
Best practice: block phish/spam emails at MS O365 backend or Exchange Online

sunhux asked:
We've had quite a bit of phishing/spamming lately, so my IT support colleague has the recommendation below. I'd like your inputs/views on whether the recommendation below is good, or on any other alternative best practices out there. We don't have Proofpoint or an email security gateway.

"Note that we should keep the Exchange Online rule/filter as empty as possible as rules filtering affects performance on the Exchange Online; every rule/filter is processed on every single email individually, delaying email delivery eventually.

Recommendation is to perform the blocking at our Exchange Online first (for faster turnaround) and highlight the phishing/spamming source to our host (i.e. the MS team supporting O365) and allow them to take the appropriate actions at their end, as ultimately the RBL/DNSBL relies on the origin/host backend infrastructure.

After acknowledgement from the origin/host on the actions taken, we then remove the rule/filter from our Exchange Online"

Most Valuable Expert 2015
Distinguished Expert 2019

Commented:
Good luck having Microsoft acknowledge every single spam/phish vector out there. Even if you open a case for every message you report, you will simply get a standard reply back, which is in no way a guarantee that the same messages won't continue to hit your users. In fact, there have been a lot of complaints lately about Microsoft dropping the ball on that end, with many obvious spam/phish messages being delivered to the Inbox.

That said, reporting those messages is indeed an important "signal" that Microsoft uses to fine-tune the filters. However, you should not rely just on that functionality. There's a reason you are provided with those additional controls, and if you see your users being targeted by specific types of messages, you should configure blocked IPs/ranges, any of the advanced options, or good old transport rules. Yes, there is an impact, but that's minor, and generally speaking that's Microsoft's problem. Your users' safety is more important than a potential 1s delay in processing.

As a best practice, you should consider ATP if you haven't purchased it already; especially the "safe links" and "safe attachments" features are life savers. Remember though that there's no 100% protection, so don't rely just on that, but educate your users and react as soon as possible when you see a new emerging threat.

Author

Commented:
One thought that came to my mind: often the phishing/spamming from a particular source lasts for 1 day; after that it's gone. So I reckon we can safely remove it from our Exchange Online??

Another thing I noted this morning when we were getting more than 1000 phishing emails from that source: the originating IP is already in RBLs, as listed by:

https://www.ipvoid.com/ip-blacklist-check/

So, like what you said, MS failed to block it via RBL/DNSBL??
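The RBL/DNSBL listing the author found on ipvoid can be checked directly from a workstation, which is useful when deciding whether a temporary block is still needed. The following is an added example, not code from the thread or from Microsoft: it builds the reversed-octet DNSBL query name and resolves it with Resolve-DnsName (DnsClient module on Windows). The zone list, the `Test-DnsblListing` function name and the 192.0.2.10 sample address are this example's own choices; an answer in 127.0.0.0/8 means "listed", while Spamhaus uses 127.255.255.x to signal a lookup problem rather than a listing, so those are reported separately.

```powershell
# Added example: DNSBL lookup for an IPv4 address.
# Query form is <d.c.b.a>.<zone>; an A record inside 127.0.0.0/8 means the address is listed.
function Test-DnsblListing {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        # Zones are this example's choice; use whichever lists your organisation trusts.
        [string[]]$Zones = @('zen.spamhaus.org', 'bl.spamcop.net')
    )
    $octets = $IPAddress.Split('.')
    if ($octets.Count -ne 4) { throw "IPv4 address expected: $IPAddress" }
    [array]::Reverse($octets)
    $reversed = $octets -join '.'

    foreach ($zone in $Zones) {
        $query   = "$reversed.$zone"
        # NXDOMAIN (not listed) is the normal case, so resolver errors are silenced here.
        $answers = @(Resolve-DnsName -Name $query -Type A -DnsOnly -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.IPAddress })
        # Spamhaus answers 127.255.255.x when the query itself is the problem
        # (e.g. sent through an open/public resolver); that is not a listing.
        $errors = @($answers | Where-Object { $_ -like '127.255.255.*' })
        $hits   = @($answers | Where-Object { $_ -like '127.*' -and $_ -notlike '127.255.255.*' })
        [pscustomobject]@{
            IPAddress = $IPAddress
            Zone      = $zone
            Listed    = ($hits.Count -gt 0)
            Codes     = ($hits -join ',')     # return codes identify the sub-list that matched
            Error     = ($errors -join ',')
        }
    }
}

# Constructed sample address from the documentation range 192.0.2.0/24; expected result: not listed.
Test-DnsblListing -IPAddress '192.0.2.10'
```

Run it with the connecting IP taken from the message's Received headers (the hop that handed the mail to Exchange Online), not from any forged header further down. The DNSBLs are consulted through the machine's configured resolver; Spamhaus in particular declines queries that arrive via large public resolvers, which is exactly the case the Error column surfaces.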

Author

Commented:
The other question: is it true that placing too many rules in Exchange Online will slow down email delivery, as my IT support colleague mentioned?
IT Service Manager
Top Expert 2012
Commented:
> The other question: is it true that placing too many rules in Exchange Online will slow down email delivery, as my IT support colleague mentioned?

No.. we are running with 300 rules (which is the max in EXO) and have asked Microsoft to increase the limit.. waiting for approval.
Most Valuable Expert 2015
Distinguished Expert 2019
Commented:
If it impacted the servers that much, Microsoft could always disable a specific rule or lower the limit. Don't worry about it.

But yes, in many cases the attacks happen for a very limited duration, so any rules or blocks you place become stale. It makes sense to review them periodically, just for manageability purposes.
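The controls Vasil lists earlier (blocked IPs/ranges and transport rules) and the periodic review he recommends here can be scripted together, so that a block created during a one-day campaign carries its own review date and can be found and removed later. The following is an added example written for this thread, not code from Experts Exchange, Microsoft or any poster: it assumes the ExchangeOnlineManagement module and an account with Exchange admin rights, and the IP ranges, rule name and the `TEMP-BLOCK` naming convention are constructed placeholders.

```powershell
# Added example: temporary sender-IP blocks in Exchange Online with a built-in review cycle.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
Connect-ExchangeOnline -ShowBanner:$false

# Constructed sample values from the documentation ranges; replace with the real campaign source.
$blockedIps = @('192.0.2.10', '198.51.100.0/24')
$reviewDate = (Get-Date).AddDays(7)
$ruleName   = 'TEMP-BLOCK phish campaign <date placeholder>'

# Option A: connection filter. Mail from these IPs is rejected at the connection stage,
# before any transport rule is evaluated, so it adds no per-message rule processing.
Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{Add = $blockedIps}

# Option B: transport rule that quarantines instead of rejecting, so a false positive can
# still be released. The rule expires on its own and the comment records when to review it.
New-TransportRule -Name $ruleName `
    -SenderIpRanges $blockedIps `
    -Quarantine $true `
    -ExpiryDate $reviewDate `
    -Comments ("Temporary phish block. Review by {0:yyyy-MM-dd}. MS case: <case id placeholder>." -f $reviewDate)

# Periodic review (run weekly): temporary rules that are past their expiry date are stale
# and should be removed so they do not count against the 300-rule limit mentioned above.
$stale = Get-TransportRule |
    Where-Object { $_.Name -like 'TEMP-BLOCK*' -and $_.ExpiryDate -and $_.ExpiryDate -lt (Get-Date) }
$stale | Select-Object Name, State, ExpiryDate, Comments | Format-Table -AutoSize

# How close the tenant is to the rule cap, for the discussion above.
"Transport rules in use: $((Get-TransportRule).Count)"

# Remove a stale rule once the source is confirmed gone (uncomment to act on the review output):
# $stale | ForEach-Object { Remove-TransportRule -Identity $_.Identity -Confirm:$false }
```

Entries added to the connection filter's IPBlockList have no expiry of their own, so the same review date should be recorded elsewhere (a ticket, or the rule comment) when Option A is used; an expired transport rule stops matching but still exists until it is removed, which is why the review step lists it rather than relying on expiry alone.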
Distinguished Expert 2019
Commented:
You'd have to put your rules in Exchange Online unless you had another filtering solution in front of it, which you don't. And to slow it down, you'd really have to have a ridiculous number of rules, especially complex ones. Not sure where your colleague got that advice from.

> One thought that came to my mind: often the phishing/spamming from a particular source lasts for 1 day; after that it's gone. So I reckon we can safely remove it from our Exchange Online??

Yes, but the annoying part is maintaining the list. How practical is it to assess whether it is a one-day or a constant threat on a daily basis?

Vasil's advice on ATP is a good one. Should look into that, as it provides protection across most if not all 365 products (assuming you use more than email). If you only use email, then look at ATP *or* a third party mail filtering solution.
Amit, IT Architect
Distinguished Expert 2017

Commented:
As advised above, ATP is the best option available from MS currently.

Author

Commented:
We're currently on E3, so is ATP E5-only, or does it provide even better email filtering? Shouldn't Exchange Online, regardless of whether it's E1, E3 or E5, use the same threat intel to filter?

Or does ATP employ sandboxing or CDR (Complete Destruction & Reconstruction) as well?
Rajkumar Duraisamy, IT Service Manager
Top Expert 2012
Commented:
Exchange Online with E3 has the default email gateway capabilities, like an antivirus engine, anti-spam, malware filtering, etc.

ATP provides advanced-level sandboxing via Safe Attachments and Safe Links.
Amit, IT Architect
Distinguished Expert 2017

Commented:
Microsoft wants to earn more money from you, so you need to pay extra money for extra security. They name it ATP, which doesn't make any sense to me. That's why I am not a big fan of cloud solutions.
Distinguished Expert 2019
Commented:
> We're currently on E3, so is ATP E5-only, or does it provide even better email filtering?

You can buy it as an add-on for E3. If you have E5, it is included.

> Shouldn't Exchange Online, regardless of whether it's E1, E3 or E5, use the same threat intel to filter?

Huge difference in what capabilities you get access to. Exchange Online gives you *basic* stuff, while ATP gets into analyzing links and attachments, as well as being able to protect files in OneDrive, Teams, and SharePoint. Pay more money, you get better security. I recommend reading up on ATP: https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description