Fix EOP Mailflow - Users can bypass most of EOP
While creating a mail flow rule I found a security issue with how incoming e-mail navigates to either the recipient's mailbox or system quarantine. If an end-user blocks an e-mail sender or allows an e-mail sender from within Outlook, the incoming mail from those senders is inserted into the mail flow at the Content Filtering step. From there it goes to either the quarantine or recipient mailbox.
I first confirmed this to be happening on blocked messages. I have all my junk mail in our organization going to a system quarantine instead of the junk mail folders for our users to deal with. I wanted to create a mail flow rule that would look at the e-mail header (X-Forefront-Antispam-Report) where it matches ‘SFV:BLK’. I wanted to prepend the subjects in the quarantine, so I could easily scroll through our quarantine and ignore the items my users already do not want (regardless of spam/legitimacy, they intentionally blocked it). The problem is that if the user has blocked that sender, the X-headers don't exist on the e-mail yet, or it completely bypasses the mail flow rules. This is because the message does not go through the earlier steps in EOP (i.e. transport rules)! I have mail flow rules that look at the exact same X-header, so I know it should exist at the policy filtering step.
On the flip side of this, a user can bypass the EOP steps by allowing a sender. This is what scares me, and MS O365 tech support sent me the link to this UserVoice site to make sure their 'back-end team' knows about this. If someone sends an e-mail infected with malware to 2 of our users, 1 that allowed the sender and 1 that did not, both e-mails would take a different route through EOP. The user that doesn't have the allowed sender set up would not receive the message, as it would be deleted by connection filtering or anti-malware, or quarantined due to transport rules or the spam filter. The recipient that put the sender on their allow list would receive the message in their inbox without the message passing through the connection filtering, anti-malware, or transport rule policies. This opens up many potential issues with malware, as well as allowing end-users to override strict transport mail flow policies that may be in place to block certain content, senders, etc. This can be confirmed by the inability to flag allowed-sender messages based on the X-headers in the transport rules (i.e. SFV:SFE).
According to Microsoft tech support and the MS documentation, this is by design. I’m not sure if this was initially configured this way in the back-end as a work-around to allow end-users some control over allow/block of senders in their own mailbox, or if it was just an outdated mail flow model. Hopefully Microsoft will come up with an easy solution (that still allows users to whitelist/blacklist senders) to make sure all mail is sent through all of the EOP steps to ensure the secure delivery of mail that abides by organizational control. Here is Microsoft’s EOP mail flow diagram: https://docs.microsoft.com/en-us/office365/securitycompliance/eop/exchange-online-protection-overview. The diagram doesn’t show where anti-spam message headers are injected into the message, but one thing is for sure: they don’t exist in the steps prior to the connection filter for e-mail that is allowed/blocked by our mail users. Mail gets to the quarantine or recipient mailbox without going through all the EOP steps.
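The mail flow rule the post describes (prepend the subject when X-Forefront-Antispam-Report carries SFV:BLK, and a sibling rule for SFV:SFE), written as an added Exchange Online PowerShell example that is not part of the original post. The rule names, subject prefixes and the Connect-ExchangeOnline session are assumptions; the cmdlets and parameters are the standard Exchange Online ones. The post's point is precisely that messages from senders on a user's personal allow/block list may never reach this step, so the last lines verify the rule's effect on a test message rather than assuming it fired.

```powershell
# Added example, not code from the original post. Assumes an Exchange Online
# PowerShell session (Connect-ExchangeOnline) with permission to manage rules.
Connect-ExchangeOnline

# Match the SFV:BLK verdict with a regex on the header value. The header is a
# ';'-separated list of KEY:VALUE tokens, so a pattern is more reliable than a
# whole-word "contains" test against "SFV:BLK".
New-TransportRule -Name "Tag recipient-blocked senders (assumed name)" `
    -HeaderMatchesMessageHeader "X-Forefront-Antispam-Report" `
    -HeaderMatchesPatterns "SFV:BLK" `
    -PrependSubject "[USER-BLOCKED] " `
    -Comments "Marks mail the recipient blocked in Outlook so it can be skipped in quarantine"

# Same shape for senders the recipient allowed (SFV:SFE), the case the post
# says it could not get to fire.
New-TransportRule -Name "Tag recipient-allowed senders (assumed name)" `
    -HeaderMatchesMessageHeader "X-Forefront-Antispam-Report" `
    -HeaderMatchesPatterns "SFV:SFE" `
    -PrependSubject "[USER-ALLOWED] "

# Confirm both rules exist, are enabled and sit where expected in priority order.
Get-TransportRule | Where-Object { $_.Name -like "Tag recipient-*" } |
    Format-List Name, State, Priority, HeaderMatchesMessageHeader, HeaderMatchesPatterns, PrependSubject

# Check rather than assume: after sending a test message from an address one
# recipient has blocked or allowed in Outlook, trace it and look at the subject
# and events. If the subject was not prepended, the rule never saw the message,
# which is the behaviour the post reports. Sender/recipient are placeholders.
Get-MessageTrace -SenderAddress "test-sender@example.com" `
    -RecipientAddress "recipient@example.com" `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Format-List Received, SenderAddress, RecipientAddress, Subject, Status
```

The prepended subject is the observable here: if it is missing on the traced message while the same rule fires for a recipient without a personal allow/block entry, that is the bypass the post describes, confirmed per recipient rather than inferred from the diagram.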
I hope you're right about the malware filtration taking place, but according to my phone conversations with MS and the diagram they sent me, it bypasses EOP. I may be able to test the malware filter by sending test malware into our system from a whitelisted sender address. I'm going off of Microsoft's mail flow that they sent me when they confirmed what I'm talking about is their expected behavior. If a sender address is in the recipient's allow/deny list in Outlook, it bypasses the spam filter as well as the transport/content rules (in the page you linked, transport rules are described as Phase 2). That is part of the issue. The X-headers aren't applied at all to bypassed messages. My users can allow things that we statically block in Exchange and we have no way to overrule that with our transport rules. My users also block e-mail senders (which is fine), but on the Exchange side, I can't control anything there either. I'd like to alter the subject so stuff in their junk mail is easily separated if they intentionally block it.
I'm in an Exchange Online hosted environment. No hybrid configuration. I'm not sure if it works differently in a hybrid or on-premises setup. I was able to reproduce this with Microsoft on the phone and they said they see the problem and I should take it to office365.uservoice.com. They'll probably fix this mail flow issue right after they allow DNSSEC (hahaha).
The info in the page you linked says it exits the whole spam protection pipeline and spam content filtering (it doesn't say that it bypasses anything else, but it does).
Only the spam filters are bypassed when a user adds someone to their safe senders list, not the malware or phishing filters of EOP. For a really good overview of the engine, see this blog post: https://blog.ahasayen.com/eop-exchange-online-protection-architecture/