Email edge security architecture EOP
Ammar Hasayen, 12 Jan 2017

Labels recovered from the architecture diagram, grouped by the stage of the mail flow they belong to.

EMAIL MESSAGE
- P1 ENVELOPE [Bounce Address]: MAIL FROM, RCPT, CIP. Return-Path = Mail From.
- P2 HEADER [What users see]: From, To, Subject, Reply-To, DKIM-Signature.
- Added on receipt: CIP:IP; Return-Path = Mail From.

MESSAGE READY (headers stamped on the message by the end of the pipeline)
- X-Forefront-Antispam-Report [SCL, SFV, CIP, IPV]
- X-Microsoft-Antispam [PCL, BCL]
- Authentication-Results [SPF, DKIM, DMARC]

INBOUND PATHS (START)
- Internet -> mail.protection.outlook.com (TLS option, opportunistic TLS).
- Partner organization -> TLS connector.
- Corporate network / hybrid Exchange servers (Exchange on premise, production Exchange) -> TLS connector, SMTP port 25.
- Partner org, external email and safe senders whose IP is added to the Connection Filter allow list are stamped SFV:SKN, IPV:CAL, SCL=-1.

PERIMETER PROTECTION (EOP CAS, DIRSYNC) - only the P1 envelope is inspected here
- Directory Based Edge Blocking [Dictionary Attack]: only for authoritative domains. IF the recipient doesn't exist -> BLOCKED; ELSE -> NEXT.
- Connection Filter Allow/Block List [Static Entries] and Microsoft IP Safe List:
  - IF ALLOWED (or IF MATCH on the safe list): IPV:CAL, SCL=-1.
  - IF BLOCKED (Reputation Block on CIP:IP): submit the form at https://sender.office.com.
  - Not in any reputation list: IPV:NLI -> NEXT.

AUTHENTICATION (P1 ENVELOPE and P2 HEADER): SPF, DKIM, DMARC
- Stamp with the Authentication-Results header. No action is taken here except stamping.
- The DKIM signature is stamped inside the header and not the envelope, so when a message is forwarded the envelope is replaced: SPF fails on a forwarded message while DKIM survives.
- Succeeds if any of SPF or DKIM succeeded and P1 Mail From = P2 From.

EXCHANGE ONLINE (EXO CAS -> EXO HUB / EOP-EXO HUB)

ANTI-MALWARE
- AV Engine 1, AV Engine 2, AV Engine 3.
- Common Attachment Blocking: block attachment types; block executables. Looks at file content and not just the extension.
- QUARANTINE (https://admin.protection.outlook.com/Quarantine): ADMIN, 7 days; Spam Analysts.

RESOLVER (EXO DIRECTORY, Azure AD, SYNC)
- Resolves the recipient email address to the primary SMTP address if synced. The recipient primary address is always evaluated.
- Expands the group if synced. If the recipient/group is not synced, the resolver does nothing.
- On-premises dynamic groups are not synced.

TRANSPORT RULES [ETR]
- Block sender/domain; block executables; organization domains spoof rules; bulk emails custom rule; allow sender/domain; bypass Clutter; other.
- Force spam: set SCL = 5,6. Delete or quarantine.
- Set SCL = 0 to reset a previous SCL=-1.
- The "Sent To" condition cannot be used when the recipient is a distribution group; use "Is member of" instead.

SPAM FILTER
- IF SCL = -1 (previously cleared): bypass filtering. Allow/Block senders/domains; Outlook Safe/Blocked Senders (safe domains are not synced). IF ALLOWED -> SCL=-1; IF BLOCKED -> SCL=9.
- IF SCL = 5,6: force spam from transport rule -> NEXT.
- ELSE (before the content filter: no SCL, or SCL = 0,1,2,3,4) -> Content Filter: authentication [SPF, DKIM, DMARC], international filtering, advanced spam options, content scanning and heuristics, bulk mail filtering, URL filtering.
  - PHISHING and BULK: generate BCL and PCL; adds the X-Microsoft-Antispam header with BCL and PCL.
  - NOT SPAM: SCL=0. SUSPECTED SPAM: SCL=5. HIGH CONFIDENCE SPAM: SCL=9.

SPAM ACTION
- SCL=-1: do nothing.
- SCL=5,6: move to Junk folder.
- SCL=9: user quarantine (END USER SPAM PROTECTION, 15 days).
- SCL=0,1,2,3,4: delivered; false positives land here.

ADVANCED THREAT PROTECTION [ATP]
- Safe Attachments: dynamic delivery; only from external senders; only for O365 mailboxes; processing delay.
- Safe Links.

ZAP: Zero-hour auto purge.

ALLOW IP IN CONNECTION FILTER
If a sender's IP is blocked due to the Reputation Connection Filter, the best option is to do the following:
- Allow the sender's IP in the Connection Filter. This bypasses the Connection Filter reputation check and stamps SCL=-1.
- Set a transport rule to stamp the message with SCL = 0 so that the message goes to the Spam Content Filter and is inspected by Spoof Detection.
- Not doing this means that the IP can impersonate all bank sites, for example.

CLIENT AND APPLICATION SUBMISSION
- Outlook, OWA, ActiveSync, EWS -> HTTPS -> your Office 365 mailboxes, authenticating with Office 365 credentials.
- Multi-function printer or device (like scan to email), locally hosted web service (like a payroll service), locally hosted web site (like an HR intranet site) -> SMTP, port 25 or 587 [TLS 1.0 or higher] -> smtp.office365.com, authenticating with Office 365 credentials. Throttling limits: 10,000 recipients per day, 30 messages per minute.
- Hybrid Exchange servers: services over SMTP port 25.

OUTBOUND (EXCHANGE ONLINE PROTECTION SUBMISSION)
- Accepted Domains Filter; the TLS connector can relay email to external recipients.
- Normal Score Outbound Pool; Bulk Mail Outbound Pool; High Risk Delivery Pool.
- DKIM digital signature.
- Opportunistic TLS: EOP will try to use TLS with the recipient email service if it supports it.
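As an added example (not part of the diagram), the Python below parses the two EOP headers the diagram lists, X-Forefront-Antispam-Report and Authentication-Results, applies the diagram's SPAM ACTION table to the SCL, and checks the diagram's composite rule (SPF or DKIM succeeded and P1 Mail From = P2 From) on a direct and a forwarded message. The header values are constructed, and comparing Mail From with From at domain level is an assumption.

```python
import re
# Constructed sample headers (not captured from a real tenant). The forwarded case shows
# the diagram's point: the forwarder replaced the P1 envelope, so SPF fails while DKIM survives.
DIRECT_REPORT = "CIP:203.0.113.7;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mx.example.com;PTR:;CAT:NONE"
DIRECT_AUTH = ("spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=example.com; "
               "dkim=pass (signature was verified) header.d=example.com; "
               "dmarc=pass action=none header.from=example.com")
FORWARDED_AUTH = ("spf=fail (sender IP is 198.51.100.9) smtp.mailfrom=fwd.example.net; "
                  "dkim=pass (signature was verified) header.d=example.com; "
                  "dmarc=pass action=none header.from=example.com")

def parse_antispam_report(value):
    """Split an X-Forefront-Antispam-Report value into its KEY:VALUE fields."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts and the identities they were checked against."""
    out = {}
    for token in ("spf", "dkim", "dmarc", "smtp.mailfrom", "header.d", "header.from"):
        m = re.search(r"(?<![\w.])" + re.escape(token) + r"=([^\s;()]+)", value)
        if m:
            out[token] = m.group(1).lower()
    return out

def spam_action(scl):
    """The SPAM ACTION table from the diagram."""
    if scl == -1:
        return "do nothing"
    if scl in (5, 6):
        return "move to Junk folder"
    if scl == 9:
        return "user quarantine"
    if 0 <= scl <= 4:
        return "deliver (not spam)"
    raise ValueError(f"unexpected SCL {scl}")

def composite_auth_passes(auth):
    """Diagram rule: SPF or DKIM succeeded AND P1 Mail From = P2 From.
    Assumption: the equality is applied to the domain part of each identity."""
    any_pass = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    p1 = auth.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    p2 = auth.get("header.from", "").rsplit("@", 1)[-1]
    return any_pass and bool(p1) and p1 == p2
```

The forwarded sample passes DKIM but fails the rule because the forwarder's MAIL FROM domain no longer matches the visible From domain.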
