Exchange Online Protection

2. Understanding Zero Hour Auto Purge

If you're using Exchange Online for your email system, you may have had a user come to you with concern that there was a message in their mailbox, but they never opened it, and the message disappeared from their mailbox. That was actually an intentional act by Microsoft. Does Microsoft have something called zerohour autopurge?They apply to their environments because while Microsoft's Exchange Online Protection and Advanced ThreatProtection are trying to protect you from various malicious pieces of software and spam coming in, sometimes they do get through. That's where zero hour autopirch comes into play, right? Zap, which is the abbreviation for it,detects messages that were previously undetected. So if I sent to your inbox junk mail or malware, and it was previously tagged as goodmail, but now with a new virus definition fileor with some new information about the sender, we determine that that's malware or spam. It can be treated as such even after the fact that it's been put into your user's inbox. It can be zapped out of that mailbox, right? So if I've sent you or you've had delivered to your inbox mail and you haven't opened it, and that mail is determined to be spam after the fact, if you haven't opened it, it's going to move it over to the junk mail folder, right? So it was in the inbox, it was unopened,and all of a sudden it's gone because it got moved over to the junk mail folder. right? Now if it was delivered to your mail folder and you opened it and looked at it, there's no reason for us to move it at that point in time, right? because it's not malicious software. It's not something that's going to hurt you. There's no reason to necessarily move it to the junk mail folder, right? If a piece of malware was delivered, I've got an email. It's got a file attached to it. It's got a malicious file attached to it. It's going to be removed regardless of whether you've opened that message or not. That attachment is going to be stripped from that message. So this way, with Zero Hour autopurge, Microsoft can extend the protection beyond just windmills arriving,but also with additional information coming in, they can even react to mail that has already been delivered to that end user.

3. Spoofing and Phishing Protection

Working with exchange online, there are different things that we can do to help with spoofing and phishing in our organizations. One of those is that EOP supports email authentication. We have the ability to create an SPFtext record or a centre policy framework record. By registering your SPF record, what you're doing is identifying the fact that exchanges online are allowed to be sent on behalf of your domain. So when you send a message to somebody, they can do a reverse lookup and look for the SPF record to make sure the message is coming from an allowed sender. In addition to that, we have thedomain keys, identified mail, or DKIM environment. DCM will allow you to digitally sign the message. The digital signature in the header can verify that the message came from a trusted source, so you can actually set up DCM for your organisation so that you can digitally sign the headers of your environment. And then we have DMARQ domain-based message and reporting compliance. This actually helps with anti-fishing, where we have the ability to go out there and make sure that nobody is spoofing the from address,the five, three, two from address. We want to make sure that that is coming from a legitimate source and deemarc has the ability to protect that and make sure it's coming from an authorised source. In addition to that, when it comes to working with spoofing, we have this thing called spoof intelligence. Spoof intelligence gives us basically the ability to see who is actually spoofing our domains. Who's going in and sending mail to people in my organisation and pretending like it's coming from people in my organization when in fact it's not, right? With spoof intelligence, we can either allow these senders to keep continuing to spoof, or we have the ability to go out there and stop them from being allowed to do it again. If I had hired a marketing company to send messages to all of my employees on behalf, it makes sense that I would go into myspoof intelligence and actually allow that to occur. But if I didn't want that to happen by default,we could go ahead and have it start blocking those messages would no longer get in. We have the ability to go through and actually work with that. Now the spoof intelligence policy exists automatically. It's nothing I have to create. I don't have to go in there and build a new policy to have spoof intelligence. It's there by default, right? What I have is I have the ability to go in there and approve or deny spoofing for somebody if they're using it by default. If it picks somebody up as spoofing, they're going to actually deny it. But you can go in there and turn that from a no to a yes to allow them to do that if that's what you wanted to do. So we get the ability to stop some of that fishing, some of that spoofing that's going on in our organisation using some of the tools that are provided to us with Exchange Online.

4. Configuring with Exchange AntiSpam

Exchange Online has a built-in anti-spam filter. There's a default filter already configured, but you do have the ability to either modify that one or, if you want to, you can create a separate different one that might apply to different people within the organization. Let's take a look at how you can either modify the default one or create new ones. So here I am in the Microsoft 365 Admin Center, and I'm going to actually open up the Exchange Admin Center. So in the 365 Admin Center, under Admin Centers,I'm going to click on Exchange. That's going to open up a new tab and take me to the EAC, or the Exchange Admin Center. in the Exchange Admin Center. I'm going to scroll down and click on Protect. And under Protection, I'm going to go over and click on Spam Filters. Now you'll see I have a default spam filter. And if you examine the spam filter, you'll actually see that it's going through, it's detecting spam, and it's moving all spam to the junk mail folder. So all the spam is going into the junkmail folder, regardless of whether it's high confidence spam or just spam, all of it's going there, right? Bulk mail checks, it's going out there and looking for a threshold of seven for the default bulk mail environment, right, sender blocks. We're not configuring a lot of this, and you can see there's a lot of different settings that are set to not configured. Okay, so the default spam filter is looking for certain properties, but there's a lot of opportunity for you to fine tune it. So I could edit that and change it, or if I wanted to, I could go and create a new one. So let's go ahead and click on the plus sign to create a new spam filter. Now in this one, we'll go ahead and give this one a name. We'll call this one our account spam filter. Put in a description of it. The first thing you'll notice is that I have a choice that I can make. We have spam and high confidence spam, right? Spam gets rated with what's called a spam confidence level. If something is considered spam, it would fall into that confidence level range, anywhere from around three to five. If it's in the three-to-five realm, it'll be considered spam. If it goes six and above, it's going to be considered high confidence spam. And maybe you want to reduce the amount of junk mail showing up in your end users' junk mail folder. You could separate these out and say, "You know what, okay, if it's spam, let's put it in the junk mail folder." But if it's high confidence spam, let's route that instead to, say, the quarantine, for example. Now you'll notice here that I get a warning here that we may want to enable the end users' spam notifications so that they can release their own from the quarantine. And that makes it so that your users don't have to come to you if there's something in spam that they're looking for, right? So we can go out there and treat those separately. Again, no bulk mill there. We can go out there and allow that to go through. And you can see the quarantine. The messages will sit there for 15 days, which is fine. Now, with some additional settings that we have, I can block specific senders. So if we're getting a whole bunch of emails from a specific address, I can block that user as part of the spam. If we're getting a whole bunch of emails from an already blocked domain, I can block the domain. I can also whitelist. I can allow certain users to bypass spam to ensure that their emails or their domains, any mail from their domain, doesn't get stopped by the spam filter. In that case, it would be marked with a spamconfidence level of negative one, which means just go ahead and bypass the spam filter and deliver it. We're not going to treat it. If it's malware, it's still not going to get delivered, but if it's spam, it'll bypass it. We won't have a false positive going out there and causing us some problems. You can see we have some international spam options where if I check the box here, I have the ability to go out there and select, you know, what if it's written in a given language, right? If somebody sends an email and it comes in from a given language,like, for example, Afrikaans, we can just add that in. or Arabic. or Armenian. We just got all the A's there. We go out there, and if any messages come in from those languages, if they're written in those languages, it'll increase the spam level, the spam confidence level. We can also do it based on country of origin, so I can filter it based on where it's coming from. Different IP blocks are tied to different regions around the globe. So if we're getting a message, if it's coming from Algeria, right, if we have something coming from Antarctica, because we don't have a lot of mail coming from there these days, we can increase the spam confidence level on that and have the ability to go out there and use those as additional tools. They weren't part of that default message. Now, in addition to that, there are some advanced options with things like, am I getting an IP address in a message that is a numeric one instead of a URL with a name in it? Is it an info or a business environment? All of this increases the spam confidence in those messages. So once you set all of the settings that you want for your new policy, you also have to decide who you want it to apply to. I could apply to specific individuals. The recipient is just click on the individuals I want this to apply to. I could apply it to my entire domain if I wanted to, or to a specific group of users. So if we said that the member is if the user is a member of right, and we'll go out there and say if they're part of the accounts group there, then this spam policy would apply to them. So we go through and we actually save the spam policy. Now, what you'll note is that the spampolicy gets assigned a priority number. So if I created one for accounts and one for it and one for marketing, and a user might have been a member of multiple groups, whichever one has the highest ranking, which is the lowest number, would be the one to apply to that user out there right now. I also have the ability to go out there and see the settings that we've set right here. I can get a quick view of those. And we talked about the fact that, with high confidence spam going into the quarantine, we may want to enable end-user spam notification by highlighting the default filter there. You'll notice I get the ability to configure end-user spam notifications here. I can simply click on that and go out there. If it was not enabled, I would enable it and decide how many times I wanted them to get it. Once a week, once every day, every two days. I can put that in there. And now they will get an email list of all the messages that went to quarantine based on this. They could release their username and password to their inbox if they wanted to. So it gives them the ability to manage their end-user spam notifications there.

5. Configuring Exchange AntiMalware

With Exchange online protection, there is a default built-in antimalware policy. You do not have the ability to delete that policy. In other words, all malware will be stopped. Right. They're not going to allow you to deliver malware within your organisation that way. So we have the ability to go out there and actually modify it if we want to and/or create our own malware policies. In the Exchange Admin Center, if I go down here to protection, you'll see the first tab is the malware filter. You'll note that right now with our malware,all malware here is not going to be notified. So nobody's going to be notified that the malware was sent to us, right? No senders are going to be notified. No admins are going to be notified. It's just going to be stopped. Malware is just going to be deleted. Right. We're not going to go out there and actually deliver the malware. If you wanted to, you have the ability to modify that default one, or you could create your own malware filter. Now, when you create your own malware filter, let's just go ahead and give this one a name. We'll say this one is going to be our IT malware policy here. Maybe we want the IT organisation to have slightly different behavior, like some notifications, for example. Right. So one of the things we can do is when malware is detected here. If malware is detected in an email, the attachment will be quarantined and can be released only by the admin. We'll turn that to yes. And we can even use the default notification text that malware was detected on this message. And if you want to talk to an administrator,it's in quarantine, and they could go out there and analyse it or release it. Right now we can use a custom notification, in which case we could type in exactly what we wanted to appear here in the environment and have the ability to do that. Notice there are some common attachment types of filters. If your organization, for whatever reason, needed to have files that ended with an app extension delivered to your users, you could remove that as a common attachment type. So you can modify the common attachment typefilter here in the Exchange admin environment. Now, in terms of notifications, do we want to notify the senders that they sent us malware? Probably not. If they're an external user, definitely not. Right. because that external user will have notification. We caught their message. We caught what was going on, and we don't want that to happen. Now internally, yeah, maybe somebody's trying to send something. It's not really malware, but it's being picked up, and maybe we want them to be aware of that so when they start getting a call from a recipient saying, "How come you never sent me that message?" They will have received a reply back from it. It was detected as malware and they may have to deal with that. So, if you want, you can check that out there and notify, say, internal senders. We could notify administrators about undelivered messages from internal or external senders if we wanted to. We can go out there and add some in and decide who we want that to go through as well. But then the other thing we have to ask is who is this going to apply to? And again, individual recipients that we can choose. We can choose the entire domain or multipledomains in a multidomain environment, or we can go out there and choose specific people that are members of a given group. And I could go through and choose the helpdesk, for example, and everybody that's part of the help desk would now have this one applied So they'll get oops and it looks like I left. It would help if I uncheck that since I'm not sending it to an administrator. We'll go out there and save that policy. Now, again, this policy is going to get a priority number of zero. If you're a member of the group, that malware policy will apply to you, but if not, the default one will apply if I create others and you're part of multiple groups, whichever everyone has the highest priority is the one that would apply to your messages.

6. Creating a Safe Attachment Policy

If your subscription includes advanced threat protection, you have the ability to go in and actually create a safe attachment policy for your organization. Now there isn't one on by default, so just having ATP is not going to give you safe attachment protection. You must go in and actually create a safe attachment policy. In order to do that, you would go into the Security and Compliance Center. So we'll open that up in the Security and Compliance Center. I'm going to go in under threat management and then threat management. If you open that, you can scroll down to policy. So, the Threat Management policy and in there you will see the opportunity to go through and create an advanced threat protection safe attachment policy. So we'll just click on that and open it up. As you can see, there is no policy on by default. One of the things I'd like to point out to you is the fact that you do have the ability to turn on advanced threat protection for SharePoint OneDrive and Microsoft Teams, alright? Those options are right there. You simply have to check that box, and if I do that, then safe attachments will apply to them as well. So documents that are uploaded into the environment or downloaded from the environment will be confirmed as safe before the user has the opportunity to interact with that document. So you can simply go in there and put a check in that box to turn that on for those locations. Now if I come in here and click on thePlus, I have the ability to create a new safeattachment policy. We'll go through it and we'll just give this one. We'll call this our Safe Attachment Policy. We'll just give it a name there. The next step is to choose the method that you want safe attachment processing to actually occur in your tenant account. And what you'll see is that you have several choices. The first one is just being off. If it's set to off, it's just like not having a safe attachment policy at all, right? All messages that pass through EOP that have attachments will just be delivered to the end user. No additional scanning or operations would be held. If I turn it to monitor, so if I go in and I check the monitor section here, if I fill that in right, the message is still going to be delivered, right? The malware is going to be detected, but the message is going to be delivered, and they're going to scan or track the results of that. You might want to do this. If I have an environment where we want to test something and we want to see the behaviour that occurs in an isolated environment somewhere, you might do that. If you go through and you choose block, if I'm going to block that, it's going to receive an attachment, it's going to open it up into a sandbox environment and monitor the behaviour If it's determined to be of a malicious type, it won't deliver the message or the attachment to the user. Now the scanning has to be completed before the user sees the mail, which means there will be a delay in the message arrival for the end user out there. In addition to that, once Safe attachments has actually detected a malware, right, a previously unknown malware, any new messages coming in that contain that same malware will be detected now, and it will block all those future ones as well. If you choose the option to replace If we go out there and choose to replace, it's going to block the attachment that has the malware on it, right. So that won't get delivered, but the message will get delivered. And instead, the end user will see a little icon letting them know that the attachment was blocked by Safe Attachments. But again, there's going to be a little bit of a delay in the message because it has to analyse the attachment before it actually delivers the message. Now, the last choice is dynamic delivery. If you choose Dynamic Delivery, what happens is the message is delivered as soon as it arrives with the attachment to the end user, but there is a placeholder placed on that message to let the user know that the attachment is currently being scanned. Now, if it's of a type that we have preview available, it'll still let the user preview it. So, if I send that user a document or a PDF file, the user can preview the message by clicking on it; they still have access to the content, even if they can't download it and start working with it. Once it's been safely scanned, it will then reattach the document to that message. So, Dynamic Delivery will not slow down that option. So let's go ahead and choose Dynamic Delivery here. We'll just click and check that box there. Now, there are also some options to enable redirectedmessages, right, where we can send messages that are considered to be malicious to somebody else. That assumes that we're going out there and using the block or the replace or dynamic,in which case if it detects something, it'll redirect it out there in our environment. Notice I have the ability to apply this to certain people, right, again,based on individual recipients, based on domains. So maybe I want my entire domain,my entire male domain to have this. In that instance, I'd be able to go in there and say if the recipient domain is just pick the entire domain for my organization. And now every message to my domain will actually have that policy applied to them. Now, one of the things I want you to take note of is that when I choose Dynamic and I go to save this, I'm going to get a popup box letting me know that there's going to be a behavioural difference because you can actually use EOP to scan for both on-premises and cloud-based exchange organizations. So if I have advanced threat protection and I've got dynamic delivery, the behaviour for my cloud users is as described. The message will get delivered, they'll have the ability to preview it, and eventually the attachment will be attached, and they won't have any delay in the message delivery. If it's an on-premises user in an Exchange hybrid solution in that scenario, Now they're not going to have the dynamic delivery,as you can see here, for 365hosted boxes only in this environment, right on premises. We'll go out there and have the replacement action. It will have a replacement action. So they'll get the message with the attachment or they'll get the message with a placeholder saying that the message is being scanned and it's malicious and they don't have the ability to view it. So they won't get that preview capability that the dynamic delivery will give them, right? So you go out there, click OK, and again it's letting us know that there's going to be some redirect going on because it's going to have to monitor the message. And again, it gives you that second message, telling you the same thing, letting you know that onpremises and dynamic are going to be different. And we'll click OK. And now I have a safe attachment policy for my Exchange online organization.

ExamSnap's Microsoft MS-101 Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, Microsoft MS-101 Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.