Spam
State employees are often on the receiving end of email referred to as spam. These emails are not only a nuisance by cluttering the inbox, but they can also contain phishing attempts to harvest employee credentials or malicious payloads that could infect your PC. While not all spam messages are scams or malicious, it is important for all employees to be vigilant when receiving emails from an unknown source.
IOT has employed several tools to protect user mailboxes from receiving these kinds of messages. Emails detected to have phishing or malicious payloads are blocked and prevented from being delivered into the user mailbox. Messages determined to be general spam will be quarantined to be reviewed by the user.
Spam FAQs
- What is Exchange Online Protection (EOP) and why is IOT moving away from the current Sophos Spam Portal?
Exchange Online Protection is the built-in cloud-based email filtering service for Exchange Online and Office 365 that helps protect users from unwanted spam and malware. EOP is tightly integrated with Exchange Online and will allow users to easily manage what emails do or do not get delivered to them. The current offering, Sophos Portal, is an on-premises solution that adds routing time for messages and could become a potential bottleneck to delivery in certain situations. EOP will offer higher availability and faster delivery than the current solution.
- Will I be able to view quarantine messages on my mobile device?
- The EOP quarantine can be accessed via your mobile device. Clicking on the Review button embedded in a quarantine notification email while viewing it on a mobile device will take you directly to the message in the quarantine portal of EOP.
- Mobile devices enrolled in MobileIron will also have an EOP SpamPortal button that will open a browser directly to the quarantine portal.
- You can also browse directly to https://protection.office.com/quarantine on your mobile device.
- I blocked a sender but still seem to get email from them, what is happening?
There are a couple of scenarios that can result in getting an email from a sender that was thought to be blocked. Advertising emails from many legitimate companies are often a nuisance and a target for blocking. Companies will often use a 3rd party service to send these emails. 3rd party services will usually send the emails from multiple addresses, so blocking one can still result in receiving a similar message from one of the alternate addresses. Similarly, many senders of spam email will spoof the display name while using random email addresses to send a message. It can appear that you are receiving email from the same sender based on the display name, but closer inspection will typically reveal that the actual sender address is not the same as the one that was blocked.
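The scenario described above, as an added example that is not part of the original page: this Python sketch parses constructed From headers and shows that a block list keyed on the sender address does not match messages that reuse the same display name from other addresses. The sample headers, the block list contents and the function name `triage` are assumptions made for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample data: From headers as they might appear on received mail.
FROM_HEADERS = [
    '"Acme Deals" <news@mailer1.example.com>',
    '"Acme Deals" <promo@mailer2.example.net>',
    '"Acme Deals" <offers@bulk.example.org>',
    '"Pat Jones" <pat.jones@agency.example.gov>',
]

# Constructed personal block list: exact addresses only.
BLOCKED = {"news@mailer1.example.com"}


def triage(from_headers, blocked):
    """Count address-level blocks and report display names that were seen
    on a blocked address but also arrived from other, unblocked addresses."""
    blocked_names = set()
    delivered = defaultdict(set)  # display name -> addresses that got through
    blocked_count = 0
    for header in from_headers:
        name, addr = parseaddr(header)
        name, addr = name.strip().lower(), addr.strip().lower()
        if addr in blocked:
            blocked_count += 1
            blocked_names.add(name)
        else:
            delivered[name].add(addr)
    # Same display name as a blocked sender, but a different actual address.
    lookalikes = {n: sorted(a) for n, a in delivered.items() if n in blocked_names}
    return blocked_count, lookalikes


if __name__ == "__main__":
    count, lookalikes = triage(FROM_HEADERS, BLOCKED)
    print(f"blocked by address match: {count}")
    for name, addrs in lookalikes.items():
        print(f"display name {name!r} still arriving from: {', '.join(addrs)}")
```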
- I have a message that has been quarantined. How do I determine if it is spam or a legitimate email?
There are several tools at your disposal to help determine if a quarantined email has been mistakenly marked as spam or if it should truly be avoided.
In the Quarantine you can preview the message before you release it to your Inbox. The preview will allow you to see the message with all hyperlinks disabled. You can also see who the message is from to help you determine if this is something you were expecting to receive or not.
It is also important to rely on the monthly security training sent to all State users, which details various things to look for to spot a malicious email. Below is a summary of some things to look for; it is not an exhaustive list:
- Sender email address is not familiar or does not match the person the email indicates it is from.
- Vague or generic subject line. Usually with a prompt for immediate attention or a warning.
- Poor grammar and misspellings within the email.
- The subject matter of the email does not pertain to anything you were expecting to receive or routinely deal with.
If you are unsure if the email is safe, it is better to err on the side of caution and not release the email to your Inbox.
- I received an email with a subject stating that a malicious email was detected. Is this legitimate?
In addition to EOP, we also employ other tools to help ensure email that is delivered to the mailbox is safe. While EOP does the initial scan of incoming email, it is still possible for a message to get flagged prior to delivery. In those cases, you will get a notification that the message was blocked, along with the reason why. If a message is determined to be malicious, there is no method to release it to the mailbox. The original sender would need to mitigate the cause for the message to be flagged and then resend.
- How will I know if a message has been quarantined?
EOP will send out notification of quarantined emails up to 3 times per day. If an email is quarantined, you will receive a notification email during the next notification cycle.
The notification cycle is controlled by a Microsoft automated process and the specific timing may vary slightly per user.
You can also log directly into the EOP Quarantine portal at any time to get a live look at what has been quarantined. Messages will show up in the quarantine list even if a notification has not been sent to you yet.
- How do I access quarantined emails through Exchange Online Protection?
The easiest method is to click the Review button on the notification email. This will open directly to your Quarantined items.
You can also access the Quarantine by browsing to https://protection.office.com/quarantine to directly access your quarantined messages.
- What happens to the allowlist or blocklist I have set up in Sophos Spam Portal?
IOT will be transferring your allowlist and blocklist of approved or blocked senders that have been configured for each user in Sophos Spam Portal. You will be able to update these lists directly within Outlook Junk Mail settings.
- Are there limitations to how many addresses I can add to my block or allow list?
500 addresses can be added to the Blocked Senders list.
- It is recommended to unsubscribe from unwanted marketing/notification emails if the sender is known to be reputable instead of adding to Blocked Senders.
1024 addresses can be added to the Safe Senders list.
- It is not recommended to use the option to trust personal contacts, as that will automatically add all email addresses in your contacts to the Safe Senders list. This could greatly reduce the number of addresses that can be added to the Safe Senders list by filling it with many addresses whose email would normally be delivered anyway.
- How do I block a sender (Manage your blocklist)?
You can easily block specific senders within Outlook. The easiest method is to right-click on the email from the sender you want to block and select Junk from the menu, then choose “Block Sender”. This will add that email address to your Blocked Senders list.
You can also add or manage your Blocked Senders list within Outlook by clicking on the Home tab along the top, then select Junk and finally select Junk Email Options. In the window that opens, you will see a tab named Blocked Senders. Clicking on this tab will allow you to add the specific email to be blocked. You can also edit or remove any addresses or domains that had previously been blocked.
Note: There is a limit of 500 addresses that can be added to the Blocked Senders list. EOP will only process the first 500 addresses in the Blocked Senders list. Addresses added over that limit may still be filtered by Outlook Junk Mail rules but will not be filtered by EOP at the server level. A Blocked Sender list greatly exceeding the 500 address limit may result in spam filtering not working properly or at all, so it is highly recommended to keep this list below this limit.
- The old Sophos Spam Portal blocked emails that contained language deemed vulgar. Will Exchange Online Protection do the same thing?
- It has been decided to not implement email filtering based on specific keywords moving forward with EOP. Often this resulted in a legitimate email being quarantined and delayed delivery.
- How do I add a safe sender (Manage your allowlist)?
Sometimes email is quarantined as spam from a sender that you routinely communicate with. The easiest method is to right-click on an email you have received from that sender, select Junk from the menu, and then choose the option “Never block Sender”. This will add that email address to your Safe Senders list.
You can also add or manage your Safe Sender list in Outlook by clicking on Home, then Junk and finally selecting Junk Email Options. In the window that opens, you can select the Safe Senders tab to manage your personal allowlist. This is where you will be able to add a specific email address as well as remove any names that were added previously. Please note that adding entire domains is not supported at this time.
Note: There is a limit of 1024 addresses that can be added to the Safe Senders list. Addresses added beyond this limitation may wind up being quarantined if EOP designates the message as spam. Addresses added to this list will result in emails sent to you from those senders completely bypassing spam, spoof and phish filtering.
- Will spam messages show up in my Outlook Junk Mail folder?
EOP will process all emails sent to you and will evaluate the message. If the message is determined to not be spam, it will be delivered directly to your Inbox. All emails that are classified as spam will be quarantined within EOP.
Emails from senders that have been manually added to your personal Blocked Senders list will be delivered to the Junk Email folder in Outlook.
- What credentials do I use if I am asked to log in to Exchange Online Protection?
You will log in with the same credentials as you would use to access your email. Your username should be in the format of your email address and then you will use your current password.
- I have quarantined messages. What do I do now?
Access your Quarantine to see a list of all emails available to be reviewed. This top-level view will show you general information such as the Sender or Subject, why the message was quarantined and if it has been released or not. It will also show an expiration date. Once the expiration date has been met, the message will be removed from quarantine regardless of whether it has been reviewed or not.
Each quarantined message will have a checkbox next to it. Selecting a message will open a window that will provide details of the message. Along the top of that box are several buttons. From there you can choose to Preview the message, allowing you to safely check the message to determine if you want it delivered to your Inbox or not. You will also have the option to Release the message, which will deliver it to your Inbox, or Remove from quarantine, which will permanently delete the message. Please note that emails removed from quarantine will not be recoverable.
Note: It is recommended to not use Internet Explorer to access the Quarantine. Internet Explorer does not seem to be well supported. Attempting to release quarantined emails from this browser has been seen to not work properly.
- What are the benefits of Exchange Online Protection?
- Cloud-based protection alleviates potential for service disruption by utilizing a large network of datacenters.
- Faster overall email delivery
- Ability to manage Blocked or Allowed Sender lists directly within Outlook
- What will happen to the Sophos Report Spam button that I have in Outlook?
The Sophos Report Spam button will be removed from Outlook as it is not compatible with EOP. Currently, there is no replacement for this Outlook add-in.