Office 365 for IT Pros eBook Team Welcomes Michel de Rooij

New Author to Handle Mail Flow Issues Like Impersonation Protection

We are delighted to announce that Michel de Rooij has joined the Office 365 for IT Pros eBook team as the author responsible for the Mail Flow chapter. Michel is a Microsoft MVP for Office Apps and Services, and a senior consultant at Rapid Circle, a Microsoft partner in the Netherlands. He has extensive experience in designing, implementing, and managing Exchange and Office 365 environments for various customers. You can contact Michel through his blog or Twitter.

Michel takes over from Gareth Gudger, who has been a valuable contributor to the Office 365 for IT Pros eBook for several years. We thank Gareth for his dedication and the care he lavished on the Mail Flow chapter, and we wish him all the best in his future endeavors.

Practical PowerShell

Apart from his expertise with Exchange, Michel is a PowerShell wizard. He’s started to share his experience in a new “Professional PowerShell” column published on Practical365.com. Starting with the March 2024 update (monthly update #105), I’m sure that Michel will look for opportunities to use his PowerShell talents to automate some common mail flow operations over the coming months.

Automating Impersonation Protection

For example, I’m a big fan of the impersonation protection settings in anti-phishing policies (available when a tenant has Microsoft 365 Defender for Office 365). Impersonation protection allows tenants to protect up to 350 internal or external email addresses against impersonation attempts. When Microsoft first introduced impersonation protection in late 2020, policies were limited to just 60 addresses, so the bump to 350 is appreciated.

Impersonation happens when spammers send email from addresses that are very close (usually just one character different) to a real address. For instance, Kim.Akers@office365ltpros.com instead of Kim.Akers@office365itpros.com.
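
The "one character different" idea can be illustrated with an edit-distance check over sender addresses. This is an added example, not code from the article and not how Defender for Office 365 evaluates impersonation; the function names, the second protected entry, and the unrelated sender are constructed for illustration.

```powershell
# Added example: function names and sample data are constructed for illustration.
function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance computed with two rolling rows
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = New-Object 'int[]' ($B.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($curr[$j - 1] + 1, $prev[$j] + 1)
            $curr[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

function Find-LookalikeSender {
    param(
        [string[]]$FromAddress,     # sender addresses to examine
        [string[]]$ProtectedUser,   # "DisplayName;UserPrincipalName" entries
        [int]$MaxDistance = 2
    )
    foreach ($from in $FromAddress) {
        $addr = $from.Trim().ToLowerInvariant()
        foreach ($entry in $ProtectedUser) {
            $name, $upn = $entry -split ';', 2
            $upn = $upn.Trim().ToLowerInvariant()
            $distance = Get-EditDistance $addr $upn
            # Distance 0 is the genuine address; 1..MaxDistance is a near miss
            if ($distance -ge 1 -and $distance -le $MaxDistance) {
                [pscustomobject]@{ Sender = $from; Resembles = $upn; DisplayName = $name; Distance = $distance }
            }
        }
    }
}

$protected = @(
    'Kim Akers;Kim.Akers@office365itpros.com',      # address taken from the article
    'Example VIP;example.vip@office365itpros.com'   # constructed entry
)
$senders = @(
    'Kim.Akers@office365ltpros.com',   # lookalike from the article
    'Kim.Akers@office365itpros.com',   # genuine address
    'newsletter@example.com'           # constructed, unrelated sender
)
Find-LookalikeSender -FromAddress $senders -ProtectedUser $protected | Format-Table -AutoSize
```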

Figure 1: Updating the list of protected users in an anti-phishing policy

Although there is a GUI option to update the list of protected users (Figure 1), to automate the process, I use an Azure Automation runbook that executes a scheduled job every Saturday. The job:

  • Signs into Exchange Online using a managed identity.
  • Finds the set of mailboxes with a custom attribute set to “VIP.”
  • Creates an array of mailbox display names and user principal names in the format used by anti-phish policies.
  • Updates the default anti-phish policy with the new list.
  • Checks that the updated policy protects the expected number of mailboxes and declares success.

Here’s the basic PowerShell code executed by the scheduled job:

[array]$PhishUsersToProtect = $null
# Find the set of mailboxes to protect
[array]$Mbx = Get-ExoMailbox -RecipientTypeDetails UserMailbox -Filter {CustomAttribute1 -eq "VIP"} -Properties CustomAttribute1 | Select-Object Displayname, UserPrincipalName
# Create an array in the required format with details of protected users
ForEach ($User in $Mbx) {
  [string]$UserAdd = ("{0};{1}" -f $User.DisplayName, $User.UserPrincipalName)
  $PhishUsersToProtect += $UserAdd
}

# Find the default anti-phish policy
$DefaultPhishPolicy = Get-AntiPhishPolicy | Where-Object {$_.IsDefault -eq $true}

# Update the set of protected users in the policy if there are no more than 350 mailboxes
If ($PhishUsersToProtect.count -le 350) {
    Set-AntiPhishPolicy -Identity $DefaultPhishPolicy.Identity -TargetedUsersToProtect $PhishUsersToProtect -EnableTargetedUserProtection $true
    # Read the policy back to confirm how many mailboxes it now protects
    [Array]$TargetedUsers = Get-AntiPhishPolicy -Identity $DefaultPhishPolicy.Identity |
        Select-Object -ExpandProperty TargetedUsersToProtect
    Write-Host ("Policy {0} now protects {1} mailboxes" -f $DefaultPhishPolicy.Identity, $TargetedUsers.count)
} Else {
    Write-Host ("{0} mailboxes identified for protection but the maximum supported is 350" -f $PhishUsersToProtect.count)
}
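
The final step of the job, checking the result, can compare the list read back from the policy with the list the job built, address by address, rather than relying on a count. This is an added example, not the article's code: the function name and sample entries are hypothetical, and it assumes the policy returns entries in the same "DisplayName;address" form that was submitted.

```powershell
# Added example: Get-ProtectedUserDrift and the sample entries are hypothetical.
function Get-ProtectedUserDrift {
    param(
        [string[]]$Expected = @(),   # list the job built ("DisplayName;address")
        [string[]]$Actual   = @(),   # TargetedUsersToProtect read back from the policy
        [int]$Limit = 350            # maximum stated in the article
    )
    # Reduce each entry to its lower-cased address so display-name or casing
    # changes do not mask a mailbox that is missing from the policy
    $toAddress = { param($Entry) (($Entry -split ';', 2)[-1]).Trim().ToLowerInvariant() }
    $want = @($Expected | Where-Object { $_ } | ForEach-Object { & $toAddress $_ } | Sort-Object -Unique)
    $have = @($Actual   | Where-Object { $_ } | ForEach-Object { & $toAddress $_ } | Sort-Object -Unique)
    $missing    = @($want | Where-Object { $_ -notin $have })
    $unexpected = @($have | Where-Object { $_ -notin $want })
    [pscustomobject]@{
        ExpectedCount = $want.Count
        OverLimit     = ($want.Count -gt $Limit)
        Missing       = $missing
        Unexpected    = $unexpected
        InSync        = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample: the policy read-back lacks one mailbox the job expected
$expected = @(
    'Kim Akers;Kim.Akers@office365itpros.com',
    'Example VIP;example.vip@office365itpros.com'
)
$actual = @('Kim Akers;kim.akers@office365itpros.com')

$result = Get-ProtectedUserDrift -Expected $expected -Actual $actual
if (-not $result.InSync -or $result.OverLimit) {
    # A scheduled job should surface this instead of declaring success
    Write-Warning ("Policy drift. Missing: {0}; unexpected: {1}" -f
        ($result.Missing -join ', '), ($result.Unexpected -join ', '))
} else {
    Write-Output ("Policy protects all {0} expected mailboxes" -f $result.ExpectedCount)
}
```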

Functional Not Professional PowerShell

Of course, my PowerShell code is not polished. It’s functional rather than professional PowerShell. But now that the Office 365 for IT Pros eBook author team has a real pro on staff, I’m sure that the quality and beauty of the code featured in the book (well, at least in the Mail Flow chapter) will improve dramatically.


Learn more about how Exchange Online and the Microsoft 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

3 Replies to “Office 365 for IT Pros eBook Team Welcomes Michel de Rooij”

  1. Great to hear. Phishing, backscatterer, impersonation, and other attacks are becoming more and more common and sophisticated. Also, to my knowledge, Microsoft is improving its routing mechanism. For instance, high-risk mails are routed over a designated server pool. I sure would like to know more about it.
    Also, about PowerShell; it is indeed my companion but I still struggle with the Graph. What is the best way to connect? And modules or SDK? Maybe you can dedicate a few articles to that, just to explain the basics as they are now?
    Thank you for the great articles. Really appreciate them!

  2. Hi Tony
    interesting article!
    there’s just a tiny typo in the basic script example ( identityy instead of identity):
    Set-AntiPhishPolicy -Identity $DefaultPhishPolicy.Identityy -TargetedUsersToProtect $PhishUsersToProtect -EnableTargetedUserProtection $true
    KR

    1. I fixed that bug (caused by cut and paste woes) before I published the article so I have no idea how it crept back in. Have I said that I hate software?

      Seriously, this is why I now refer people to GitHub to download and access code. It avoids issues with pasting code in from PowerShell…
