
Contents

Introduction .................................................................................................................................................. 2

Mail flow in Office 365 .................................................................................................................................. 3

Best practice for setting up authentication .............................................................................................. 3

Best practice for configuring MX records ................................................................................................. 4

Best practice for setting up hosted mail flow ........................................... Error! Bookmark not defined.

Domains .................................................................................................................................................... 4

Customizing mail flow ............................................................................................................................... 4

Spam filtering ................................................................................................................................................ 6

Anti-spam filter policies ............................................................................................................................ 6

A. Spam and bulk email actions ........................................................................................................ 7

B. Allow lists ...................................................................................................................................... 9

C. Block lists ....................................................................................................................................... 9

D. International spam ........................................................................................................................ 9

E. Spam properties .......................................................................................................................... 10

F. Applied to .................................................................................................................................... 11

Connection filter policy ........................................................................................................................... 11

Outbound spam filter policy ................................................................................................................... 12

Best practices for Exchange transport rules ........................................................................................... 13

Reviewing message headers ................................................................................................................... 14

Malicious email filtering .............................................................................................................................. 15

Anti-malware filter policies ..................................................................................................................... 15

Lowering the phish threshold by using Exchange transport rules ............. Error! Bookmark not defined.

Advanced Threat Protection ....................................................................................................................... 18

Creating a safe attachments policy ......................................................................................................... 18

Creating a transport rule to bypass safe attachments ........................................................................... 20

Creating a new safe links policy .............................................................................................................. 22

Modifying the default safe links policy ................................................................................................... 24

Creating a transport rule to bypass safe links ......................................................................................... 25

Additional recommendations ..................................................................................................................... 28

Using the Report Message add-in ........................................................................................................... 28


Enabling multi-factor authentication ...................................................................................................... 29

Introduction

The transition to the cloud is not one to be taken lightly. There’s little question that organizations will be able to save money moving to Microsoft Office 365, but the planning and processes involved in transitioning from an established infrastructure to a cloud environment can be a major undertaking.

Office 365 provides access to Exchange Online, SharePoint Online, Skype for Business, OneDrive for Business, and many other platforms and services. With so many different products in the Office 365 Suite, comprehensively covering the migration process is a challenge and outside the scope of this paper. Instead, this document will help you understand the areas you need to consider as you transition to Exchange Online in Office 365. In particular, it lays out the best practices for getting the most out of Exchange Online Protection and Office 365 Advanced Threat Protection.

If you are interested in learning more about managing and migrating to Exchange Online, see the following:

• Exchange Online
• Ways to migrate multiple email accounts to Office 365

Note: This document assumes that you have signed up for Office 365 and that your subscription includes Exchange Online. For the premium Office Advanced Threat Protection topics, a license of Office ATP is required either through Office 365 E5 or when consumed as a standalone service.


Mail flow in Office 365

Office 365 gives you flexibility in determining the best arrangement for how email is delivered to your organization’s mailboxes. The path email takes from the Internet to a mailbox and vice versa is called mail flow. Most organizations want Office 365 to manage all their mailboxes and filtering, and some organizations have more complex mail flow setups to account for such things as specific regulatory or business needs.

The three scenarios for routing mail when using Exchange Online Protection are:

• Fully hosted. All mailboxes are hosted in Exchange Online.
• Standalone. All mailboxes are hosted on-premises.
• Hybrid. Some mailboxes are hosted in Exchange Online and others are hosted on-premises.

This section provides a checklist for setting up mail flow in a fully hosted and hybrid deployment. If you are in a standalone scenario and want to protect your mailboxes with EOP, see Set up your EOP service and Mail flow in EOP.

Best practice for setting up authentication

In Office 365, four DNS records are particularly important: MX, SPF, DKIM, and DMARC records.

Office 365 has built-in anti-spoofing protection designed to detect legitimate cases of spoofing while shielding your organization from the illegitimate ones. However, sometimes the service doesn’t have enough intelligence, or history, to make that determination. For instance, this can happen if a new sender starts sending email as you, or the volume of email is too small to generate a positive reputation.

For these reasons, it is recommended that you use sender authentication techniques such as SPF, DKIM, and DMARC to aid in detecting those legitimate cases of spoofing and preventing unwanted spoofing and phishing. For customers who have Office 365 Enterprise E5 or have purchased Advanced Threat Protection licenses, the Spoof Intelligence feature in the Office 365 Security & Compliance Center (SCC) also provides insight into senders who are spoofing your domains into your organization. You can review senders who are spoofing your domain and then choose to allow the sender or block the sender.

Important: For optimal protection against phishing and spoofing, it is recommended that you implement all three authentication methods – SPF, DKIM, and DMARC.

For more information, see Set up SPF in Office 365 to help prevent spoofing and How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.

DKIM (DomainKeys Identified Mail). Exchange Online establishes two keys for every customer and signs all outbound mail using these keys by default. To ensure alignment, it is recommended that the appropriate DNS entries be created for each custom domain. For more information, see Use DKIM to validate outbound email sent from your custom domain in Office 365.

DMARC (Domain-based Message Authentication, Reporting and Conformance) provides protection both inside and outside the organization, and it is recommended that this be set up with a p=reject policy. For more information, see Best practices for implementing DMARC in Office 365 and Enhanced email protection with DKIM and DMARC in Office 365.

For more information regarding spoof intelligence, see Learn more about spoof intelligence.

Best practice for configuring MX records

MX (Mail Exchanger) records provide an easy way for mail servers to know where to send email. You can think of the MX record as a type of postal address. For example, the MX record for contoso.com below would mean that all mail is delivered to Office 365 first:

Hostname: contoso-com.mail.protection.outlook.com
Priority: 0
TTL: 1 hour

Exchange Online provides a layered approach to security, and as part of that layering, understanding where the message originated helps ensure that the right action is taken on the message. For this reason it is recommended that you always have your MX record point to Office 365. This ensures that the maximum information is available and is not limited by all messages arriving from a single source such as on-premises. You can route messages to on-premises, in hybrid cases for example, after processing in the cloud. See the best practices for setting up mail flow for your Office 365 environment for more details.

Important: Routing via on-premises or another service will have a detrimental effect on EOP effectiveness.
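The two sections above recommend specific states for the four DNS records (MX pointing at Office 365 with no other host in front of it, SPF, two DKIM selectors, DMARC at p=reject). The following is an added example that checks already-resolved records against those recommendations; it is not code from this guide or from Microsoft. The zone data is constructed for a fictional contoso.com tenant, and the `include:spf.protection.outlook.com` mechanism and the `selector1`/`selector2` DKIM names are Office 365 values that this page does not itself state.

```python
"""Checks for the four DNS records this guide calls out: MX, SPF, DKIM and DMARC.

Added example; not code from the guide or from Microsoft. Records are passed in
already resolved so the check runs offline; in practice feed it resolver output.
"""

O365_MX_SUFFIX = ".mail.protection.outlook.com"          # MX host pattern shown in the guide
O365_SPF_INCLUDE = "include:spf.protection.outlook.com"  # Office 365 SPF include (assumed; not on this page)
DKIM_SELECTORS = ("selector1", "selector2")              # Office 365's two selectors (assumed; page says "two keys")

# Constructed sample zone for a fictional tenant, keyed by (owner name, record type).
SAMPLE_DNS = {
    ("contoso.com", "MX"): ["0 contoso-com.mail.protection.outlook.com."],
    ("contoso.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("_dmarc.contoso.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"],
    ("selector1._domainkey.contoso.com", "CNAME"): ["selector1-contoso-com._domainkey.contoso.onmicrosoft.com."],
    # selector2 CNAME deliberately absent: the second signing key is not published.
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_mx(rdatas):
    """The lowest-priority MX must be the Office 365 host; any other MX lets mail bypass EOP."""
    if not rdatas:
        return ["MX: no record published"]
    entries = []
    for rdata in rdatas:
        prio, host = rdata.split(None, 1)
        entries.append((int(prio), host.strip().rstrip(".").lower()))
    entries.sort()
    findings = []
    _, primary = entries[0]
    if not primary.endswith(O365_MX_SUFFIX):
        findings.append(f"MX: preferred host {primary} is not Office 365, so EOP sees a single upstream source")
    for prio, host in entries[1:]:
        if not host.endswith(O365_MX_SUFFIX):
            findings.append(f"MX: secondary host {host} (priority {prio}) bypasses EOP")
    return findings


def check_spf(txts):
    """Exactly one v=spf1 record, covering Office 365 and ending in a restrictive 'all'."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records; receivers treat this as a permanent error"]
    terms = spf[0].split()
    findings = []
    if O365_SPF_INCLUDE not in terms:
        findings.append(f"SPF: {O365_SPF_INCLUDE} missing, mail sent from Office 365 may fail SPF")
    if terms[-1] not in ("-all", "~all"):
        findings.append(f"SPF: record ends with {terms[-1]!r} instead of -all or ~all")
    return findings


def check_dkim(domain, dns):
    """Both selector CNAMEs must exist so signatures from either key align with the custom domain."""
    findings = []
    for selector in DKIM_SELECTORS:
        name = f"{selector}._domainkey.{domain}"
        if not dns.get((name, "CNAME")):
            findings.append(f"DKIM: {name} has no CNAME, so DKIM cannot align for this domain")
    return findings


def check_dmarc(txts):
    """DMARC must exist and, per the guide's recommendation, enforce p=reject."""
    records = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no record at _dmarc"]
    policy = parse_dmarc(records[0]).get("p", "none")
    if policy != "reject":
        return [f"DMARC: policy is p={policy}; the recommended setting is p=reject"]
    return []


def audit(domain, dns):
    """Run all four checks; an empty list means every record matches the guide's advice."""
    return (
        check_mx(dns.get((domain, "MX"), []))
        + check_spf(dns.get((domain, "TXT"), []))
        + check_dkim(domain, dns)
        + check_dmarc(dns.get((f"_dmarc.{domain}", "TXT"), []))
    )


if __name__ == "__main__":
    for finding in audit("contoso.com", SAMPLE_DNS):
        print(finding)
```

On the sample zone the audit reports two findings: the missing `selector2` CNAME and the DMARC policy still at `p=quarantine`. The MX check sorts by priority so that a lower-priority non-Office 365 host in front of EOP is caught even when the Office 365 MX is also present.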

Domains

Office 365 uses domains, like contoso.com, to route email messages. When you set up email in Office 365, you typically switch from the default domain that you got when you first signed up for Office 365 (the domain ending with .onmicrosoft.com) to your organization’s domain. Domain names, like contoso.com, are managed by using a worldwide system of domain registrars (for example, GoDaddy, HostGator, or Moniker) and databases called the Domain Name System (DNS). DNS provides a mapping between human-readable computer hostnames and the IP addresses used by networking equipment. If you’re new to DNS, we recommend that you read DNS basics.

When you add your domain(s) to Office 365, each is called an accepted domain. This means that users in a given domain can send and receive mail. For more information on how to add your domain to Office 365 using the Office 365 admin center, see Add your domain to Office 365.

After you add your domain(s) using the Office 365 admin center, you can use the Exchange admin center (EAC) to view your accepted domains and configure the domain type.

Important: You should ensure that you register all your domains.

For more information, see Manage accepted domains in Exchange Online.

Customizing mail flow

Your email service in Office 365 is provided by either Exchange Online or Exchange Online Protection (EOP). But if you have special circumstances, you can configure connectors, which are a collection of instructions that customize the way your email flows.

For more information, see Configure mail flow using connectors in Office 365 and Test mail flow with the Remote Connectivity Analyzer.

Remember that if you create connectors, be sure to consider the impact they may have on your EOP effectiveness.

Layered Approach

Exchange Online Protection provides a layered approach to email security, and customers can influence the behavior at some of these layers. For example, administrators can choose what type of content they allow into their organization by blocking content with certain extensions, or control which type of bulk content they allow.

Office 365 Advanced Threat Protection builds upon these layers by adding advanced security features to further protect against malicious content and spoofing.

Neither EOP nor ATP is intended to replace network or endpoint security solutions. Rather, the combination of EOP and ATP provides comprehensive protection against attacks originating in email. Specifically, EOP provides protection from commodity spam and malware, whereas ATP protects organizations from advanced targeted threats such as zero-day malware and malicious URLs that are often used in advanced phishing attacks.

The following sections cover the standard and advanced items that are available for an admin to influence the various layers, and best practices for configuring the layers.

Spam filtering

Spam filtering is enabled by default and, as configured, will meet most organizations’ needs. However, as an admin, you can edit the default anti-spam policy so that it’s tailored to best meet the needs of your organization. You can also create custom content filter policies and apply them to specified users, groups, or domains in your organization as needed. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies.

Note: We recommend viewing the following series of introductory videos about how to get started with protecting your email messaging environment: Videos for getting started with protecting your email.

Basic spam filter settings include selecting the action to take on messages identified as spam: either place the message in the Junk Email folder or quarantine it. When an email message goes through spam filtering, it is evaluated and an individual Spam Confidence Level (SCL) rating is assigned to the message. The service takes action on the message depending on the spam confidence interpretation of the SCL rating. For more information, see Spam confidence levels.

NOTE: Spam-filter policy settings are applied to inbound messages only.

Anti-spam filter policies

There are several key elements of the anti-spam filter policy that can impact your organization. Below is a list of the key elements and how they can impact filtering in your environment.

A. Spam and bulk email actions

Expanding spam and bulk actions lets you configure the actions to take for spam, high confidence spam, phishing email, and bulk email. The actions that you can set for each of these are:

• Move message to Junk Email folder. Sends the message to the Junk Email folder of the specified recipients. This is the default action for both confidence threshold levels.
• Add X-header. Sends the message to the specified recipients but adds X-header text to the message header that identifies it as spam. Using this text as an identifier, you can optionally create rules to filter or route the messages as needed. The default X-header text is This message appears to be spam.
• Prepend subject line with text. Sends the message to the intended recipients but prepends the subject line with the text that you specify in the Prefix subject line with this text input box. Using this text as an identifier, you can optionally create rules to filter or route the messages as needed.


• Redirect message to email address. Sends the message to a designated email address instead of to the intended recipients. Specify the “redirect” address in the Redirect to this email address input box.
• Delete message. Deletes the entire message, including all attachments.
• Quarantine message. Sends the message to quarantine instead of to the intended recipients. If you select this option, in the Retain spam for (days) input box, specify the number of days during which the spam message will be quarantined. (It will automatically be deleted after the time elapses. The default value is 15 days, which is the maximum value. The minimum value is 1 day.)

Note: For information about how administrators can manage email messages that reside in the quarantine in the EAC, see Quarantine and Find and release quarantined messages as an administrator. For information about configuring end-user spam notification messages to be sent to end users, see Configure end-user spam notifications in EOP or Configure end-user spam notifications in Exchange Online.

Bulk email

Bulk mailers vary in their sending patterns, content creation, and list acquisition practices. Some are good bulk mailers that send wanted messages with relevant content to their subscribers. These messages generate few complaints from recipients. Other bulk mailers send unsolicited messages that closely resemble spam and generate many complaints from recipients. Office 365 scores each bulk message from 1 (generally good sender) to 9 (generally bad sender).

When managing your spam filter policies, you can select a threshold to treat bulk email as spam. This threshold is based on the bulk complaint level of the message. You can choose a threshold setting from 1 - 9. The default setting of 7 allows most good bulk messages to be delivered; however, adjusting to 5 or 6 is a good practice if you feel you are receiving too much spam. The service then performs the configured action, such as sending the message to the recipient’s Junk Email folder.

For more information, see Bulk Complaint Level values and What's the difference between junk email and bulk email?.
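The spam, high confidence spam and bulk actions above are keyed on two per-message scores: the SCL and the bulk complaint level. The following is an added example, not code from this guide or from Microsoft, that models how a policy turns those scores into one of the listed actions and shows the effect of lowering the bulk threshold from the default 7 to 6 or 5 on a constructed batch of messages. The SCL bands (-1 allowed, 0-4 not spam, 5-6 spam, 7-9 high confidence spam) are Microsoft's documented values and are assumed here because this page does not list them; the short action labels and the evaluation order are this example's own simplification.

```python
"""Which action an anti-spam policy takes on a message, given its SCL and bulk complaint level.

Added example; not code from the guide or from Microsoft. SCL bands are assumed
from Microsoft's documentation: -1 allow, 0-4 not spam, 5-6 spam, 7-9 high confidence.
"""
from dataclasses import dataclass, replace

# Short labels for the six actions the guide lists (constructed names, not product identifiers).
ACTIONS = {"MoveToJmf", "AddXHeader", "PrependSubject", "Redirect", "Delete", "Quarantine"}
DEFAULT_X_HEADER_TEXT = "This message appears to be spam"   # default X-header text from the guide


@dataclass(frozen=True)
class AntiSpamPolicy:
    spam_action: str = "MoveToJmf"                  # guide: Junk Email folder is the default for both levels
    high_confidence_spam_action: str = "MoveToJmf"
    bulk_action: str = "MoveToJmf"
    bulk_threshold: int = 7                         # guide: default 7; 5 or 6 if too much spam gets through
    quarantine_retention_days: int = 15             # guide: default 15 (the maximum), minimum 1

    def __post_init__(self):
        for action in (self.spam_action, self.high_confidence_spam_action, self.bulk_action):
            if action not in ACTIONS:
                raise ValueError(f"unknown action {action!r}")
        if not 1 <= self.bulk_threshold <= 9:
            raise ValueError("bulk threshold must be 1-9")
        if not 1 <= self.quarantine_retention_days <= 15:
            raise ValueError("quarantine retention must be 1-15 days")


def classify(scl):
    """Map an SCL rating to the verdict band that selects the policy action."""
    if scl == -1:
        return "allowed"
    if scl >= 7:
        return "high_confidence_spam"
    if scl >= 5:
        return "spam"
    return "not_spam"


def decide(policy, scl, bcl):
    """Return the configured action, or 'Deliver' when nothing in the policy fires.

    Evaluation order (this example's simplification): an allow verdict skips everything,
    spam verdicts win over the bulk threshold, and bulk is only consulted for clean messages.
    """
    band = classify(scl)
    if band == "allowed":
        return "Deliver"
    if band == "high_confidence_spam":
        return policy.high_confidence_spam_action
    if band == "spam":
        return policy.spam_action
    if bcl >= policy.bulk_threshold:
        return policy.bulk_action
    return "Deliver"


# Constructed sample traffic: (description, SCL, BCL).
SAMPLE_MESSAGES = [
    ("weekly newsletter the user subscribed to", 1, 3),
    ("retail promotion from a mixed-reputation list", 1, 6),
    ("aggressive marketing list with many complaints", 1, 7),
    ("pharmacy spam", 6, 5),
    ("credential phish", 9, 0),
    ("partner message from an allow-listed sender", -1, 8),
]


def caught_by_threshold(messages, thresholds, policy=AntiSpamPolicy()):
    """Count how many sample messages leave the inbox at each bulk threshold.

    Illustrates the trade-off the guide describes: moving from 7 to 6 catches the
    borderline bulk sender while the wanted newsletter (BCL 3) is still delivered.
    """
    counts = {}
    for threshold in thresholds:
        tuned = replace(policy, bulk_threshold=threshold)   # re-runs validation in __post_init__
        counts[threshold] = sum(1 for _, scl, bcl in messages if decide(tuned, scl, bcl) != "Deliver")
    return counts


if __name__ == "__main__":
    for threshold, n in caught_by_threshold(SAMPLE_MESSAGES, (7, 6, 5)).items():
        print(f"bulk threshold {threshold}: {n} of {len(SAMPLE_MESSAGES)} messages actioned")
```

With the default policy, three of the six sample messages are actioned at threshold 7 and four at 6; going further to 5 catches nothing extra in this batch, which is the kind of measurement worth taking before tightening the threshold tenant-wide.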

B. Allow lists

On the Allow Lists page, you can specify entries, such as senders or domains, that will always be delivered to the inbox; most filtering is skipped for these messages. This list should be used with caution, and it is not recommended that large ranges of IPs or domains be placed in this list.

• Add trusted senders to the Sender allow list. Click Add, and then in the selection dialog box, add the sender addresses you wish to allow. You can separate multiple entries using a semi-colon or a new line. Click OK to return to the Allow Lists page.
• Add trusted domains to the Domain allow list. Click Add, and then in the selection dialog box, add the domains you wish to allow. You can separate multiple entries using a semi-colon or a new line. Click OK to return to the Allow Lists page.

Warning: If you allow top-level domains, it's likely that email you don't want will be delivered to an inbox.

C. Block lists

On the Block Lists page, you can specify entries, such as senders or domains, that will always be marked as spam. The service will apply the configured high confidence spam action on email that matches these entries.

• Add unwanted senders to the Sender block list. Click Add, and then in the selection dialog box, add the sender addresses you want to block. You can separate multiple entries using a semi-colon or a new line. Click OK to return to the Block Lists page.
• Add unwanted domains to the Domain block list. Click Add, and then in the selection dialog box, add the domains you want to block. You can separate multiple entries using a semi-colon or a new line. Click OK to return to the Block Lists page.

Warning: If you block top-level domains, it's likely that email you want will be marked as spam.

D. International spam

On the International Spam page, you can filter email messages written in specific languages, or sent from specific countries or regions. Office 365 uses information in the message to determine the language, and it is recommended that you use this to block messages as needed. You can configure up to 86 different languages and 250 different regions. The service will apply the configured action for high confidence spam.

• Select the Filter email messages written in the following languages check box to enable this functionality. Click Add, and then in the selection dialog box, make your choices (multi-selection is supported). For example, if you select to filter messages written in Arabic (AR), and Quarantine message is your configured action for high confidence spam messages, then any messages written in Arabic will be quarantined. Click OK to return to the International Spam pane.
• Select the Filter email messages sent from the following countries or regions check box to enable this functionality. Click Add, and then in the selection dialog box, make your choices (multi-selection is supported). For example, if you select to filter all messages sent from Australia (AU), and Quarantine message is your configured action for high confidence spam messages, then any messages sent from Australia will be quarantined. Click OK to return to the International Spam pane.

Note: By default, if no international spam options are selected, the service performs normal spam filtering on messages sent in all languages and from all regions. Messages are analyzed and the configured actions are applied if the message is determined to be spam or high confidence spam.

E. Spam properties

Under Spam properties, you are able to configure the following advanced options; however, these are generally not necessary:

• Increase spam score. Lets you specify whether to increase the spam score for messages that include various types of links or URLs.
• Mark as spam. Lets you specify whether to mark messages that include various properties as spam. This is also where you can enable or disable the SPF record: hard fail, Conditional Sender ID filtering: hard fail, and NDR backscatter settings.

Important: It is recommended that you do not enable SPF record: hard fail except in extraordinary circumstances, because doing so may result in a large number of false positives.

• Test mode options. Lets you configure the test mode options for when a match is made to a test-enabled advanced option. Options include the following:
  o None. Take no test mode action on the message. This is the default.
  o Add default X-header text. Checking this option sends the message to the specified recipients but adds a special X-header to the message that identifies it as having matched a specific advanced spam filtering option.
  o Send Bcc message. Checking this option sends a blind carbon copy of the message to the email address you specify in the input box.

F. Applied to

For custom policies only, expand Apply to and then create a condition-based rule to specify the users, groups, and/or domains for whom to apply this policy. You can create multiple conditions provided that they are unique.

• To select users, select The recipient is. In the subsequent dialog box, select one or more senders from your company from the user picker list and then click add. To add senders who aren’t on the list, type their email addresses and click Check names. In this box, you can also use wildcards for multiple email addresses (for example: *@domainname). When you are done with your selections, click OK to return to the main screen.
• To select groups, select The recipient is a member of and then, in the subsequent dialog box, select or specify the groups. Click OK to return to the main screen.
• To select domains, select The recipient domain is and then, in the subsequent dialog box, add the domains. Click OK to return to the main screen.

You can create exceptions within the rule; for example, you can filter messages from all domains except for a certain domain. Click add exception and then create your exception conditions similar to the way you created the other conditions.
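The Spam filtering section states that custom policies run before the default policy in priority order, and this section lists the three conditions and the exceptions a custom policy can carry. The following is an added example, not code from this guide or from Microsoft, that resolves which policy applies to a given recipient under those rules, including the `*@domainname` wildcard. The policies, groups and addresses are constructed, and the way several conditions of different kinds combine (each condition type present must match; values within one type are alternatives) is an assumption of this example, since the page does not spell it out.

```python
"""Which anti-spam policy applies to a recipient: custom policies in priority order, then the default.

Added example; not code from the guide or from Microsoft. Models the three conditions the
guide lists (The recipient is, The recipient is a member of, The recipient domain is),
the *@domainname wildcard, and exceptions. Condition combination logic is assumed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Recipient:
    address: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Conditions:
    recipient_is: tuple = ()          # addresses; '*@contoso.com' style wildcards allowed
    member_of: tuple = ()             # group names
    recipient_domain_is: tuple = ()   # domains

    def matches(self, recipient):
        """Values within one condition are alternatives; every condition type present must match.

        An empty Conditions never matches, so a policy with no exceptions excludes nobody.
        """
        address = recipient.address.lower()
        domain = address.rpartition("@")[2]
        checks = []
        if self.recipient_is:
            checks.append(any(fnmatchcase(address, pattern.lower()) for pattern in self.recipient_is))
        if self.member_of:
            wanted = {g.lower() for g in self.member_of}
            checks.append(bool({g.lower() for g in recipient.groups} & wanted))
        if self.recipient_domain_is:
            checks.append(domain in {d.lower() for d in self.recipient_domain_is})
        return bool(checks) and all(checks)


@dataclass(frozen=True)
class Policy:
    name: str
    bulk_threshold: int = 7
    priority: int = 0                                   # lower number runs first (custom policies only)
    applies_to: Conditions = field(default_factory=Conditions)
    exceptions: Conditions = field(default_factory=Conditions)


def select_policy(recipient, custom_policies, default_policy):
    """First custom policy, in priority order, whose conditions match and whose exceptions do not."""
    for policy in sorted(custom_policies, key=lambda p: p.priority):
        if policy.applies_to.matches(recipient) and not policy.exceptions.matches(recipient):
            return policy
    return default_policy


# Constructed sample configuration for a fictional tenant.
DEFAULT = Policy("Default")
CUSTOM = [
    Policy("Partner domain", bulk_threshold=6, priority=1,
           applies_to=Conditions(recipient_is=("*@fabrikam.com",)),
           exceptions=Conditions(recipient_is=("noreply@fabrikam.com",))),
    Policy("Executives", bulk_threshold=5, priority=0,
           applies_to=Conditions(member_of=("Executives",)),
           exceptions=Conditions(recipient_is=("ceo-assistant@contoso.com",))),
]


def policy_for(address, groups=()):
    """Name of the policy that would process mail to this recipient under the sample configuration."""
    return select_policy(Recipient(address, frozenset(groups)), CUSTOM, DEFAULT).name


if __name__ == "__main__":
    samples = [("cfo@contoso.com", ("Executives",)), ("ceo-assistant@contoso.com", ("Executives",)),
               ("alice@fabrikam.com", ()), ("noreply@fabrikam.com", ()), ("bob@contoso.com", ())]
    for addr, groups in samples:
        print(f"{addr:28} -> {policy_for(addr, groups)}")
```

The excepted assistant and the excepted `noreply@` mailbox fall back to the default policy rather than to the next custom policy only because no other custom policy matches them; an executive who also sits in the partner domain gets the priority-0 policy, which is the ordering effect the guide's "running order" remark refers to.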

Connection filter policy

Connection filtering allows you to bypass filtering of messages or block messages from a set of IP addresses or ranges. These policies should be used with care, as allowing an IP address to send mail without filtering could allow spoofing of a domain. For example, if you allow IP address 10.0.0.1, then filtering is skipped for messages from this address, and the sender is also able to spoof any domain.

You create an IP Allow list or IP Block list by editing the connection filter policy in the Security & Compliance Center (SCC). The connection filter policy settings are applied to inbound messages only.

1. In the Security & Compliance Center, click Threat management > Policy, then click Anti-spam.
2. Click the Custom tab on the Anti-spam settings page.
3. Expand Connection filter policy (always ON), then click Edit policy.
4. Create your Allow and/or Block lists by clicking Edit as appropriate.
5. In the subsequent dialog box, specify the IP address or address range, and then click OK. (You can also edit or remove IP addresses after they have been added.)

Important: Adding entries here may be risky and result in other protection schemes being skipped. It is recommended that you review all entries closely. For more information, see Configure the connection filter policy.

Outbound spam filter policy

Outbound filtering checks to make sure your users aren't sending spam. For instance, a user's computer may get infected with malware that causes it to send spam messages, so we build protection against that into the service.

Outbound spam filtering is always enabled if you use the service for sending outbound email, thereby protecting organizations using the service and their intended recipients. If a customer continues to send outbound spam through the service, they will be blocked from sending messages.

Although outbound spam filtering cannot be disabled or changed, you can use the Security & Compliance Center to configure several company-wide outbound spam settings via the default outbound spam policy.

1. In the Security & Compliance Center, click Threat management > Policy, then click Anti-spam.

2. Click the Custom tab on the Anti-spam settings page.

3. Expand Outbound spam filter policy (always ON), then click Edit policy.

4. On the Outbound spam filter policy page, you can select from the following check boxes pertaining to outbound messages, and then specify an associated email address or addresses in the accompanying input box (these can be distribution lists if they resolve as valid SMTP destinations):

• Send a copy of suspicious outbound email messages to specific people. These are messages that are marked as spam by the filter (regardless of the SCL rating). They are not rejected by the filter but are routed through the higher risk delivery pool. Note that the recipients specified receive the messages as a blind carbon copy (Bcc); the From and To fields are the original sender and recipient.

• Notify specific people if a sender is blocked due to sending outbound spam.

5. Click save. A summary of your default policy settings appears in the right pane.

When a significant amount of spam is originating from a particular user, the user is disabled from sending email messages. The administrator for the domain, who is specified using this setting, will be informed that outbound messages are blocked for this user. To see what this notification looks like, see Sample notification when a sender is blocked sending outbound spam. For information about getting re-enabled, see Removing a user, domain, or IP address from a block list after sending spam email.

Best practices for Exchange transport rules

Transport rules allow you a large degree of flexibility over the way messages are handled and processed by Exchange Online. One option when creating an ETR is to skip spam filtering based on a set of conditions. Just as with skipping spam filtering within the spam filter policy, if you skip filtering in an ETR it is important to combine multiple criteria about the domain, sender, or IP so that the rule matches only what is expected and cannot be satisfied by a spoofed message. Any one of these alone is weak: an IP range can include hosts you did not intend, a sender domain can be forged, and a passing authentication result only proves that the message legitimately came from whatever domain it was sent from, not that the domain is one you trust. It is recommended that you combine the following elements:

• Limit the IP range

• Ensure you identify the domain(s) or sender(s)

• Ensure that authentication passes

You should also ensure that you don't include large consumer domains such as yahoo.com or gmail.com, since anyone can create an account there and any message from such an account would satisfy the domain condition.

• Figure: an example rule that uses a combination of IP + Domain + Authentication.
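The rule in the figure, as an added example in Exchange Online PowerShell rather than the EAC; this is not the guide's own code. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline), and the IP range and domain are constructed placeholders standing in for what the partner actually publishes for its outbound mail.

```powershell
# Added example, not the guide's own figure: a mail flow rule that bypasses spam filtering
# only when all three of the checks the guide lists hold at once.
# Assumes the ExchangeOnlineManagement module; 203.0.113.8/29 and partner.example are placeholders.
Connect-ExchangeOnline

$rule = @{
    Name     = "Bypass spam filtering - partner gateway"
    Comments = "All three conditions must hold. Do not widen the IP range or add consumer domains."
    Mode     = "Enforce"

    # 1. Limit the IP range: only the hosts the partner relays from (a /29, never a /8).
    SenderIpRanges = "203.0.113.8/29"

    # 2. Identify the domain: the sender's domain must be the partner's own domain.
    SenderDomainIs = "partner.example"

    # 3. Authentication passes: EOP stamps Authentication-Results before mail flow rules are
    #    evaluated, so the rule can require an SPF pass. Require dmarc=pass instead if the
    #    partner publishes DMARC; that ties the pass to the From domain the user sees.
    HeaderMatchesMessageHeader = "Authentication-Results"
    HeaderMatchesPatterns      = "spf=pass"

    # Action: SCL -1 skips spam filtering only. Malware filtering and ATP still run.
    SetSCL = -1
}
New-TransportRule @rule

# Verify that every condition stuck: a missing condition silently widens the bypass.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, SenderIpRanges, SenderDomainIs, HeaderMatchesMessageHeader, HeaderMatchesPatterns, SetSCL
```

Splatting keeps each condition next to its comment; the same rule built in the EAC is three conditions plus the "set the spam confidence level (SCL) to bypass spam filtering" action.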

Reviewing message headers

When Exchange Online Protection scans an inbound email message it inserts the X-Forefront-Antispam-Report header into each message. The fields in this header can help provide administrators with information about the message and about how it was processed. The fields in the X-Microsoft-Antispam header provide additional information about bulk mail and phishing. In addition to these two headers, Exchange Online Protection also inserts email authentication results for each message it processes in the Authentication-Results header.

For information about how to view an email message header in various email clients, see Message Header Analyzer. You can copy and paste the contents of the message header into the Message Header Analyzer tool. When you select a message in the quarantine in the Exchange admin center, the View message header link also easily lets you copy and paste the message header text into the tool. Once in the Message Header Analyzer tool, click Analyze headers in order to retrieve information about the header.

For more information, see Anti-spam message headers.
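Reading these headers by hand is error-prone, so here is an added example (not from the guide) that parses the three headers named above and says why a message was or was not filtered. The header block is constructed for illustration; the SFV and IPV values it interprets are the documented EOP verdict codes, and the spf/dkim/dmarc extraction assumes the standard Authentication-Results syntax.

```powershell
# Added example, not from the guide: pull the EOP verdict fields out of a message header.
# $rawHeaders is a constructed sample, not a real capture.
$rawHeaders = @'
Received: from mail.partner.example (203.0.113.10) by EOP
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=partner.example; dkim=none (message not signed)
 header.d=none;dmarc=bestguesspass action=none header.from=partner.example;
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;
 SFV:SKN;H:mail.partner.example;PTR:mail.partner.example;CAT:NONE;SFTY:;DIR:INB;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(7020095);SRVR:BN6PR12MB1234;
'@

function Get-HeaderValue {
    # Return the unfolded value of one header. RFC 5322 folding: a line that starts with
    # whitespace continues the previous header line.
    param([string]$Headers, [string]$Name)
    $unfolded = $Headers -replace "`r?`n[ \t]+", " "
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match "^$([regex]::Escape($Name)):\s*(.*)$") { return $matches[1] }
    }
    return $null
}

function Get-AntispamReport {
    # Parse "CIP:1.2.3.4;SCL:5;SFV:SPM;..." into a hashtable keyed by field name.
    param([string]$Headers)
    $fields = @{}
    $value = Get-HeaderValue -Headers $Headers -Name 'X-Forefront-Antispam-Report'
    if ($null -eq $value) { return $fields }
    foreach ($pair in ($value -split ';')) {
        if ($pair -match '^\s*([A-Z]+):(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
    }
    return $fields
}

function Get-AuthResults {
    # Pull the spf/dkim/dmarc verdicts out of Authentication-Results.
    param([string]$Headers)
    $results = @{}
    $value = Get-HeaderValue -Headers $Headers -Name 'Authentication-Results'
    if ($null -ne $value) {
        foreach ($m in [regex]::Matches($value, '\b(spf|dkim|dmarc)=(\w+)')) {
            $results[$m.Groups[1].Value] = $m.Groups[2].Value
        }
    }
    return $results
}

function Get-DeliveryReason {
    # Map the SFV (spam filter verdict) and IPV fields to the reason a message was or was not
    # filtered. SKA, SKN and SFE are the three verdicts to rule out before submitting a
    # missed message to Microsoft: they mean your own configuration let it through.
    param([hashtable]$Report)
    if ($Report['IPV'] -eq 'CAL') {
        return "Skipped spam filtering: connecting IP $($Report['CIP']) is on the IP Allow List"
    }
    switch ($Report['SFV']) {
        'SKA'   { 'Skipped spam filtering: sender or domain is on the spam filter policy allow list' }
        'SKN'   { 'Marked non-spam before filtering, for example by a transport rule that set SCL -1' }
        'SFE'   { 'Skipped spam filtering: sender is on the recipient''s Safe Senders list' }
        'SKI'   { 'Skipped spam filtering: intra-organization message' }
        'SKS'   { 'Marked spam before filtering, for example by a transport rule' }
        'SPM'   { "Filtered as spam, SCL $($Report['SCL'])" }
        'NSPM'  { "Scanned and judged not spam, SCL $($Report['SCL'])" }
        default { "Verdict '$($Report['SFV'])' from connecting IP $($Report['CIP'])" }
    }
}

$report = Get-AntispamReport -Headers $rawHeaders
$auth   = Get-AuthResults   -Headers $rawHeaders
"Connecting IP: $($report['CIP'])  SCL: $($report['SCL'])  SFV: $($report['SFV'])"
"Authentication: spf=$($auth['spf']) dkim=$($auth['dkim']) dmarc=$($auth['dmarc'])"
Get-DeliveryReason -Report $report
```

Paste a real header into $rawHeaders (or read it with Get-Content -Raw) and the last line tells you whether to fix an allow list, a transport rule, or a user's Safe Senders list before treating the message as a filter miss.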

Malicious email filtering

EOP offers multi-layered malware protection that's designed to catch all known malware traveling inbound to or outbound from your organization. Malware filtering is automatically enabled in your tenant via the default anti-malware policy. As an administrator, you can view and edit the default anti-malware policy, but you can't delete it. For greater granularity, you can also create custom anti-malware policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies.

If malware is detected in an email attachment, the entire message will be quarantined and can be released only by an admin. By default, users aren't notified if this happens. But you do have the ability to change the detection response setting so that users are automatically notified using either a default response or one that you create yourself.

Anti-malware filter policies

You need to be assigned permissions before you can perform this procedure. In this case, you must be a member of the Organization Management or Hygiene Management role groups. For more information about role groups, see Understanding management role groups.

1. In the Security & Compliance Center, click Threat management > Policy > Anti-malware.

2. On the Anti-malware page, do one of the following:

• Double-click the default policy in order to edit the company-wide policy.

• Click the New icon to create a new policy that can be applied to users, groups, and domains in your organization. You can also edit existing custom policies by double-clicking them.

3. For custom policies only, specify a name for this policy. You can optionally specify a more detailed description as well. You cannot rename the default policy.

Note: When creating a new policy, all configuration settings appear on a single screen, whereas when editing a policy you must navigate through different screens. The settings are the same in either case, but the rest of this procedure describes how to access these settings when editing a policy.

4. Click the Settings menu option. If malware is detected in an email attachment, the message will be quarantined and can be released only by an admin. In the Malware Detection Response section, use the option buttons to configure recipient notifications:

• No

• Yes and use the default notification text

• Yes and use custom notification text

5. In the Common attachment types filter section, choose which file types you want the Malware Detection Response option selected above to apply to. New policies have the most commonly used malicious file types selected to be detected as malware by default. The filter supports both true file types, when available, and file extensions.

• Several types of files typically deliver malware through email. This on/off setting prevents the selected file types from being delivered to your inboxes as well as from being sent by your users.

• The list of file types the malware filter detects can be customized per policy by adding further file types to the list.

6. In the Notifications section, you have the option to send a notification email message to senders or administrators when a message is detected as malware and is not delivered. These notifications are only sent when the entire message is deleted.

a. In the Sender Notifications section, select the check boxes to Notify internal senders (those within your organization) or to Notify external senders (those outside your organization) when a detected message is not delivered. Be aware that an external sender notification goes to whatever address appears as the sender, which for malware is frequently forged, so it can become backscatter to an uninvolved third party.

b. Similarly, in the Administrator Notifications section, select the check boxes to Notify administrator about undelivered messages from internal senders or to Notify administrator about undelivered messages from external senders. Specify the email address or addresses of the administrator in their respective Administrator email address fields after selecting one or both of these check boxes. The default notification text is "This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected." The language in which the default notification text is sent is dependent on the locale of the message being processed.

c. In the Customize Notifications section, you can create customized notification text to be used in place of the default notification text for sender and administrator notifications. Select the Use customized notification text check box, and then specify values in the following required fields:

• From name. The name you want to be used as the sender of the customized notification.

• From address. The email address you want to be used as the sender of the customized notification.

• Messages from internal senders. The Subject and Message of the notification if the detected message originated from an internal sender.

• Messages from external senders. The Subject and Message of the notification if the detected message originated from an external sender.

d. For custom policies only, click the Apply to menu item and then create a condition-based rule to specify the users, groups, and/or domains for whom to apply this policy. You can create multiple conditions provided that they are unique.

• To select users, select The recipient is. In the subsequent dialog box, select one or more senders from your company from the user picker list and then click add. To add senders who aren't on the list, type their email addresses and click Check names. In this box, you can also use wildcards for multiple email addresses (for example: *@domainname). When you are done with your selections, click ok to return to the main screen.

• To select groups, select The recipient is a member of and then, in the subsequent dialog box, select or specify the groups. Click ok to return to the main screen.

• To select domains, select The recipient domain is and then, in the subsequent dialog box, add the domains. Click ok to return to the main screen.

You can create exceptions within the rule; for example, you can filter messages from all domains except for a certain domain. Click add exception and then create your exception conditions in the same way you created the other conditions.

e. Click Save. A summary of your default policy settings appears in the right pane.
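The same custom policy and scope as an added example in Exchange Online PowerShell (not the guide's own code). It assumes the ExchangeOnlineManagement module; the addresses and domain are placeholders, and the Action values are the ones that corresponded to the three Malware Detection Response options when this example was written, so confirm them with (Get-Command New-MalwareFilterPolicy).Parameters['Action'] before relying on them.

```powershell
# Added example, not from the guide: a custom anti-malware policy with the settings from
# steps 4-6 and a scope with an exception from step 6d. Assumes the ExchangeOnlineManagement
# module; contoso.example addresses are placeholders.
Connect-ExchangeOnline

$policy = @{
    Name = "Finance anti-malware policy"
    # Step 4, Malware Detection Response: "No" = DeleteMessage (quarantine, no recipient notice);
    # "Yes, default text" = DeleteAttachmentAndUseDefaultAlert; "Yes, custom text" = DeleteAttachmentAndUseCustomAlert.
    Action = "DeleteMessage"
    # Step 5, Common attachment types filter: these extensions are treated as malware, inbound and outbound.
    EnableFileFilter = $true
    FileTypes        = "ace","ani","app","docm","exe","jar","js","reg","scr","vbe","vbs","wsf"
    # Step 6b, Administrator notifications for undelivered messages.
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = "secops@contoso.example"
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = "secops@contoso.example"
    # Step 6a, Sender notifications: tell internal users, but not external senders, because the
    # external "sender" of malware is usually a forged address and the notice becomes backscatter.
    EnableInternalSenderNotifications = $true
    EnableExternalSenderNotifications = $false
}
New-MalwareFilterPolicy @policy

# Step 6d: scope by recipient domain, with the mailbox that the security team uses to receive
# samples excepted. An excepted recipient falls back to the default policy: malware is still
# filtered there, only this policy's file-type list and notifications no longer apply.
$domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
New-MalwareFilterRule -Name "Finance anti-malware rule" `
    -MalwareFilterPolicy $policy.Name `
    -RecipientDomainIs $domains `
    -ExceptIfSentTo "malware-samples@contoso.example" `
    -Priority 0

# Verify what is in force, including the effective file-type list.
Get-MalwareFilterPolicy -Identity $policy.Name | Format-List Action, EnableFileFilter, FileTypes, *Notifications*
```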

Advanced Threat Protection

Once email passes through the front-line defenses provided by EOP, it is further analyzed by ATP for anything suspicious. ATP's safe attachments feature analyzes attachments by detonating them in a hypervisor sandbox environment where the attachment undergoes behavioral analysis to determine if it delivers a malicious payload that modifies the registry, system settings, access rights, etc. ATP's safe links feature checks any URLs that are embedded in the message body by validating them against a list of URLs that are known to be malicious. If URL detonation is enabled and a link that is embedded in a message or attachment points to a file on an external web server, safe links will download the file to the sandbox environment where it is analyzed in the same manner as a suspicious email attachment.

Note: Advanced Threat Protection is available with Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on.

Creating a safe attachments policy

Before you can create a safe attachment policy, you must be assigned the appropriate permissions. In this case, you must be a member of the Organization Management or Hygiene Management role groups. For more information about role groups, see Understanding management role groups.

Important: It is recommended that you apply ATP safe attachment policies to ALL users in your organization.

1. Open the Security & Compliance Center by navigating to https://protection.office.com and sign in using your admin account credentials.

2. In the left navigation pane, click Threat management > Policy.

3. Click ATP Safe Attachments.

4. Click the New (+) icon to open the new safe attachments policy page.

5. Enter a name and description (optional) for your policy.

6. Under Select the action for unknown malware in attachments, choose one of the following options:

• Off. Attachments will not be scanned for malware.

• Monitor. Continue delivering the message after malware is detected and track the scanning results.

• Block. Blocks the current and future emails and attachments with detected malware.

• Replace. Blocks the attachments with detected malware but continues to deliver the message body to the user.

• Dynamic delivery. Immediately delivers the message body without attachments and reattaches attachments after scanning if they are found to be safe.

7. Under Redirect attachment on detection you have the ability to enable one or both of the following settings:

• If you want to forward attachments that are blocked, replaced, or monitored to a security administrator in your organization for further investigation, check the Enable redirect checkbox and enter an email address. Use a dedicated, restricted mailbox for this, since it will receive live malware.

• You can also have those attachments forwarded if the scanning process should time out, by selecting the Apply the above selection if malware scanning for attachments times out or error occurs checkbox. Without this, the selected action is not applied when scanning cannot complete.

8. Under Applied To, click the drop-down list above the add condition button to specify the users, groups, or domains that the policy will be applied to. You can select from one of the following options:

• The recipient is

• The recipient domain is

• The recipient is a member of

You can add multiple conditions, if required. For instance, you could select a combination of a distribution group in your organization and someone in your organization who is not a member of that group. Or, you can apply a policy with a less restrictive action to one set of users while applying a more restrictive policy to another set of users.

9. Unless you are creating multiple policies for different sets of users, select The recipient domain is and add all of your accepted domains, so that your policy is applied to all users in the organization.

10. You can also add exceptions. For example, you could configure a condition to specify a particular domain in your organization while excluding the security team.

11. When you have finished with the settings, click Save.

Note: You can set up multiple safe attachments policies for your organization. These policies will be applied in the order they're listed on the ATP safe attachments page. It can take up to 30 minutes for the safe attachments policy changes to take effect.
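The policy from steps 6 through 10, as an added Exchange Online PowerShell example (not from the guide), with a check at the end that every accepted domain is actually covered. It assumes the ExchangeOnlineManagement module; the mailbox and group names are placeholders, and the parameter names are those of the module when this example was written, so confirm them with (Get-Command New-SafeAttachmentPolicy).Parameters.Keys.

```powershell
# Added example, not from the guide: an organization-wide safe attachments policy.
# Assumes the ExchangeOnlineManagement module; contoso.example addresses are placeholders.
Connect-ExchangeOnline

$policy = @{
    Name   = "Org safe attachments"
    Enable = $true
    # Step 6: Block. The other values are Replace, DynamicDelivery and Allow (the Monitor option).
    Action = "Block"
    # Step 7: send detected attachments to a restricted triage mailbox, and apply the same
    # action when scanning times out or errors rather than leaving the attachment unhandled.
    Redirect        = $true
    RedirectAddress = "malware-triage@contoso.example"
    ActionOnError   = $true
}
New-SafeAttachmentPolicy @policy

# Steps 8-10: every accepted domain, with the security team's group excepted.
$domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
New-SafeAttachmentRule -Name $policy.Name `
    -SafeAttachmentPolicy $policy.Name `
    -RecipientDomainIs $domains `
    -ExceptIfSentToMemberOf "sec-team@contoso.example" `
    -Priority 0

# Coverage check: any accepted domain missing from an enabled rule is unprotected.
$covered = (Get-SafeAttachmentRule | Where-Object State -eq 'Enabled').RecipientDomainIs
$domains | Where-Object { $_ -notin $covered } |
    ForEach-Object { Write-Warning "No enabled safe attachments rule covers $_" }
```

Run the coverage check again whenever a new accepted domain is added; the policy does not pick up new domains by itself.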

Creating a transport rule to bypass safe attachments

Sometimes it is useful to allow mail to flow without delay from internal senders such as scanners or fax gateways that send attachments that are known to be safe and come from a trusted source. It is not generally recommended to skip filtering for all internal messages, as a compromised account would then be able to send malicious content unscanned. You can create a transport rule, also known as a mail flow rule, in the Exchange admin center (EAC) to bypass safe attachments scanning.

1. Open the Office 365 Admin portal by navigating to https://portal.office.com and sign in using your admin credentials.

2. On the Office 365 Home page, click the Admin tile or select it from the App launcher to open the Office 365 Admin center.

3. In the left navigation pane, click Admin centers > Exchange.

4. In the EAC, select mail flow in the left navigation pane.

5. Select rules in the top navigation list.

6. Click the New (+) icon, and then click Create a new rule.

7. Specify a name for your new rule.

8. In the Apply this rule if... list, select an option, such as The sender is located... > Inside the organization, and then click OK. Note: You can choose from several options, such as The sender is a member of... or The sender address includes.... You can also set other criteria, including specifying senders, recipients, distribution group members and attachment types. Inside the organization on its own matches every internal mailbox, which is the broad bypass warned against above; add a specific sender address and, where possible, the source IP range so that only the scanner's mail matches.

9. Choose More options....

10. In the *Do the following... list, select Modify the message properties... > set a message header.

11. In the Set the message header phrase, click the first instance of *Enter text..., enter X-MS-Exchange-Organization-SkipSafeAttachmentProcessing as the header name, and then click OK.

12. In the Set the message header phrase, select the remaining *Enter text..., and then type something, such as a space, and then choose OK. (This value is not actually used by the system, even though something is required for the rule to work.)

13. To save your settings, click Save.

Creating a new safe links policy

Safe links provides protection for end users by checking the link at time of click. This helps protect the end user where a link was originally sent without a malicious payload but the destination is updated after delivery to include malicious content. Safe links is both client and location agnostic, in that the location and device being used by the end user will not affect the behavior of wrapped links. Additionally, safe links can be configured to support links in Office 2016 clients where the user is signed in with their Office 365 credential.

Safe links includes a default policy that controls global settings such as which links to block and which links to wrap. You can't delete this policy, but you can edit it in your environment as needed, for example to block a malicious link specific to your environment.

You must create a policy that defines how links are handled in messages and associate it with the users in your organization, by group or domain, for them to be protected by safe links.

Important: It is recommended that you apply ATP safe links policies to ALL users in your organization.

1. Go to https://protection.office.com and sign in using your admin account credentials.

2. In the left navigation pane, click Threat management > Policy.

3. Click ATP Safe Links.

4. Under Policies that apply to specific recipients, click the New (+) icon to open the new safe links policy page.

5. Enter a name and description (optional) for your policy.

6. Under Select the action for unknown potentially malicious URLs in messages, select On so that URLs will be rewritten and checked.

7. Select Use Safe Attachments to scan downloadable content to enable URL detonation to scan files hosted on web sites. For example, if an email contains a link such as http://contoso.com/maliciousfile.pdf, the .pdf file is opened in a separate hypervisor environment and, if the file is found to be malicious, users will see a warning page if they click the link.

8. Select Apply safe links to messages sent within the organization to provide the same level of protection when links are sent by email within the organization.

9. Do not select Do not track user clicks, so that you are able to track and monitor when users click links that are determined to be malicious.

10. Select Do not allow users to click through to the original URL to prevent users from proceeding to the target web site if it is found to be malicious.

11. If users frequently receive links from web sites that are known to be safe, you can enter those URLs under Do not rewrite the following URL. For example, you might add the URL to a partner's website if users frequently receive emails from the partner that include URLs to the external organization's website. Keep this list short and specific: a URL on it is never checked, so a compromised page on that site would pass straight through. Note: To learn more about safe links policy options, see Learn about ATP safe links policy options.

12. Under Applied To, click the drop-down list above the add condition button to specify the users, groups, or domains that the policy will be applied to. You can select from one of the following options:

• The recipient is

• The recipient domain is

• The recipient is a member of

13. Unless you are creating multiple policies for different sets of users, select The recipient domain is and add all of your accepted domains, so that your policy is applied to all users in the organization.

14. To save your settings, click Save. For more information, see Set up a custom "do not rewrite" URLs list using ATP safe links and Set up a custom blocked URLs list using ATP safe links.

Modifying the default safe links policy

The following steps illustrate how you would use the Security & Compliance Center to modify the default policy to enable safe links in Office 2016 documents.

1. Go to https://protection.office.com and sign in using your admin account credentials.

2. In the left navigation pane, click Threat management > Policy.

3. Click ATP Safe Links.

4. Under Policies that apply to the entire organization, click the Edit icon (looks like a pencil) to open the safe links policy for your organization.

5. On the Safe links policy for your organization page you have the ability to configure the following options:

• Block the following URLs. Keeps a list of website addresses that will be automatically blocked for all users in the organization. When users click a hyperlink pointing to any website in this list, they'll be taken to a warning page that explains why the website is blocked.

• Office 2016 on Windows. When selected, ATP safe links protection is applied to hyperlinks in documents that are open in Office ProPlus 2016 applications including Word 2016, Excel 2016, PowerPoint 2016, or Visio 2016 running on Windows. (Recommended)

• Do not track when users click safe links. When selected, click data for hyperlinks is not kept. It is recommended that you do not enable this, as click data is what lets you find out whether a user clicked a link that was subsequently identified as bad.

• Do not let users click through safe links to original URL. When selected, users cannot proceed past a warning page to a website that is determined to be malicious. (Recommended)

6. To save your changes, click Save.
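Both procedures, the custom safe links policy (Creating a new safe links policy, steps 6 through 13) and the organization-wide settings (Modifying the default safe links policy, step 5), as one added Exchange Online PowerShell example that is not the guide's own code. It assumes the ExchangeOnlineManagement module; the URLs, addresses and group names are placeholders. The parameter names are the module's at the time this example was written (earlier versions called them DoNotTrackUserClicks, DoNotAllowClickThrough, IsEnabled and EnableSafeLinksForClients), so confirm them with (Get-Command New-SafeLinksPolicy).Parameters.Keys and (Get-Command Set-AtpPolicyForO365).Parameters.Keys.

```powershell
# Added example, not from the guide: a recipient-scoped safe links policy plus the
# organization-wide safe links settings. Assumes the ExchangeOnlineManagement module;
# partner.example, known-bad.example and contoso.example are placeholders.
Connect-ExchangeOnline

$policy = @{
    Name                     = "Org safe links"
    EnableSafeLinksForEmail  = $true    # step 6: rewrite and check URLs in messages
    ScanUrls                 = $true    # step 7: URL detonation of downloadable content
    EnableForInternalSenders = $true    # step 8: also protect mail sent within the organization
    TrackClicks              = $true    # step 9: keep click data for investigations
    AllowClickThrough        = $false   # step 10: no click-through past the warning page
    # step 11: one exact URL, not the whole partner site; anything listed here is never checked
    DoNotRewriteUrls         = "https://portal.partner.example/login"
}
New-SafeLinksPolicy @policy

# Steps 12-13: apply to every accepted domain.
$domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
New-SafeLinksRule -Name $policy.Name -SafeLinksPolicy $policy.Name -RecipientDomainIs $domains -Priority 0

# Organization-wide policy (the pencil icon under "Policies that apply to the entire organization"):
# links in Office clients, the block list, click tracking on, click-through off.
Set-AtpPolicyForO365 -EnableSafeLinksForO365Clients $true `
    -BlockUrls "https://known-bad.example/*" `
    -TrackClicks $true `
    -AllowClickThrough $false

# Review: the two settings the guide recommends must read True and False respectively.
Get-AtpPolicyForO365 | Format-List EnableSafeLinksForO365Clients, TrackClicks, AllowClickThrough, BlockUrls
Get-SafeLinksPolicy -Identity $policy.Name | Format-List TrackClicks, AllowClickThrough, DoNotRewriteUrls
```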

Creating a transport rule to bypass safe links

Similar to bypassing safe attachments, you can also create a transport rule to bypass safe links. The same caution applies: scope the rule to the specific internal sender that needs it, not to all internal mail.

1. Open the Office 365 Admin portal by navigating to https://portal.office.com and sign in using your admin credentials.

2. On the Office 365 Home page, click the Admin tile or select it from the App launcher to open the Office 365 Admin center.

3. In the left navigation pane, click Admin centers > Exchange.

4. In the EAC, select mail flow in the left navigation pane.

5. Select rules in the top navigation list.

6. Click the New (+) icon, then click Create a new rule.

7. Specify a name for your new rule.

8. In the Apply this rule if... list, choose an option, such as The sender is located... > Inside the organization, and then choose OK.

Note: You can choose from several options, such as The sender is a member of... or The sender address includes.... You can also set other criteria, including specifying senders, recipients, distribution group members and attachment types.

9. Choose More options....

10. In the *Do the following... list, select Modify the message properties... > set a message header.

11. In the Set the message header phrase, select the first *Enter text... phrase, enter X-MS-Exchange-Organization-SkipSafeLinksProcessing as the header name, then click OK.

12. In the Set the message header phrase, select the remaining *Enter text..., and then type something, such as a space, and then choose OK. (This value is not actually used by the system, even though something is required for the rule to work.)

13. To save your settings, click Save.

Lowering the phish threshold by using Exchange transport rules

EOP provides a number of protections against phishing messages including the use of first and third party reputation data, heuristic clustering and machine learning. Within ATP an additional set of machine models are used to further analyze messages for phishing, and these models can be controlled through an ETR. The machine models return a score based on the probability of a message being phish, and certain actions are taken based on this score. At a higher score stronger actions are taken than at lower scores; however, for certain users in the organization (executives, for example) you may want to take the stronger actions even when the score is lower. To achieve this you can use a transport rule to set the threshold at which the strongest action is taken. Since the scoring is non-linear, we recommend setting this to a value of 2 (medium).

To lower the phish threshold, you create a transport rule that stamps a header on inbound messages for the users whose phishing threshold is to be lowered. This is reasonably simple to do via the Office 365 Portal as follows:

1. Log in to the Office 365 Admin portal, https://portal.office.com/AdminPortal/Home#/homepage.

2. In the left-hand navigation pane, click Admin Centers > Exchange.

3. Select mail flow from the left-hand navigation. Once loaded you should see a screen similar to the following.

Figure: the mail flow page in the EAC.

4. Click on the "+" and select Create new rule.

5. In the dialog box that comes up, complete the following:

a. Click on "more options..." at the bottom of the dialog box. This is necessary to show all fields required to complete the rule.

b. Name: name the rule something that makes sense for your organization, such as "Exec Phish Threshold".

c. Apply this rule if...

i. Sender condition: select The sender... | is external/internal, followed by Outside my organization in the dialog box, then click OK.

ii. Click Add Condition so you can restrict who the action is performed for.

iii. The recommendation is to use a group, by selecting The recipient... | is a member of this group and selecting the group from the resulting dialog box.

d. Do the following...

i. Select Modify the message properties... | set a message header.

ii. Click on *Enter text... next to Set the message header.

iii. Set the message header name to X-MS-Exchange-Organization-PhishThresholdLevel (the same X-MS-Exchange-Organization- prefix as the safe attachments and safe links bypass headers) and click OK.

iv. Click on the *Enter text... after the value.

v. Set the header value to 2, then click OK. Acceptable values are 4 (default), 3 (high) and 2 (medium). We recommend medium as the starting point.

e. The rule should appear similar to the following:

Figure: the completed Exec Phish Threshold rule.

f. Click Save.

Note: The new rule should take effect within about 15 to 30 minutes.
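The three header-stamping rules this guide describes (the safe attachments bypass, the safe links bypass, and the phish threshold rule above) share one shape, so here they are together as an added Exchange Online PowerShell example that is not the guide's own code. It assumes the ExchangeOnlineManagement module; the scanner and alert addresses, the IP range and the group name are placeholders, and the two bypass rules are scoped to a single sender and source range rather than to "inside the organization", which is the narrow scope the guide's warning calls for.

```powershell
# Added example, not from the guide: the three header-stamping mail flow rules.
# Assumes the ExchangeOnlineManagement module; contoso.example addresses and 203.0.113.16/29
# (the public IP the scanner relays from) are placeholders.
Connect-ExchangeOnline

# 1. Bypass safe attachments only for the scanner's own address from its own IP range.
#    "Sender is inside the organization" alone would let any compromised mailbox skip detonation.
New-TransportRule -Name "Skip safe attachments - MFP scanner" `
    -From "scanner@contoso.example" `
    -SenderIpRanges "203.0.113.16/29" `
    -SetHeaderName "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" `
    -SetHeaderValue "skip" `
    -Comments "Header value is ignored by the service but must be non-empty."

# 2. Same shape for safe links, again scoped to one internal system rather than all internal mail.
New-TransportRule -Name "Skip safe links - monitoring alerts" `
    -From "alerts@contoso.example" `
    -SenderIpRanges "203.0.113.16/29" `
    -SetHeaderName "X-MS-Exchange-Organization-SkipSafeLinksProcessing" `
    -SetHeaderValue "skip"

# 3. Lower the phish threshold for a high-value group: external senders only, recipients in
#    the group, value 2 (medium, the guide's recommended starting point).
New-TransportRule -Name "Exec Phish Threshold" `
    -FromScope NotInOrganization `
    -SentToMemberOf "execs@contoso.example" `
    -SetHeaderName "X-MS-Exchange-Organization-PhishThresholdLevel" `
    -SetHeaderValue "2"

# Review: every rule that stamps an X-MS-Exchange-Organization-* header, with its scope.
# A bypass rule whose only condition is FromScope = InOrganization is the over-broad case to look for.
Get-TransportRule | Where-Object { $_.SetHeaderName -like 'X-MS-Exchange-Organization-*' } |
    Format-Table Name, State, From, SenderIpRanges, FromScope, SentToMemberOf, SetHeaderName, SetHeaderValue
```

The review query is worth keeping as a standing check: these headers turn protection off, and a rule added later with a looser condition is easy to miss in the EAC list.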

Additional recommendations

Before we conclude this overview of best practices for implementing EOP and ATP, there are two more recommendations you should be aware of.

Using the Report Message add-in

We recommend deploying this for the entire tenant as described in this article. Messages that your Office 365 email account marks as junk are automatically moved to users' Junk Email folder. However, spammers and phishing attempts are continually evolving. If you receive a junk email in your inbox, you can use the Report Message add-in to send the message to Microsoft to help us improve our spam filters. If you find an email in your Junk Email folder that's not spam, you can use the Report Message add-in to mark it as a legitimate email, move the message to your Inbox, and report the false positive to help Microsoft improve our spam filters. This add-in works with Outlook 2016 and can be easily deployed for one or all users. To download the add-in, see Report Message add-in. For information about enabling the add-in, see Enable the Report Message add-in.

Note: Before sending samples to Microsoft, refer to Anti-spam message headers and analyze the message headers from the email that users are receiving. Did these messages get through because of rules (SFV:SKA, SFV:SKN) or user safelist configurations (SFV:SFE)? If so, the fix is in your own configuration, and submitting the sample will not change the outcome. For the submission procedure, refer to Submitting spam back to Office 365.

Enabling multi-factor authentication

Users often reuse the same email address and password combination, which is risky, especially when those credentials are also used to access resources outside of your organization. To reduce the impact of compromised credentials, we recommend that you enable multi-factor authentication (MFA).

For instructions about enabling MFA in Office 365, see Set up multi-factor authentication for Office 365 users.

After you have enabled MFA on your tenant, your users can refer to Set up 2-step verification for Office 365 to set up their second sign-in method for Office 365.

Common scenarios

This section describes scenarios you should be aware of that are frequently observed in customer deployments.

1. Multiple spam filters. Some customers will want to use EOP in conjunction with another filtering solution (e.g., IronPort). For optimal effectiveness against spam, you should point the MX record at EOP. That said, there are scenarios in which a combined setup is supported and scenarios in which it is not. For example, pointing the MX record at a third-party solution that does not perform spam filtering is not supported, because doing so breaks EOP’s ability to filter spam. Even where it is supported, several features will not work properly, including IP reputation blocks, IP throttling, sender authentication checks such as SPF and DMARC, and spam filter rules. If you must configure EOP alongside another solution, we recommend that you place the third-party solution behind EOP. For more information, see Hooking up additional spam filters in front of or behind Office 365.

2. Compromised users. Malicious email sometimes originates from users in an organization whose accounts have been compromised. If you have reason to suspect this is happening, encourage the customer to consider Azure Active Directory Identity Protection to identify the compromised users and mitigate the issue.

3. Unrealistic expectations. Ensure customers understand that EOP provides spam, bulk, and malware protection but only very basic protection against phish. ATP is also required to protect against advanced phishing attacks and zero-day malware.

4. Filter tuning. When managing your spam filter policies, you can select a bulk complaint level (BCL) threshold at which bulk email is treated as spam. The default setting of 7 allows most good bulk messages to be delivered. However, lowering it to 5 or 6 is a good practice if you feel you are receiving too much spam. Rule of thumb: if there is a high rate of false positives, the thresholds may be too sensitive; if there is a high rate of false negatives, they may not be sensitive enough. If the customer has enabled ATP, see the guidance on tuning the phish threshold.
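As an added example (not part of this guide or of any Microsoft tool), the following Python helper applies the header analysis described in the Report Message note and the BCL tuning rule above: it parses an X-Forefront-Antispam-Report value, reports whether the message bypassed filtering because of a rule (SFV:SKA, SFV:SKN) or a user safelist (SFV:SFE), and checks the message's BCL against the policy threshold. The sample header value is constructed, and the assumption that a message is treated as bulk when its BCL is at or above the threshold is marked in the code.

```python
from typing import Dict, Optional

# Constructed sample header value (not captured from a real message).
SAMPLE_HEADER = (
    "CIP:203.0.113.5;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:SFE;"
    "H:mail.example.test;PTR:mail.example.test;CAT:NONE;SFTY:;SFS:;DIR:INB;BCL:6;"
)

# Codes the guide asks you to look for, plus the two plain content-filter verdicts.
SFV_REASONS = {
    "SKA": "skipped filtering: sender or domain is on an anti-spam policy allow list",
    "SKN": "skipped filtering: marked as non-spam before filtering (e.g. mail flow rule)",
    "SFE": "skipped filtering: sender is on the recipient's Safe Senders list",
    "SPM": "content filter marked the message as spam",
    "NSPM": "content filter marked the message as not spam",
}


def parse_antispam_report(header: str) -> Dict[str, str]:
    """Split a semicolon-separated 'KEY:value' header into a dict (empty values kept)."""
    fields: Dict[str, str] = {}
    for part in header.split(";"):
        if ":" not in part:
            continue  # skip trailing empty segments
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def explain_delivery(header: str, bcl_threshold: int = 7) -> Dict[str, object]:
    """Explain why a message reached the inbox and whether it is worth submitting."""
    fields = parse_antispam_report(header)
    sfv = fields.get("SFV", "")
    raw_bcl = fields.get("BCL", "")
    bcl: Optional[int] = int(raw_bcl) if raw_bcl.isdigit() else None
    bypassed_by_rule = sfv in ("SKA", "SKN")
    bypassed_by_user = sfv == "SFE"
    return {
        "sfv": sfv,
        "reason": SFV_REASONS.get(sfv, f"SFV:{sfv} (verdict not classified here)"),
        "bypassed_by_rule": bypassed_by_rule,
        "bypassed_by_user_safelist": bypassed_by_user,
        "bcl": bcl,
        # Assumption: BCL at or above the policy threshold is treated as bulk/spam.
        "bulk_over_threshold": bcl is not None and bcl >= bcl_threshold,
        # A message that bypassed filtering is a configuration issue, not a filter miss.
        "worth_submitting": not (bypassed_by_rule or bypassed_by_user),
    }
```

Run `explain_delivery(SAMPLE_HEADER)` for the default threshold of 7, and `explain_delivery(SAMPLE_HEADER, bcl_threshold=6)` to see how the stricter setting recommended above changes the bulk verdict for the same message.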
