Ftrsec

To Block or Not to Block: A Critical Decision in Exchange Online

Introduction: The Persistent Threat of Phishing

Phishing remains the primary attack vector worldwide in 2023. Many organizations use services such as dnstwister to keep watch over their domains. The tool is straightforward: you supply a list of your legitimate domains and it monitors for newly registered domains whose spelling looks similar (typosquats: dropped or swapped letters, homoglyphs such as "rn" for "m", an added word like "-mail", or the same name under another TLD).

The Critical Role of Domain and DNS Monitoring

Monitoring newly registered lookalike domains and their DNS records, in particular MX records, is crucial. An MX record maps a domain name to the mail server that accepts mail for it, so a lookalike domain with an MX record can send and receive email even when it serves no website. That is the real concern: a domain resembling yours is used for spear-phishing without any associated website, and a check that only looks for a live site will miss it.
I made a quick example with my domain:
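As an added example (not part of the original post), the PowerShell below generates a handful of typosquat variants of a domain and checks which of them already have an MX record, which is the signal the paragraph above describes. It assumes Windows PowerShell or PowerShell 7 on Windows with the DnsClient module (`Resolve-DnsName`), and `example.com` is only a placeholder for your own domain. The mutation list is deliberately short; a tool such as dnstwister generates far more.

```powershell
# Added example, not from the original post. Requires Resolve-DnsName
# (DnsClient module, Windows). 'example.com' below is a placeholder.

function Get-LookalikeDomains {
    param([Parameter(Mandatory)][string]$Domain)

    $label, $tld = $Domain.Split('.', 2)
    $variants = [System.Collections.Generic.HashSet[string]]::new()

    # 1. Character omission: example -> exmple
    for ($i = 0; $i -lt $label.Length; $i++) {
        [void]$variants.Add($label.Remove($i, 1))
    }
    # 2. Adjacent transposition: example -> exmaple
    for ($i = 0; $i -lt $label.Length - 1; $i++) {
        $chars = $label.ToCharArray()
        $tmp = $chars[$i]; $chars[$i] = $chars[$i + 1]; $chars[$i + 1] = $tmp
        [void]$variants.Add(-join $chars)
    }
    # 3. Common homoglyph substitutions (l/1, o/0, i/l, m/rn)
    $homoglyphs = @{ 'l' = '1'; 'o' = '0'; 'i' = 'l'; 'm' = 'rn' }
    foreach ($k in $homoglyphs.Keys) {
        if ($label.Contains($k)) { [void]$variants.Add($label.Replace($k, $homoglyphs[$k])) }
    }
    # 4. Appended words often used for mail-only lookalikes
    foreach ($suffix in @('-mail', '-secure', 'mail')) { [void]$variants.Add("$label$suffix") }

    $out = foreach ($v in $variants) { "$v.$tld" }
    # 5. Same label under other TLDs
    $out += foreach ($t in @('net', 'org', 'co', 'info')) { if ($t -ne $tld) { "$label.$t" } }
    $out | Where-Object { $_ -ne $Domain } | Sort-Object -Unique
}

function Test-LookalikeMx {
    param([Parameter(Mandatory)][string[]]$Candidates)
    foreach ($c in $Candidates) {
        # A non-existent name produces an error; SilentlyContinue turns that into "no MX".
        $mx = Resolve-DnsName -Name $c -Type MX -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'MX' }
        [pscustomobject]@{
            Domain      = $c
            HasMX       = [bool]$mx
            MailServers = ($mx.NameExchange -join ', ')
        }
    }
}

# Usage: list only the lookalikes that can already receive (and therefore send) mail.
$candidates = Get-LookalikeDomains -Domain 'example.com'
Test-LookalikeMx -Candidates $candidates | Where-Object HasMX | Format-Table -AutoSize
```

A lookalike that has an MX record but no A record or website is exactly the case the post is worried about; run this on a schedule and diff the output against the previous run to catch new registrations.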

The Dilemma of Blocking Suspicious Domains

When a similar domain is registered, possibly with malicious intent, the options are limited. Registrars and hosting providers generally refuse takedown requests without concrete evidence of malicious activity, and a lookalike registration on its own is not enough. The only proactive measure left is to block the domain or URL on your own mail gateway.

Deep Dive into Microsoft 365 Console’s Capabilities

The Microsoft 365 console (the Microsoft 365 Defender portal) offers various tools for email management, including searching emails, creating mail flow rules, and blocking senders. The feature that matters here is the Tenant Allow/Block List, which lets you create block entries for sender domains or addresses, URLs, and files (by hash).

Exploring the Tenant Allow/Block List

But does a block entry truly prevent emails from reaching users? An experiment with a legitimate email address showed that after blocking it, its emails were moved to the recipient's junk folder, not rejected or quarantined. This leads to a closer look at what a block entry actually does:

  • In the Tenant Allow/Block List:
    • A block entry for a domain or email address does not reject the message: it marks it as high-confidence spam, and the action taken is whatever the anti-spam policy defines for that verdict.
    • A block entry for a URL marks messages containing it as high-confidence phishing; the action is again the one configured in the anti-spam policy for that verdict (quarantine by default).
    • A block entry for a file (by hash) marks the message as malware, and the anti-malware policy applies (quarantine).
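The same block entries can be created and inspected from Exchange Online PowerShell, which also makes it easy to attach a review date and a note explaining why the lookalike was blocked. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the account holds the Security Administrator role, and `contoso.com` / `contoso-example.com` are placeholders for your domain and the lookalike you found.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement is
# installed; the UPN and the domains are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$lookalike = 'contoso-example.com'          # placeholder lookalike of contoso.com
$review    = (Get-Date).AddDays(90)         # force a review instead of a forever entry

# Block the lookalike as a sender domain. Mail from it will be marked
# high-confidence spam; the anti-spam policy decides what happens next.
New-TenantAllowBlockListItems -ListType Sender -Entries $lookalike -Block `
    -ExpirationDate $review `
    -Notes "Lookalike of contoso.com with MX record, no website (placeholder note)"

# Also block it as a URL so a link to the domain (root or any subdomain) in a
# message body is marked high-confidence phishing.
New-TenantAllowBlockListItems -ListType Url -Entries @($lookalike, "*.$lookalike") -Block `
    -ExpirationDate $review `
    -Notes "Lookalike of contoso.com (placeholder note)"

# Verify the entries: Action should read Block and ExpirationDate is the review date.
Get-TenantAllowBlockListItems -ListType Sender -Entry $lookalike |
    Select-Object Value, Action, ExpirationDate, Notes
Get-TenantAllowBlockListItems -ListType Url -Block |
    Where-Object { $_.Value -like "*$lookalike*" } |
    Select-Object Value, Action, ExpirationDate, Notes
```

Note that nothing here changes the action itself: with the default policy, mail from `$lookalike` still lands in the junk folder, which is the point of the next sections.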

Insights from Official Documentation

Microsoft's official documentation on the Tenant Allow/Block List describes exactly the behavior observed: a block entry produces a verdict (high-confidence spam, high-confidence phishing, or malware), and the action applied to the message comes from the anti-spam or anti-malware policy, not from the block entry. Understanding that split is crucial for effectively managing email security within the Microsoft 365 environment.

Adjusting Spam Policies for Enhanced Security

The default anti-spam policy, unless altered, moves high-confidence spam to the Junk Email folder, so mail from a blocked domain still reaches the mailbox where a user can open it. For stricter handling, change the high-confidence spam action to Quarantine (and review the spam and phishing actions at the same time), so that emails from blocked domains are held in quarantine instead of landing in users' junk folders.
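The policy change can be made and verified from Exchange Online PowerShell, where the per-verdict actions of the anti-spam policy (the "hosted content filter" policy) are exposed as separate parameters. This is an added example, not from the original post; it assumes an existing `Connect-ExchangeOnline` session and that the tenant still uses the built-in policy named `Default`.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has
# already been run and the built-in anti-spam policy is still named "Default".

# 1. Show which action each verdict currently triggers. Out of the box,
#    HighConfidenceSpamAction is MoveToJmf (Junk Email folder), which is why a
#    blocked sender domain still reaches the user's junk folder.
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object Name, SpamAction, HighConfidenceSpamAction,
                  PhishSpamAction, HighConfidencePhishAction, QuarantineRetentionPeriod

# 2. Quarantine high-confidence spam (and ordinary phish) instead of junking it.
Set-HostedContentFilterPolicy -Identity Default `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine

# 3. Confirm the change took effect and that no custom policy with a higher
#    priority overrides Default for the users you care about.
$policy = Get-HostedContentFilterPolicy -Identity Default
if ($policy.HighConfidenceSpamAction -ne 'Quarantine') {
    throw "HighConfidenceSpamAction is still $($policy.HighConfidenceSpamAction)"
}
Get-HostedContentFilterRule |
    Select-Object Name, State, Priority, HostedContentFilterPolicy
```

The last step matters: the `Default` policy has no rule and applies only to recipients not matched by a custom policy, so if a custom anti-spam policy with its own junk-folder action is bound to a group, that group keeps the weaker behavior until its policy is changed too.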

Conclusion: The Importance of Informed Configuration

In summary, while the Microsoft 365 console provides robust tools for managing email security, a block entry on its own only sets a verdict; it is the underlying anti-spam and anti-malware policies that decide whether the message is junked, quarantined, or deleted. By understanding and fine-tuning those policies, organizations can make their blocks actually block and fortify their defenses against the ever-evolving threat of phishing.
