Notes on Exchange Online Protection

Steps on how EOP processes inbound email

  • connection filter - evaluates the connecting IP (stamped as CIP in X-Forefront-AntiSpam-Report); directory-based edge blocking (DBEB) rejects mail to recipients that don't exist in the directory; IP allow list skips spam filtering (IPV:CAL), IP block list drops the connection; connection-filter safe list sets SCL -1 (SFV:SKN); IPs on a reputation block list are rejected (IPV:NLI means the IP is not on any list); a blocked sender requests removal at sender.office.com
  • anti-malware - blocks viruses, spyware and ransomware; detected messages are quarantined and by default can only be released by an admin
  • transport rules (mail flow rules)
  • Defender for Office 365 (formerly Advanced Threat Protection) - Safe Links scans/rewrites URLs, Safe Attachments detonates attachments; requires a Defender for Office 365 license
  • content filter (anti-spam/anti-spoof) - assigns the SCL rating and the SFV:* verdict (NSPM, BLK, SKA, SFE, SKB, SKQ, SPM); PCL (phishing confidence level) 1-3 not likely phishing, 4-8 likely phishing; BCL (bulk complaint level) 0 not bulk, 1-3 bulk sender with few complaints, 4-7 more complaints, 8-9 high complaints; validates SPF/DKIM/DMARC (plus ARC:*), results land in Authentication-Results
  • ZAP (zero-hour auto purge) - post-delivery re-scan that acts on already delivered mail when a verdict changes (X-Microsoft-Antispam-ZAP-Message-Info)

Steps on how EOP processes outbound email

  • roughly the reverse order: outbound spam filter, transport rules, anti-malware

Notable headers for troubleshooting

  • X-Forefront-Antispam-Report, CAT (category of the verdict)
    • AMP: Anti-malware
    • BIMP: Brand impersonation
    • BULK: Bulk
    • DIMP: Domain impersonation
    • FTBP: Anti-malware common attachments filter
    • GIMP: Mailbox intelligence impersonation
    • HPHSH or HPHISH: High confidence phishing
    • HSPM: High confidence spam
    • INTOS: Intra-Organization phishing
    • MALW: Malware
    • OSPM: Outbound spam
    • PHSH: Phishing
    • SAP: Safe Attachments
    • SPM: Spam
    • SPOOF: Spoofing
    • UIMP: User impersonation
  • CIP:[IP address] - can be used in IP allow/block list
  • IPV:CAL - skipped anti-spam because in IP allow list; IPV:NLI - IP not on any reputation list
  • SFTY - message was identified as phishing; 9.19 domain impersonation, 9.20 user impersonation, 9.25 first contact safety tip (first message from this sender)
  • SFV (spam filtering verdict)
    • SFV:BLK - sender in user block list
    • SFV:SFE - sender in user safe-sender list
    • SFV:SKA - sender in allow list of anti-spam policy
    • SFV:SKB - sender in block list of anti-spam policy
    • SFV:NSPM - not spam
    • SFV:SKN - transport rule (or connection-filter safe list) set SCL -1 before filtering, content filter bypassed
    • SFV:SKS - transport rule set SCL 5-9 before filtering, content filter bypassed
    • SFV:SKQ - released from quarantine
    • SFV:SPM - marked as spam by the content filter
    • CAT:BULK - marked as bulk by the content filter; check the BCL header for the complaint level
  • Authentication-results
    • spf=<pass (IP address)|fail (IP address)|softfail (reason)|neutral|none|temperror|permerror> smtp.mailfrom=<domain>
    • dkim=<pass|fail (reason)|none> header.d=<domain>
    • dmarc=<pass|fail|bestguesspass|none> action=<permerror|temperror|oreject|pct.quarantine|pct.reject> header.from=<domain>
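The following parser is an added example for the troubleshooting notes above; it is not code from the original post or from Microsoft. It unfolds a message's headers, splits X-Forefront-Antispam-Report into its KEY:VALUE fields, reads BCL from X-Microsoft-Antispam and the spf/dkim/dmarc results from Authentication-Results, then maps the codes to the meanings listed on this page and names the EOP stage that produced the verdict (IP allow list, transport rule, sender lists, quarantine release, content filter, or ZAP). Both header samples are constructed for the example, not real captures; the SCL bands used (-1 bypass, 0-1 not spam, 5-6 spam, 9 high confidence) follow Microsoft's documented values, and anything in between is treated as spam.

```python
"""Explain an EOP anti-spam verdict from the message headers (added example)."""
import re

# Constructed sample, not a real capture: a message EOP rated high-confidence spam
# after SPF and DMARC failed. Header names are real EOP headers, values are made up.
SAMPLE_SPAM = (
    "Authentication-Results: spf=fail (sender IP is 203.0.113.5)\n"
    " smtp.mailfrom=example.net; dkim=none (message not signed) header.d=none;\n"
    " dmarc=fail action=oreject header.from=example.net\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;LANG:en;SCL:9;SRV:;\n"
    " IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:HSPM;SFTY:9.19;\n"
    " SFS:(1234)(5678);DIR:INB\n"
    "X-Microsoft-Antispam: BCL:7;\n"
    "Subject: Invoice 4471\n"
)

# Constructed sample: connecting IP on the IP allow list, so spam filtering was skipped.
SAMPLE_ALLOWED = (
    "X-Forefront-Antispam-Report: CIP:198.51.100.9;CTRY:US;LANG:en;SCL:-1;SRV:;\n"
    " IPV:CAL;SFV:SKN;H:relay.example.org;PTR:relay.example.org;CAT:NONE;DIR:INB\n"
    "X-Microsoft-Antispam: BCL:0;\n"
)

# Code-to-meaning tables taken from the notes above.
SFV = {
    "BLK": "sender in user block list", "SFE": "sender in user safe-sender list",
    "SKA": "sender in allow list of anti-spam policy",
    "SKB": "sender in block list of anti-spam policy", "NSPM": "not spam",
    "SKN": "transport rule set SCL -1, content filter bypassed",
    "SKS": "transport rule set SCL 5-9, content filter bypassed",
    "SKQ": "released from quarantine", "SPM": "spam by content filter",
}
CAT = {
    "AMP": "Anti-malware", "BIMP": "Brand impersonation", "BULK": "Bulk",
    "DIMP": "Domain impersonation", "FTBP": "Anti-malware common attachments filter",
    "GIMP": "Mailbox intelligence impersonation", "HPHSH": "High confidence phishing",
    "HPHISH": "High confidence phishing", "HSPM": "High confidence spam",
    "INTOS": "Intra-Organization phishing", "MALW": "Malware", "OSPM": "Outbound spam",
    "PHSH": "Phishing", "SAP": "Safe Attachments", "SPM": "Spam", "SPOOF": "Spoofing",
    "UIMP": "User impersonation",
}
SFTY = {"9.19": "domain impersonation", "9.20": "user impersonation",
        "9.25": "first contact safety tip"}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def unfold_headers(raw):
    """Unfold RFC 5322 folded header lines into {name_lower: value}."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:      # continuation line
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers


def parse_antispam_report(value):
    """X-Forefront-Antispam-Report is ';'-separated KEY:VALUE pairs (IPv6 CIPs keep their colons)."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields


def parse_auth_results(value):
    """Pull spf=/dkim=/dmarc= verdicts and the DMARC action= out of Authentication-Results."""
    results = {m.group(1): m.group(2) for m in AUTH_RE.finditer(value)}
    action = re.search(r"\baction=([\w.]+)", value)
    if action:
        results["dmarc_action"] = action.group(1)
    return results


def decision_stage(report, headers):
    """Name the EOP stage that settled the verdict, in pipeline order."""
    if "x-microsoft-antispam-zap-message-info" in headers:
        return "zap (post-delivery)"
    if report.get("IPV") == "CAL":
        return "connection filter (IP allow list)"
    sfv = report.get("SFV")
    if sfv in ("SKN", "SKS"):
        return "transport rule"
    if sfv in ("SKA", "SKB", "BLK", "SFE"):
        return "anti-spam policy or user sender list"
    if sfv == "SKQ":
        return "quarantine release"
    return "content filter"


def bcl_band(bcl):
    if bcl == 0:
        return "not bulk"
    if bcl <= 3:
        return "bulk sender, few complaints"
    return "bulk sender, more complaints" if bcl <= 7 else "bulk sender, high complaints"


def scl_meaning(scl):
    if scl == -1:
        return "filtering bypassed"
    if scl <= 1:
        return "not spam"
    return "spam" if scl <= 6 else "high confidence spam"


def analyze(raw):
    """Return a dict explaining the verdict carried in the raw headers."""
    headers = unfold_headers(raw)
    report = parse_antispam_report(headers.get("x-forefront-antispam-report", ""))
    scl = int(report.get("SCL", "0"))
    bcl_match = re.search(r"BCL:(\d+)", headers.get("x-microsoft-antispam", ""))
    bcl = int(bcl_match.group(1)) if bcl_match else 0
    return {
        "stage": decision_stage(report, headers), "cip": report.get("CIP"),
        "scl": scl, "scl_meaning": scl_meaning(scl), "bcl": bcl, "bcl_band": bcl_band(bcl),
        "sfv": SFV.get(report.get("SFV"), report.get("SFV")),
        "cat": CAT.get(report.get("CAT"), report.get("CAT")),
        "sfty": SFTY.get(report.get("SFTY")),
        "auth": parse_auth_results(headers.get("authentication-results", "")),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SPAM, SAMPLE_ALLOWED):
        for key, val in analyze(sample).items():
            print(f"{key:12} {val}")
        print()
```

Paste the raw headers of a problem message (Outlook: File > Properties > Internet headers) into the raw string and the output tells you which stage stamped the verdict, which is the first question when deciding whether to touch the IP allow list, a transport rule, the anti-spam policy or the tenant allow/block list.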
