EOP Field Notes

Exchange Online Protection: Notes from the field

  • Learn Exchange Online PowerShell with Command Logging

    When you are navigating or making changes in the Exchange Online portal, PowerShell is being executed in the background. Using the Command Logger, you can see exactly what these background PowerShell commands look like! This tool is a great way to learn PowerShell and can give you a head start in your own scripting.

    Exchange 2010 offered ways to view the Exchange shell to see what was happening in the background when changes were made. This feature disappeared in Exchange 2013, but reappeared in Exchange 2013 SP1. The Command Logger is now also present in both Exchange Online and Exchange Online Protection.

  • EOP Mysteries Solved - Mail queuing in EOP which is destined on-premises

    This is a new series of articles for this blog that were inspired by Mark Russinovich’s Case of the Unexplained series. Each article will tell the story of an Exchange Online scenario that initially made no sense. I’ll then progress through the troubleshooting steps and eventually end up with the root cause. I have a couple of hopes here.

    1. If you have experienced the same or similar issue, you can jump right to the root cause without needing to troubleshoot yourself.

    2. You can learn more about Exchange Online from seeing how I approach solving a problem as I’ll be detailing not only what I did, but why I did it.
  • Support Hot Topics - Reducing the threat of zero-day malware

    Welcome to the second episode in our Support Hot Topics for Exchange Online Protection series. I’m joined in this episode by my co-worker, Jason, and we discuss Exchange Online Protection strategies, including two transport rules, that can help reduce the threat of zero-day malware.

  • An Introduction to the new Spam Filter Allow and Block Lists

    Rather than start this article with an appetizer, I’m going to switch things up and dive right into the meat and potatoes. Very soon, if not already, you will see two new entries to your Spam Filter in Exchange Online Protection, Allow Lists & Block Lists. As suggested by the name, this is a new way to manage allow and block lists within EOP. These new entries certainly don’t replace using Transport Rules to manage allow and block lists, but instead offer a simpler alternative.

  • Scheduling Mail Reports in Office 365

    Obtaining reports in the past was a manual task which had to be performed every time you wanted to pull data. Many of you (most of you?) have asked us to allow for automated reporting in Office 365. Did you catch how I used the words, “in the past,” in the first sentence?

    Well, I’m happy to say that automated reporting in Office 365 has arrived and is now available in your tenant. Reports can be scheduled for delivery either on a weekly or monthly basis.

  • Tips to prevent Zero-Day Malware with EOP

    I have recently seen a lot of zero-day malware attacks and interestingly, these attacks aren’t even trying to be covert. In these cases, the malware is attached to an email in the form of an executable file and the recipient is asked to run the attachment. Being in the technology world, people like you and me don’t fall for this, but a lot of less technical users do and execute the attachment.

    In this article we’ll explore proactive actions that can help prevent zero-day malware from landing in your employees’ mailboxes.

  • Exchange Online Advanced Threat Protection - now available

    Just a quick note in what will probably be my shortest blog post ever. Advanced Threat Protection, a new filtering service that complements Exchange Online Protection, is now available for purchase. This service adds new features to EOP to help detect...
  • Support Hot Topics – Strategies to Mitigate Phishing Attempts

    Welcome to the first episode in a new series called Support Hot Topics for Exchange Online Protection. This series will consist of short videos which will each cover a trending topic relating to Exchange Online Protection. These videos are designed to give you a quick blast of information on a specific topic when you need to learn fast.

  • Noteworthy Exchange and Office 365 Sessions from Ignite

    Last week was Microsoft’s Ignite conference in Chicago. There were many product announcements made and over 670 sessions delivered! I’ve made a list of some of the most popular sessions relating to Exchange Online, Exchange on-premises...
  • In case you missed it - April 2015 edition

    There was a lot of Exchange Online / EOP and Office 365 news in April and I wanted to pull them all together in one place, here! The stories range from product updates all the way to announcing new services. I have placed the articles that directly relate to Exchange Online towards the top of the list.

  • Need details on who and what are triggering your rules? There's a cmdlet for that!

    Need to get a list of all messages that triggered a particular transport rule, or do you want to see all rules that have been triggered by a particular sender? This information can be easily found using the Get-MailDetailTransportRuleReport cmdlet. Looking past the name being much too long, this cmdlet can provide very insightful information about your transport rules.

    What better way to show off this cmdlet than with examples. Here we go.

  • Advanced Threat Protection

    In case you missed it, we have something new coming to Exchange Online. Last week on Office Mechanics, Shobhit Sahay, technical product manager for the Office 365 team, introduced a new service coming to Exchange Online Protection (EOP), Advanced Threat Protection.

    Advanced Threat Protection (ATP) adds another layer of security and protection on top of EOP, targeting specific types of advanced threats.

  • Use PowerShell to search for transport rules (updated)

    Update (April 7, 2015): More content and examples have been added to this article since the original posting.

    PowerShell can be used to quickly search for rules matching specific criteria. This can be incredibly valuable for a tenant that contains a lot of rules. While possible to search for transport rules in the EOP portal, PowerShell offers a more comprehensive (and cooler) way to accomplish this. There are also some rule properties that can only be searched for with PowerShell.

  • MS-DOS Mobile has arrived

    I typically avoid the Internet like the plague on April Fools' Day, but this morning I peeked and came across MS-DOS Mobile and just couldn't help but share. This April Fools' Day app brings DOS directly to your Windows phone! Let's take a trip down memory lane and see what we can do with this app.

  • EOP IP Address Additions - March 2015 Edition

    This is a quick public service announcement before the weekend starts. Exchange Online Protection has been allocated a new IP range. Starting in 30 days, EOP will add 40.107.0.0/16 to the IP pool that is used to deliver mail that passes through custom connectors (ex. EOP outbound connector which routes inbound mail to your on-premises environment). 

  • Troubleshoot a broken junk mail folder

    I recently worked on a very interesting case that I wanted to share. This organization had set EOP to deliver all spam messages to end users’ junk mail folder.

    This worked great for most users, but a small number experienced EOP delivering spam messages directly to their inbox, as if they weren’t being scanned at all. Very peculiar indeed. Let’s go through the troubleshooting process to figure out what’s happening here. 

  • Determine where a message leaves an Office 365 tenant

    When troubleshooting mail flow it is often important to determine where a message is handed off from a partner to your Office 365 tenant, or from your Office 365 tenant to a partner. This is easy to see in a message header, just look for the receiving host with the domain mail.protection.outlook.com, as this will indicate Office 365 servers.

    But what if your partner is also an Office 365 tenant, then how can we tell when a message left their tenant and entered yours, or vice versa? If troubleshooting a mail delay, this is crucial information as this will let us know which tenant is experiencing the delay.

  • Using DMARC to Prevent Spoofing

    I have recently seen a large number of cases where an organization’s own domain was spoofed to send that company phishing messages. This isn’t all that uncommon, but what was concerning for me was the method used in these cases to do the spoofing. In these cases, only the 5322.From header was spoofed, which cannot be detected by an SPF check.

  • Ensure your SPF Record is Correct

    I've recently seen an increase in cases that involve incorrectly published SPF records that have resulted in sent mail failing the SPF check. Ensuring your SPF record is up to date is great proactive work that can help prevent issues with SPF checks. In this article I'm going to go over how to properly set your SPF record if you are using Exchange Online or Exchange Online Protection.

    There is also a common mistake that organizations sometimes make in their SPF record when they are smart hosting mail out through EOP which I will also highlight.

  • Recipient Notifications

    The ability to send a notification to the recipient when a transport rule triggers. This is a request that we have received from a lot of customers, and I’m happy to let you know that it is now rolling out in the form of an action in EOP transport...
  • IP Ranges Added to EOP

    On TechNet we publish the range of IP addresses that are used when sending mail out of a custom EOP connector. If you have created an EOP on-premises connector to deliver inbound mail to your on-premises mail environment, or an EOP partner connector to...
  • An Ode to EOP

    This is typically a slow week for people, so what better time than to post something fun about Exchange Online Protection! Back in May I presented a session on EOP at TechEd North America 2014 which took place in Houston. To be a little different,...
  • Top Ten Posts of 2014

    I only began this blog in June of this year and so it’s hard to believe that it is already six months old! Looking back over the past six months I have had a blast writing and sharing articles with the community and have received a lot of positive...
  • Message Trace, the PowerShell Way

    From my experience, a very small number of people actually choose PowerShell over the GUI (Graphical User Interface, i.e. the Office 365 Portal). But once you get a grasp of PowerShell and write some scripts, you’ll see the light and going back to...
  • Exchange Server December Updates

    Update, Dec 11/14: Exchange Server 2010 SP3 Update Rollup 8 has been temporarily pulled due to a problem. Update, Dec 15/14: Exchange Server 2010 SP3 Update Rollup 8 v2 has been posted. While I mainly target Exchange Online Protection with this blog...