m09 exo protection v1.4

Upload: beto

Post on 05-Jul-2018


  • 8/16/2019 M09 EXO Protection v1.4

    1/41

    Module 9: Exchange Online Protection

    Presenter Name

    Presenter Role

    Conditions and Terms of Use

    Microsoft Confidential

    This training package is proprietary and confidential, and is intended only for uses described in the training materials. Conte
    to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content a
    such packages is strictly prohibited.

    The contents of this package are for informational and training purposes only and are provided "as is" without warranty of an
    implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infrin

    Training package content, including URLs and other Internet Web site references, is subject to change without notice. Becaus
    to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Micro
    accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, p
    mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, o
    domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

    Copyright and Trademarks

    © 2014 Microsoft Corporation. All rights reserved.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property righ
    matter in this document. Except as expressly provided in written license agreement from Microsoft, the furn
    document does not give you any license to these patents, trademarks, copyrights, or other intellectual prop

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights und
    this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any for
    (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express wri
    Microsoft Corporation.

    For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

    Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows
    box 360®, DirectX®, Wi
    Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States an
    Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft
    United States and/or other countries. All other trademarks are property of their respective owners.

    Overview

    This module explores the various capabilities of t
    Online Protection service, including:

    • Anti-Malware protection
    • Anti-Spam protection, including connection an
      filtering
    • Quarantining messages
    • Reporting

    Objectives

    After completing this module, you will be able to:

    • Work with the features provided by Exchange
      Protection to prevent and control malware and
    • Use the Quarantine feature to release or delet
      flagged as spam

    Exchange Online Protection

    What is Exchange Online Protection (EOP)?

    • EOP is the new version of Forefront Online Pro
      Exchange (FOPE), Microsoft's hosted email ga
    • Provides comprehensive email protection thro
      engine antivirus and continuously evolving an
      protection
    • Built on Exchange 2013 Transport architecture
    • Geographically load-balanced datacenters
    • Queuing capabilities (2 days) to help ensure n
    • Currently processes 1 billion messages per da

    EOP is available:

    • As a stand-alone cloud service for On Premise
    • As part of Office 365 subscriptions

    EOP Subscription Plans

    The following are the available EOP subscription

    • EOP standalone: Where EOP protects your O
      mailboxes.
    • EOP features in Exchange Online: Where
      your Exchange Online cloud-hosted mailboxes
    • Exchange Enterprise CAL with Services: protects your On Premises mailboxes like EOP
      and includes data loss prevention (DLP) and re
      web services.

    Service Level Agreement

    • 100% known virus detection
    • 99% spam detection rate
    • False Positive ratio of less than 1:250,000 mes
    • 99.999% uptime
    • Average email delivery of less than 1 minute
    • 24/7 Phone and web technical support

    Simple to Deploy

    1. Add and verify domain ownership in Office 365
    2. Change your MX record to point to
       <domain-com>.mail.protection.outlook.com
    3. Create an SPF TXT record for your domain:
       v=spf1 include:spf.protection.outlook.com -all
       or
       v=spf1 ip4:youroutboundIPAddress include:spf.protection.outl
    4. Fine tune anti-malware and anti-spam settings
    5. Create rules to meet business needs
    6. Support added for DKIM
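A check for the DNS records from steps 2 and 3, as an added example that is not part of the original slides. The function names and the sample domain are assumptions made for illustration; in practice the TXT strings would come from a DNS lookup.

```python
import ipaddress

EOP_INCLUDE = "include:spf.protection.outlook.com"  # mechanism shown on the slide

def expected_mx(domain):
    """MX target in the slide's <domain-com> form: dots in the name become dashes."""
    name = domain.lower().rstrip(".")
    return name.replace(".", "-") + ".mail.protection.outlook.com"

def audit_spf(txt_records):
    """Return the problems found in a domain's TXT records (empty list means OK)."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no v=spf1 record published"]
    if len(spf) > 1:
        return ["multiple v=spf1 records; receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    problems = []
    if EOP_INCLUDE not in [t.lower() for t in terms]:
        problems.append("missing " + EOP_INCLUDE)
    for t in terms:
        if t.lower().startswith("ip4:"):
            try:  # catches a placeholder such as ip4:youroutboundIPAddress left in place
                ipaddress.IPv4Network(t[4:], strict=False)
            except ValueError:
                problems.append("invalid ip4 mechanism: " + t)
    alls = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        problems.append("no terminal 'all' mechanism")
    elif terms[-1] != alls[-1]:
        problems.append("'all' is not the last term; mechanisms after it are never evaluated")
    elif alls[-1].lower() != "-all":
        problems.append("'all' qualifier is " + alls[-1] + "; the slide uses -all")
    return problems

# Constructed sample: a record that still contains the slide's placeholder text.
if __name__ == "__main__":
    print(expected_mx("example.com"))
    print(audit_spf(["v=spf1 ip4:youroutboundIPAddress " + EOP_INCLUDE + " -all"]))
```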

    EOP Administration

    Unlike FOPE, Exchange Online Protection adminis
    incorporated into the Exchange Admin Center

    Web Based Administration

    • Administration via EAC
    • Currently supports EAC and excel reporting in
    • 900 configurable domains per tenant Manage
      be viewed and domain types can be edited in
      other domain management must be done in t
      admin center.
    • EOP has subdomain support for internal relay
    • Remote Powershell: Except managing users a
      can be fully managed through RPS.

    EOP inbound filtering

    EOP outbound filtering

    Anti-Malware

    Definition of Malware

    • What is Malware?
      • Malware is any kind of unwanted software
        without your adequate consent
    • What is Spyware?
      • Spyware is a general term used to describe
        performs certain behaviors, generally with
        appropriately obtaining your consent first
        • Advertising
        • Collecting personal information
        • Changing the configuration of your com

    Malware Filter Configuration

    What you can do in the Exchange Administration Ce

    • The Malware detection response (action)
    • The custom alert text (deletion txt)
    • The notifications (who to send to and the ability
      the notifications)
    • Create custom malware policies, apply them to s
      users, groups, or domains. Custom policies take p
      over the default company wide policy

    Anti-Spam

    Multi-layered anti-spam protection

    Connection filtering

    • Blocks up to 80% of all spam based on IP bloc

    Sender/recipient filtering

    • Blocks up to 15% of all spam based on interna
      sender reputation

    Content filtering

    • Blocks up to 5% of all spam based on internal
      heuristics

    Connection Filter

    What is Connection Filtering?

    • It is blocking or allowing inbound messages ba
      originating IP address
    • The connection filter checks IP Allow and IP Bl
      checking the content of each message
    • 1273 (Max) IP entries can be specified in IP Al
      list
    • Messages from specifically allowed IP address
      filtering
    • Messages from senders in the IP Block list are
      in cases where they also appear in the IP Allow
    • You can add an IP address or address range to
      or IP Block list in EAC
    • Only IP ranges with netmask /24-/32 can be u
    • Wider IP ranges require transport rules
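One way to pre-check entries before adding them to the IP Allow or IP Block list, using the limits stated on this slide (an added example, not code from the original slides or from Microsoft). The function names and sample addresses are constructed; overlap between the two lists is only reported for review, not resolved.

```python
import ipaddress

MAX_ENTRIES = 1273  # per-list maximum quoted on the slide
MIN_PREFIX = 24     # slide: only /24 through /32 can be used

def classify(entries):
    """Sort proposed list entries into ok / too_wide / redundant / invalid."""
    out = {"ok": [], "too_wide": [], "redundant": [], "invalid": []}
    nets = []
    for raw in entries:
        try:
            # strict=True rejects entries with host bits set, e.g. 203.0.113.9/24
            nets.append(ipaddress.IPv4Network(raw.strip(), strict=True))
        except ValueError:
            out["invalid"].append(raw)
    for net in sorted(nets, key=lambda n: n.prefixlen):  # widest ranges first
        if net.prefixlen < MIN_PREFIX:
            out["too_wide"].append(net)       # needs a transport rule instead
        elif any(net.subnet_of(seen) for seen in out["ok"]):
            out["redundant"].append(net)      # already covered; wastes a list slot
        else:
            out["ok"].append(net)
    out["over_limit"] = len(out["ok"]) > MAX_ENTRIES
    return out

def conflicts(allow, block):
    """Pairs (allow_net, block_net) that overlap, so one sender matches both lists."""
    a, b = classify(allow)["ok"], classify(block)["ok"]
    return [(x, y) for x in a for y in b if x.overlaps(y)]

if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    print(classify(["192.0.2.0/24", "192.0.2.7", "198.51.100.0/22", "not-an-ip"]))
    print(conflicts(["192.0.2.0/24"], ["192.0.2.7", "203.0.113.5"]))
```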

    Directory Based Edge Blocking

    • The Directory Based Edge Blocking (DBEB) feature
      messages for invalid recipients at the service netw
    • DBEB lets admins add mail-enabled recipients to O
      (generally through DirSync) and block all messages
      addresses that aren't present in Office 365
    • If a message is sent to a valid email address presen
      the message continues through the rest of the serv
    • If the address is not present, the service blocks the
      filtering even occurs, and a non-delivery report (ND
      sender informing them that their message was not
    • DBEB is automatically enabled when your accepted
      set to authoritative in Exchange Online

    Content Filter

    Content Filter Actions

    • Delete
    • Quarantine
    • Add x-header
    • Move to Junk Email folder (Default option)
    • Prepend subject line with text
    • Redirect to email address
    • Filter messages from particular countries or b

    Content Filter Advanced Options

    • Increase Spam Score
    • Mark As Spam

    Test Mode Options

    Spam Confidence Level

    SCL Rating | Spam Confidence Interpretation | Default Action
    -1 | Non-spam coming from a safe sender, safe recipient, or safe listed IP address (trusted partner) | Deliver the message to the rec
    0, 1 | Non-spam because the message was scanned and determined to be clean | Deliver the message to the rec
    5, 6 | Spam | The initial default is to deliver the quarantine However, if the content filter policy is modified message will instead be delive mail folder
      | High confidence | The initial default is to deliver the quarantine However, if the content filter policy is modified message will instead be delive mail folder

    Configure Downstream Spam Action

    EOP and the Junk Mail folder

    Two rules need to be added to the on premise environ

    Set-OrganizationConfig -SCLJunkThreshold 4

    New-TransportRule "NameForRule" -HeaderContainsM
    Forefront-Antispam-Report" -HeaderContainsWords "S6

    New-TransportRule "NameForRule" -HeaderContainsM
    Forefront-Antispam-Report" -HeaderContainsWords "S

    End users need to be educated about the use of the J
    Outlook

    Analyzing Message headers for SPAM analysis

    Header | Description
    CIP: [IP address] | The connecting IP address
    CTRY | The country from which the message connected to the service. This is determined by the c not be the same as the originating sending IP address
    LANG | The language in which the message was written, as specified by the country code (for exa
    SCL | The Spam Confidence Level (SCL) value of the message. For more information about inte dence levels
    PCL | The Phishing Confidence Level (PCL) value of the message. See below more information
    SRV:BULK | The message was identified as a bulk email message. If the Block all bulk email messages enabled, it will be marked as spam. If it is not enabled, it will only be marked as spam if the that the message is spam
    SFV:SFE | Filtering was skipped and the message was let through because it was sent from an addre
    SFV:BLK | Filtering was skipped and the message was blocked because it was sent from an address list
    IPV:CAL | The message was allowed through the spam filters because the IP address was specified filter
    IPV:NLI | The IP address was not listed on an IP reputation list
    SFV:SPM | The message was marked as spam by the content filter
    SFV:S
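A parser for the header fields in the table above, as an added example that is not part of the original slides. The full header name X-Forefront-Antispam-Report is the product's documented header (the previous slide shows it with its prefix cut off); the function names and the sample message are constructed.

```python
import re
from email import message_from_string

HEADER = "X-Forefront-Antispam-Report"
VERDICTS = {  # wording paraphrased from the table on this slide
    ("SRV", "BULK"): "identified as bulk email",
    ("SFV", "SFE"): "filtering skipped, message let through",
    ("SFV", "BLK"): "filtering skipped, message blocked",
    ("IPV", "CAL"): "allowed through the spam filters because the IP was specified",
    ("IPV", "NLI"): "IP address not listed on an IP reputation list",
    ("SFV", "SPM"): "marked as spam by the content filter",
}
BYPASS = {("SFV", "SFE"), ("IPV", "CAL")}  # spam filtering skipped or overridden

def parse_report(value):
    """Split 'KEY:value;KEY:value' into a dict; only the first ':' separates."""
    fields = {}
    for part in re.sub(r"\s+", "", value).split(";"):  # drop header folding
        key, sep, val = part.partition(":")
        if sep and key:
            fields[key.upper()] = val  # values such as an IPv6 CIP keep their colons
    return fields

def triage(raw_headers):
    """Summarise the anti-spam verdict carried in a raw header block."""
    fields = parse_report(message_from_string(raw_headers).get(HEADER, ""))
    codes = [(k, v.upper()) for k, v in fields.items() if (k, v.upper()) in VERDICTS]
    scl = fields.get("SCL", "")
    return {
        "cip": fields.get("CIP", "").strip("[]"),
        "scl": int(scl) if re.fullmatch(r"-?\d+", scl) else None,
        "verdicts": [VERDICTS[c] for c in codes],
        "bypassed_filtering": any(c in BYPASS for c in codes),
    }

SAMPLE = (  # constructed message headers, folded as a mail server would
    "Received: from mail.example.net (192.0.2.25) by mx.example.com\n"
    "X-Forefront-Antispam-Report: CIP:192.0.2.25;CTRY:US;LANG:en;SCL:-1;\n"
    " SRV:;IPV:CAL;SFV:SFE\n"
    "Subject: invoice\n\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Messages with `bypassed_filtering` set were delivered on the strength of a list entry rather than a scan, which makes them worth sampling when allow-list and safe-sender entries are reviewed.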

    Outbound Spam

    Why do you need outbound spam filtering?

    • Outbound spam filtering is needed because m
      programmers and their malware are out there
      computers inside corporate networks every da
    • This means that compromised users in your o
      be sending large amounts of outbound spam
      knowledge
    • Protects the reputation of normal delivery poo

    http://technet.microsoft.com/en-us/library/jj200686(v=exchg.150).aspx

    Quarantine

    Quarantined Messages

    • Messages that are identified as spam or that m
      Exchange transport rule can be sent to the qu
    • If you are an administrator, you can perform t
      actions against quarantined messages via EAC
      - Search for quarantined messages

    Working with Quarantined Messages and PowerShell

    • To retrieve information about quarantined emails

      Get-QuarantineMessage -StartReceivedDate 02/1
      -EndReceivedDate 02/14/2013

    • To release a quarantined message

      Get-QuarantineMessage -MessageID

    Junk Email Management

    • Users receive spam notifications for messages
      them that were marked as junk and quarantin

    Users can choose to either release or report o
    messages

    Find and release quarantined messages as an end user

    To access your quarantined messages

    1. Specify the following URL in a web browser
       https://admin.protection.outlook.com/quaran
    2. On the sign in page, specify your valid Office
       password
    3. After you've signed in and been authenticate
       directed to the end user spam quarantine pag
       can find and release messages that were ma

    Junk Email Management

    • An enhanced Junk Email Reporting Add-in for M
      Outlook - compatible with the latest Microsoft
      (Outlook 2013 - backwards-compatible
    • Upcoming Spam notification improvements:
      Enabling admins to configure spam notification
      independently from spam detection policies.
      More granular control for spam notification sett
      the current organization and domain scope.
      Admin configuration for allowing users to subm
      examples.

    Reporting

    Built-in Reporting

    • Provides a clear view on spam filtering and m

    Reporting (Excel)

    • Requ
    • EOP s
      of subut o
      detai
    • Exce
      availaself-s
    • Connreporservi
    • Data
      refrewithiat an
    • Drill trecendata unde
      inform

    Lab: Exchange Online Protection (EOP)

    Module Review

    1. What records are used to prevent spoofing
       Outbound SMTP egress points to the rest of
    2. What are the three types of filtering availab
    3. What does the outbound spam policy do?

    Module Review

    1. What records are used to prevent spoofing
       Outbound SMTP egress points to the rest of
       • SPF and DKIM (both types implemented a
    2. What are the three types of filtering available
       • Connection Filtering, Malware Filtering, Co
    3. What does the outbound spam policy do?
       • If an outbound message is determined to
         routed through the high risk delivery poo
         the probability of the normal outbound-IP
         added to a block list. If a customer contin
         outbound spam through the service, they
         from sending messages

    Module Summary

    In this module, we introduced the mail protection
    provided by Exchange Online Protection. All mess
    and leave the Office 365 environment are passed
    ensuring the highest level of protection both from
    spam.

    © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows