Run Report to Check Anti-Spam and Anti-Malware Settings in an Office 365 Tenant
ORCA is the “Office 365 Advanced Threat Protection Recommended Configuration Analyzer.” It’s a PowerShell module written by Cam Murray, a Microsoft Senior Premier Field Engineer based in Sydney, with lots of help from Daniel Mozes and other people in Microsoft.
The idea behind ORCA is that you can run a simple PowerShell cmdlet (Get-ORCAReport) to generate an assessment of the anti-malware, anti-spam, and other message hygiene settings used by Exchange Online Protection (EOP) in an Office 365 tenant. Most value is gained if you have licenses for Advanced Threat Protection (ATP) because more settings exist to be checked against best practice. Or at least, best practice as it exists in the minds of the ORCA team.
December 23: The latest version of ORCA is 1.3.2, accessible from the link above.
Running ORCA
Running ORCA is simple. Install the module, start a PowerShell session logged in with an administrator account, and run the Get-ORCAReport cmdlet. Because Exchange Online uses Remote PowerShell rather than a module, the cmdlet checks for the presence of the Connect-EXOPSSession command, which means that you need to have either the REST module installed or connect to Exchange Online with MFA. All Office 365 administrator accounts should use MFA, but you don’t need to use MFA to use ORCA.
When it starts, the cmdlet makes some checks, connects to Exchange Online, and then starts to fetch details of the various anti-malware policies configured in the tenant (Figure 1).
Figure 1: Running the Get-ORCAReport cmdlet
There’s no magic here in retrieving policy settings as they are all easily accessed with PowerShell cmdlets or by going to the Threat Management section of the Security and Compliance Center and then selecting Policy.
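The following PowerShell is an added example, not code from ORCA or from the original post. It performs the same prerequisite test the module performs (is the Connect-EXOPSSession command present?), so a missing Exchange Online module is reported before the connection is attempted, then runs the report; the second function pulls the raw anti-malware and anti-spam policy settings with the standard EOP cmdlets for anyone who wants to see the values behind the report. It assumes ORCA is installed from the PowerShell Gallery and that the account used has Exchange admin rights.

```powershell
# Added example (not part of ORCA or the post). Assumes: ORCA installed from the
# PowerShell Gallery, an Exchange Online module providing Connect-EXOPSSession,
# and an account with Exchange admin rights.

function Test-OrcaPrerequisites {
    # ORCA cannot use Get-Module for the classic EXO module, so it looks for the
    # Connect-EXOPSSession command instead. This mirrors that check and explains
    # the "ORCA requires either the Exchange Online PowerShell Module..." error
    # that appears when the command is absent.
    if (-not (Get-Module -ListAvailable -Name ORCA)) {
        Write-Warning "ORCA is not installed. Run: Install-Module ORCA -Scope CurrentUser"
        return $false
    }
    if (-not (Get-Command Connect-EXOPSSession -ErrorAction SilentlyContinue)) {
        Write-Warning "Connect-EXOPSSession not found. Load the Exchange Online PowerShell module (aka.ms/exopsmodule) first."
        return $false
    }
    return $true
}

function Invoke-OrcaBaselineCheck {
    # Run the report only when the prerequisite check passes.
    if (-not (Test-OrcaPrerequisites)) { return }
    Connect-EXOPSSession   # MFA-capable connection to Exchange Online
    Get-ORCAReport         # generates and opens the HTML report
}

function Get-HygienePolicySummary {
    # Requires an existing Exchange Online session. The *Action* wildcard picks
    # up properties such as SpamAction or HighConfidenceSpamAction without
    # hard-coding a property list that changes between service releases.
    [PSCustomObject]@{
        AntiMalware = Get-MalwareFilterPolicy |
            Select-Object Name, IsDefault, *Action*
        AntiSpam    = Get-HostedContentFilterPolicy |
            Select-Object Name, IsDefault, BulkThreshold, *Action*
    }
}

Invoke-OrcaBaselineCheck
```

Compare the values returned by Get-HygienePolicySummary against the report's recommendations before changing any policy, since a setting that ORCA flags may be deliberate in your tenant.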
The ORCA Report
The magic is in the report generated by ORCA because it’s here that comparisons and checks are made against the settings in a tenant and the values recommended by the Advanced Threat Protection developers and other experts inside Microsoft. You can agree or disagree with their conclusions, but it’s good to have a baseline to argue from.
After ORCA finishes, it opens the HTML report in a tab in your default browser (Figure 2). The report is divided into an overall summary plus different sections of mail hygiene, such as Spam Action and Domain Whitelisting, where recommendations are offered.
Figure 2: The ORCA Report
After perusing the recommendations, it’s up to you to decide if any of them make sense in your environment and modify the relevant policy through the Security and Compliance Center. Figure 3 shows the settings for the anti-malware policy in my tenant.
Figure 3: Reviewing the Office 365 Anti-malware policy settings
Nice Addition to the Toolkit
ORCA is a nice addition to the Office 365 administration toolkit. It can be hard to keep up to date with all the changes made by Microsoft to enhance and expand the various policies used to defend Exchange Online against malware and spam, and being able to run a check every so often just to make sure that everything is as it should be makes a heap of sense.
Chapter 17 of the Office 365 for IT Pros eBook explains the anti-malware and anti-spam policies used by EOP and ATP in great detail. Subscribe now to make sure you understand what all the settings mean.
Should you remove the new REST API module in order to run this?
No. I ran ORCA successfully with that module installed.
PS C:\Windows\system32> Get-ORCAReport
11/15/2019 21:32:35 Performing ORCA Version check…
ORCA requires either the Exchange Online PowerShell Module (aka.ms/exopsmodule) loaded or the Exchange Online
PowerShell module from the PowerShell Gallery installed.
At C:\Program Files\WindowsPowerShell\Modules\ORCA\1.1\ORCA.psm1:1308 char:9
+ Throw “ORCA requires either the Exchange Online PowerShell Mo …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (ORCA requires e…lery installed.:String) [], RuntimeException
+ FullyQualifiedErrorId : ORCA requires either the Exchange Online PowerShell Module (aka.ms/exopsmodule) loaded o
r the Exchange Online PowerShell module from the PowerShell Gallery installed.
From the developer:
The code that checks if the ‘module’ is installed is just purely looking for the presence of the ‘Connect-EXOPSSession’ command. This is a little ‘workaround’ that has to be done as the traditional ‘Exchange Online PS Module’ isn’t a real PowerShell module per se. E.g. we can’t do an “Import-Module” or a “Get-Module” to determine if it’s installed.
——
I knew this but imagined that most Office 365 admins now use MFA and connect to EXO with Connect-EXOPSSession. I will update the post.
More info here, including details of a forthcoming BPA for O365 ATP and the ability to subscribe to `standard` or `strict` baselines to ensure you stay aligned to best practices as they develop over time.
https://www.itpromentor.com/o365-atp-bpa/