Office 365 Email Protection with DKIM and DMARC

Introduction

Email spoofing is the most common challenge that every organization faces in the current digital world, regardless of its size. Office 365 email protection with DKIM and DMARC helps organizations protect against spoofing, which tends to increase the number of spam emails they receive. DomainKeys Identified Mail (DKIM) and Domain-based Messaging and Reporting Compliance (DMARC) check for a trusted, authenticated sender to prevent untrusted senders from sending spoofed emails.

Inbound validation of DKIM and DMARC is supported in Office 365.

What is DKIM?

DomainKeys Identified Mail (DKIM) is a method to validate a digitally signed message, where the signature appears in the DKIM-Signature header of the message. It ties an email message to the organization responsible for the message.

More details on DKIM can be found on TechNet.

What is DMARC?

Domain-based Messaging and Reporting Compliance (DMARC) is designed to protect against email spoofing where the phisher has spoofed the 5322.From email address, that is, the address displayed in email clients like Outlook. Sender Policy Framework (SPF) prevents the phisher from spoofing the 5321.MailFrom address. DMARC catches the case that is more deceptive. DMARC results are stamped in the Authentication-Results header of the email.

DMARC evaluates both DKIM and SPF and ensures that the authenticated domain matches the domain in the 5322.From address. SPF alone does not protect against spoofed 5322.From addresses.

    Helo woodgrovebank.com
    Mail from: phish@phishing.contoso.com  <- 5321.MailFrom
    Rcpt to: astobes@tailspintoys.com
    data
    To: "Andrew Stobes" <astobes@tailspintoys.com>
    From: "Woodgrove Bank Security" <security@woodgrovebank.com>  <- 5322.From
    Reply-To: "Woodgrove Bank Security" <phish@phishing.contoso.com>
    Subject: Woodgrove Bank - Action required
    Greetings User,
    We need to verify your banking details. Please click the following link to accomplish this.
    http://short.url/woodgrovebank/updateaccount/12-121.aspx
    Thank you,
    Woodgrove Bank

The end user will see this message as shown below.

This email can pass the SPF check if the phisher has published an SPF record for woodgrovebank.com, but, as we know, the phisher has spoofed the email using the 5321.MailFrom address, and DMARC will fail this email. DMARC checks are already in place in Office 365 for inbound emails and you don't have to configure anything. In the next blog article, we will look at how to configure DMARC for outbound emails in Office 365.
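As an added illustration (not code from the original post), here is the DMARC alignment logic applied to the transcript above in Python. It assumes the SPF and DKIM results come from a prior verification step, and its organizational-domain helper is a simplification that uses the last two labels instead of a public-suffix list.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the spoofed message from the SMTP transcript above,
# with the envelope sender (5321.MailFrom) carried separately from the headers.
ENVELOPE_MAILFROM = "phish@phishing.contoso.com"
RAW_MESSAGE = (
    'To: "Andrew Stobes" <astobes@tailspintoys.com>\r\n'
    'From: "Woodgrove Bank Security" <security@woodgrovebank.com>\r\n'
    'Reply-To: "Woodgrove Bank Security" <phish@phishing.contoso.com>\r\n'
    'Subject: Woodgrove Bank - Action required\r\n'
    '\r\n'
    'Greetings User,\r\n'
)

def org_domain(domain):
    """Simplified organizational domain: the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: 'r' (relaxed) compares organizational
    domains, 's' (strict) requires an exact match with the 5322.From domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def dmarc_evaluate(raw_message, mailfrom, spf_result, dkim_results, adkim="r", aspf="r"):
    """Return 'pass' if there is an aligned SPF pass or an aligned DKIM pass
    for the 5322.From domain, otherwise 'fail'.
    dkim_results: list of (d= domain, result) tuples from DKIM verification."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    mailfrom_domain = mailfrom.rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for d, r in dkim_results)
    return "pass" if spf_ok or dkim_ok else "fail"

if __name__ == "__main__":
    # The phisher's own domain can publish SPF, so SPF passes for
    # phishing.contoso.com, but that domain does not align with the
    # woodgrovebank.com 5322.From, so DMARC fails.
    print(dmarc_evaluate(RAW_MESSAGE, ENVELOPE_MAILFROM, "pass", []))  # -> fail
```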

For more information on Office 365 email protection with DKIM and DMARC, please go through the following posts.

Whitelist Senders and domains in office 365 to bypass Spam filters

Introduction

Office 365 provides a number of tools to maximize security and protect corporate information based on unique business and technical needs. When the built-in Office 365 filters over-qualify suspected spam, there are a few simple steps administrators can take to whitelist senders and domains in Office 365 so that they bypass the spam filters. It is a bad experience for end users when legitimate email is quarantined or blocked as spam and lands in the quarantine folder.

It is recommended that you, as an admin, review your filters so that critical messages bypass the spam folder and reach their intended recipients.

You can leverage a safe sender list or a custom transport rule to bypass spam filtering and prevent legitimate email messages from being marked as junk. A legitimate message that the spam filter incorrectly marks as spam is known as a false positive.

Whitelist Senders and Domains in Office 365

Whitelisting senders and domains in Office 365 to bypass the spam filter requires you to perform the following steps.

  • Scroll down to the bottom and expand “Allow List”

  • Click on the “Edit” button to add entries to the Allow Sender and Allow Domain lists

  • Once the user's email address is added, click on the button to add the user to the safe sender list

Emails from users on the safe sender list will not be checked by the spam filters and will be delivered to recipients.

  • Once the safe sender list of users is configured, the next step is to configure the safe sender domain list.
  • Click on the “Edit” button to add domains to the allowed domain list

  • Once the domains are added, emails from these domains will not be checked by the spam filters and will be delivered to users

It is important to understand that when you add a safe user or domain to the list, you must know that the user or domain is legitimate and will not send you spam email that can harm business operations. Mostly these lists are configured for business partners, or for internal applications that send email through another medium to mailboxes hosted on Office 365, or to systems that leverage Exchange Online Protection to scan emails before they are delivered to end-user mailboxes.

Configure Conditional Access for Exchange Online

Introduction to Intune Conditional Access

Microsoft Intune is a cloud-based mobile device, application and PC management solution from Microsoft. Intune helps organizations empower employees with access to corporate resources from anywhere, on almost any device. While we empower our users to access corporate data from anywhere on any device, we also have to consider data security in order to protect confidentiality. Microsoft Intune conditional access gives us the capability to restrict access to corporate data to ensure compliance and confidentiality.

Intune Conditional Access allows administrators to enforce compliance policies on devices before they can access email or SharePoint Online information from their device. Intune Conditional Access policies can restrict access to corporate information based on:

  • Device compliance status
  • Device operating system
  • Application type used to access the data

The diagram below depicts how conditional access works in Microsoft Intune. When a user's device requests access to corporate data in Office 365, Intune performs the following checks on the device.

  • Verify whether the device is targeted by a conditional access policy.
  • Verify whether the device is managed by Intune, which requires the user to enroll the device with Intune and register the device with Azure AD.
  • Verify the device against the configured compliance policies and grant or deny access based on the results.

Intune conditional access requires an Intune subscription, which you can get standalone or as part of the Mobility suite.

Intune conditional access configuration is a two-step configuration. You have to configure a compliance policy, and once the compliance policy is in place for devices, the next step is to configure the conditional access policy.

A compliance policy includes common device settings like passcode, encryption, and whether or not a device is jailbroken. The device must meet these rules in order to be considered compliant.

Configure Conditional Access for Exchange Online

Configuring conditional access for Exchange Online requires you to complete the following steps.

  • Configure a Compliance Policy
  • Configure a Conditional Access Policy

Configure a Compliance Policy

To configure a compliance policy, perform the following steps.

  • Log in to the Microsoft Intune portal
  • Navigate to Policy > Compliance Policies and click on “Add” to create a compliance policy

  • Define the compliance policies and deploy the policy to the users.

Now that we have the compliance policy created and deployed, we are ready to configure Intune conditional access.

Configure Conditional Access for Exchange Online

To configure conditional access for Exchange Online, navigate to Policies > Conditional Access > Exchange Online.

  • Enable the Exchange Online conditional access policy

Once the Exchange Online policy is enabled, define the conditional access policies based on your security requirements.

Once conditional access is configured, users will get an email about the change and what they have to do to keep using email on their device. As I have configured the policy to restrict access to domain-joined devices, those devices must be registered with Azure AD for Intune to validate them and grant users access to data; otherwise users will get the following error on their machines.

Being a consultant, I strongly recommend that my customers leverage Intune conditional access policies to secure their data access while empowering users to access corporate data from anywhere at any time.

Exchange Online Advanced Threat Protection

In the modern era, we have seen a steady increase in data security, especially email security against spammers. Spammers are constantly changing the way they send and mask spam and viruses. Microsoft is continuously working to protect its customers against modern-era techniques so that customers can enjoy best-in-class services. With that being said, on 8 April Microsoft announced a new advanced, robust optional feature to protect against spam, viruses and malware with Exchange Online Protection. Yes! I'm talking about the new Exchange Online Advanced Threat Protection, and I'm excited to deep dive into ATP. Currently ATP is available in private preview only and is expected to be available to commercial customers as an optional service by this summer.

ATP will have the following advanced features as an optional service.

  1. Protection against unknown malware and viruses
  2. Real-time protection against malicious URLs
  3. URL trace and rich reporting

ATP will be available at $2 per user per month for commercial customers and $1.75 for government pricing customers as an optional feature.

More details on ATP can be found on Office Blog.