SECOPS : Risks of using an antispam in front of Exchange Online Protection and solutions

EOP: Exchange Online Protection

· M365

Although Microsoft 365 messaging already includes the capable Exchange Online Protection (EOP) anti-spam, many organizations choose to purchase a second anti-spam gateway and place it upstream of M365, so that the public MX record points to the third-party service and mail only reaches EOP after passing through it.


This choice is usually motivated by the wish to have two independent anti-spam layers for added protection, or by features such as attachment sandboxing or URL rewriting, which are costly in Microsoft's licensing tiers but available at somewhat lower prices from other anti-spam providers.

However, it is often overlooked that putting an anti-spam in front of EOP hides the true sending IP of each message from EOP: the last hop EOP sees is your gateway, not the Internet sender. This degrades EOP's filtering accuracy and causes legitimate mail to be classified as spam.

To avoid these complications, it is important to consider a few configuration points before setting up MX records to point your inbound email flows to your newly acquired anti-spam:

1 — Configure Enhanced Filtering for Connectors in Exchange Online to inform EOP about the IPs allocated to the anti-spam upstream of EOP.

Without this feature, EOP treats the IP of your anti-spam as the sending IP of every message. Since that IP is not listed in the senders' SPF records, SPF fails systematically, and everything that builds on it (DMARC via SPF alignment, spoof intelligence, IP reputation) is degraded as well.


Once the IPs of your anti-spam are listed in Enhanced Filtering for Connectors, EOP skips those hops when walking the Received chain, evaluates the real sending IP and can validate SPF against it.

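To tell the two states apart on a real message, here is an added example (not code from the original post) that reads a message's raw headers and reports which IP EOP actually evaluated and what SPF and DMARC concluded. It relies on the headers EOP adds when Enhanced Filtering skips a hop: X-MS-Exchange-SkipListedInternetSender (the gateway hop that was skipped) and X-MS-Exchange-ExternalOriginalInternetSender (the hop EOP evaluated instead). The two header sets below are constructed for this illustration, using documentation IP ranges and example.com domains.

```powershell
# Added example, not from the original post: report which source IP EOP
# authenticated and what SPF/DMARC concluded, from a message's raw headers.
function Get-EopSourceIpCheck {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines, then split into individual header lines.
    $unfolded = [regex]::Replace($RawHeaders, '\r?\n[ \t]+', ' ')
    $lines    = $unfolded -split '\r?\n'

    $auth     = $lines | Where-Object { $_ -match '^Authentication-Results:' } | Select-Object -First 1
    # Present only when Enhanced Filtering skipped a hop (your gateway).
    $skipped  = $lines | Where-Object { $_ -match '^X-MS-Exchange-SkipListedInternetSender:' } | Select-Object -First 1
    # The hop EOP evaluated instead of the gateway.
    $original = $lines | Where-Object { $_ -match '^X-MS-Exchange-ExternalOriginalInternetSender:' } | Select-Object -First 1

    $ipPattern   = 'ip=\[?([0-9a-fA-F:.]+)'
    $skippedIp   = if ($skipped  -match $ipPattern) { $Matches[1] } else { $null }
    $originalIp  = if ($original -match $ipPattern) { $Matches[1] } else { $null }
    $evaluatedIp = if ($auth -match 'sender IP is ([0-9a-fA-F:.]+)') { $Matches[1] } else { $null }
    $spf         = if ($auth -match 'spf=(\w+)')   { $Matches[1] } else { 'none' }
    $dmarc       = if ($auth -match 'dmarc=(\w+)') { $Matches[1] } else { 'none' }

    [pscustomobject]@{
        EnhancedFilteringApplied = [bool]$skipped
        SkippedGatewayIp         = $skippedIp
        OriginalSenderIp         = $originalIp
        EvaluatedIp              = $evaluatedIp   # what SPF was checked against
        SpfResult                = $spf
        DmarcResult              = $dmarc
    }
}

# Constructed sample 1 (assumption): no Enhanced Filtering. EOP saw only the
# gateway (203.0.113.10), which is not in example.com's SPF record.
$beforeEf = @'
Received: from gw.example.net (203.0.113.10) by EOP (10.0.0.1)
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=example.com
From: sender@example.com
'@

# Constructed sample 2 (assumption): the gateway IP is listed in Enhanced
# Filtering, so EOP skipped it and evaluated the real sender (198.51.100.5).
$afterEf = @'
Received: from gw.example.net (203.0.113.10) by EOP (10.0.0.1)
Received: from mail.example.com (198.51.100.5) by gw.example.net (203.0.113.10)
X-MS-Exchange-SkipListedInternetSender: ip=[203.0.113.10];domain=gw.example.net
X-MS-Exchange-ExternalOriginalInternetSender: ip=[198.51.100.5];domain=mail.example.com
Authentication-Results: spf=pass (sender IP is 198.51.100.5)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=pass action=none header.from=example.com
From: sender@example.com
'@

Get-EopSourceIpCheck -RawHeaders $beforeEf | Format-List
Get-EopSourceIpCheck -RawHeaders $afterEf  | Format-List
```

On the first sample the function reports EnhancedFilteringApplied False, the gateway address as EvaluatedIp and spf=fail; on the second it reports True, the gateway as SkippedGatewayIp, the real sender as both OriginalSenderIp and EvaluatedIp, and spf=pass. Run it against headers of a message received through the gateway: if EvaluatedIp is still one of your gateway's addresses, Enhanced Filtering is not applied to that connector or that IP is missing from its list.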


Enhanced Filtering for Connectors thus preserves the original IP address and sender information, which, as Microsoft documents it, also brings the following benefits:

- Improved accuracy for the Microsoft filtering stack and machine learning models, which include:

  • Heuristic clustering
  • Anti-spoofing
  • Anti-phishing

- Better post-breach capabilities in Automated investigation and response (AIR)

- The ability to use explicit email authentication (SPF, DKIM and DMARC) to verify the reputation of the sending domain for impersonation and spoof detection. For more information about explicit and implicit email authentication, see Email authentication in EOP.

 

PS: If you have mail flow rules (also known as transport rules) that set the SCL to -1 for messages arriving through this connector, you must disable those rules after you enable Enhanced Filtering for Connectors. An SCL of -1 bypasses spam filtering entirely, so keeping such a rule means EOP never gets to use the real source IP it can now see.

2 — Ensure that the anti-spam upstream of O365 does not modify the messages it relays (URL rewriting, warning banners, subject tagging). Any change to the body or to a signed header breaks the sender's DKIM signature, and if the gateway also rewrites the envelope sender, SPF alignment is lost as well, so DMARC evaluation in EOP fails for legitimate mail.

If your anti-spam must modify content, make sure it evaluates DMARC itself on the unmodified message and quarantines or rejects failures (otherwise spoofed mail passes straight through), and then stop EOP from enforcing the sender's DMARC policy in the anti-phishing policy ("Honor DMARC record policy when the message is detected as spoof"), since EOP would now see broken signatures on legitimate mail. Where the gateway can ARC-seal messages, the cleaner alternative is to keep EOP's DMARC enforcement and register the gateway's sealing domain as a trusted ARC sealer in the tenant, so EOP trusts the gateway's authentication results instead of re-evaluating the modified message.
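The two configuration points above, as an added example in Exchange Online PowerShell (ExchangeOnlineManagement module); this is not code from the original post. The connector name, the gateway IP addresses (TEST-NET-3 documentation range) and the $gatewayModifiesContent flag are assumptions for the illustration; replace them with your gateway's real egress addresses and behaviour.

```powershell
# Added example, not from the original post: Enhanced Filtering for Connectors,
# the SCL -1 rule clean-up and the DMARC policy adjustment, as Exchange Online
# PowerShell. Names and IPs below are assumptions for this illustration.
Connect-ExchangeOnline

$connectorName = "Inbound from upstream anti-spam"      # assumed connector name
$gatewayIps    = @("203.0.113.10", "203.0.113.11")       # assumed gateway egress IPs

# --- Point 1: inbound connector + Enhanced Filtering for Connectors -------------
# Enhanced Filtering hangs off an inbound connector that identifies the gateway.
# Create one restricted to the gateway's IPs if it does not exist yet.
$connector = Get-InboundConnector -Identity $connectorName -ErrorAction SilentlyContinue
if (-not $connector) {
    New-InboundConnector -Name $connectorName `
        -ConnectorType OnPremises `
        -SenderDomains "*" `
        -SenderIPAddresses $gatewayIps `
        -RestrictDomainsToIPAddresses $true `
        -RequireTls $true | Out-Null
}

# Tell EOP to skip these hops when it looks for the connecting IP. With a single
# gateway hop -EFSkipLastIP $true would do; listing every gateway IP is safer when
# the service has several egress addresses or relays internally. -EFUsers $null
# applies it to all recipients; -EFTestMode $true lets you pilot without enforcing.
Set-InboundConnector -Identity $connectorName `
    -EFSkipLastIP $false `
    -EFSkipIPs $gatewayIps `
    -EFUsers $null `
    -EFTestMode $false

# The PS above: rules that set SCL -1 bypass filtering entirely and must be
# disabled once Enhanced Filtering is on, or EOP never uses the real IP.
Get-TransportRule |
    Where-Object { $_.SetSCL -eq -1 -and $_.State -eq 'Enabled' } |
    ForEach-Object {
        Write-Warning "Disabling SCL -1 rule '$($_.Name)'"
        Disable-TransportRule -Identity $_.Identity -Confirm:$false
    }

# --- Point 2: DMARC handling when the gateway rewrites content ----------------
# Only if the gateway modifies messages (URL rewriting, banners) and therefore
# breaks DKIM on everything it relays: let the gateway enforce DMARC on the
# pristine message and stop EOP from honouring the sender's DMARC policy.
$gatewayModifiesContent = $true   # assumption for this example
if ($gatewayModifiesContent) {
    Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -HonorDmarcPolicy $false
}

# Verify what was applied.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, ConnectorType, SenderIPAddresses, EFSkipLastIP, EFSkipIPs, EFUsers, EFTestMode
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Format-List Name, HonorDmarcPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

Run the connector and Enhanced Filtering part before you move the MX record, with -EFTestMode $true first if you want to compare headers on a pilot of messages. Leave the anti-phishing policy change out entirely if the gateway relays messages unmodified, since in that case EOP can keep verifying DKIM and DMARC itself.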


Conclusion

Purchasing and adding an anti-spam upstream of Exchange Online therefore requires some configuration, both to keep Exchange Online Protection (EOP) effective and to avoid blocking legitimate mail through spurious failures of the SPF/DKIM/DMARC authentication checks.