Microsoft Ignite 2019 – Exchange Online Announcements

I had the opportunity to attend the Microsoft Ignite conference In Orlando Florida last week. I had an amazing time connecting with old friends and making new ones too. I enjoyed talking with other attendees, Microsoft staff and MVPs, and vendors about the value and impact of Microsoft365, Azure and other Microsoft’s services in our daily life.

Coming from an Exchange/Messaging background, it was a little difficult to realize that the Microsoft Exchange product has reached its maturity level and the focus has been diverted into other directions, especially Azure and Security. However, the Microsoft Exchange Team managed to put several amazing breakout sessions with very important announcement that will bring benefits to the end-users and administrators.

Exchange Online Email Enhancements for End Users

  • Support for Plus Addressing

Now you can have addresses such as

  • Send from proxy address (alias)

The ability to send from an SMTP proxy address (alias) and having the that address be preserved in the recipient’s FROM and REPLY TO is one of those enhancements. (Pretty cool feature)

  • Message Recall in Exchange Online

This one is the best feature released. The current Message Recall feature is client-based, and only Outlook for Windows supports it today. The sender needs to use Outlook to recall a message, and the recipient needs to use Outlook for the recall to work. But thanks to M365 that host millions of Mailboxes, Microsoft is now able to implement a cloud-based message recall in the Office 365 datacenters that will recall the message directly from Office 365 mailboxes. It won’t matter which email client the recipient uses to sync with their Office 365 mailbox.

  • Reply-All Storm Protection

For an organization in Office 365, Microsoft will identify what looks like might be a Reply-All storm conversation. Then a temporarily block will be enabled on anyone from replying to all members of the conversation, sending a bounce message (NDR) back to anyone who tries. So, when Exchange Online detects what looks like it might be a Reply-All storm, anyone who subsequently attempts to reply to everyone will get an NDR back instead.


Some of the announcement about email enhancements for Admins

  • Modern Exchange Admin Center (EAC) Portal

Updated to look like all other Office365 admin portals

  • Customizable Recipient Limits

The setting can be found in EAC > Recipients > Mailboxes > Mailbox Features > Mail Flow, and once made available in the first part of 2020, admins will be able to customize the Recipient Limit from 1 to 1000 for individual mailboxes.

Example: Set-Mailbox -RecipientLimits 20
  • Securing SMTP Auth Submissions

Organizations required to use MFA, Conditional Access, Sign-in risk policies, and modern authentication have challenges with compliance especially with printers, scanners, or SMTP relays that does not support modern authentication. To help reduce the potential for exploiting the less secure SMTP authenticated submission protocol, last year the Exchange Team introduced the ability to disable SMTP authenticated submission for both your organization and for individual mailboxes via Remote PowerShell cmdlets.

Prevent Data Leakage using Exchange Online Transport Rules and Raise the Office365 Secure Score

Over the last month, two clients contacted me requesting immediate support to mitigate and stop the data leakage caused by compromised credentials of specific users in Office365 and Exchange Online. The use of Multi-Factor Authentication has become a best practice and could have prevented this situation. However, there are other security controls that we recommend putting in place to prevent data leakage from Office365.

The bad actors’ “modus operandi” it is usually the same. After compromising the account, hackers access the compromised mailbox using OWA or perhaps Outlook, and setup multiple mailboxes rules. Some of these rules are to exfiltrate data of the organization such as auto-forwarding or send phishing emails to saved contacts and expand their malicious activity. Usually, the last mailbox rules we have identified is to automatically delete their activity from the “Sent Items” folder so it will be unnoticeable by the user.

One of the ways we can help stop data exfiltration from client created rules is using Exchange Transport Rules. Implementing a Transport Rule based around the following can stop emails that are set to be Auto-Forwarded to an external address.

In summary you create a rule based on the following logic.

  • IF The Sender is located ‘Inside the organization’
  • AND IF The Recipient is located ‘Outside the organization’
  • AND IF The message type is ‘Auto-Forward’
  • THEN Reject the message with the explanation ‘External Email Forwarding via Client Rules is not permitted’.

Transport Rule

This will stop delivery of the Auto-Forward message and issue an NDR message to the sender. Exceptions can be also created if needed.

Similarly, this will help you to increase your Office365 Secure Score which now has a new security control called ‘Client Rules Forwarding Blocks’ that implements a Transport Rule to help mitigate client created rules that Auto-Forward to external addresses.

Microsoft Cloud Centralize Identity Management (Best Practice 1/10)

I always recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.

Organizations that don’t integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches.

  1. Best Practice: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity. Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.
  2. Best practice: Integrate your on-premises directories with Azure AD. Use Azure AD Connect to synchronize your on-premises directory with your cloud directory. Ensure Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity.
  3. Best practice: Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance. Also, don’t change the default Azure AD Connect configuration that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).
  4. Best practice: Turn on password hash synchronization. Password hash synchronization is a feature used to synch user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks. Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren’t connected to Azure AD. (Other Microsoft services such as MCAS will be required for this option)
  5. Best practice: For new application development, use Azure AD for authentication. Use the correct capabilities to support authentication:
    • Azure AD for employees
    • Azure AD B2B for guest users and external partners
    • Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications