Since ChatGPT launched in 2022 there has been a marked increase in malicious phishing emails. As of November 2023 there was a 1265% increase, and the figure continues to rise. The ease and low cost of generating convincingly human emails has become a huge security concern, especially for Outlook and Office 365 security administrators.
These attacks are carried out for many reasons: from changing bank details to harvesting credit card information or leaking private data. The motives may differ, but there is no denying the increase in attempts by bad actors now that this technology is firmly in their grasp.
Finding a solution has certainly been a challenge for modern-day email security vendors. As technology advances, so do the tactics used by cybercriminals, making it crucial to understand potential vulnerabilities. Security professionals may be surprised to learn that users are able to open the door for bad actors, often without realising it.
So, how and why might users accidentally bypass the security measures that email security administrators have set up for their protection, specifically in the case of Outlook and Office 365 security?
How was this Outlook and Office 365 security problem detected?
During a recent troubleshooting session, a customer asked why junk emails were landing in their inbox despite their security tools marking the email as malicious, and we began to work through the problem.
First, we checked whether any mailbox rules might be redirecting the email back into the inbox. The customer indicated that there were no mailbox rules in place. As it turns out, the junk email configuration is saved in a hidden inbox rule in the user's mailbox, but we didn't know that at the time.
Running the following command in Exchange Online PowerShell against the user's mailbox gave us no results, indicating that there were no visible rules directing emails to their inbox.
Get-InboxRule -Mailbox user@yourdomain.com | Format-List
There are two ways in which this could have taken place:
The first way is through the link that Outlook generates at the top of the email, labelled: "I trust content from [email protected] | Show blocked content."
Choosing the "I trust content from [email protected]" option adds this email address to the user's Allow List, which can be found under Settings -> Junk email -> Safe senders and domains.
The Safe Senders feature allows users to add email addresses and domains to a block or allow list. While this looks like an innocent setting at first, adding entries to the safe sender list directly affects how many phishing or spam emails are delivered to the end user's inbox.
The second way is via emails that end up in the user's Junk folder, where the user is presented with similar options: "It's not junk | Show blocked content and enable links."
Clicking "Show blocked content and enable links" allows the end user to view the content and enable links within the message, but the message stays in the Junk folder. "It's not junk" adds the sender to the Allow List. From this point on, any email received from that sender is delivered to the inbox, even if it is malicious.
Why is this a problem for Outlook and Office 365 security?
This may solve the problem for the end user, but it can have unexpected consequences for the security team. Firstly, the allow list causes Defender to set the SCL (Spam Confidence Level) of the message to -1. The SCL rating is a number from -1 through 9, and a higher SCL indicates that a message is more likely to be spam; typically, 5 to 9 are considered spam. An SCL of -1 allows the message to bypass antispam scanning altogether.
So even though Outlook and Office 365 security has classified the message as malicious, the user has overridden the protections put in place.
This was surprising to both the customer and to us, as it effectively disables email security for any address in the allow list. If a sender's mailbox is compromised, the attacker can then send out malicious files or messages that are never checked by the security tool. We also noted that an end user who only wants to see the blocked content of an email may inadvertently add the sender to the Allow List instead: it isn't immediately clear which option they have selected, and over time the Allow List will continue to grow if left unchecked.
It is worth checking whether your Outlook and Office 365 security platform allows you to re-classify and move emails post-delivery via an API.
How do we detect and remediate this issue with Outlook and Office 365 security?
For IT professionals, there are ways to detect and remedy this if you have a Microsoft Defender for Office 365 Plan 2 licence. You can use Threat Explorer with the "Primary override" filter to see the emails that are being delivered to users' inboxes because of their allow list. Selecting "Allowed by user policy" shows all emails delivered to the inbox because of a safe sender entry.
Running the following command in Exchange Online PowerShell lets us check the junk email configuration, where this hidden rule becomes visible:
Get-MailboxJunkEmailConfiguration -Identity user@yourdomain.com
From here we are presented with a number of key properties to check:
- Enabled
  - If the value is true, this setting is enabled and affects spam filtering
- TrustedSendersAndDomains
  - Entries in this list can bypass the built-in EOP scanning, depending on the type of detection
- TrustedRecipientsAndDomains
  - This setting is reserved for Microsoft and cannot be updated. In testing, it held the same value as the TrustedSendersAndDomains setting
- BlockedSendersAndDomains
  - Emails from senders on this list are delivered to the Junk folder
This is a good way of determining, on a case-by-case basis, whether this configuration is causing the problem. We can turn it off for a single mailbox by running the following PowerShell command:
Set-MailboxJunkEmailConfiguration -Identity user@yourdomain.com -Enabled $false
When this junk email configuration is disabled, the entries in the allow list are ignored when Exchange Online decides whether the email should be delivered to the inbox, the Junk folder or quarantine.
This is a somewhat nuclear approach to solving the problem, and the command above only works for a single user. Fortunately, we can automate the process with the following script, which disables the Allow Lists for all user mailboxes in Exchange Online. You can then manage allow lists in your third-party security platform, such as Check Point's Harmony Email & Collaboration, giving control back to your security team.
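Before disabling the configuration for everyone, it helps to know which mailboxes actually carry active Safe Sender entries. The following audit script is an added example and not part of the original post; it assumes an existing Exchange Online PowerShell session with rights to read mailbox junk email configuration, and the CSV path is an assumption.

```powershell
# Added example: inventory mailboxes whose Safe Senders list is enabled and non-empty.
# Assumes Connect-ExchangeOnline has already been run in this session.
$reportPath = ".\SafeSenderAudit.csv"   # assumed output location

$mailboxes = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

$findings = foreach ($mailbox in $mailboxes) {
    $junk = Get-MailboxJunkEmailConfiguration -Identity $mailbox.UserPrincipalName

    # Only the Trusted list produces the SCL -1 bypass; Blocked entries are not a risk here.
    $trusted = @($junk.TrustedSendersAndDomains)

    if ($junk.Enabled -and $trusted.Count -gt 0) {
        [pscustomobject]@{
            Mailbox           = $mailbox.UserPrincipalName
            JunkConfigEnabled = $junk.Enabled
            TrustedEntryCount = $trusted.Count
            TrustedEntries    = ($trusted -join ';')
            BlockedEntryCount = @($junk.BlockedSendersAndDomains).Count
        }
    }
}

$findings |
    Sort-Object TrustedEntryCount -Descending |
    Export-Csv -Path $reportPath -NoTypeInformation

Write-Host "$(@($findings).Count) mailbox(es) with active Safe Sender entries written to $reportPath"

# Targeted alternative to disabling the whole configuration: remove a single entry
# from one user's Trusted list (the address and domain below are placeholders).
# Set-MailboxJunkEmailConfiguration -Identity user@yourdomain.com `
#     -TrustedSendersAndDomains @{Remove="attacker@example.com"}
```

The report lets you review the entries with the affected users (or with Threat Explorer's "Allowed by user policy" view) before deciding between the targeted removal and the tenant-wide disable.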
# Connect using a managed identity (suitable for an Azure Automation runbook)
Connect-ExchangeOnline -ManagedIdentity -Organization yourdomain.onmicrosoft.com

# Collect every user mailbox in the tenant
[array]$mailboxes = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
    # Read the current state of the hidden junk email configuration rule
    $currentJunkConfiguration = (Get-MailboxJunkEmailConfiguration -Identity $mailbox.UserPrincipalName).Enabled

    # Only touch mailboxes where the configuration is still enabled
    if ($currentJunkConfiguration -ne $false) {
        Write-Host "Updated configuration $($mailbox.UserPrincipalName)"
        Set-MailboxJunkEmailConfiguration -Identity $mailbox.UserPrincipalName -Enabled $false
    }
}
To keep this configuration applied to all users, including newly created mailboxes, the script needs to run regularly. This can be achieved with an Azure Automation runbook set on a schedule.
Disabling the junk email configuration for all mailboxes does not mean there is no use case for safe senders. The main advantage of safe senders is that images within emails from entries in the safe senders list are downloaded automatically, while your security protections are not circumvented.
If the IT administrator decides that certain senders should be allowed, an allow list can be added to the email security platform instead. This puts the power back with the admin team, giving them peace of mind that they control who is deemed safe, while preventing users from overriding the security systems that have been put in place to protect them.
It is also important that the security product is configured so that the end user isn't given another way to interact with malicious emails: make sure the email security platform is not configured to use 'move to junk' for 'phish' or 'malware' rules, since those rules would allow the user to open and interact with the malicious email from their Junk folder.
Conclusion: Preventing a User-Driven Allow List Vulnerability in Outlook and Office 365 Security
Having email security is only half the battle. Ensuring it is configured correctly is the other half.
While troubleshooting with a customer, we were able to identify a potential hidden vulnerability with their Outlook and Office 365 security: users unknowingly bypassing email security measures through the “Safe Senders” feature.
This can allow malicious emails to bypass spam filters and potentially compromise your system.
Our recommendations:
- Contact us at SEP2 to get your free 14-day Email Health Checkup
- Educate your users about the dangers of phishing emails and the “Safe Senders” feature
- Utilise security platforms like Check Point’s Harmony Email & Collaboration with Allow List management for administrators
- Configure your security platform to avoid moving phishing or malware emails to Junk folders, preventing user interaction
By following these steps, you can significantly reduce the risk of users unknowingly compromising your email security. Remember, a layered approach combining user awareness and robust security tools provides the best defense against cyber threats.