Email Protection Enhancements

• Overview
• Early adopter access
• How to enable, maintain, and enhance spam and phishing protections
• Adjust aggressiveness policy
• Adjust Proofpoint score translation
• Support

Overview

UW Office 365 adds multiple layers of additional email protection and options for users of Exchange Online mailboxes beyond those provided by the UW Email Infrastructure service. The protections added include:

• Junk E-Mail folder protections to help block phishing and protect privacy from embedded email content
• Personal Safe Sender or Domains list of up to 1,024 entries
• Personal Blocked Sender or Domains list of up to 500 entries
• In the Outlook desktop client, additional processing of Safe or Blocked senders based on root domains, languages, or country of origin
• Preserves emails detected as spam and phishing for user review, rather than rejecting delivery outright (This only applies to emails not already rejected by the Email Infrastructure service)
• Microsoft’s advanced scanning and scoring for spam and phishing email
• Adds filtering for some spam and phishing email identified after delivery by moving messages to Junk E-Mail from other parts of the mailbox
• Further leveraging of the UW Sophos email spam score by filtering lower confidence spam to Junk E-Mail
• User-customizable policies and options to fit a wide range of needs and preferences

UW Office 365 Exchange Online email protection early adopter access

UW Office 365 Exchange Online now offers early adopter access to enhancements for spam and phishing protections to employees and students. These new layers of protection:

• Further leverage the UW Email Infrastructure service’s Proofpoint spam score for filtering low-confidence spam
• Adds Microsoft’s advanced spam and phishing email scanning and scoring
• Adds filtering for spam and phishing email identified after email has already been delivered to a mailbox
• User-customizable policies and options to fit a wide range of needs and preferences
• Further enhances and leverages the individual user “Safe senders and domains” list (aka “Safe Senders” list) and “Blocked senders and domains” list (aka “Blocked Senders” list)

How to enable, maintain, and enhance UW Office 365 Exchange Online spam and phishing protections

Optimal utilization of UW Office 365 Exchange Online spam and phishing protections requires enabling, maintaining, and potentially enhancing these protections.

Enable

1. Enable early adopter spam and phishing protections by clicking the “Join this group” link for the UW Group here: https://groups.uw.edu/group/u_msca_ea_enable-email-protections. (This will step will not be needed once UW Office 365 Exchange Online spam and phishing protections move to General Availability for UW Office 365 Exchange Online.)
2. Once you enable the early adopter program by clicking “Join this group”, it is recommended (but not required) that you delete inbox rules based on the UW Proofpoint spam score (aka “X-Uwash-Spam header”). The new protections you’ve enabled already leverage this score, and inbox rules do not respect allow lists such as an individual’s Safe Senders list nor the UW’s allow list for important business processes. The new protections leverage these scores in a way that respects allow lists. (See the “Optional enhancements” section for details.)
3. Start watching your Junk E-mail folder for false positives (i.e. emails that were incorrectly delivered to your Junk E-mail folder)
   • Use the “Report Message” add-in for Outlook to report “Not Junk” for false positives, which automatically:
     • Moves the email to the inbox
     • Adds the sender of the email to your Safe Senders list
     • Reports the false positive email to the UW Office 365 service team
     • Reports the false positive email to Microsoft’s spam protection services
   • Use the “Report Message” add-in for Outlook to report “Junk” and “Phishing” emails, which automatically:
     • For reported junk email, moves the email to the Junk E-Mail folder
     • For reported phishing email, moves the email to the Deleted Items folder
     • Adds the sender of the email to your Blocked Senders list
     • Reports the junk or phishing email to the UW Office 365 service team
     • Sends the junk or phishing email as an attachment to reportedspam@cac.washington.edu
     • Reports the junk or phishing email to Microsoft’s spam protection services

Please note: Although it is possible to configure UW Office 365 Exchange Online to also send user-reported emails to other UW systems for further spam and phishing analysis, this has not yet been implemented.  Therefore, please also follow this process to report spam and phishing email.

Maintain

1. Review your Blocked Senders list and Safe Senders list on Outlook on the web (aka OWA). (Special note for @uw.edu, @u.washington.edu, and @washington.edu email addresses – you cannot add these email addresses and domains to your Safe Senders list. You can add subdomains and associated email addresses to your Safe Senders list. You also cannot add these these domains to your Blocked Senders list, but you can block individual email addresses.)
   • Clean-up your Blocked Senders list. When enabling enhancements for spam and phishing protections for the first time as an early adopter or when moving to a more restrictive policy option, it is likely you will not need all of the blocked entries on your Blocked Senders list that you needed before. As you are only allowed a total of 500 blocked senders and domains, it is important to keep the list clear of entries that are no longer needed.
   • Clean-up your Safe Senders list.  You are only allowed a total of 1,024 safe senders and domains.
   • Create domain-wide entries instead of adding individual email addresses to your Blocked Senders list and Safe Senders list.
     • For Outlook desktop email client users: When creating a domain-wide entry, leave the “@” in front of the domain. Removing the “@” on an Outlook desktop client will convert the server-side setting to a local setting that is processed only if that specific Outlook desktop instance is open and logged in
     • For Outlook on the web users (aka OWA): Remove the “@” for the server-side setting
     • Recommendation: For this and other reasons we recommend using only Outlook on the web (aka OWA) to manage Safe Senders and Blocked Senders.
2. Review existing inbox rules for rules involving critical email addresses. Inbox rules do not run on emails when a server-side process determines an email to be junk, as server-side processes act on an email before inbox rules, so it is important to add critical email addresses to your Safe Senders list.

Optional enhancements

Optionally, select a higher or lower level of protection. The UW Office 365 Exchange Online service team believes the default policy level, which requires no additional action beyond what is detailed above, will work well for most users. The default policy will mark email from some senders with high Bulk Complaint Level scores as spam, which will result in more false positives than users are accustomed to, but this is mitigated by reporting such emails as “Not Junk” as detailed above.

To adjust the level of aggressiveness at which junk and phishing protections will move emails to the Junk E-Mail folder, you can click the “Join this group” link for the UW Groups listed below:

• Maximum_policy is not recommended but the service team has made it available for testing or unusual situations. It will result in a large number of false positives, restrict some common email types, involve significantly more work to manage your Safe Sender list, and require you to access some emails only available for recovery in “quarantine”. Currently, it is the only policy that will move emails into quarantine.
  • https://groups.uw.edu/group/u_msca_enable-email-protection-policy-maximum
• Increased_policy reduces the tolerance for email addresses and domains that have had a large number of complaints lodged against them. If you select this policy, you will likely find that you have to add email distribution lists, newsletters, and other common emails to your Safe Senders list. This issue stems from many users improperly using spam and phishing reporting to block or move emails from senders to the Junk E-mail folder instead of unsubscribing. It also filters on common “sensitive words” which may be more widely used in an academic or medical setting, leading to more false positives.
  • https://groups.uw.edu/group/u_msca_enable-email-protection-policy-increased
• Decreased_policy moves only high-confidence spam and phishing emails to your Junk E-Mail folder. Low-confidence spam email gets marked with a “X-UW-ExO-EOP-MarkOnly-Decreased_Policy” email header, which you can then leverage using an inbox rule if desired, but there is otherwise no visible way for you to determine low-confidence spam email from normal email.
  • https://groups.uw.edu/group/u_msca_enable-email-protection-policy-decreased
• Minimal_policy is recommended if you have a low tolerance for (or a high occurrence of) false positive junk email (i.e. emails that were incorrectly delivered to your Junk E-mail folder). It moves only high-confidence phishing email to your Junk E-Mail folder. High-confidence spam, low-confidence spam, and low-confidence phishing email gets marked with a “X-UW-ExO-EOP-MarkOnly-Minimal_Policy” email header, which you can then leverage using an inbox rule if desired, but there is otherwise no visible way for you to determine low-confidence phishing or spam email from normal email. It effectively provides an alternative to enabling almost full-bypass of junk and phishing protections while leaving minimal phishing protections in place.
  • https://groups.uw.edu/group/u_msca_enable-email-protection-policy-minimal

Select an optional level of the UW Email Infrastructure service’s Proofpoint spam score translation

By default, UW Office 365 Exchange Online standard junk and phishing protections will mark email as low-confidence spam when an email scores at the Email Infrastructure service’s recommended level of “low-confidence” spam. However, additional options are available using the UW Groups referenced below, which treat email as high-confidence spam based on scores from “X” (low-confidence) to “XXXXXXXXX” (high-confidence). The option with the lowest score will be applied, if you have joined more than one UW Group, and no score at all will be applied if you have joined the “bypass group” UW Group. Click the “Join this group” link for a UW Group listed below to enable one of these options, if the default is not desired.

• To utilize the Proofpoint “X” to “XXXXXXXXX” scores, join the UW Group matching the lowest setting desired:
  • https://groups.uw.edu/search/?name=u_msca_enable_uw-spam-above&stem=&member=&owner=&type=effective&scope=one
• To bypass Proofpoint score translation:
  • https://groups.uw.edu/group/u_msca_enable-email-protection-bypass-uwspam-default-score

Support

If you need further assistance, please contact UW-IT at help@uw.edu or 206-221-5000.