This article is intended for network and systems administrators.
Some customers using email filtering solutions such as Microsoft 365 Advanced Threat Protection and Broadcom's MessageLabs filtering may need to specifically whitelist email from the domains listed in the Use EIDO services on enterprise networks guide in order to receive email sent by EIDO staff and services. This article highlights a recent issue with the Microsoft 365 whitelist implementation which may need to be addressed in addition to those changes.
Secure by default
In early December 2020, Microsoft began rolling out a “Secure by default” policy on incoming mail, which overrides admin-created exceptions in the anti-spam allowed senders list if the Microsoft “Intelligent filtering” service classifies that mail as “Malware” or “High Confidence Phish”.
This change was intended to improve the security of customers' email services (more information here); however, it has also resulted in misclassified emails from previously allowed senders being routed directly to the quarantine mailbox, with no notification to either sender or recipient.
Workarounds
Depending on the policy requirements of your organisation, there are several possible workarounds for this issue:
- Actively monitor the quarantine mailbox, and regularly release and submit false positives to Microsoft for analysis (more information here)
- Modify the default “High Confidence Phishing” policy in Exchange Online Protection to deliver mail to Junk rather than quarantine or delete
- Permit users access to their personal quarantine mailbox and ask them to check it regularly for missing mail, then manually submit false positives as they are found
Avoiding false detection for outbound messages
As Microsoft's intelligent filtering is based on machine learning and AI, there is no clear path to avoiding false positives on outbound mail; however, EIDO has seen an improvement in delivery to customers using Microsoft 365 since enabling the following policies on outbound mail:
- Manually verify that DKIM is enabled on your domain and is using at least a 2048-bit key (Microsoft 365 guide). Depending on when your organisation implemented DKIM on outbound mail, you may need to rotate the DKIM signing keys in order to upgrade them to 2048-bit, as the old default was 1024-bit
- Implement a DMARC policy if your organisation does not presently have one in place (Microsoft 365 guide)
Unfortunately, even with these steps in place mail is still often flagged as “High Confidence Phish” in error by Microsoft’s filtering.
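As an added example (not code from this article or from EIDO), the following stdlib-only Python check covers the two outbound items above: it decodes the p= public key of a DKIM TXT record to read the RSA modulus size, and reports whether a DMARC TXT record is present. The DKIM record is constructed inline with a dummy modulus so the check runs offline; in practice you would feed it the TXT values fetched for your <selector>._domainkey.<domain> and _dmarc.<domain> names.

```python
import base64

def _der(tag, body):
    """Encode one DER element (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_tags(txt):
    """Split a 'k=v; k=v' DKIM or DMARC TXT record into a dict."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def dkim_key_bits(txt):
    """RSA modulus size in bits from the p= tag (a base64 SubjectPublicKeyInfo)."""
    tags = parse_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records are handled here")
    spki = base64.b64decode(tags["p"])
    _, pos, _ = _der_tlv(spki, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_tlv(spki, pos)         # skip AlgorithmIdentifier
    _, pos, _ = _der_tlv(spki, pos)         # BIT STRING (first byte = unused bits)
    _, pos, _ = _der_tlv(spki, pos + 1)     # RSAPublicKey SEQUENCE
    _, start, end = _der_tlv(spki, pos)     # INTEGER modulus n
    return int.from_bytes(spki[start:end], "big").bit_length()

def make_dkim_record(bits):
    """Constructed sample record: dummy modulus of the requested size, NOT a usable key."""
    n = _der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    rsa_pub = _der(0x30, n + _der(0x02, b"\x01\x00\x01"))          # n, e=65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def assess(dkim_txt, dmarc_txt):
    """Issues the outbound checklist would raise: key under 2048 bits, DMARC record absent."""
    issues = []
    bits = dkim_key_bits(dkim_txt)
    if bits < 2048:
        issues.append(f"dkim-key-{bits}-bit")
    if not dmarc_txt or parse_tags(dmarc_txt).get("v") != "DMARC1":
        issues.append("dmarc-missing")
    return issues
```

A domain still on the old 1024-bit default shows up as `dkim-key-1024-bit`, which is the case the key rotation step addresses.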