Moves Away From Allow Sender and Allow Domain Lists
Office 365 notification MC226683 “Secure by Default – Honoring EOP/ATP detonation verdicts” published on November 13 is another step along the way to achieving secure by default Exchange Online configurations. Other efforts in this space include the project to remove basic authentication connection protocols from Exchange Online (postponed to mid-2021) and clamping down on automatic mail forwarding.
In this case, Microsoft wants to take allow sender and allow domain lists out of the equation used to determine if phishing messages are allowed through to user inboxes. As they note: “adding senders and domains to an allow list is not best practice and should be considered as a legacy way of filtering.”
Allowed sender lists and allowed domain lists are part of the Exchange Online Protection anti-spam policies (now under the Microsoft Defender for Office 365 brand). These lists are supposed to identify senders and domains the tenant knows are safe to accept email from. This was certainly a good approach in the less complicated and safer world of the early spam period. It’s not the case now where threat from malware constantly evolves. When you define a sender or a domain as safe, you run the risk that an attacker can successfully deliver a message to inboxes which should be filtered but isn’t because it appears to come from a known safe origin.
Suppressing High-Confidence Phish
What’s changing is that Exchange Online Protection will no longer take allowed senders and allowed domains into account when it filters out high-confidence phish (messages that EOP is very sure are phishing attempts). The detonation referred to in the notification title is where suspicious messages are tested in a virtual environment to understand if they are safe. Inside the environment, the message can be opened (detonated) to see what happens. If the message proves to be malware of some kind, it won’t be delivered.
In the past, a detonated high-confidence phish message considered malicious might be delivered if it appeared to come from an allowed sender or domain. This is obviously dangerous because the recipient might assume that the message is safe and interact with its content, including following links to sites where their data might be compromised.
Time to Check Allow Lists
This will no longer happen after Microsoft rolls out the change in Exchange Online Protection at the start of December. The change should be effective worldwide by the end of January 2021. “Normal” spam including lower-confidence phish will continue to be allowed through if it comes from allowed senders and allowed domains, which is an excellent wake-up call for administrators to review the default anti-spam policy used by Exchange Online Protection to check if any allowed senders or domains are defined (Figure 1) and then remove any entries not deemed essential (Figure 2).
Defocusing on tenant allow lists doesn’t affect user-generated safe sender lists maintained with clients like Outlook and OWA. These lists are applied after server checks and don’t influence how EOP deals with high confidence phish.
Use a Mail Flow Rule Instead
Microsoft’s advice is to replace the allowed senders and allowed domains list with a mail flow rule to skip anti-spam filtering for messages originating from absolutely safe sources. The mail flow (transport) rule can be made much more specific about where messages come from, so it is inherently safer than the “accept everything from this domain or sender” approach in allow lists.
Be careful when configuring the mail flow rule to make sure that email is processed the way you think it should be. Microsoft’s prototype rule is certainly effective, but you need to test to ensure that it works as expected in conjunction with other rules your organization already has in production.
For more information about how Exchange Online Protection anti-malware protection works, read Chapter 7 of the Office 365 for IT Pros eBook. We update the book monthly to make sure that important changes like this are captured and incorporated into the text.