Good day, security-aware colleagues. There is more on our agendas today than the solar eclipse, namely security.
In the realm of cybersecurity, maintaining a robust defensive posture is key to protecting an organization’s digital assets. Microsoft Defender’s Secure Score offers a comprehensive metric that evaluates the security health of an organization’s Microsoft 365 environment. One critical aspect of bolstering your Secure Score involves addressing the issue of email abuse through the action of “blocking users who reached the message limit.” This blog post aims to explore the nuances of this recommended action.
Rank: 98
Recommended action: Block users who reached the message limit
Microsoft Secure Score
Before mitigation: 62.73%
After mitigation:
Secure Score improvement: +0.10%
General
Description
Configure action to take when any of the limits specified in the outbound anti-spam policy are reached. It is common, after an account compromise incident, for an attacker to use the account to generate spam and phish. Configuring the recommended values can reduce the impact.
Recommended Values: Microsoft recommendations for EOP and Defender for Office 365 security settings | Microsoft Learn
Implementation status
100% of users are affected by policies that are configured less securely than is recommended.
- Default: 1 user (100%)
Implementation
Prerequisites
You have Microsoft Defender for Office 365 P1.
Next steps
Ensure that all users have an assigned outbound anti-spam policy with the ‘Over limit action’ option set to the recommended value, which is “Restrict the user from sending mail”, by either updating your existing policies or creating new ones.
Recommended Values: Microsoft recommendations for EOP and Defender for Office 365 security settings | Microsoft Learn
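Before changing anything, it helps to see which outbound spam policies already use the recommended over-limit action and which accounts have already tripped a limit. The following Exchange Online PowerShell is an added example, not code from the original post or from Microsoft's documentation; it uses cmdlets from the ExchangeOnlineManagement module, and the role requirement and the property names on the restricted-sender objects are assumptions to verify in your tenant.

```powershell
# Added example: audit outbound spam policies against the Secure Score action
# "Block users who reached the message limit". Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds Exchange Administrator or
# Security Administrator (assumption).
# Install-Module ExchangeOnlineManagement   # one-time, if the module is missing
Connect-ExchangeOnline -ShowBanner:$false

# The portal's "Restrict the user from sending mail" is ActionWhenThresholdReached = BlockUser.
# BlockUserForToday is the "until the following day" default; Alert is "No action, alert only".
$recommendedAction = 'BlockUser'

$report = Get-HostedOutboundSpamFilterPolicy | ForEach-Object {
    $policy = $_
    # The default policy has no rule and applies to every sender not matched by a
    # custom rule; custom policies are scoped by a rule that references them.
    $rule = Get-HostedOutboundSpamFilterRule |
        Where-Object { $_.HostedOutboundSpamFilterPolicy -eq $policy.Name }
    [pscustomobject]@{
        Policy              = $policy.Name
        IsDefault           = $policy.IsDefault
        RuleState           = if ($rule) { $rule.State } else { 'n/a (default policy)' }
        Scope               = if ($rule) { (@($rule.SenderDomainIs) + @($rule.From) + @($rule.FromMemberOf)) -join ',' } else { 'all unmatched senders' }
        OverLimitAction     = $policy.ActionWhenThresholdReached
        ExternalPerHour     = $policy.RecipientLimitExternalPerHour
        InternalPerHour     = $policy.RecipientLimitInternalPerHour
        PerDay              = $policy.RecipientLimitPerDay
        AutoForwarding      = $policy.AutoForwardingMode
        MeetsRecommendation = ($policy.ActionWhenThresholdReached -eq $recommendedAction)
    }
}
$report | Format-Table -AutoSize

# Flag every policy still using the default "until the following day" or alert-only action.
$report | Where-Object { -not $_.MeetsRecommendation } | ForEach-Object {
    Write-Warning "Policy '$($_.Policy)' uses '$($_.OverLimitAction)' instead of '$recommendedAction'"
}

# Accounts that have already exceeded a limit and sit on the Restricted entities page.
# Property names (SenderAddress, Reason, CreatedDatetime) are an assumption; check with Get-Member.
Get-BlockedSenderAddress | Select-Object SenderAddress, Reason, CreatedDatetime
```

Because the default policy catches every sender not matched by a custom rule, a tenant is only fully covered when the default policy's action is BlockUser as well, or when a custom rule scopes a compliant policy to every accepted domain; the report above makes that gap visible.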
Learn more
Configure spam filter policies | Microsoft Learn
Navigate to Microsoft 365 Defender at https://security.microsoft.com.
- Expand Email & collaboration, then select Policies & rules.
- On the Policies & rules page, select Threat policies.
- Under Threat policies, select Anti-spam.
Note: Outbound spam policies are not part of Standard or Strict preset security policies. The Standard and Strict values indicate our recommended values in the default outbound spam policy or custom outbound spam policies that you create.
Recommended Values: EOP Outbound Spam Policy Settings Microsoft recommendations for EOP and Defender for Office 365 security settings | Microsoft Learn
Configure outbound spam policies in EOP: Configure outbound spam policies | Microsoft Learn
Use the Microsoft Defender portal to create outbound spam policies
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
On the Anti-spam policies page, select Create policy and then select Outbound from the dropdown list to start the new outbound spam policy wizard.
On the Name your policy page, configure these settings:
- Name: Enter a unique, descriptive name for the policy.
- Description: Enter an optional description for the policy.
When you’re finished on the Name your policy page, select Next.
On the Users, groups, and domains page, identify the internal senders that the policy applies to (conditions):
- Users: The specified mailboxes, mail users, or mail contacts.
- Groups:
  - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren’t supported).
  - The specified Microsoft 365 Groups.
- Domains: All senders in the organization with a primary email address in the specified accepted domain.
Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select the remove icon next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (*) by itself to see all available values.
Multiple values in the same condition use OR logic (for example, <sender1> or <sender2>). Different conditions use AND logic (for example, <sender1> and <member of group 1>).
- Exclude these users, groups, and domains: To add exceptions for the internal senders that the policy applies to, select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
Important
Multiple different types of conditions or exceptions are not additive; they’re inclusive. The policy is applied only to those senders that match all of the specified sender filters. For example, you configure a sender filter condition in the policy with the following values:
- Users: romain@contoso.com
- Groups: Executives
The policy is applied to romain@contoso.com only if he’s also a member of the Executives group. If he’s not a member of the group, then the policy is not applied to him.
Likewise, if you use the same sender filter as an exception to the policy, the policy is not applied to romain@contoso.com only if he’s also a member of the Executives group. If he’s not a member of the group, then the policy still applies to him.
When you’re finished on the Users, groups, and domains, select Next.
On the Protection settings page, configure the following settings:
- Message limits sections: The settings in this section configure the limits for outbound email messages from Exchange Online mailboxes:
- Set an external message limit: The maximum number of external recipients per hour.
- Set an internal message limit: The maximum number of internal recipients per hour.
- Set a daily message limit: The maximum total number of recipients per day.
A valid value is 0 to 10000. The default value is 0, which means the service defaults are used. For more information, see Sending limits.
Enter a value in the box, or use the increase/decrease arrows on the box.
- Restriction placed on users who reach the message limit: Select an action from the dropdown list when any of the limits in the Protection settings section are exceeded.
For all actions, the senders specified in the User restricted from sending email alert policy (and in the now redundant Notify these users and groups if a sender is blocked due to sending outbound spam setting on this page) receive email notifications.
  - Restrict the user from sending mail until the following day: This is the default value. Email notifications are sent, and the user is unable to send any more messages until the following day, based on UTC time. There’s no way for the admin to override this block.
    - The alert policy named User restricted from sending email notifies admins (via email and on the Incidents & alerts > View alerts page).
    - Any recipients specified in the Notify specific people if a sender is blocked due to sending outbound spam setting in the policy are also notified.
  - Restrict the user from sending mail: Email notifications are sent, the user is added to Restricted users https://security.microsoft.com/restrictedusers in the Microsoft Defender portal, and the user can’t send email until they’re removed from Restricted users by an admin. After an admin removes the user from the list, the user won’t be restricted again for that day. For instructions, see Remove blocked users from the Restricted entities page.
  - No action, alert only: Email notifications are sent.
- Forwarding rules section: The setting in this section controls automatic email forwarding by Exchange Online mailboxes to external recipients. For more information, see Control automatic external email forwarding in Microsoft 365.
Select one of the following actions from the Automatic forwarding rules dropdown list:
  - Automatic – System-controlled: This is the default value. This value is now the same as Off. When this value was originally introduced, it was equivalent to On. Over time, thanks to the principles of secure by default, the effect of this value was eventually changed to Off for all customers. For more information, see this blog post.
  - On: Automatic external email forwarding isn’t disabled by the policy.
  - Off: All automatic external email forwarding is disabled by the policy.
Note
- Disabling automatic forwarding disables any Inbox rules or mailbox forwarding (also known as SMTP forwarding) that redirects messages to external addresses.
- Outbound spam policies don’t affect the forwarding of messages between internal users.
- When automatic forwarding is disabled by an outbound spam policy, non-delivery reports (also known as NDRs or bounce messages) are generated in the following scenarios:
  - Messages from external senders for all forwarding methods.
  - Messages from internal senders if the forwarding method is mailbox forwarding. If the forwarding method is an Inbox rule, an NDR isn’t generated for internal senders.
- Notifications section: Use the settings in the section to configure additional recipients who should receive copies and notifications of suspicious outbound email messages:
- Send a copy of suspicious outbound messages that exceed these limits to these users and groups: This setting adds the specified recipients to the Bcc field of suspicious outbound messages.
Note
This setting works only in the default outbound spam policy. It doesn’t work in custom outbound spam policies that you create.
To enable this setting, select the check box. In the box that appears, click in the box, enter a valid email address, and then press the ENTER key or select the complete value that’s displayed below the box.
Repeat this step as many times as necessary. To remove an existing value, select the remove icon next to the value.
- Notify these users and groups if a sender is blocked due to sending outbound spam
Important
This setting is in the process of being deprecated from outbound spam policies.
The default alert policy named User restricted from sending email already sends email notifications to members of the TenantAdmins (Global admins) group when users are blocked due to exceeding the limits in the Recipient Limits section. We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users. For instructions, see Verify the alert settings for restricted users.
When you’re finished on the Protection settings page, select Next.
On the Review page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.
When you’re finished on the Review page, select Create.
On the New anti-spam policy created page, you can select the links to view the policy, view outbound spam policies, and learn more about outbound spam policies.
When you’re finished on the New anti-spam policy created page, select Done.
Back on the Anti-spam policies page, the new policy is listed.
Exchange Online Sending Limits: Exchange Online limits – Service Descriptions | Microsoft Learn
Exchange Online Protection (EOP) Outbound Spam Policy Settings: Microsoft recommendations for EOP and Defender for Office 365 security settings | Microsoft Learn
- Click on the “+Create Policy”, then “Outbound”.
- For the purposes of this documentation, we are going to apply this policy to the entire “contoso.com” domain.
Microsoft recommendations for EOP and Defender for Office 365 security settings | Microsoft Learn
- Using the chart above (obtained from Microsoft recommendations for EOP and Defender for Office 365 security settings | Microsoft Learn), enter the “Recommended Strict” values for each field on the “Protection settings” screen.
- <click> “Next”
- At the “Review” screen, validate all values are correct.
- <click> “Create”.
- Confirmation that the policy has been created is received.
- <click> “Done”.
- The new policy shows.
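The same policy the wizard steps above build by hand can be created from Exchange Online PowerShell, which is easier to repeat across tenants and to keep under change control. This is an added example, not the original post's or Microsoft's code. It assumes the ExchangeOnlineManagement module is installed, that contoso.com is an accepted domain in the tenant, and that the policy name is yours to choose; the numeric limits are the Strict-column values as recalled from the Microsoft Learn recommendations table linked above and should be confirmed against that table before you apply them.

```powershell
# Added example: build the custom outbound spam policy from the walkthrough,
# scoped to the contoso.com accepted domain, with the Strict over-limit settings.
# Assumptions: ExchangeOnlineManagement module installed; contoso.com is an accepted
# domain; limits below are the Strict column as recalled (confirm against Microsoft Learn).
Connect-ExchangeOnline -ShowBanner:$false

$policyName = 'Strict outbound spam - contoso.com'   # policy/rule name is an assumption
$domain     = 'contoso.com'

$settings = @{
    Name                          = $policyName
    RecipientLimitExternalPerHour = 400          # "Set an external message limit" (Strict, assumed)
    RecipientLimitInternalPerHour = 800          # "Set an internal message limit" (Strict, assumed)
    RecipientLimitPerDay          = 800          # "Set a daily message limit" (Strict, assumed)
    ActionWhenThresholdReached    = 'BlockUser'  # "Restrict the user from sending mail"
    AutoForwardingMode            = 'Off'        # "Automatic forwarding rules: Off"
}

# Create the policy, or bring an existing one of the same name up to these values,
# so the script can be rerun safely.
if (Get-HostedOutboundSpamFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    $settings.Remove('Name')
    Set-HostedOutboundSpamFilterPolicy -Identity $policyName @settings
} else {
    New-HostedOutboundSpamFilterPolicy @settings | Out-Null
}

# The rule is the "Users, groups, and domains" page: it attaches the policy to
# every sender whose primary address is in the domain. Priority 0 puts it ahead
# of other custom outbound policies.
if (-not (Get-HostedOutboundSpamFilterRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-HostedOutboundSpamFilterRule -Name $policyName `
        -HostedOutboundSpamFilterPolicy $policyName `
        -SenderDomainIs $domain `
        -Priority 0 | Out-Null
}

# Senders outside the rule still fall to the default policy, so give it the
# recommended over-limit action too; otherwise Secure Score keeps reporting them.
Set-HostedOutboundSpamFilterPolicy -Identity Default -ActionWhenThresholdReached BlockUser

# Verify, the equivalent of the wizard's "Review" screen.
Get-HostedOutboundSpamFilterPolicy -Identity $policyName |
    Format-List Name, RecipientLimit*, ActionWhenThresholdReached, AutoForwardingMode
Get-HostedOutboundSpamFilterRule -Identity $policyName |
    Format-List Name, State, Priority, SenderDomainIs, HostedOutboundSpamFilterPolicy
```

With the action set to BlockUser, an account that exceeds a limit lands on the Restricted entities page and stays there until an admin releases it, which is exactly the behaviour the Secure Score action rewards; the "until the following day" default lifts the block on its own, so a compromised account can resume sending after the UTC day rolls over.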
Mitigation
The Corrective Action for “98-Block users who reached the message limit”.