from a known or otherwise credible
source, and tries to lure the recipient into divulging usernames, passwords, and credit card numbers—
or even sending money.
Partnering with your security team
Microsoft IT found it was important to partner with teams that will receive issue escalations. Examples
of these partners are specialized security teams, the company help desk, teams that define policy, or
executive support teams. Communicate regularly and be aware of everyone’s duties and
responsibilities. Establish engagement methods and processes.
To help a security team act more quickly, let them use role-based access control (RBAC), and
automate it, if possible. Also, make sure they have the appropriate system permissions to do their
work.
Conclusion
Although EOP can automatically block threats at a number of levels, it is not a set-and-forget service.
The nature of threats changes constantly, so IT teams need to establish policies and processes to
adapt to the current security situation. Service managers in an enterprise need to be both proactive
and reactive. Proactive means setting up EOP and configuring it to conform to the organization’s
policies and block current threats. Reactive means having policies and communication methods in
place to respond to new and unexpected threats.
Note that while EOP covers the majority of threats, including spam and malware, transport rules may
need to be configured to handle business-specific situations. EOP has a toolset that provides granular
control for specific business needs.
Resources
Mail Protection Reports for Office 365
http://www.microsoft.com/en-us/download/details.aspx?id=30716
Microsoft IT Service Management transitions from Exchange On-Premises to Office 365:
https://www.microsoft.com/itshowcase/Article/Content/578
Microsoft IT migrates mailboxes to Office 365 Exchange Online:
https://www.microsoft.com/itshowcase/Article/Content/577
For more information
For more information about Microsoft products or services, call the Microsoft Sales Information
Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750.
Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access
information via the World Wide Web, go to:
www.microsoft.com
www.microsoft.com/ITShowcase
© 2015 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The
names of actual companies and products mentioned herein may be the trademarks of their respective
owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, IN THIS SUMMARY.