Exchange Hybrid: Make Office 365 Work for You

Exchange Online Protection overview
• Eliminate threats with multi-layered, real-time anti-spam and multi-engine antimalware protection.
• Protect your company's IP reputation - separate outbound delivery pools for high-risk email.
• Five financially backed SLAs including protection from 100% of known viruses and 99% of spam.
• Globally load-balanced network of datacenters helps to ensure a 99.999% network uptime.
• Manage and administer from the Exchange Administration Center - a single web-based interface.
• Near real-time reporting and message traces.
• Active content, connection, and policy-based filtering enables compliance with corporate policies and government regulations.
• IT-level phone support 24 hours a day, 7 days a week, 365 days a year at no additional cost.
• No hardware or software required to install, manage, and maintain.
• Predictable payment schedule - subscription-based service. Multiple EOP plans.
• Automatic queuing - no email is lost or bounced if the destination email server is unavailable.
• Get up and running quickly with a simple MX record change.
Standalone
• All mailboxes are located on-premises
• Purchasable on its own or as part of Exchange Enterprise CAL with Services
Fully hosted
• All mailboxes are hosted in the cloud with Microsoft Exchange Online
• Exchange Online license
Hybrid
• Some mailboxes are hosted in Exchange Online, and some mailboxes on-premises
• Exchange Online license
Exchange Online Protection
Architecture Overview
Protection Overview
• Viruses are NOT quarantined
• Spam is quarantined for 15 days (default)
• Messages quarantined by transport rule are kept for 7 days
• Users cannot access the transport-rule quarantine
• Options are to release to all/specific recipients, plus report as false-positive
• Messages stay after release until they expire, but cannot be released to the same user twice
• Online viewer only supports up to 500 messages
• More can be viewed via the PowerShell Get-QuarantineMessage cmdlet
• Can only release in bulk through the Release-QuarantineMessage cmdlet
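A reviewed bulk release using the two cmdlets named above, as an added example that is not part of the original deck. It assumes an Exchange Online PowerShell session has already been imported; the sender address, date window and CSV path are placeholders.

```powershell
# Added example (not from the original slides).
# Placeholders: sender address, date window, output path.
$senderAddress = 'sender@example.com'      # hypothetical sender under review
$start         = (Get-Date).AddDays(-15)   # spam is kept for 15 days by default
$pageSize      = 500

# Common filter: spam-quarantined mail from one sender inside the window.
$query = @{
    Type              = 'Spam'
    SenderAddress     = $senderAddress
    StartReceivedDate = $start
    EndReceivedDate   = (Get-Date)
    PageSize          = $pageSize
}

# Page through the results; the online viewer stops at 500 messages.
$page  = 1
$found = @()
do {
    $batch  = @(Get-QuarantineMessage @query -Page $page)
    $found += $batch
    $page++
} while ($batch.Count -eq $pageSize)

# Write the candidates to a CSV so the list can be reviewed before release.
$found |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, Identity |
    Export-Csv -NoTypeInformation -Path .\quarantine-review.csv

# Dry run: -WhatIf reports what would be released without releasing it.
# Remove -WhatIf only after the CSV has been checked.
foreach ($msg in $found) {
    Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll -WhatIf
}
```

Scoping the query by sender and date keeps a bulk release from pulling unrelated spam back into mailboxes.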
Mailflow Overview
Message Traces
Basic Message Trace vs. Extended (Detailed) Message Trace

|                   | "Basic" Message Trace               | "Extended" Message Trace (Historical Search)               |
|-------------------|-------------------------------------|------------------------------------------------------------|
| Data Set          | Between approx. 15 minutes & 7 days | Between approx. 8 hours & 90 days                          |
| View Results      | In EAC + PowerShell                 | Download CSV file                                          |
| Results           | In seconds                          | In minutes/hours (can configure notification email address) |
| Routing Details   | Basic detail only                   | Full detail optional                                       |
| Maximum Size      | 500 in EAC                          | 5,000 (3,000 for detail)                                   |
| Max Queries / Day | Reasonable limits                   | 15 per tenant                                              |
Accepted Domains, Remote Domains & Connectors
PowerShell
<# SET CREDS (run once to store the credentials, then leave commented out)
Write-Host -ForegroundColor Yellow "Updating your full Office365 tenant credentials..."
Read-Host "Please enter your full Office365 user name." | Out-File O365_Webcast_1.txt
# ConvertFrom-SecureString without -Key uses Windows DPAPI: only the same user on the same computer can decrypt the file
Read-Host "Please enter your full Office365 password." -AsSecureString | ConvertFrom-SecureString | Out-File O365_Webcast_2.txt
#>
# LOGON
Write-Host -ForegroundColor Yellow "Commencing Full Office365 Tenant logon"
# Read the stored user name and rebuild the SecureString password
$O365_UN = Get-Content O365_Webcast_1.txt
$O365_PW = Get-Content O365_Webcast_2.txt | ConvertTo-SecureString
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $O365_UN,$O365_PW
# Open a remote Exchange Online session and import its cmdlets into the local session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
• Get-MessageTrace | Get-MessageTraceDetail
• Start-HistoricalSearch
• Get-HistoricalSearch
• Sample commands:

Return all transport rules in a table:
Get-TransportRule | ft Priority,Name,Description -Wrap

Return quarantined messages in a table:
Get-QuarantineMessage | ft ReceivedTime,SenderAddress,Subject,Type -Wrap

Export a basic message trace to a .csv file:
Get-MessageTrace -StartDate 2016-06-16 -EndDate 2016-06-24 | Get-MessageTraceDetail | Export-Csv -NoClobber -NoTypeInformation -Path "C:\0 Data\MT-Webcast1.csv" -Append

Run an extended message trace (full details):
Start-HistoricalSearch -ReportType MessageTraceDetail -RecipientAddress [email protected] -StartDate 2016-04-01 -EndDate 2016-06-24 -NotifyAddress [email protected] -ReportTitle "160621 MessageTrace"
Advanced Threat Protection
What is Advanced Threat Protection?
• 2 features:
• Safe Attachments – scans files after normal malware scan to inspect behaviour
• Safe Links – links in mails are redirected to ATP in real time. ATP inspects the URL and can block it if found to be malicious.
• New reporting: URL Trace
• Policies to include desired users/groups.
• Service is provided at additional cost
• $2/user/month; “most competitive rate in the industry”
[Diagram: Advanced Threat Protection mail flow. Labels: Sender; Multiple filters + 3 antivirus engines with Exchange Online Protection; Attachment (supported file type, clean by AV/AS filters, not in reputation list); Detonation chamber (sandbox): Executable? Registry call? Elevation? …; Unsafe / Safe; Links: Safe Links rewrite; Recipient]