• Handling email viruses with Exchange Online

    When customers receive an email with a suspected virus, they often ask “What do I do now?”

    This blog post helps answer that question and guides you through our recommended process. It is intended for customers using Office 365, or Exchange Online Protection in front of on-premises Exchange servers.

    First, it is important to understand what we mean by an infected message. For the purposes of this post, any email with an attachment that contains a script or a malicious executable is treated as ‘a virus’. This does not include messages (subscription-style mailings, for example) whose body carries links to malicious sites. Those are treated as spam, and spam is handled with a different process (see the posts on spam in this series).

    To deal with an email virus, here are some quick actions you can take:

    1. Start at the filtering layer. We recommend EOP, since it is the default for Office 365 users. If you use a third-party filtering service instead, contact that vendor to investigate further. If the message passed through Exchange Online Protection (EOP), or if the header information that would tell you which filter handled it is missing, proceed to the next step.

    2. Create a Transport Rule to block the message. Note that Office 365 Small Business and Small Business Premium plans do not include this feature, and that transport and inbox rules have documented limits. EOP customers can follow the steps in Microsoft Knowledge Base article 2959596:

    • Navigate to Mail Flow in the Exchange Admin Center.
    • Click + to create a new rule.
    • Click More Options.

    Under Apply this rule if, choose Any attachment has executable content. Then choose an action under Do the following; we recommend Block the message. Keep in mind that this condition matches every message whose attachments contain executable content, not only the current virus, so consider any legitimate senders who exchange such files with your users before enforcing it.

    Make sure no other transport rule with a higher priority would override this one (for example, a rule that matches the same message first and stops further rule processing). See Manage Transport Rules for more information.
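
    The same rule created with Exchange Online PowerShell, as an added example that is not part of the original post. It creates the rule in Audit mode first so that a mistake does not bounce legitimate mail, lists the rules that would run before it, and switches to Enforce once the audit results look right. It assumes an existing Exchange Online / EOP PowerShell session; the rule name and reject text are placeholders.

```powershell
# Added example, not from the original post. Assumes you are connected to
# Exchange Online / EOP PowerShell (remote PowerShell session or Connect-ExchangeOnline).

$RuleName = 'Block executable attachments'   # hypothetical rule name

# 1. Create the rule in Audit mode: matching messages are only logged, not rejected,
#    so you can see what it would hit before it acts. Priority 0 runs it first.
New-TransportRule -Name $RuleName `
    -AttachmentHasExecutableContent $true `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Executable attachments are not accepted by this organization.' `
    -Mode Audit `
    -SetAuditSeverity High `
    -Priority 0 `
    -Comments 'Blocks messages whose attachments contain executable content (KB 2959596).'

# 2. Review rule order. Lower Priority values run first; a rule that matches the same
#    message and has StopRuleProcessing set would prevent this rule from ever firing,
#    which is the override the post warns about.
Get-TransportRule |
    Sort-Object Priority |
    Select-Object Priority, Name, State, Mode, StopRuleProcessing |
    Format-Table -AutoSize

# 3. Once the audit hits contain only the malicious mail, start rejecting.
Set-TransportRule -Identity $RuleName -Mode Enforce
```

    While the rule is in Audit mode its matches show up in the mail protection reports rather than as rejected messages, which is how you measure false positives before step 3.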

    3. Submit a sample of the email virus immediately to the Microsoft Malware Protection Center (MMPC) for analysis. To receive analysis updates, sign in to the MMPC website or enter a valid email address; we recommend using your Microsoft account email address.

    4. Once signed in, select O365 and Exchange Online Protection. Follow the MMPC instructions to determine whether the sample needs to be compressed before uploading it. When the submission completes, make a note of the MMPC ID that the MMPC Submission Support Team sends you.

    If the virus arrives with a sender such as administrator@domain.com or fax@domain.com, where domain.com is your own Office 365 domain (that is, the sender is spoofing your domain), we also recommend blocking the sending server’s IP address and enabling the SPF hard fail option in addition to the steps above. Before turning on SPF hard fail, make sure your SPF record lists every legitimate source that sends as your domain (on-premises servers, third-party application or bulk mail), otherwise that mail will be marked as spam as well. Also see Best Practices for Configuring EOP.

    If infected messages or attachments keep arriving, copy the message headers from one of them and contact Microsoft Customer Service and Support for further assistance. Have your MMPC ID handy as well.

    Irol Pinto
    Technical Advisor, Microsoft Corporation

  • Spam email and Office 365 environment - connection and content filtering in EOP

    In the previous post in this series we introduced Exchange Online Protection (EOP), what to do when EOP is not working as desired, and the spam troubleshooting process and classification. In this post we move on to some more advanced options for stopping spam.

    1. IP Block list

    The IP block list lets us block messages that come from a specific mail server (a specific IP address).

    EOP - using the IP Block list

    • Log in to the Office 365 portal and open the Exchange admin center
    • In the left-hand menu, choose protection
    • In the tabs across the top, choose connection filter
    • Open the Default connection filter policy
    • In the window that appears, choose connection filtering
    • In the IP block list section, choose the plus icon and add the IP address of the mail server that sent the spam
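
    An added example, not from the original posts, that ties this step to the spoofed-sender advice in the “Handling email viruses” post above: parse the headers of a suspected message to find the connecting IP and SPF result that EOP recorded, and, when the message claims to come from one of our own domains but fails SPF, add the connecting IP to the IP Block list and turn on the SPF hard fail filter. The header sample, IP address and domain names are constructed for illustration; the Set-* calls only run with -Apply and assume an EOP PowerShell session.

```powershell
# Added example, not from the original posts. Constructed sample data below.

function Get-EopHeaderSummary {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # RFC 5322 folding: a line that starts with whitespace continues the previous header.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    $cip = $null; $spf = $null; $from = $null
    foreach ($line in $lines) {
        if ($line -match '^X-Forefront-Antispam-Report:\s*(.+)$') {
            # ;-separated KEY:VALUE pairs; CIP is the IP that connected to EOP.
            foreach ($pair in ($Matches[1] -split ';')) {
                if ($pair -match '^\s*CIP:(\S+)$') { $cip = $Matches[1] }
            }
        }
        elseif ($line -match '^Authentication-Results:.*?\bspf=(\w+)') { $spf = $Matches[1].ToLower() }
        elseif ($line -match '^From:.*?([\w.+-]+@([\w-]+\.)+[A-Za-z]{2,})') { $from = $Matches[1].ToLower() }
    }

    [pscustomobject]@{
        ConnectingIp = $cip
        SpfResult    = $spf
        FromAddress  = $from
        FromDomain   = $(if ($from) { $from.Split('@')[1] } else { $null })
    }
}

function Block-SpoofedSender {
    param(
        [Parameter(Mandatory)]$Summary,   # output of Get-EopHeaderSummary
        [string[]]$OwnDomains,            # our accepted domains, e.g. (Get-AcceptedDomain).DomainName
        [switch]$Apply                    # without -Apply this is a dry run
    )
    $spoofed = ($Summary.SpfResult -eq 'fail') -and ($OwnDomains -contains $Summary.FromDomain)
    if (-not $spoofed) {
        return "No action: spf=$($Summary.SpfResult), From domain '$($Summary.FromDomain)' is not one of ours."
    }
    if ($Apply) {
        # Connection filter: block the sending server (the IP Block list step above).
        Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{Add = $Summary.ConnectingIp}
        # Content filter: treat an SPF hard fail as spam.
        Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On
    }
    return "Spoofed $($Summary.FromDomain) mail from $($Summary.ConnectingIp): block IP and enable SPF hard fail" +
           $(if ($Apply) { ' (applied)' } else { ' (dry run; re-run with -Apply)' })
}

# Constructed sample headers (not a real message). Note the folded header lines.
$sample = @'
Received: from mail.example.net (203.0.113.5) by mx.contoso.example (10.0.0.7)
 with Microsoft SMTP Server; Mon, 25 Aug 2014 09:12:33 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=contoso.com; contoso.com; dkim=none (message not signed)
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:;IPV:NLI;EFV:NLI;SFV:NSPM;SCL:5
From: administrator@contoso.com
Subject: Your mailbox is full
'@

$summary = Get-EopHeaderSummary -RawHeaders $sample
$summary | Format-List
Block-SpoofedSender -Summary $summary -OwnDomains @('contoso.com')
# Online: Block-SpoofedSender -Summary $summary -OwnDomains (Get-AcceptedDomain).DomainName -Apply
```

    On the sample the dry run reports ConnectingIp 203.0.113.5, SpfResult fail and FromDomain contoso.com, so the block would be applied. Before enabling SPF hard fail for real, check your published record (for example Resolve-DnsName contoso.com -Type TXT) and confirm it includes every legitimate server that sends as your domain; a hard fail on your own record turns that mail into spam too.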

    2. International spam

    International spam is an option that lets us block, or mark as spam, mail classified by its geographical origin or by the language it is written in.

    Note: Use this option with caution; it is very easy to end up with legitimate mail identified as bad\spam and blocked.

    Using the International spam option

    • Log in to the Office 365 portal and open the Exchange admin center
    • In the left-hand menu, choose protection
    • In the tabs across the top, choose content filter
    • Open the Default content filter policy
    • In the window that appears, choose international spam

    We can use one (or both) of the following options:

    Blocking mail written in the specific language

    • Choose Filter email messages written in the following languages
    • Click on the Plus icon and choose the specific languages that you want to block

    Blocking mail by Geographical location

    • Choose Filter email messages sent from the following countries or regions
    • Click on the Plus icon and choose the specific regions that you want to block

    3. Content filter advanced options

    Before we look at how to use the EOP advanced options against spam, let’s define the spam types and the tools a little further. At a high level, we can describe three “families” of spam:

    • Advertisement mail - the negative effect of this mail is best described as “annoying.” No real damage is done beyond the user being bothered by the content (offers of medications, body enhancement and so on). Most of this type is blocked automatically by the Office 365 mail gateways; when some advertising spam does “sneak in,” a solution such as rules can block it.
    • Mail with malicious content - this type is closer to the definition of a “virus,” because the spammer’s goal is to get the recipient to click or accept something that leads to an attack such as fraud or phishing.
    • “Other spam mail” - everything that does not belong to the former families; NDR backscatter is one example.

    Content Filter - Advanced options

    The “Advanced options” section under Content Filter lets us “harden” the default spam policy applied by the Office 365 mail security gateways. To avoid incorrectly marking legitimate mail as spam, each additional filter can be run in “Test mode” (think of it as a learning mode): the filter is evaluated against incoming mail and reports what it would have flagged, but no message is actually marked as spam. Once we trust the filter, we switch it to On, which blocks\marks matching messages as spam.

    Using Content Filter - Advanced options

    • Log in to the Office 365 portal and open the Exchange admin center
    • In the left-hand menu, choose protection
    • In the tabs across the top, choose content filter
    • Open the Default content filter policy
    • In the window that appears, choose advanced options

    As you can see, there are many options to choose from, divided into two categories: Increase spam score and Mark as spam.

    To demonstrate the options available under Content Filter - Advanced options, let’s describe two scenarios:

    • Scenario 1: Blocking spam mail with malicious content
    • Scenario 2: Blocking spam mail classified as NDR backscatter

    Scenario 1: Blocking spam mail with malicious content

    Over the last month, users have complained about spam that contains malicious content: when they open the message they are automatically redirected to a web site, which invites them to download an executable file. To block this spam we would activate three additional filters, so that a message is marked as spam if it is, or contains:

    Empty messages

    JavaScript or VBScript in HTML

    Frame or IFrame tags in HTML

    By default, each of these filters is Off. Clicking the option arrow shows three choices: Off, On or Test. With On, any message containing content that one of the selected filters does not allow (such as JavaScript or VBScript in HTML) is marked as spam.

    If we only want to test the new filter, we choose Test. In the following screenshot we can see the three options for what Test mode does with a matching message:

    • None
    • Add the default test X-header text
    • Send a BCC message to this address (Note: this should be a separate mailbox used only for collecting test-mode hits.)

    Scenario 2: Blocking spam mail classified as NDR backscatter

    NDR backscatter is a special kind of spam, because the mechanism the spammer uses differs from standard spam. In NDR backscatter a spammer forges one of our users’ email addresses as the sender and sends mail “on their behalf” to other recipients. When the destination mail system rejects that mail as spam, or it is addressed to non-existent users, the destination system generates an NDR (non-delivery report) and sends it to the forged address, so our user receives bounces for mail they never sent.

    Generally speaking, the Office 365 security gateways are configured to block this kind of spam, but if some does “sneak” through we can enable the following filter under Content Filter - Advanced options.

    Using Content Filter - Advanced options - NDR backscatter

    • Log in to the Office 365 portal and open the Exchange admin center
    • In the left-hand menu, choose protection
    • In the tabs across the top, choose content filter
    • Open the Default content filter policy
    • In the window that appears, choose advanced options
    • Find the NDR backscatter option and turn the filter On
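
    The same content filter changes made with Set-HostedContentFilterPolicy on the Default policy, as an added example that is not part of the original post: the international spam lists from section 2, the three advanced filters from Scenario 1 in Test mode with a BCC to a dedicated mailbox, and the NDR backscatter filter from Scenario 2 turned on. The language and region codes and the test mailbox address are assumptions; an EOP PowerShell session is assumed.

```powershell
# Added example, not from the original post. Assumes an Exchange Online / EOP
# PowerShell session. Codes and addresses below are placeholders.

$Policy      = 'Default'
$TestMailbox = 'asf-test@contoso.com'   # hypothetical mailbox that only collects Test-mode hits

# Record the current state first, so the change can be reverted.
Get-HostedContentFilterPolicy -Identity $Policy |
    Select-Object Name, EnableLanguageBlockList, LanguageBlockList,
        EnableRegionBlockList, RegionBlockList, MarkAsSpamEmptyMessages,
        MarkAsSpamJavaScriptInHtml, MarkAsSpamFramesInHtml, MarkAsSpamNdrBackscatter,
        TestModeAction, TestModeBccToRecipients |
    Format-List

# Section 2, International spam: ISO 639-1 language codes and ISO 3166-1 alpha-2
# region codes. Every code added here is a false-positive risk, so keep the lists
# to what you can justify from the spam you actually received.
Set-HostedContentFilterPolicy -Identity $Policy `
    -EnableLanguageBlockList $true -LanguageBlockList @('ru') `
    -EnableRegionBlockList   $true -RegionBlockList   @('RU')

# Scenario 1: the three advanced filters in Test mode. Matching mail is delivered
# as usual but a copy is BCC'd to the test mailbox, so false positives can be
# measured before anything is marked as spam.
Set-HostedContentFilterPolicy -Identity $Policy `
    -MarkAsSpamEmptyMessages   Test `
    -MarkAsSpamJavaScriptInHtml Test `
    -MarkAsSpamFramesInHtml    Test `
    -TestModeAction BccMessage `
    -TestModeBccToRecipients $TestMailbox

# Scenario 2: NDR backscatter is enforced straight away.
Set-HostedContentFilterPolicy -Identity $Policy -MarkAsSpamNdrBackscatter On

# Promotion step, once the BCC'd samples contain no legitimate mail:
# Set-HostedContentFilterPolicy -Identity $Policy -MarkAsSpamJavaScriptInHtml On
```

    Test mode never changes the verdict on a message; only the On setting marks it as spam, so a filter left in Test indefinitely provides reporting but no protection.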

    That is all for this time. Until we meet again,

    Eyal Doron
    Tech Lead | Office 365 | Israel

  • Managed Availability Probes

    Probes are one of the three critical parts of the Managed Availability framework (monitors and responders are the other two). As I wrote previously, monitors are the central components, and you can query monitors to find an up-to-the-minute view of your users’ experience. Probes are how monitors obtain accurate information about that experience.

    There are three major categories of probes: recurrent probes, notifications, and checks.

    Recurrent Probes

    The most common probes are recurrent probes. Each probe runs every few minutes and checks some aspect of service health. They may transmit an e-mail to a monitoring mailbox using Exchange ActiveSync, connect to an RPC endpoint, or establish CAS-to-Mailbox server connectivity. All of these probes are defined in the Microsoft.Exchange.ActiveMonitoring\ProbeDefinition event log channel each time the Exchange Health Manager service is started. The most interesting properties for these events are:

    • Name: The name of the Probe. This will begin with the SampleMask of the Probe’s Monitor.
    • TypeName: The code object type of the probe that contains the probe’s logic.
    • ServiceName: The name of the Health Set for this Probe.
    • TargetResource: The object this Probe is validating. When the Probe executes, this is appended to the Probe’s Name to form the ResultName of the Probe Result.
    • RecurrenceIntervalSeconds: How often this Probe executes.
    • TimeoutSeconds: How long this Probe should wait before failing.

    On a typical Exchange 2013 multi-role server, there are hundreds of these probes defined. Many probes are per-database, so this number will increase quickly as you add databases. In most cases, the logic in these probes is defined in code, and not directly discoverable. However, there are two probe types that are common enough to describe in detail, based on the TypeName of the probe:

    • Microsoft.Exchange.Monitoring.ActiveMonitoring.ServiceStatus.Probes.GenericServiceProbe: Determines whether the service specified by TargetResource is running.
    • Microsoft.Exchange.Monitoring.ActiveMonitoring.ServiceStatus.Probes.EventLogProbe: Logs an error result if the event specified by ExtensionAttributes.RedEventIds has occurred in the ExtensionAttributes.LogName. Success results are logged if the ExtensionAttributes.GreenEventIds is logged. These probes will not work if you override them to watch for a different event.

    The basics of a recurrent probe are as follows: start every RecurrenceIntervalSeconds and check (or probe) some aspect of component health. If the component is healthy, the probe passes and writes an informational event to the Microsoft.Exchange.ActiveMonitoring\ProbeResult channel with a ResultType of 3. If the check fails or times out, the probe fails and writes an error event to the same channel. A ResultType of 4 means the check failed and a ResultType of 1 means that it timed out. Many probes will re-run if they timeout, up to the MaxRetryAttempts property.

    The ProbeResult channel gets very busy with hundreds of probes running every few minutes and logging an event, so there can be a real impact on the performance of your Exchange server if you perform expensive queries against this event channel in a production environment.
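
    An added example, not from the original post, showing how to read the two channels described above with Get-WinEvent: it lists the probe definitions with the properties named above, then summarises recent ProbeResult outcomes per probe while respecting the warning about expensive queries by bounding the query with a start time and an event cap. The channel names are the Get-WinEvent form of the channels in the text; the Health Set and the time window are assumptions. Run on an Exchange 2013 server as an administrator.

```powershell
# Added example, not from the original post. Run locally on an Exchange 2013 server.

$HealthSet = 'ActiveSync'          # assumption: restrict to one Health Set; use $null for all
$Window    = (Get-Date).AddMinutes(-30)

# Probe definitions are rewritten each time MSExchangeHM starts. The properties
# the post describes live in <UserData><EventXML>, not in the message text.
$definitions = Get-WinEvent -LogName 'Microsoft-Exchange-ActiveMonitoring/ProbeDefinition' |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.EventXML } |
    Where-Object { (-not $HealthSet) -or ($_.ServiceName -eq $HealthSet) } |
    Select-Object Name, TypeName, ServiceName, TargetResource,
        RecurrenceIntervalSeconds, TimeoutSeconds, MaxRetryAttempts

$definitions | Sort-Object ServiceName, Name | Format-Table -AutoSize

# ProbeResult is very busy: bound the query by StartTime and MaxEvents at the
# event log level instead of pulling the whole channel and filtering afterwards.
$results = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Exchange-ActiveMonitoring/ProbeResult'
        StartTime = $Window
    } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.EventXML }

# Count the events in one ResultType group, or 0 if that group is absent.
function Count-ResultType($groups, [string]$code) {
    $g = $groups | Where-Object Name -eq $code
    if ($g) { $g.Count } else { 0 }
}

# ResultType codes in this channel: 1 = timed out, 3 = succeeded, 4 = failed.
$results |
    Where-Object { (-not $HealthSet) -or ($_.ServiceName -eq $HealthSet) } |
    Group-Object ResultName |
    ForEach-Object {
        $byType = $_.Group | Group-Object ResultType
        [pscustomobject]@{
            ResultName = $_.Name
            Total      = $_.Count
            Succeeded  = Count-ResultType $byType '3'
            Failed     = Count-ResultType $byType '4'
            Timeout    = Count-ResultType $byType '1'
            LastError  = ($_.Group | Where-Object ResultType -ne '3' |
                          Sort-Object ExecutionEndTime -Descending |
                          Select-Object -First 1).Error
        }
    } |
    Sort-Object Failed, Timeout -Descending |
    Format-Table -AutoSize

# Problems that still need a human end up in the Monitoring channel (see the
# Monitors discussion below); this is the cheap query to start with.
Get-WinEvent -LogName 'Microsoft-Exchange-ManagedAvailability/Monitoring' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

    A probe with a handful of failures and many successes in the table is usually noise that the Monitor's thresholds are designed to absorb; a probe whose Failed or Timeout count approaches its Total over the window is the one worth reading the LastError of.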

    Notifications

    Notifications are probes that are not run by the health manager framework, but by some other service on the server. These services perform their own monitoring, and then feed data into the Managed Availability framework by directly writing probe results. You will not see these probes in the ProbeDefinition channel, as this channel only describes probes that are run within the Managed Availability framework.

    For example, the ServerOneCopyMonitor Monitor is triggered by Probe results written by the MSExchangeDagMgmt service. This service performs its own monitoring, determines whether there is a problem, and logs a probe result. Most Notification probes can log both a red event that turns the Monitor Unhealthy and a green event that makes the Monitor healthy once more.

    Checks

    Checks are probes that only log events when a performance counter passes above or below a defined threshold. They are really a special type of Notification probe, as there is a service monitoring the performance counters on the server and logging events to the ProbeResult channel when the configured threshold is met.

    To find the counter and threshold that is considered unhealthy, look at Monitor Definitions with a Type property of:

    • Microsoft.Office.Datacenter.ActiveMonitoring.OverallConsecutiveSampleValueAboveThresholdMonitor or
    • Microsoft.Office.Datacenter.ActiveMonitoring.OverallConsecutiveSampleValueBelowThresholdMonitor

    A Monitor of either type means the probe it watches is a Check probe.

    How this works with Monitors

    From the Monitor’s perspective, all three probe types are the same as they each log to the ProbeResult channel. Every Monitor has a SampleMask property in its definition. As the Monitor executes, it looks for events in the ProbeResult channel that have a ResultName that matches the Monitor’s SampleMask. These events could be from recurrent probes, notifications, or checks. If the Monitor’s thresholds are reached or exceeded, it becomes Unhealthy.

    It is worth noting that a single probe failure does not necessarily indicate that something is wrong with the server. Monitors are designed to distinguish a real problem that needs fixing from a transient or anomalous issue that resolves itself, which is why many Monitors require multiple probe failures before becoming Unhealthy. Many of these problems can even be fixed automatically by Responders, so the best place to look for problems that require manual intervention is the Microsoft.Exchange.ManagedAvailability\Monitoring crimson channel. These events sometimes also include the most recent probe error message (if the developers of that Health Set consider it relevant when they are paged with that event’s text in Office 365).

    There are more details on how Monitors work, and how they can be overridden to use different thresholds in the Managed Availability Monitors article.

     

    Abram Jackson
    Program Manager, Exchange Server

  • Important update available for Exchange Server 2013 hybrid deployments

    Update 8/26/14: changed the resolution to include the release of Exchange 2013 Cumulative Update 6 (CU6).

    An important update is now available to resolve issues customers are currently experiencing when using the Hybrid Configuration Wizard (HCW) to create a new or manage an existing hybrid deployment with Microsoft Exchange Server 2013.

    If you currently have an Exchange 2013-based hybrid deployment configured, you will not notice any issues unless you rerun the HCW as part of updating or managing your existing hybrid features. If you need to reconfigure your hybrid deployment, install Exchange Server 2013 Cumulative Update 6 (CU6) to correct this issue with the HCW.

    For Exchange 2013 organizations creating new or managing an existing hybrid configuration with the HCW, the following HCW error message indicates you are experiencing the issue this update addresses:

    Subtask CheckPrereqs execution failed: Check Tenant Prerequisites Deserialization fails due to one SerializationException: Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed: Microsoft.Exchange.Data.Directory.DirectoryBackendType

    If you experience this issue, please install Exchange 2013 Cumulative Update 6 (CU6).

    Brian Shiers
    Technical Product Manager

    FAQ

    Q: I’ve already configured a hybrid deployment with Exchange Server 2013 and I don’t need to make any changes to my hybrid configuration or features, do I need to apply this (interim) update?

    A: No, you can wait for the fix to be delivered in the next Exchange Server 2013 update as long as you don’t have the need to run the Hybrid Configuration Wizard. EDIT: CU6 is now released and available.

    Q. I may need to make updates to my Exchange 2013-based hybrid deployment before the next Exchange Server 2013 update, what are my options?

    A. If you need to update your hybrid deployment features, install Exchange Server 2013 Cumulative Update 6 (CU6). Attempting to manually configure a new or update an existing hybrid deployment without HCW can result in unsupported hybrid deployment states.

    Q: Are customers who use Exchange Server 2010 impacted by this update?

    A: No, this only applies to customers using Exchange Server 2013 to configure a hybrid deployment with Office 365.

    Q: If we apply the update specific for SP1 or CU5 do I have to do anything special to update to CU6 or later in the future?

    A: The interim update does NOT need to be uninstalled. As of CU3, later CUs install directly over Interim Updates and Security Updates.

  • Spam email and Office 365 environment - Overview

    I wanted to write a series of blog posts about email spam in Office 365. While the majority of spam is blocked by the Office 365 mail security gateways, no system blocks 100% of spam all the time, so some can still get through. When we do experience spam, Office 365 gives us several tools and configuration options to deal with it and improve effectiveness.

    In this series, we will quickly review different types of spam mail. Then we will present different tools that we can use for fighting spam mail in an Office 365 environment and try to “match” the “spam tool” for the task based on the type of the spam.

    Also please note that while we are approaching this from Office 365 viewpoint, many of the procedures listed here apply to both on-premises and hybrid deployments.

    Introduction

    One of the advantages of using Office 365 is that, transparently and behind the scenes, we implement EOP – Exchange Online Protection (the former mail security infrastructure was provided by the FOPE services).

    The Exchange Online Protection infrastructure serves as the mail gateways responsible for the “hygiene” of incoming and outgoing mail flow. Their purpose is to filter any malware, virus or spam in mail that comes from external sources to Office 365 recipients (incoming mail flow), and in mail sent from Office 365 recipients to external destinations (outgoing mail flow). A bit over-simplified, but think of it like this:

    What should I do when EOP is not working as desired?

    EOP aims to provide the best possible protection, but from time to time Office 365 subscribers can experience spam mail that gets into their mailbox.

    Before going further, let’s not forget that there is no “perfect solution” that blocks 100% of spam, because spam solutions\gateways always have to balance two kinds of error:

    • False Positive - the defending system recognizes legitimate mail as bad\spam and blocks it.
    • False Negative - the defending system fails to recognize bad\spam mail, and the mail reaches the recipient’s mailbox.

    Certainly any hygiene solution, even a cloud-based one, will have times when a few messages originating from a creative spammer sneak through before it is recognized as a threat. The advantage that a cloud-based solution offers is that it is set up to recognize those threats quickly, partially due to the quantity of email that it processes.

    Additionally, different users will always have slightly different expectations. It is therefore challenging to have a default configuration setting that is perfect for different business customers, each with unique requirements. One person’s spam email can be another person’s legitimate business email. EOP defaults tend to be slightly less strict rather than risk a false positive. If these defaults are not adequate for your organization, EOP offers great flexibility in allowing customization of anti-spam settings.

    This series of blog posts will help you understand what to do in either situation.

    Spam mail - Troubleshooting process and classification

    To give the troubleshooting process a clear path, we follow a workflow similar to the one in the following diagram:

    Step 1 - Get information about the character of the spam mail.

    The most basic step is to get essential information about the spam message. Determine if the mail message is truly a spam message and if so, try to recognize the type of spam. Based on this information, choose the right “tools” for mitigating it (we will cover more of those in future posts).

    Questions to answer

    Here is a list of questions that could help gather required information:

    • Q: Is the mail considered as spam mail or just standard advertisement mail from a well-known\familiar company?
    • Q: Is the spam mail sent from a specific sender email address?
    • Q: Is the spam mail sent from a specific domain?
    • Q: Does the spam mail include specific keywords in the mail subject\body?
    • Q: Does the spam mail include specific URLs in the mail body that redirect the recipient to another location?
    • Q: Is the spam mail written in a language other than English (does it contain non-English characters)?
    • Q: Is the spam mail from a specific geographical location?
    • Q: Is the spam mail directed to a specific user or distribution list in the organization?

    General characteristics:

    • Q: Is the spam mail sent on a specific schedule (specific hour or date)?
    • Q: What is the percentage of organization users who get the spam mail?
    • Q: What is the “amount” of the spam mail (single mail item, tens or hundreds of spam mails)?
    • Q: How long has the spam mail been received (days/hours)?
    • Q: When was the last spam mail received?
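
    Most of the questions above can be answered from message trace data rather than by reading individual messages. The following is an added example, not part of the original post: Summarize-SpamTrace works on any objects carrying the Get-MessageTrace properties it reads (Received, SenderAddress, RecipientAddress, Subject, Status) and reports sender concentration, recipient spread, timing and volume. The sample rows are constructed; the commented Get-MessageTrace call at the end shows how you would feed it real data from EOP PowerShell.

```powershell
# Added example, not from the original post. Sample data below is constructed.

function Summarize-SpamTrace {
    param(
        [Parameter(Mandatory)][object[]]$Trace,   # message trace rows for the suspected spam
        [int]$TotalUsers = 0                      # mailbox count, for the "% of users" question
    )
    $senders    = @($Trace | Group-Object SenderAddress | Sort-Object Count -Descending)
    $domains    = @($Trace | Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
                    Sort-Object Count -Descending)
    $recipients = @($Trace | Select-Object -ExpandProperty RecipientAddress -Unique)
    $hours      = @($Trace | Group-Object { ([datetime]$_.Received).ToString('HH:00') })
    $subjects   = @($Trace | Group-Object Subject | Sort-Object Count -Descending)
    $byTime     = @($Trace | Sort-Object { [datetime]$_.Received })
    $first      = [datetime]$byTime[0].Received
    $last       = [datetime]$byTime[-1].Received

    [pscustomobject]@{
        MessageCount    = $Trace.Count                        # single item, tens or hundreds?
        FirstSeen       = $first                              # how long has it been going on?
        LastSeen        = $last                               # when was the last one?
        DurationHours   = [math]::Round(($last - $first).TotalHours, 1)
        TopSender       = $senders[0].Name                    # specific sender address?
        SingleSender    = ($senders.Count -eq 1)
        TopSenderDomain = $domains[0].Name                    # specific domain?
        SingleDomain    = ($domains.Count -eq 1)
        RecipientCount  = $recipients.Count                   # aimed at a few users or everyone?
        PercentOfUsers  = $(if ($TotalUsers -gt 0) { [math]::Round(100 * $recipients.Count / $TotalUsers, 1) } else { $null })
        PeakHour        = ($hours | Sort-Object Count -Descending | Select-Object -First 1).Name   # on a schedule?
        RepeatedSubject = ($subjects[0].Count -gt 1)          # same subject reused?
        DeliveredCount  = @($Trace | Where-Object Status -eq 'Delivered').Count
    }
}

# Constructed sample: six rows shaped like Get-MessageTrace output.
$sample = @(
    [pscustomobject]@{ Received = [datetime]'2014-08-25 03:05'; SenderAddress = 'promo@deals.example';   RecipientAddress = 'alice@contoso.com'; Subject = 'Cheap meds'; Status = 'Delivered' }
    [pscustomobject]@{ Received = [datetime]'2014-08-25 03:07'; SenderAddress = 'promo@deals.example';   RecipientAddress = 'bob@contoso.com';   Subject = 'Cheap meds'; Status = 'Delivered' }
    [pscustomobject]@{ Received = [datetime]'2014-08-25 03:40'; SenderAddress = 'offers@deals.example';  RecipientAddress = 'carol@contoso.com'; Subject = 'Cheap meds'; Status = 'Delivered' }
    [pscustomobject]@{ Received = [datetime]'2014-08-26 03:12'; SenderAddress = 'promo@deals.example';   RecipientAddress = 'alice@contoso.com'; Subject = 'Cheap meds'; Status = 'Delivered' }
    [pscustomobject]@{ Received = [datetime]'2014-08-26 03:15'; SenderAddress = 'offers@deals.example';  RecipientAddress = 'dave@contoso.com';  Subject = 'Cheap meds'; Status = 'FilteredAsSpam' }
    [pscustomobject]@{ Received = [datetime]'2014-08-26 14:02'; SenderAddress = 'promo@deals.example';   RecipientAddress = 'bob@contoso.com';   Subject = 'Cheap meds'; Status = 'Delivered' }
)

Summarize-SpamTrace -Trace $sample -TotalUsers 200 | Format-List

# Online, from EOP PowerShell: pull the last two days, narrow to the reported subject,
# and size the organization with Get-Mailbox.
# $trace = Get-MessageTrace -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -PageSize 5000
# Summarize-SpamTrace -Trace ($trace | Where-Object Subject -like '*Cheap meds*') `
#                     -TotalUsers (Get-Mailbox -ResultSize Unlimited).Count
```

    On the sample the summary shows two sender addresses but a single sender domain, four recipients (2% of a 200-user organization), a peak at 03:00 and a repeated subject: that pattern points at a domain or subject based rule rather than a block on one sender address, which is the kind of decision the later posts in this series make.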

    Step 2 – Report\Block spam mail

    When we deal with spam, we try to block it with the options available on the “server side” (Exchange Online and EOP) and on the “client side” (Outlook). Blocking spam is usually a combined operation: tools that filter the spam, plus tools that report it (send a sample) to the Microsoft team that manages the EOP infrastructure.

    Dealing with spam mail - Client side

    1. Microsoft Junk E-mail Reporting Add-in

    The Microsoft Junk E-mail Reporting Add-in is a very useful Outlook add-in that lets each user report an offending message to Microsoft.

    Selecting the mail item and choosing “Report Junk” sends the item automatically to the Microsoft mail security team for analysis and investigation, which helps improve the effectiveness of our junk e-mail filtering technologies.

    Using the Microsoft Junk E-mail Reporting Add-in

    In Outlook 2010\2013, the Microsoft Junk E-mail Reporting Add-in adds a Report Junk entry to the “Junk” menu. To report a mail item as junk, use the following procedure:

    • Choose the mail items you would like to report
    • On the Home Tab choose the small black arrow of the Junk option.
    • Choose the option Report Junk

    A warning message appears and informs the user that the mail item will be reported as spam. Choose the “Yes” option.

    When we choose the “yes” option, the following events will occur:

    • The mail items that were reported as spam, will be sent to the Junk Email folder.
    • A copy of the mail items is sent to abuse@messaging.microsoft.com as attachments, as can be seen in the Sent Items folder.
    • An acknowledgement email will be sent back to the recipient.

    In Outlook 2007, the option to “report junk” will be added on the top menu option.

    2. Outlook Junk option - block sender

    Another option that is available for us from “client side” is the Outlook junk component and the option of “block sender” (Add a sender to the Blocked Senders list).

    This option is most suitable when the spam is delivered from a single, specific sender address. In reality, spammers often manage to send their spam from a different source address each time, so blocking the sender will not help us in those cases.

    Add a sender to the Blocked Senders list

    To block the sender of spam mail, use the Junk menu:

    • Choose the required mail items
    • On the Home tab, choose the small black arrow of the Junk option
    • Choose the option Block Sender

    3. Unsubscribe from a mailing list

    If a user reports “spam” and, when we check the mail item, the sender is not a spammer (the mail is a standard advertising email sent to a distribution list the user is on), the message will usually include an option to unsubscribe from the mailing list. So, before we bring out the “heavy artillery,” check whether an unsubscribe option exists and use it. Only do this when the sender is a known, legitimate company; an unsubscribe link in genuine spam just confirms to the spammer that the address is live.

    4. Educate users: How to avoid spam

    Educating users belongs to the “proactive” part of the process, in which we try to avoid the behaviors that lead to spam in the first place.

    By providing our users instructions and guidance about behavior they should avoid, we can prevent or significantly reduce in advance the occurrence of “spam events."

    You can read more information about this subject by using the following link:

    10 tips on how to help reduce spam

    That is all for today – part 2 (starting to talk about server side solutions) to follow soon!

    Eyal Doron
    Tech Lead | Office 365 | Israel