Best practices for configuring EOP
Applies to: Exchange Online Protection
Topic Last Modified: 2016-11-11
Follow these best-practice recommendations for Exchange Online Protection (EOP) in order to set yourself up for success and avoid common configuration errors. We recommend using the default configuration settings as a general rule. This topic assumes that you’ve already completed the setup process. If you haven’t completed EOP setup, see Set up your EOP service.
We recommend that you use a test domain, subdomain, or low volume domain for trying out service features before implementing them on your higher-volume, production domains.
If your organization has existing user accounts in an on-premises Active Directory environment, you can synchronize those accounts to Azure Active Directory in the cloud. Using directory synchronization is recommended. To learn more about the benefits of using directory synchronization, and the steps for setting it up, see Manage mail users in EOP.
When you set up EOP, you added an SPF (sender policy framework) record for EOP to your DNS records. The SPF record helps prevent spoofing. For more information about how an SPF record prevents spoofing and how you can add your on-premises IP addresses to the SPF record, see Set up SPF in Office 365 to help prevent spoofing.
Manage your connection filter settings by adding IP addresses to the IP Allow and IP Block lists, and by selecting the Enable safe list option, which should reduce the number of false positives (good mail that's classified as spam) you receive. Learn more at Configure the connection filter policy. For more spam settings that apply to the whole organization, see How to help ensure that a message isn't marked as spam or Block email spam with the Office 365 spam filter to prevent false negative issues. These are helpful if you have administrator-level control and you want to prevent false positives or false negatives.
Manage your content filters by reviewing and optionally changing the default settings. For example, you can change the action that is taken on messages detected as spam. If you want to take a more aggressive approach to spam filtering, you can configure advanced spam filtering (ASF) options. We recommend that you test these options (by turning them on for a test or low-volume domain) before implementing them in your production environment. Organizations that are concerned about phishing should turn on the SPF record: hard fail option. Learn more at Configure your spam filter policies and Advanced spam filtering (ASF) options.
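The connection filter and content filter settings described above, as an added example in Exchange Online PowerShell (this is not code from the original article). It assumes a session is already connected, and that the policy name Default, the domain contoso.com, the IP ranges and the mailbox names are placeholders for your own values. The SPF check before enabling the hard-fail option is the caveat a practitioner wants: that option marks as spam any message whose sender domain publishes "-all" and whose sending host is not listed, so an incomplete record for your own domain turns your own legitimately forwarded mail into false positives.

```powershell
# Added example, not part of the original article. Assumes an Exchange Online PowerShell
# session is already connected; "Default", contoso.com and the IP ranges are placeholders.

# 1. Connection filter: allow-list the on-premises relay, block a known-bad host, and
#    turn on the safe list so senders on Microsoft's trusted list skip spam filtering.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = "203.0.113.0/24"} `
    -IPBlockList @{Add = "198.51.100.7"} `
    -EnableSafeList $true

# 2. Content filter: keep the default action for spam (move to Junk Email) but quarantine
#    high-confidence spam so users never see it.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine

# 3. ASF option "SPF record: hard fail". Look at your own SPF record first: every host that
#    sends as your domain (including on-premises servers) must be listed, otherwise mail
#    that leaves and re-enters via the Internet is flagged by this very option.
$domain = "contoso.com"
$spf = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction Stop).Strings |
    Where-Object { $_ -like "v=spf1*" }

if (-not $spf) {
    Write-Warning "No SPF record for $domain; add one (see Set up SPF in Office 365) before enabling hard fail."
}
elseif ($spf -notlike "*include:spf.protection.outlook.com*") {
    Write-Warning "SPF record for $domain does not include EOP: $spf"
}
else {
    Write-Host "Current SPF for ${domain}: $spf"
    Write-Host "Every host that sends as $domain must be listed above; with '-all' any other host hard-fails."
    # Start in Test mode: matching messages only get an X-CustomSpam header instead of
    # being treated as spam, so you can search for false positives before switching to On.
    Set-HostedContentFilterPolicy -Identity Default `
        -MarkAsSpamSpfRecordHardFail Test `
        -TestModeAction AddXHeader
}

# 4. Confirm the resulting settings.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, MarkAsSpamSpfRecordHardFail, TestModeAction
```

Once message headers from a test period show no legitimate mail carrying the X-CustomSpam header, change MarkAsSpamSpfRecordHardFail from Test to On.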
Note: If you are using the default content filter action, Move message to Junk Email folder, and you have on-premises mailboxes, you must configure Exchange mail flow rules (also called transport rules) on your on-premises servers to detect the spam headers added by EOP; otherwise the action has no effect for those mailboxes. For details, see Ensure that spam is routed to each user's Junk Email folder.
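The on-premises rules that note describes, as an added example (not code from the original article). It is run in the Exchange Management Shell on the on-premises server, not in Exchange Online; the rule names are placeholders. The header and the SFV values are the ones EOP stamps into the X-Forefront-Antispam-Report header; the SCL values are chosen relative to the default junk threshold of 4.

```powershell
# Added example, not part of the original article. Run in the on-premises Exchange
# Management Shell. Rule names are placeholders.

# EOP records its verdict in the X-Forefront-Antispam-Report header, e.g. "...;SFV:SPM;...":
#   SFV:SPM - filtered as spam     SFV:SKS - marked as spam by a mail flow rule
#   SFV:SKB - sender on a block list
# On-premises Exchange moves mail to Junk Email by SCL only, so translate the verdict to
# SCL 6, which is above the default SCLJunkThreshold of 4.
New-TransportRule -Name "EOP spam verdict to Junk Email" `
    -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" `
    -HeaderContainsWords "SFV:SPM", "SFV:SKS", "SFV:SKB" `
    -SetSCL 6

# The opposite case: mail EOP explicitly passed (SFV:SKN non-spam, SFV:SKI internal,
# SFV:SKA allowed sender) gets SCL -1 so nothing downstream junks it a second time.
New-TransportRule -Name "EOP non-spam verdict bypass" `
    -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" `
    -HeaderContainsWords "SFV:SKN", "SFV:SKI", "SFV:SKA" `
    -SetSCL -1

# Verify the rules and that the junk threshold is still the default (4).
Get-TransportRule | Where-Object { $_.Name -like "EOP *" } | Format-List Name, State, SetSCL
Get-OrganizationConfig | Format-List SCLJunkThreshold
```

If SCLJunkThreshold has been raised above 5 in your organization, raise the SetSCL value in the first rule accordingly, or the verdict is still ignored.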
We recommend that you review the Anti-spam protection FAQ, including the outbound mailing best practices section, which will help ensure that your outbound mail is delivered.
You can submit false negatives (spam) and false positives (non-spam) to Microsoft for analysis in several ways. For details, see Submit spam, non-spam, and phishing scam messages to Microsoft for analysis.
Review and fine-tune your malware filter settings in the Exchange admin center (EAC). Learn more at Configure anti-malware policies. We also recommend reading other frequently asked questions and answers pertaining to anti-malware protection in our Anti-malware protection FAQ.
If you’re concerned about executable files containing malware, you can create an Exchange mail flow rule that blocks any email attachment that has executable content. Follow the steps in How to reduce malware threats through file attachment blocking in Exchange Online Protection in order to block the file types listed under “Supported executable file types for transport rule inspection” in Use mail flow rules to inspect message attachments.
You can also use the Common Attachment Types Filter in the EAC (select protection > malware filters), which blocks attachments by file type in the anti-malware policy, or create an Exchange mail flow rule, also known as a transport rule, that blocks any email attachment that has executable content.
For increased protection, we also recommend using mail flow rules to block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh. This can be done by using the Any attachment file extension includes these words condition.
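The three attachment-blocking controls above (Common Attachment Types Filter, executable-content rule, extension-list rule), as an added example in Exchange Online PowerShell (not code from the original article). It assumes a connected session; the policy name Default, the rule names and the NDR text are placeholders. The extension array is the list from this article.

```powershell
# Added example, not part of the original article. Assumes an Exchange Online PowerShell
# session; "Default", the rule names and the reject text are placeholders.

# 1. Common Attachment Types Filter in the default anti-malware policy
#    (EAC: protection > malware filters). -FileTypes replaces the whole list.
Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true `
    -FileTypes "exe", "scr", "js", "jse", "vbs", "vbe", "bat", "cmd", "com", "cpl", "hta", "msi", "lnk", "reg"

# 2. Mail flow rule: reject any attachment EOP classifies as executable content. This looks at
#    the file's content (the types under "Supported executable file types"), not its name.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not accepted by this organization." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 3. Mail flow rule: reject by extension using this article's list. The condition is the EAC's
#    "Any attachment file extension includes these words"; it matches the attachment name only.
$blockedExtensions = "ade", "adp", "ani", "bas", "bat", "chm", "cmd", "com", "cpl", "crt",
    "hlp", "ht", "hta", "inf", "ins", "isp", "job", "js", "jse", "lnk", "mda", "mdb", "mde",
    "mdz", "msc", "msi", "msp", "mst", "pcd", "reg", "scr", "sct", "shs", "url", "vb", "vbe",
    "vbs", "wsc", "wsf", "wsh"

New-TransportRule -Name "Block risky attachment extensions" `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText "Attachments of this file type are not accepted by this organization." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 4. Verify what was created and the order the rules run in.
Get-TransportRule | Where-Object { $_.Name -like "Block *attachment*" } |
    Format-List Name, State, Priority, AttachmentHasExecutableContent, AttachmentExtensionMatchesWords
```

Keep both rules: the extension rule catches names like invoice.js that carry no executable header, and the executable-content rule catches a renamed .exe that the extension list never sees.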
Administrators and end users can submit malware that made it past the filters, or submit a file that you think was incorrectly identified as malware, by sending it to Microsoft for analysis. For more information, see Submitting malware and non-malware to Microsoft for analysis.
Create mail flow rules, also called transport rules or custom filters, to meet your business needs.
When you deploy a new rule to production, select one of the test modes first to see the effect of the rule. Once you are satisfied that the rule is working in the manner intended, change the rule mode to Enforce.
When you deploy new rules, consider adding the additional action of Generate Incident Report to monitor the rule in action.
If you are in a hybrid deployment configuration, with part of your organization on-premises and part in Office 365, you can create rules that apply to the entire organization. To do this, use conditions that are available both on-premises and in Office 365. While most conditions are available in both deployments, there is a small set that is specific to a particular deployment scenario. Learn more at Mail flow or transport rules.
If you want to inspect email attachments for messages in-transit within your organization, you can do this by setting up mail flow rules. Then, take action on the messages that were inspected based on the content or characteristics of those attachments. Learn more at Use mail flow rules to inspect message attachments.
You can improve anti-phishing protection by detecting when personal information leaves the organization in email. For example, you can use the following regular expressions in mail flow rules to detect transmission of personal financial data or information that may compromise privacy:
\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d (MasterCard, Visa)
\d\d\d\d\s\d\d\d\d\d\d\s\d\d\d\d\d (American Express)
\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d (any 16-digit number)
\d\d\d\-\d\d\-\d\d\d\d (Social Security Numbers)
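The patterns above wired into an outbound mail flow rule, together with the test-mode-first deployment recommended earlier on this page (deploy in a test mode with Generate Incident Report, then switch to Enforce), as an added example in Exchange Online PowerShell (not code from the original article). It assumes a connected session; the rule name, the compliance mailbox and the constructed sample strings are placeholders. The local Test-PiiPattern check uses PowerShell's .NET regex engine, which is an approximation of the rule engine, not the rule engine itself.

```powershell
# Added example, not part of the original article. Assumes an Exchange Online PowerShell
# session; the rule name, compliance@contoso.com and the sample strings are placeholders.

# The article's patterns, as one array for the rule condition.
$piiPatterns = @(
    '\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d',   # 16 digits in groups of four (MasterCard, Visa)
    '\d\d\d\d\s\d\d\d\d\d\d\s\d\d\d\d\d',       # 4-6-5 grouping (American Express)
    '\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d',         # any 16-digit number
    '\d\d\d\-\d\d\-\d\d\d\d'                    # NNN-NN-NNNN (Social Security numbers)
)

# Sanity-check the patterns against constructed strings before relying on them. None of these
# patterns validates a checksum (Luhn), so the 16-digit one also fires on, say, tracking numbers.
function Test-PiiPattern {
    param([string]$Text)
    foreach ($p in $piiPatterns) {
        if ($Text -match $p) { return $true }
    }
    return $false
}
Test-PiiPattern "Please charge card 4111 1111 1111 1111 for the invoice"   # constructed sample
Test-PiiPattern "Applicant SSN: 123-45-6789"                               # constructed sample
Test-PiiPattern "Ref 2016-11-11, order 42"                                 # constructed sample

# 1. Deploy in a test mode. In Audit mode the rule's actions are not applied, but Generate
#    Incident Report still runs, so the compliance mailbox sees what would have matched.
New-TransportRule -Name "Outbound PII check" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $piiPatterns `
    -Mode Audit `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections, OriginalMail `
    -ModerateMessageByUser "compliance@contoso.com"

# 2. After reviewing the incident reports for false positives, enforce: matching outbound mail
#    is now held for the moderator's approval instead of being sent.
Set-TransportRule -Identity "Outbound PII check" -Mode Enforce

Get-TransportRule -Identity "Outbound PII check" | Format-List Name, Mode, State, SubjectOrBodyMatchesPatterns
```

Switch the constructed samples for a handful of real outbound messages from your message trace before enforcing, since the any-16-digit pattern is the one most likely to generate noise.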
Successful spam and phishing campaigns can also be reduced by blocking inbound, malicious emails that appear to have been sent from your own domain. For example, you can create a mail flow rule that rejects messages from your company domain sent to the same company domain to block this type of sender forgery.
Note: We recommend creating this reject rule only in cases where you are certain that no legitimate email from your domain is sent from the Internet to your mail server. Legitimate mail of this kind can occur when a message is sent from a user in your organization to an outside recipient and is subsequently forwarded by that recipient to another recipient in your organization.
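The sender-forgery rule described above, as an added example in Exchange Online PowerShell (not code from the original article). It assumes a connected session; contoso.com, the on-premises IP range and the report mailbox are placeholders. The exception and the audit-first deployment are how a practitioner handles the caveat in the note: hosts that legitimately send as your domain from outside EOP are excluded by IP, and the rule is observed before it rejects anything.

```powershell
# Added example, not part of the original article. Assumes an Exchange Online PowerShell
# session; contoso.com, 203.0.113.0/24 and compliance@contoso.com are placeholders.

$myDomain     = "contoso.com"
$onPremRelays = "203.0.113.0/24"   # hosts that legitimately send as $myDomain from outside EOP

# Reject mail that arrives from outside the organization yet claims a sender in our own
# domain and is addressed to our own domain. "Outside the organization" means the message
# did not come in over an authenticated connection (for example, not via the on-premises
# inbound connector), which is exactly how Internet spoofing of your domain arrives.
New-TransportRule -Name "Reject external mail claiming to be from $myDomain" `
    -FromScope NotInOrganization `
    -SenderDomainIs $myDomain `
    -RecipientDomainIs $myDomain `
    -ExceptIfSenderIpRanges $onPremRelays `
    -Mode Audit `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, Severity `
    -RejectMessageReasonText "Messages from $myDomain must originate inside the organization." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Run it in Audit mode for a while. Every incident report that names a real sender (a
# forwarding service, a partner relay, a SaaS tool that sends as your domain) is a host to
# add to the exception list or to your SPF record, not a reason to enforce yet.
Set-TransportRule -Identity "Reject external mail claiming to be from $myDomain" `
    -ExceptIfSenderIpRanges $onPremRelays, "198.51.100.20"

# Only when the reports stop showing legitimate mail, switch to Enforce.
Set-TransportRule -Identity "Reject external mail claiming to be from $myDomain" -Mode Enforce

Get-TransportRule -Identity "Reject external mail claiming to be from $myDomain" |
    Format-List Name, Mode, State, FromScope, SenderDomainIs, ExceptIfSenderIpRanges
```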
If you’re concerned about executable files containing malware, you can configure anti-malware policies to block any email attachment that has executable content. Follow the steps in Configure anti-malware policies.
For increased protection, we also recommend that you block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh.
Troubleshoot general issues and trends by using the reports in the Office 365 admin center. Find specific data about a single message by using the message trace tool. Learn more about reporting at Reporting and message trace in Exchange Online Protection. Learn more about the message trace tool at Trace an email message.