Exchange Edge Server and Common Attachment Blocking In Exchange Online Protection

Posted on Leave a commentPosted in 2007, 2010, 2013, 2016, Edge, EOP, exchange, exchange online, Exchange Online Protection, FOPE, IAmMEC, Office 365

Both Exchange Server Edge role and Exchange Online Protection have an attachment filtering policy. The default in Edge Server is quite long, and the default in EOP is quite short. There is also a few values that are common to both.

So, how do you merge the lists so that your Edge Server attachment filtering policy is copied to Exchange Online in advance of changing your MX record to EOP?

You run

Set-MalwareFilterPolicy Default -FileTypes ade,adp,cpl,app,bas,asx,bat,chm,cmd,com,crt,csh,exe,fxp,hlp,hta,inf,ins,isp,js,jse,ksh,lnk,mda,mdb,mde,mdt,mdw,mdz,msc,msi,msp,mst,ops,pcd,pif,prf,prg,ps1,ps11,ps11xml,ps1xml,ps2,ps2xml,psc1,psc2,reg,scf,scr,sct,shb,shs,url,vb,vbe,vbs,wsc,wsf,wsh,xnk,ace,ani,docm,jar

This takes both the Edge Server default list and the EOP default list, minus the duplicate values and adds them to EOP. If you have a different custom list then use the following PowerShell to get your two lists and then use the above (with “Default” being the name of the policy) PowerShell to update the list in the cloud

Edge Server: Get-AttachmentFilterEntry

EOP: $variable = Get-MalwareFilterPolicy Default
$variable.FileTypes

Get-SpoofMailReport in EOP

Posted on Leave a commentPosted in EOP, exchange online, Exchange Online Protection, Office 365, spam, spoof

Using Office 365 or EOP to protect your email and worried about spoofed emails? Then try this cmdlet in Remote PowerShell for EOP:

PS C:\Users\brian.reid> Get-SpoofMailReport

Date                Event Type Direction Domain Action       Spoofed Sender              True Sender     Sender IP
—-                ———- ——— —— ——       ————–              ———–     ———
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     no-reply@domain.com         mandrillapp.com 198.2.186.0/24
18/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com          mimecast.com    1.130.217…
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com                          1.130.217…
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     no-reply@domain.com         someapp.com     198.2.179.0/24
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     paul@domain.com             mimecast.com    1.130.217…
13/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com                       1.130.217…
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com                       1.130.217…
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com                       1.130.217…
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com          mimecast.com    91.220.42.0/24
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com                          91.220.42.0/24
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    91.220.42.0/24
13/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    1.130.217…
18/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com                          1.130.217…
18/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com          mimecast.com    91.220.42.0/24
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     paul@domain.com             mimecast.com    91.220.42.0/24
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com          mimecast.com    1.130.217…
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     paul@domain.com                             1.130.217…
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    1.130.217…
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     paul@domain.com                             91.220.42.0/24
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    91.220.42.0/24
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     paul@domain.com             mimecast.com    91.220.42.0/24
10/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com                          1.130.217…
11/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com                          1.130.217…
11/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    91.220.42.0/24
13/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@domain.co.uk                      1.130.217…
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    1.130.217…
18/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    1.130.217…
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    1.130.217…
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     paul@domain.com                             91.220.42.0/24
07/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     no-reply@domain.com         mandrillapp.com 198.2.132.0/24
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     andrew@domain.com           mimecast.com    91.220.42.0/24
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com          mimecast.com    91.220.42.0/24
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com                          91.220.42.0/24
08/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.co.uk     mimecast.com    1.130.217…
10/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    1.130.217…
10/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@other.com                         1.130.217…
11/04/2016 00:00:00 SpoofMail  Inbound          CaughtAsSpam wordpress@other.com         host-h.net      129.232.144…
11/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@domain.co.uk      mimecast.com    91.220.42.0/24
13/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@domain.co.uk      mimecast.com    91.220.42.0/24
13/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@other.com         host-h.net      197.189.237…
13/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    91.220.42.0/24
13/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@other.com                         91.220.42.0/24
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     no-reply@domain.com         mandrillapp.com 198.2.187.0/24
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.co.uk                     1.130.217…
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@other.com         host-h.net      197.189.237…
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    91.220.42.0/24
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@other.com                         91.220.42.0/24
14/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.co.uk     mimecast.com    1.130.217…
17/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@domain.co.uk      mimecast.com    1.130.217…
17/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com                          1.130.217…
17/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    1.130.217…
17/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     wordpress@domain.co.uk      mimecast.com    91.220.42.0/24
17/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    91.220.42.0/24
18/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     support@domain.com                          91.220.42.0/24
18/04/2016 00:00:00 SpoofMail  Inbound          GoodMail     postmaster@domain.com       mimecast.com    91.220.42.0/24

Thats the output I get from running this on the afternoon of April 20th (UK style dates for the American readers of this blog)! Notice a few things (its been somewhat redacted to remove private into), but the spam filter provider in front of EOP in this tenant is seen as spoofing postmaster emails and there are some from mandrillapp.com in a similar vein. Both of these companies send email on our behalf, so I expect to see them here – so nothing to see here for these. How about the others? One is a hosting company, probably hosting WordPress instances and so these are probably alerts of some kind from a web hoster to us, so again I think for us nothing here.

What do you get – is it more interesting for you?

Then finally, how about getting the results in date order, as they are not by default: Get-SpoofMailReport | sort -Property Date

 

 

Advanced Threat Protection via PowerShell

Posted on 3 CommentsPosted in Advanced Threat Protection, ATP, EOP, exchange online, Exchange Online Protection, IAmMEC, Office 365, Safe Attachments, Safe Links

I discussed the newly released Advanced Threat Protection product in Office 365 on my blog, and in this article I want to outline the cmdlets that can be used to set this product up from Remote PowerShell to Office 365.

To connect to Office 365 via PowerShell take a search on your favourite search engine – there are lots and lots of articles on doing this. Once you have a connection to Exchange Online and you have purchased the Exchange Online Advanced Threat Protection product, you can use PowerShell to do your administration and report gathering.

The cmdlets you can use are for Safe Links are:

Disable-SafeLinksRule
Enable-SafeLinksRule
Get-SafeLinksPolicy
Get-SafeLinksRule
New-SafeLinksPolicy
New-SafeLinksRule
Remove-SafeLinksPolicy
Remove-SafeLinksRule
Set-SafeLinksPolicy
Set-SafeLinksRule

And the cmdlets you can use for Safe Attachments are:

Disable-SafeAttachmentRule
Enable-SafeAttachmentRule
Get-SafeAttachmentPolicy
Get-SafeAttachmentRule
New-SafeAttachmentPolicy
New-SafeAttachmentRule
Remove-SafeAttachmentPolicy
Remove-SafeAttachmentRule
Set-SafeAttachmentPolicy
Set-SafeAttachmentRule

And for reporting, you can run Get-AdvancedThreatProtectionTrafficReport to report on the number of attachments blocked and the type of notification sent when looking at Safe Attachments. Get-UrlTrace does the same report for Safe Links.

The cmdlet *-SafeLinksPolicy and *-SafeAttachmentPolicy controls the policy. Every rule needs to be associated with a policy and so a policy needs creating first:

New-SafeLinksPolicy “Protect C7 Solutions Users”

Will create a Safe Link policy with the default settings. This includes no URL tracking, no click through and is not enabled. A better start might be

New-SafeLinksPolicy “Protect C7 Solutions Users” -TrackClicks $true -IsEnabled $true -AllowClickThrough $false

Once a policy is created, a rule can be added to that policy. The *-SafeLinksRule and *-SafeAttachmentRule cmdlets control this in the shell. You can only have one rule per policy. An example cmdlet to create a rule would be:

New-SafeLinksRule “Protect C7 Solutions Users” -SafeLinksPolicy “Protect C7 Solutions Users” -RecipientDomainIs “c7solutions.com” -Enabled $true

Note that the –SafeLinksPolicy value matches that of the name of the previously created policy when making the rule.

To create a Safe Attachment policy and rule that protect all users by blocking malicious attachments and sending a report to an external mailbox you could use:

New-SafeAttachmentPolicy “Protect C7 Solutions Users” -Enable $true -Redirect $true -RedirectAddress brian@contoso.com –Action Block

New-SafeAttachmentRule “Protect C7 Solutions Users” -RecipientDomainIs “c7solutions.com” -SafeAttachmentPolicy “Protect C7 Solutions Users” -Enabled $true

The other cmdlets are self explanatory with regard to Enable- and Disable- and Set- and Remove-. The advantage of using PowerShell to administer Safe Links and Safe Attachments is you can set up a policy in a lab and then copy it to a production environment or enable the same policy on many different tenants if you are a Microsoft Partner with customers interested in this advanced protection of their mailbox.

Getting Started with Office 365 Advanced Threat Protection

Posted on 5 CommentsPosted in Advanced Threat Protection, ATP, EOP, exchange online, Exchange Online Protection, IAmMEC, malware, Office 365, proxy, Safe Attachments, Safe Links

Announced a few months ago, Advanced Threat Protection became generally available on 1st June. I have been involved with trialling this product during the beta and so I thought I would note down a few thoughts on setting this up and what to expect now that it is publicly available.

Advanced Threat Protection is an add-on product to Exchange Online/Exchange Online Protection with its own subscription, so you will not see these features and products unless you have subscribed. Once you have subscribed you will get two new features in the Exchange Control Panel for Office 365. These are the ability to find malware containing attachments before a detection signature for that malware exists (zero-day malware attacks) and the ability to filter all hyperlinks in email via a known malicious links service (filtering against spear-phishing attacks). The feature to detect zero-day malware is called Safe Attachments and the feature to protect against spear-phishing is known as Safe Links.

Subscribing to Advanced Threat Protection

After signing into the Office 365 administration portal click Purchase Services on the left hand menu and locate your current Office 365 subscription that contains Exchange Online or Exchange Online Protection (Office 365 Enterprise E3 contains EOP, so you would look for your suite purchase if you did not have a standalone purchase of EOP). Your current subscriptions will contain the words Already Purchased underneath the item as shown:

image or image

In the two screenshots above you can see that you have no Exchange Online Advanced Threat Protection licences purchased. To add Advanced Threat Protection licences click the Add more link and enter the number of licences you want to purchase. You do not need to purchases the same number of licences as EOP or Exchange Online mailbox licences as you use the policy below to control who Advanced Threat Protection is available for. Advanced Threat Protection for volume licence customers is available from August 2015 and for non-profit/educational licences from later in the year. Once the purchase is confirmed the Advanced Threat’s menu entry appears in the Exchange Administration Console. Also don’t forget to assign a licence to the appropriate users in the Office 365 portal.

Safe Attachments

Safe Attachments in Advanced Threat Protection takes any email that meets the conditions of any one of the Safe Attachment policies that you create that also contains an attachment and checks this email for for malicious behaviour as it passes through Exchange Online Protection (EOP). Before an email is checked by Safe Attachments the attachment has already been scanned for known malware and viruses. So if the attachment contains malware that was not detected by an existing AV signature or if it is a safe attachment (no malware) then the email is routed to the Safe Attachments component in EOP. If the email does not contain any attachments it is routed to the users mailbox by way of the other EOP spam filtering features.

Once an email is considered to have cause to be checked by the Safe Attachments component of ATP the individual attachments in the message are placed inside a newly created Windows virtual machine that is spun up in ATP for the purposes of this service. The attachment is then executed or otherwise run (for example if it is a Word doc, it is opened in Word in the new VM that was created for it). The VM is then watched for behaviour that is considered to be unsafe. Examples of unsafe behaviour include setting certain known registry key locations (such as the RunOnce group of keys in Windows) or downloading malicious content from the internet. If the attachment does not exhibit that behaviour then the email is released and sent on to the user. If the email does exhibit these actions the email is not sent onward, and optionally a copy of the email in a form of a report is forwarded to an administrators mailbox (where care should be taken on opening the attachment).

The time it takes to spin up a new VM and execute the attachment is in the region of 7 to 10 minutes. Therefore anyone subject to a Safe Attachments policy will have emails that contain attachments delayed by at least this amount of time. Of course this delay is necessary to ensure that the recipient is not being sent malware that is currently not detected (zero-day attacks) and the impact of this delay needs to be considered against the benefit of the additional filtering that happens and the impact of that user executing the malware themselves on their own machine.

To protect a user with Safe Attachments you need to create a policy. This is done in the Exchange Admin Centre in Office 365 and the “advanced threats” area as shown:

SNAGHTML43a8f613

In the above screenshot I have a single policy created called “Protect Brian Only”. This would be an example where I wanted to protect those users whom I though where more likely to be subject to zero-day malware attacks – good examples would be highly targets accounts (CEO etc.), IT administrator/help desk accounts and of course the accounts of users who will click anything and so you are often cleaning up their PC! There is no default policy, so unless a user is protected by a policy that you the administrator create, they are not subject to the Safe Attachments feature.

As Advanced Threat Protection is an additional licence, only those users who are licenced should be included in any policy.

Opening the “Protect Brian Only” example policy above shows me three sets of options. These are:

SNAGHTML43aa903b SNAGHTML43b22229 SNAGHTML43aad2b3

The first page allows me to edit the name and description. The second page sets the policy (more on this below) and the final page sets who the policy applies to. In this example it applies to a single recipient who was selected from the list of users in Office 365, though it could be a list of more than one user or anyone with a given email domain or anyone in an already created group.

The policy setting allows me to do the following:

  • Scan attachment containing emails (with options to not do this scanning, scan and send onward to the user regardless of the result, block the emails containing bad attachments or replace the attachments with a notification but allow the contents of the email to go on through).
  • Redirect the attachment containing emails to an alternative email address and what address to use. This is great for seeing what is blocked and acting as a sort of reporting service. Warning – this email address will get malicious emails sent to it, handle with extreme care.
  • Finally, in the event of a timeout at EOP/ATP where the attachment cannot be scanned in 30 minutes, check this box to treat the attachment in the same way as malicious emails are treated. This is the default action.

In the mailbox of the intended recipient, if block or replace is selected in the policy then the user will not see the malicious attachment and therefore cannot accidently execute its contents.

In the mailbox of the email address used for the redirection, you will see messages such as follows:

image

Here you see a report email that contains the email that was detected as malicious. You can see the To: address (redacted in the graphic above) and that it was not sent to the intended recipient and that it should not be opened.

All in all, its a very simple and inexpensive way to protect the mailboxes of either all staff or those you consider subject to targeted malware such as CEO type staff and the IT department. Even if you do not redirect emails containing malicious attachments, you can report on the number and type of attachments that are blocked from the reporting console available from the image icon on the ATP toolbar. The following shows a 30 day report for my tenant (which has only a few live mailboxes protected). For data-points beyond 7 days old it will take a short while for the information on the report to be returned to you and you need to request that report from the provided link. For data-points under 7 days you can see the information in real-time. The grey background to report shows where the 7 day period is located. In the below screenshot the above malware can be see in the report as the single instance of an email that passed AV scanning successfully but was in fact a zero-day attack. The second screenshot below shows the type of malware attachments that ATP is blocking. From this we can see that the risk lies in maliciously crafted Excel and Word attachments.

SNAGHTML43c1954c SNAGHTML43ce425b

Safe Links

When an email is delivered to the end recipient, any technology that checks the target of any link in the email is prone to one large issue – the web page or attachment on the other side of the hyperlink in the email may be safe and okay to view at the time of delivery, but might not be at the time the user comes to open the email and then click the link. Being aware of users working, or at least email reading hours, and delivering emails outside this timeframe with links to websites that are okay at the time of delivery means the email passes any web site or download checks done by the email server.

Advanced Threat Protection’s Safe Links feature protects the user by rewriting the hyperlink in the email body so that the link is checked at the point of click and not the point of delivery. To do this the hyperlink is changed from the target to the Safe Links portal. Then when the user clicks the link, they are taken to the Safe Links portal and if the site is now on a block list, the user is blocked, but if the target of the link is fine they are sent a browser redirect to the original target. Note that this is not a proxy server – you do not connect to the target URL through the Safe Links portal, you just visit the Safe Links portal when you click the link and if the target is safe at point of click you are directed via your browser to the target (a client side redirect). If the target is not safe at point of click then an error page is displayed.

In the following screenshot is an email with a hyperlink in it. This link was received by me to my Safe Links protected account and it looks link it might be an attempt to download malware to my computer, but I am going to click the link anyway (in second screenshot I am hovering over the hyperlink):

image image

You can see from the above screenshot that the hyperlink takes the user first to https://na01.safelinks.protection.outlook.com/?url=targetURL&data=value&sData=otherValue. The na01 part of the URL will be regionally specific and so might read emea01 or apac01 etc. When the user clicks the link they go to region.safelinks.protection.outlook.com. In my case I see the following webpage:

image

Here I am told the page has been classified as malicious. I also have an option to continue anyway (and I can control if this setting appears for users or not) and an option to close the browser window.

If the hyperlink is not malicious at the point of click then I still go to the Safe Links portal (as it is the portal that checks the link at point of click), but then get redirected to the target URL. This can be seen in the following screenshot which shows the F12 developer tools enabled in the browser and the network trace screen shown at the bottom of the window:

image

You will see that the first line is the Safe Links portal and this take 0.75 second before being redirected with a HTTP 302 client side redirect to the target URL and then the rest of the objects on the target page (until I paused the trace).

So how do I set this all up? It is very similar to the Safe Attachments above in that we create a policy, and then any email that contains hyperlinks that is delivered to the end user after that users is added to a policy get rewritten.

First we go to the Advanced Threats area of the Exchange Administration Console:

SNAGHTMLeafbb84

Here you can see an existing policy. There are no policies by default. If I create a new policy I need to provide the following:

SNAGHTMLeb3664c

You can see from the screenshot that you need a name for the policy and whether or not a link is rewritten (policies with greater priority take precedence, so if a user is subject to two or more polices then only the higher priority policy takes effect, therefore you can use a policy to turn off link rewriting for a subset of users covered under a lower policy that enabled it for more users). Also you can disable link tracking and not to allow users to have the option to click through to the target URL. Link tracking allows you to report who clicked what link and not allowing users to click through disables the “Continue to this website (not recommended)” link on the Safe Links warning page.

You also have the ability to control URL’s that you do not want to rewrite, and rewriting will only happen for FQDN URL’s (that is those with dots in them) and not single name URL’s such as http://intranet.  This allows you to bypass redirection for sites you know are safe or are FQDN’s but are internal.

Finally you get to set who the policy applies to. You do not need to apply the policy to all users if you have not licenced all users, but you can set policy based on who the recipient is, what domain the recipient is in (all users in that domain) or a group (some users).

On the Mail Flow menu in Exchange Control Panel you can view a URL Trace of the links that users have clicked in the past 7 days. The report shows you the link clicked and if it was blocked or not. If the click through option is enabled, it will show if that was done as well. Only users in policies that track clicks will be reported. As report looks like the following:

SNAGHTMLfdf4592

Further Administration

To administer your Safe Links and Safe Attachments policy and rules via Remote PowerShell see http://c7solutions.com/2015/06/advanced-threat-protection-via-powershell

Speaking at TechEd Europe 2014

Posted on 4 CommentsPosted in certificates, cloud, EOP, exchange, exchange online, Exchange Online Protection, GeoDNS, hybrid, IAmMEC, journaling, mcm, mcsm, MVP, Office 365, smarthost, smtp, starttls, TechEd, TLS, transport

I’m please to announce that Microsoft have asked me to speak on “Everything You Need To Know About SMTP Transport for Office 365” at TechEd Europe 2014 in Barcelona. Its going to be a busy few weeks as I go from there to the MVP Summit in Redmond, WA straight from that event.

image

My session is going to see how you can ensure your migration to Office 365 will be successful with regards to keeping mail flow working and not seeing any non-deliverable messages. We will cover real world scenarios for hybrid and staged migrations so that we can consider the impact of mail flow at all stages of the project. We will look at testing mail flow, SMTP to multiple endpoints, solving firewalling issues, and how email addressing and distribution group delivery is done in Office 365 so that we always know where a user is and what is going to happen when they are migrated.

Compliance and hygiene issues will be covered with regards to potentially journaling from multiple places and the impact of having anti-spam filtering in Office 365 that might not be your mail flow entry point.

We will consider the best practices for changing SMTP endpoints and when is a good time to change over from on-premise first to cloud first delivery, and if you need to maintain on-premises delivery how should you go about that process.

And finally we will cover troubleshooting the process should it go wrong or how to see what is actually happening during your test phase when you are trying out different options to see which works for your company and your requirements.

Full details of the session, once it goes live, are at http://teeu2014.eventpoint.com/topic/details/OFC-B350 (Microsoft ID login needed to see this). Room and time to be announced.

Updating Exchange 2013 Anti-Malware Agent From A Non-Internet Connected Server

Posted on Leave a commentPosted in 2013, 64 bit, antivirus, exchange, Exchange Online Protection, IAmMEC, malware, mcm, mcsm, powershell, x64

In Forefront Protection for Exchange (now discontinued) for Exchange 2010 it was possible to run the script at http://support.microsoft.com/kb/2292741 to download the signatures and scan engines when the server did not have a direct connection to the download site at forefrontdl.microsoft.com.

To achieve the same with Exchange 2013 and the built-in anti-malware transport agent you can repurpose the 2010 script to download the engine updates to a folder on a machine with internet access and then use a script from Exchange Server 2013 to download from a share on the first machine that you downloaded the files to, and that the Exchange Servers can reach.

So start by downloading the script at http://support.microsoft.com/kb/2292741 and saving it as Update-Engines.ps1.

Create a folder called C:\Engines (for example) and share it with Authenticated Users / Read access and full control to the account that will run Update-Engines.ps1

Run Update-Engines.ps1 with the following

Update-Engines.ps1 -EngineDirPath C:\engines -UpdatePathUrl http://forefrontdl.microsoft.com/server/scanengineUpdate/  -Engines “Microsoft” -Platforms amd64

The above cmdlet/script downloads just the 64 bit Microsoft engine as that is all you need and places them in the local folder (which is the shared folder you created) on that machine. You can schedule this script using standard published techniques for scheduling PowerShell.

On your Exchange Server that has no internet connectivity, start Exchange Management Shell and run the following:

Set-MalwareFilteringServer ServerName –PrimaryUpdatePath \\dlserver\enginesShare

Then start a PowerShell window that is running as an administrator – you can use Exchange Management Shell, but it too needs to be started as an administrator to do this last step. In this shell run the following:

Add-PSSnapin microsoft.forefront.filtering.management.powershell

Get-EngineUpdateInformation

Start-EngineUpdate

Get-EngineUpdateInformation

Then compare the first results from Get-EngineUpdateInformation with the second results. If you have waited 30 or so seconds, the second set of results should be updated to the current time for the LastChecked value. UpdateVersion and UpdateStatus might also have changed. If your Exchange Server has internet connectivity it will already have updated automatically every hour and so not need this script running.

Exchange DLP Rules in Exchange Management Shell

Posted on Leave a commentPosted in 2013, cloud, DLP, EOP, exchange, exchange online, Exchange Online Protection, IAmMEC, IFilter, mcm, mcsm, Office 365

This one took a while to work out, so noting it down here!

If you want to create a transport rule for a DLP policy that has one data classification (i.e. data type to look for such as ‘Credit Card Number’) then that is easy in PowerShell and an example would be as below.

New-TransportRule -name “Contoso Pharma Restricted DLP Rule (Blocked)” -DlpPolicy ContosoPharma” -SentToScope NotInOrganization -MessageContainsDataClassifications @{Name=”Contoso Pharmaceutical Restricted Content”} -SetAuditSeverity High -RejectMessageEnhancedStatusCode 5.7.1 -RejectMessageReasonText “This email contains restricted content and you are not allowed to send it outside the organization”

As you can see, and highlighted in red, the data classification is a hashtable and the single classification is mentioned.

To add more than one classification is much more involved:

$DataClassificationA = @{Name=”Contoso Pharmaceutical Private Content”}
$DataClassificationB = @{Name=”Contoso Pharmaceutical Restricted Content”}
$AllDataClassifications = @{}
$AllDataClassifications.Add(“DataClassificationA”,$DataClassificationA)
$AllDataClassifications.Add(“DataClassificationB”,$DataClassificationB)
New-TransportRule -name “Notify if email contains ContosoPharma documents 1” -DlpPolicy “ContosoPharma” -SentToScope NotInOrganization -MessageContainsDataClassifications $AllDataClassifications.Values -SetAuditSeverity High -GenerateIncidentReport administrator -IncidentReportContent “Sender”,”Recipients”,”Subject” -NotifySender NotifyOnly

And as you can see, shown in red above, you need to make a hashtable of hashtables and then use the value of the final hashtable in the New-TransportRule

Highly Available Office 365 to On-Premises Mail Routing

Posted on 20 CommentsPosted in 2010, 2013, cloud, DNS, EOP, exchange, exchange online, Exchange Online Protection, hybrid, IAmMEC, MX, Office 365, smarthost, smtp

This article looks at how to configure mail flow from Office 365 (via Exchange Online Protection – EOP) to your On Premises organization to ensure that it is highly available and work in disaster recovery scenarios with no impact. It is based on exactly the same principle to that which I blogged about in 2012: http://c7solutions.com/2012/05/highly-available-geo-redundancy-with-html on creating redundant outbound connections from Exchange on premises.

The best way to explain this feature is to describe it in the way of an example:

For example MCMEmail Ltd have Hybrid set up, and delivery to the cloud first. So the DNS zone for mcmemail.co.uk has MX pointing to EOP.

They then create a new DNS zone at either a subzone (as in this example) or a different domain if they have one available. In the example this could be hybrid.mcmemail.co.uk. Into this zone they add the following records:

10 MX oxford-a.hybrid.mcmemail.co.uk

10 MX oxford-b.hybrid.mcmemail.co.uk

20 MX nuneaton.hybrid.mcmemail.co.uk

The below picture shows an example of this configured in AWS Route 53 DNS (though there are other DNS providers available)

image

In Exchange Online Protection administration pages (Office 365 Portal > Exchange Admin > Mail Flow > Connectors and modify your on-premises connector to point to the new zone. Example shown in the below picture:

image

Then all email is always delivered to the Oxford datacentre and nothing to the Nuneaton one (where the DR servers reside) unless the two Oxford datacentres (A and B) are both offline and so the 10 preference does not answer at all. At that time and that time only does the 20 preference get connected to.

Cannot Send Emails To Office 365 or Exchange Online Protection Using TLS

Posted on 7 CommentsPosted in 2003, 2007, 2010, 2013, exchange, exchange online, Exchange Online Protection, FOPE, hybrid, Office 365, spam, starttls, TLS

I have found this is a common issue. You set up an Exchange Online Hybrid or Exchange Online Protection (EOP) stand alone service and follow all the instructions for the creating of the connectors needed, only to find that your emails queue in your Exchange Server. If you turn on protocol logging you get this error in the log “Connector is configured to send mail only over TLS connections and remote doesn’t support TLS” and if you look at the SMTP protocol verbs that are recorded in the log you see that Microsoft’s servers do not offer STARTTLS as a verb.

STARTTLS is the SMTP verb needed to begin a secure and encrypted session using TLS. Communication between your on-premises servers and Microsoft for hybrid or EOP configurations requires TLS and if you cannot start TLS then your email will queue.

If you are not configuring hybrid or EOP standalone and need to send an email to someone on Office 365 then this is not an issue, because Exchange Server does not require TLS for normal email communication and so the lack of a STARTTLS verb means your email is sent in clear text.

The reason why you are not getting STARTTLS offered is that your connecting IP address is on the Microsoft block list. If you change your connector (temporarily) to allow opportunistic TLS or no TLS at all then your emails will leave the queue – but will be rejected by the Microsoft servers. The NDR for the rejection will tell you to email Microsoft’s delisting service. So now you have an NDR with the answer to the problem in, you can fix it! It takes 1 to 2 hours to get delisted from when Microsoft process your email – so they say it takes 48 hours end to end.

Therefore my recommendation when setting up Exchange Online Hybrid or stand alone EOP is to send an email over plain text to EOP before you configure your service. If you are on the blocklist then you will get back the delisting email and you can process that whilst setting up the connectors to Office 365 and so by the time you are ready to test, you are off the blocklist!

To send a test email over Telnet

  1. Install the Telnet Client feature on your Exchange Server that will be your source server for hybrid or connectivity to EOP for outbound email
  2. Type the following. This will send an email to a fake address at Microsoft, but will hit the TLS error before the message is rejected

    telnet microsoft-com.mail.protection.outlook.com 25

  3. You are now connected to Exchange Online Protection and you should get a 220 response
  4. Type the following to send the email by command line. No typo’s allowed in telnet, so type carefully. Replacing your email address where prompted so that you get the NDR back to you.

    ehlo yourdomainname.com
    mail from: youremailaddress@domainname.com
    rcpt to: madeupaddress@microsoft.com
    data
    from: Your Name <youremailaddress@domainname.com>
    to: madeupaddress@microsoft.com
    subject: testing to see if my IP is blocked

    type something here, it does not matter what, this is the body of the message you are sending
    .

  5. A few points about the above. It must finish with a . (full stop) on a line by itself followed by a carriage return. There must be a blank line between the subject line and the body. And finally, for each line of data you type, the Microsoft SMTP servers will return either a 250 or 354 response.

Whitelisting Salesforce Emails in Exchange Online Protection

Posted on 4 CommentsPosted in EOP, exchange, exchange online, Exchange Online Protection, Office 365, Salesforce, whitelist

In this article, Salesforce list three IP address ranges (by way of CIDR notation) where their emails can come from when you are a Salesforce.com user. To ensure these emails come to all users of your organization if you are using Exchange Online Protection (EOP) then you have to create a transport rule to attempt to bypass any filtering that might be applied to these messages.

The problem with this list of network ranges and EOP is that EOP only accepts CIDR ranges that are /24 or smaller (i.e. /24 to /32) when creating connectors or content filtering and the Salesforce ranges are all larger than that.

To add a range bigger than /24 you must create a Transport rule that operates on the IP address range that sets the spam confidence level (SCL) to Bypass spam filtering (meaning that all messages received from within this IP address range are set to “not spam” and no additional filtering is performed by the service). However, if any of these IP addresses appear on any of Microsoft’s proprietary block lists or on any of their third-party block lists, these messages will still be blocked. So even though it is possible to do this, the emails might still be blocked if the individual addresses are blocked.

To add the transport rule follow these steps:

  1. In the EAC, navigate to Mail flow > Rules.
  2. Click + and then select Create a new rule.
  3. Give the rule a name and then click More options.
  4. Under Apply this rule if, select The sender and then choose IP address is in any of these ranges or exactly matches.
  5. In the specify IP addresses, specify the IP address ranges provided by Salesforce, click Add +, and then click ok.
  6. Under Do the following box, set the action by choosing Modify the message properties and then set the spam confidence level (SCL). In the specify SCL box, select Bypass spam filtering, and click ok.
  7. If you’d like, you can make selections to audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. Manage Transport Rules contains more information about these selections.
  8. Click the save button to save the rule. It appears in your list of rules.

After you create and enforce the rule, spam filtering is bypassed for the IP address range you specified.