Exchange Online

Hornetsecurity Overview – 365 Total Protection


The Microsoft 365 Suite contains a lot of different solutions; and varying levels of security on those solutions, depending which tier of licensing you have. Microsoft’s security answers have varying levels of user experience, technical requirements, and administrative burdens.

For example, if you’ve used Microsoft native solutions to look at mailflow regularly compared to third-party solutions, you’d probably agree that Microsoft do not provide a quick and easy experience in troubleshooting why an email didn’t arrive. If you have to go back more than 2 days, then you’ll potentially have to wait a few hours just to get the results of the mailflow steps.

Third-party solutions must compete with Microsoft in their own space for security solutions, which means they need to be adding value somehow; cheaper, easier to use, more features, and/or quicker.

Hornetsecurity’s answer to this is their 365 Total Protection solution. I’m fairly experienced with Microsoft’s first party offerings, and a few other third-party mail security solutions, so was interested to see how this stacked up and where it might fit.

Hornetsecurity shows the 3 different tiers of licensing, and an option to start a free trial:

The above pricing based on the feature set seems quite reasonable to me, and from the page you can click on each feature and see more information including a screenshot.

The free trial process is well documented – the first page lays out what you’re in for which will unsurprisingly require tenant admin access to approve tenant permissions for Hornetsecurity.

Once you accept the permission request, a synchronisation will start. As I’m doing this in my own tenant of 1 user, it took about 20 seconds to perform. You’ll then need to update MX records so mail flows through the Hornetsecurity service, so it can do many of the services listed.

Not all services rely on mail flow, there is also an Outlook add-in. For older versions of Outlook it can be downloaded and installed like a traditional add-in, or there’s the much nicer modern method that’s controlled from inside Microsoft 365 admin center to deploy and show for users (I wish more vendors did this!).

Either way, the Outlook add-in provides several functions such as being able to report emails, block/allow emails, and view archived emails.

Some other notable features of the 365 Total Protection solution:

  • Email Archiving – something Microsoft can do, but don’t do a great job of exposing the archived emails. 10 years of email retention should be more than enough for most companies, and even if you have archiving enabled in your tenant natively, this gives you a backup of all your emails.
  • Email Live Tracking – a real time view of mail flow that works quickly and doesn’t require reports to be generated after 2 days that are CSV files.
  • Individual User Signatures – Centralised signatures that are also monitored for people who decide to change them away from the company standard. Different groups can get their own style of signature too. Microsoft still has nothing in this space natively and is still in the early days of having a signature saved to someone’s profile.
  • eDiscovery – Being able to search quickly across all emails in the company for keywords is a handy thing. Another one that Microsoft can do, but it’s clunky and far from quick.
  • Email Continuity Service – If Microsoft’s mail services go down, you can keep going until they’re back – delivering and sending emails directly through Hornetsecurity, then syncing up what happened after the event.
  • Automated backups for mailboxes, Teams, OneDrive and Sharepoint – this is really where all your Microsoft 365 data will live. Again, it gives you somewhere this data can be backed up and restored outside of Microsoft’s ecosystem.

There is of course a lot of security aspects to the solution such as Forensic Analyses, URL Malware Control and Realtime Threat Reports, but I quite like the Malware ex-post alert and Malware ex-post deletion. Malicious emails that get through on any system (and I’ve seen this with other third-party solutions as well as Microsoft) need to be detected and cleaned up, as well as investigated on whether anyone clicked the link. This ties into URL Malware control, which will do URL rewriting. Microsoft do this natively, but I’ve found the cleanup aspect can take a little while to perform and isn’t a seamless process from detection to cleanup.

One last point – it is good to see that they have a data centre in Australia as I see many of these companies ignore our region, which makes it hard when you need to keep your data in-country.

I look forward to playing around with Hornetsecurity further. If you’re curious too, then check out their free trial here.

SMTP to Exchange Online

SMTP is still needed by certain applications and devices, such as printers, which don’t support Modern Authentication and instead require legacy authentication to talk to a SMTP server.

You are able to use Exchange Online as an SMTP server, but this can be tricky to set up if you’ve hardened your environment by requiring Multi-factor authentication through Security Defaults or Conditional Access.

Microsoft have good documentation on “How to set up a multifunction device or application to send email using Microsoft 365 or Office 365” with the recommended approach to use SMTP, but you may need to poke some security holes through your environment.

Assuming you can get out through your firewalls on port 587 or 25 for SMTP, you’ll need to turn off Azure AD Security Defaults if you have them on. If you do this, understand what you’re turning off and rebuild those same settings in Conditional Access. If you have them off, then you should have Conditional Access policies already.

Personally, I have a ‘Block Legacy Authentication’ conditional access policy which as it says, blocks legacy authentication. For an account I want to send emails from via SMTP, I add it as an exception to this policy.

I then have a second policy ‘Allow Legacy Authentication Internal Only’ which I then target this user at, which still blocks legacy auth unless it’s coming from a trusted IP address. These two rules together then block all users from legacy auth, except the ones on the second policy, and then only if they’re coming from inside my network. The goal of this is to prevent anyone externally using spray attacks against accounts to gain a username and password – although they couldn’t log in anywhere beyond SMTP due to MFA policies, they could still start sending emails that would be from a legitimate email address.

If you have IPs restricted on Exchange Online connectors, that does not appear to affect SMTP auth and you shouldn’t need to add your internal IPs there.

The account you want to use for SMTP sending must have a mailbox license, I use ‘Exchange Online Plan 1’ for one of the cheaper options that is pure mailbox. The SMTP settings are listed here.

You also need to allow SMTP auth across your organisation (not ideal), or on a per account basis (much better security wise, plus it overrides the org default – so you can disable at org level and allow at account level). Microsoft Docs covers this in detail but the command (which requires connecting to Exchange Online via PowerShell first) to allow on a single mailbox is:

Set-CASMailbox -Identity [email protected] -SmtpClientAuthenticationDisabled $false

Once these policies and licenses is in place, you can test. The easiest way I found was a 1 liner PowerShell command. You must use the source mailbox’s account as the from address:

Send-MailMessage –From [email protected] –To [email protected] –Subject "Test Email" –Body "Test SMTP Service from Powershell on Port 587" -SmtpServer smtp.office365.com -UseSsl -Port 587 -credential $madeupvariable

When testing, I found that after changing the Conditional Access rules to let a specific account go through as legacy auth took several minutes. Azure AD logs also take several minutes to show auth attempts, so don’t rush and change too many things at once trying to do this.

Ideally, nobody would be using SMTP – but in the real world we still have to, so the above will at least keep login records in Azure AD, and limit it to trusted IPs, certain accounts, or any other Conditional Access rules you can come up with to reduce the risk of allowing this.

Impersonation Protection delivers emails to Junk Folder

Impersonation Protection in Microsoft Defender for Office 365 is part of the Anti-phishing policies, designed to take action if an external email comes in with a match, or near match, to the display name of an employee.

The actions you can take when a match is made are:

  • Redirect message to other email addresses
  • Move message to the recipient’s Junk Email folders
  • Quarantine the message
  • Deliver the message and add other addresses to the Bcc line
  • Delete the message before it’s delivered
  • Don’t apply any action

What I wanted to do, was deliver the message and add other addresses to the bcc line. This could be used to send a copy of the email to helpdesk for investigation, as Impersonation Protection tends to get a lot of false positives from services that like to use people’s actual names from emails they generate, or from people using a personal account to email other employees.

What I found was that the action was applied, but the email was then delivered to the Junk Email folder. If I wanted that to happen, I would have selected the ‘Move message to the recipient’s junk email folders’ option. After logging a case with Microsoft, I found out why.

Any time an email is detected as an Impersonation Protection, and the mail is still allowed to flow through, it will set the header as SCL 5. As per Office 365 standards, this will deliver the email to the recipient’s junk mail folder.

It makes the choices on what actions to take in the Impersonation Protection settings rather misleading; but there is one option that’s still reasonable – Quarantine the message. This should trigger a fairly quick quarantine digest to the recipient for review, allowing them to review and decide if it should be released. If released, it will then deliver to the Inbox rather than Junk Mail.

How to Backup Office 365 Mailboxes with Altaro

Backing up mailboxes in Exchange Online as a part of the Office 365 or Microsoft 365 suite is always a debated topic – some will argue that Microsoft have enough redundancy and backups in their own environments so you don’t need a third party solution and you’ll always be able to get your data back. However, this hasn’t been proven yet (thankfully) in a real world event where mailbox data has been lost by Microsoft. It also doesn’t cover scenarios where there’s outages, account problems or other connectivity problems that can delay your access to your cloud based data. Is it a risk each company will need to decide if it’s worth an investment into reducing.

Altaro asked me to have a look at their product – Altaro Office 365 Backup – to provide a quick run-through on setting it up and seeing what it does. Their solution is fully cloud based, so you don’t need any extra hardware to get going. You can set up a 30 day free trial here. Once signed up, here’s what to do:

After logging in from the link you’ll be emailed, you’ll be presented with this screen:

The wizard here will take you through the setup required, starting with a Company Name and your domain configured in Office 365 (which you can get from https://admin.microsoft.com/Adminportal/Home#/Domains) – I had to use my primary:

Next, you’ll need to grant access for Altaro to be able to access data in your tenant, which makes sense since you want them to back it up:

Following the links you’ll get the standard window advising you what permissions you’re granting and to whom:

If it worked, a successful message will show and you can go back to the setup wizard:

After doing this three times, you can go to the next step where you can choose which users to back up – which as it says, will be this data: “Office 365 User Backups consist of Emails, Calendars & Contacts within Mailboxes and Files stored within OneDrive accounts.”, then “SharePoint Backups consist of Files stored within SharePoint Document Libraries.”

If it all goes well, you’ll then get to the final screen showing a successful setup:

That’s it – backup has been set up. Of course your data won’t be in there instantly, the first backup happens over 24 hours, and then up to 4 times a day ongoing. You can choose if new users are automatically added to backup plans or not, which should turn this into a set and forget backup system.

Set and forget only works if you’re alerted around issues, which is possible in the Alert Settings – you can choose what sort of alerts you receive, such as if a backup job failed:

Restoring is also an easy process – for example if you want to restore an entire mailbox, the Mailbox Restore wizard will take you through the steps and ask where you want to restore – onto that user’s mailbox, another user’s mailbox, an Outlook PST file, or a ZIP file containing each mail item as an individual file:

You can also use the Granular Restore option, to search and restore particular items rather than entire mailboxes and accounts. The granular restore has the same options as the full restore for destinations, so there’s a lot of flexibility based on what you’re after:

If you can’t find what you’re looking for, the ‘Advanced Search’ option lets you define what you’re looking for:

Pricing for Office 365 Backup by Altaro is available at https://www.altaro.com/office-365-backup/#faqs and is a per user, per type (either mailbox or mailbox + OneDrive + SharePoint) model. This also includes 24/7 support and unlimited storage for backups.

After setting this up and trying out all the options, I’m confident in saying this is as good as you could hope for, from a turn-key solution. Setup is literally a few minutes, there’s no software to install anywhere and no infrastructure requirements. The data Altaro backs up is held forever (yes, infinite retention!) assuming you still have a valid subscription. The data is stored in Microsoft Azure, but only in West Europe at the time of writing – so if you have data sovereignty requirements, you’ll need to assess this.

Download your free 30-day trial of Altaro Office 365 Backup

Cloud Voicemail and Out of Office Greetings

Earlier this year, Microsoft changed how voicemail worked for Skype for Business on-premises customers. There was little difference to end users when Unified Messaging changed to Cloud Voicemail, but it did break a few Auto Attendant options for those not in the cloud.

At the time I remember it being rather difficult to find out information on, and the good contacts I had at vendors also struggled to gather intel on how the change would go.

In the end, the migration happened and it was thankfully a non-event. What I didn’t realise at the time, was that it introduced a new portal for Voicemail settings at https://admin1.online.lync.com/lscp/usp/voicemail (which has slight variations where you are in the world, for Australia it’s https://admin1au.online.lync.com/lscp/usp/voicemail – but the links seem to redirect to where they need to go) and there’s a few interesting settings:

The Call Answer Rules section (Choose how you want your calls to be handled when they reach the voicemail service) lets you pick what happens when someone hears your voicemail, including the last option ‘Play greeting, then allow the caller to recording a message or transfer to the target user’. If you set this, you can then enter the number you want calls to go to if someone does press ‘0’ – such as Reception, or your mobile phone. The default setting is ‘Play greeting, then allow the caller to record a message’.

The Prompt Language section (Changing this setting will change the greeting prompt language) will change the language and accent of the greeting – so if you’d like them to sound Australian, you can choose that.

The Configure Out of Office greeting section (Customize an Out of Office greeting message, and choose to play it to callers all the time, based on your Outlook auto-reply status, or calendar OOF status) was the one I liked the most. It can sync with your mailbox to know when you’re Out of Office via your current Outlook status (either with an autoreply, or just in a meeting with the status ‘Out of Office’), and when true, give a different message to the caller saying you’re out of the office.

There’s also another option Text-to-Speech Customized Greeting Option (Customize your Text-to-speech greeting message) that lets you customise the generic Out of Office greeting to whatever you like. Although you can only type your greeting message, the text-to-speech works really well and sounds natural.

To me, this is great. I can set a generic ‘I’m out of the office, please call X on this number’ which only plays when I’m actually out of the office. If I’m not, then a caller will hear my standard greeting and can leave a message, instead of hassling co-workers. I don’t have to remember to set it or change it, it just applies if I do the right thing in my Outlook calendar.

If you’ve got Cloud Voicemail; which you should if you’re on Skype for Business, Skype for Business Online, or Microsoft Teams as your phone system, check it out and save yourself some time from changing your voicemail when you go on leave, or just have a meeting when you’re not around.