Best practices for configuring EOP
Applies to: Exchange Online Protection
Topic Last Modified: 2014-06-26
Follow these best-practice recommendations for Microsoft Exchange Online Protection (EOP) in order to avoid common configuration errors and set yourself up for success. We recommend using the default configuration settings as a general rule. This topic assumes that you’ve already completed the setup process. If you haven’t completed EOP setup, see Set up your EOP service.
If your organization has existing user accounts in an on-premises Active Directory environment, you can synchronize those accounts to Windows Azure Active Directory (AD) in the cloud. Using directory synchronization is recommended. To learn more about the steps needed to set up directory synchronization, see Manage mail users in EOP.
When you set up EOP, you added an SPF (sender policy framework) record for EOP to your DNS records. The SPF record helps prevent spoofing. For more information about how an SPF record prevents spoofing and how you can add your on-premises IP addresses to the SPF record, see Customize an SPF record to validate outbound email sent from your domain.
Manage your content filters by reviewing and optionally changing the default settings. For example, you can change the action that is taken on messages detected as spam. If you want to pursue an aggressive approach to spam filtering, you can configure advanced spam filtering (ASF) options. Before turning an ASF option on, enable it in test mode. It’s recommended that organizations that are concerned about phishing turn on the SPF record: hard fail option. Learn more at Configure Content Filter Policies and Advanced Spam Filtering Options.
If you are using the default content filter action, Move message to Junk Email folder, in order to ensure that this action will work with on-premises mailboxes, you must configure two Exchange Transport rules on your on-premises servers to detect spam headers added by EOP. For details, see Ensure that spam is routed to each user's Junk Email folder.
We recommend that you review the Anti-Spam Protection FAQ, including the outbound mailing best practices section, which will help ensure that your outbound mail is delivered.
You can submit false negatives (spam) and false positives (non-spam) to Microsoft for analysis in several ways. For details, see Submitting spam and non-spam messages to Microsoft for analysis.
Review and fine tune your malware filter settings in the EAC. Learn more at Configure Anti-Malware Policies.
You can submit malware that made it past the filters or submit a file that you think was incorrectly identified as malware by sending it via the Microsoft Malware Protection Center. To learn more about how to do this, and to also read about other frequently asked questions and answers, review our Anti-malware protection FAQ.
Create transport rules (custom filters) to meet business needs.
When you deploy a new rule to production, select one of the test modes first to see the effect of the rules. Once you are satisfied that the rule is working in the manner intended, change the rule mode to Enforce.
When you deploy new rules, consider adding the additional action of Generate Incident Report to monitor the rule in action.
If you are in a hybrid deployment configuration, with part of your organization on-premises and part in Office 365, you may want to create rules that apply to the entire organization in a seamless manner. You can only do this if you use conditions that are available both on-premises and in Office 365. While most conditions are available in both deployments, there is a small set that are specific to a particular deployment scenario. Learn more at Transport rules.
If you want to inspect email attachments for messages in-transit within your organization, you can do this by setting up transport rules. When you use transport rules for this, you can then take action on the messages that were inspected based on the content or characteristics of those attachments. Learn more at Using transport rules to inspect message attachments.
Anti-phishing protection can be accomplished through the detection of personal information in emails exiting the organization. The following regular expressions, for example, can be used in transport rules to detect transmission of personal financial data or information that may compromise privacy:
\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d (MasterCard, Visa)
\d\d\d\d\s\d\d\d\d\d\d\s\d\d\d\d\d (American Express)
\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d (any 16 digit number)
\d\d\d\-\d\d\-\d\d\d\d (Social Security Numbers)
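Before enforcing a rule built on these patterns, it helps to see what they do and do not match. The following Python script is an added example, not part of the original topic: it runs the four expressions above over constructed sample bodies and, as an extra step that a transport rule does not perform, applies a Luhn checksum to show which digit-pattern hits are plausible card numbers. The sample text, function names and the Luhn step are assumptions made for illustration.

```python
import re

# The four patterns from this topic, exactly as written for transport rules.
PATTERNS = {
    "mastercard_visa": r"\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d",
    "amex": r"\d\d\d\d\s\d\d\d\d\d\d\s\d\d\d\d\d",
    "any_16_digits": r"\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d",
    "ssn": r"\d\d\d\-\d\d\-\d\d\d\d",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; added here for triage, not done by the transport rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan(body: str):
    """Return (pattern_name, matched_text, plausible) for every hit in body."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in re.finditer(rx, body):
            digits = re.sub(r"\D", "", m.group(0))
            # The checksum only applies to card-like numbers, not to SSNs.
            plausible = None if name == "ssn" else luhn_ok(digits)
            hits.append((name, m.group(0), plausible))
    return hits

# Constructed sample bodies (public test card numbers, an unissued SSN).
SAMPLES = {
    "spaced_card": "Please charge 4111 1111 1111 1111 today.",
    "unspaced_card": "Card: 4111111111111111",
    "dashed_card": "Card: 4111-1111-1111-1111",
    "amex": "Amex 3782 822463 10005 exp 01/30",
    "tracking_no": "Your parcel 1234567890123456 has shipped.",
    "ssn": "SSN on file: 000-12-3456",
}

def report():
    return {label: scan(body) for label, body in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:14} {hits or 'NO MATCH'}")
```

The dashed card number matches none of the four patterns, and the 16-digit tracking number matches the broad pattern despite failing the checksum, which is the kind of gap and false positive to look for while a rule is still in test mode.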
Spam and phishing can also be prevented by blocking inbound emails that appear to have been sent from your own domain. To block this type of sender forgery, you can create a transport rule that rejects messages that claim to be from your company domain (for example, yourdomain.com) and are addressed to that same domain.
We recommend creating this reject rule only in cases where you are certain that no legitimate email from your domain is sent from the Internet to your mail server. This can happen in cases where a message is sent from a user in your organization to an outside recipient and subsequently forwarded to another recipient in your organization.
At a minimum, block attachments with the following file name extensions: EXE, PIF, SCR, VBS.
For increased protection, we also recommend blocking some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh.
EOP has a communication portal that provides information from Microsoft about known issues and expected resolutions. You can find this type of information in the Office 365 admin center. If you are affected by a service level event, then you should see a communication alert (typically accompanied by a bell icon) after signing in to the admin center. We recommend that you read and act on any items as appropriate.
Troubleshoot general issues and trends by using the reports in the Office 365 admin center. Find specific data about a single message by using the message trace tool. Learn more about reporting at Reporting and message trace in Exchange Online Protection. Learn more about the message trace tool at Trace an Email Message.