Office 365 has many levels of protection, including Exchange Online Protection (EOP) and add-ons like Advanced Threat Protection (ATP). Knowing how to properly define these rules is one thing, but knowing how to set up secure bypass rules is another. In this blog we will review common SPAM bypass policies and how to define them more securely.
When a legitimate email coming into an environment is constantly identified and blocked as SPAM, the first thing I do is review the email header information to understand why (that is a blog to write another day). Many times I find the sender’s domain does not have the basics set up for recipient email systems to confirm the sender’s information: no DNS SPF records, no DMARC records, no DKIM records; nothing that verifies anything about the sender. While it is unfortunate to see these shortfalls by email administrators so often, I still need to let this email in while making sure the rest of the environment stays secure.
The usual way I see organizations define SPAM bypass policies is to enter either the sender email address or the sender domain in the safe sender list of EOP or ATP. While the capability to define these attributes exists within these areas, Microsoft does not recommend using this method (reference). There are a number of reasons why:
- The list could grow out of control and become a management nightmare. It may grow to hundreds of entries without any historical record of who requested each item or why.
- If you define an entire domain (@domain.com) in the bypass field, you are allowing everything from that domain to bypass your filter. There is never a need to create such a wide bypass rule.
- If you define a specific sender address, while more restrictive than an entire domain, you are still granting a certain level of trust to that sender for the foreseeable future. Let’s be honest, you are not going to evaluate these rules every month or even every year. What you define now will be in place for a long time, so make sure it is done correctly with security in mind.
- The biggest reason is security. What if someone spoofs the domain or user you just defined in a bypass policy? No policy equals no defense. Identity attacks continue to increase and are now the #1 threat to organizations globally.
The Answer: Define an Exchange Transport Rule
Microsoft’s recommended way to configure a safe-sender list is by using an Exchange Transport Rule. Exchange Transport Rules take a bit more time and are more complex to create, but they let you define multiple checkpoints that together verify the sender. Instead of just an email address or domain, you can require the rule to match the sending server IP address(es) and a keyword or phrase within the email subject or body. Verifying several attributes in one conditional Exchange Transport Rule is a great way to secure the policy change your organization has requested or required, and it is something both Microsoft and I recommend. You want to make your rule as restrictive as possible.
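As an added example (not code from the original post or its video), here is how such a multi-condition rule can be created with Exchange Online PowerShell, plus a quick audit for existing bypass rules that rely on a single attribute. The domain, IP addresses, subject phrase and ticket reference are placeholders you would replace with the values the sender's administrator provides.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
# All values below are placeholders, not real senders or addresses.
Connect-ExchangeOnline

$SenderDomain  = 'partner.example'                  # placeholder sender domain
$SendingIps    = @('192.0.2.10', '192.0.2.11')      # placeholder: partner's documented outbound MTA IPs
$SubjectPhrase = 'Partner Example Invoice'          # placeholder: phrase the legitimate mail always carries
$Requester     = 'Ticket #PLACEHOLDER, requested by Finance'

# Every condition must match: sender domain AND connecting IP AND subject phrase.
# A message that only spoofs the From domain from some other server will not match,
# so the rule is far narrower than a safe-sender list entry for the whole domain.
$ruleParams = @{
    Name                 = "SPAM bypass - $SenderDomain"
    SenderDomainIs       = $SenderDomain
    SenderIpRanges       = $SendingIps
    SubjectContainsWords = $SubjectPhrase
    SetSCL               = -1          # SCL -1 tells EOP to skip spam filtering for the match
    Comments             = "Created $(Get-Date -Format 'yyyy-MM-dd'); $Requester"
    Mode                 = 'Audit'     # observe matches first, enforce once they look right
}
New-TransportRule @ruleParams

# After confirming only the intended mail matches in the message trace, enforce it:
# Set-TransportRule -Identity "SPAM bypass - $SenderDomain" -Mode Enforce

# Audit: list bypass rules (SCL -1) that do not also pin the sending IP. These are
# the overly broad rules the post warns about and are candidates for tightening.
Get-TransportRule |
    Where-Object { $_.SetSCL -eq -1 -and -not $_.SenderIpRanges } |
    Select-Object Name, Priority, Comments, SenderDomainIs, From
```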
I recorded a short video that describes how to set up an Exchange Transport Rule (link below). Additional ways to protect your Office 365 environment from threats are published in my blog series: aka.ms/nomorephish
Link to webinar overview of how to create a more secure SPAM bypass policy using an Exchange Transport Rule: