Impersonation Protection delivers emails to Junk Folder

Posted on by Adam Fowler

Impersonation Protection in Microsoft Defender for Office 365 is part of the Anti-phishing policies, designed to take action if an external email comes in with a match, or near match, to the display name of an employee.

The actions you can take when a match is made are:

  • Redirect message to other email addresses
  • Move message to the recipient’s Junk Email folders
  • Quarantine the message
  • Deliver the message and add other addresses to the Bcc line
  • Delete the message before it’s delivered
  • Don’t apply any action

What I wanted to do, was deliver the message and add other addresses to the bcc line. This could be used to send a copy of the email to helpdesk for investigation, as Impersonation Protection tends to get a lot of false positives from services that like to use people’s actual names from emails they generate, or from people using a personal account to email other employees.

What I found was that the action was applied, but the email was then delivered to the Junk Email folder. If I wanted that to happen, I would have selected the ‘Move message to the recipient’s junk email folders’ option. After logging a case with Microsoft, I found out why.

Any time an email is detected as an Impersonation Protection, and the mail is still allowed to flow through, it will set the header as SCL 5. As per Office 365 standards, this will deliver the email to the recipient’s junk mail folder.

It makes the choices on what actions to take in the Impersonation Protection settings rather misleading; but there is one option that’s still reasonable – Quarantine the message. This should trigger a fairly quick quarantine digest to the recipient for review, allowing them to review and decide if it should be released. If released, it will then deliver to the Inbox rather than Junk Mail.

Security Panel Discussions / Table Talks for March 2021

Posted on by Adam Fowler

For March 2021, I’m lucky enough to be doing two different events around Security, and they’re both free to attend!

First is for Microsoft Ignite where on Thursday, March 4|11:30 AM – 12:00 PM ACDT I’ll be in the event Table Talk: Security Best (and Worst) Practices where we’ll talk for half an hour about what bad security practices we hear and see, and how to make them better. That session was 100% full last time I checked, but you might get in if someone drops out, so have a look. There’s also a huge amount of other Microsoft Ignite content that isn’t people limited, so register now if you haven’t already

Then, on March 11, 2021 10:30 AM – 12:00 PM CET (convert to your local time by adding your city here) I’ll be in another event being run by Acronis:

A New Playbook to Protect Your Users from Cyberthreats in 2021

The online event is free, and I’ll be a part of the round table / panel discussion on “Reality Check. Why SMBs are Targets”.

Looking forward to that one too, as it’s my first time chatting with the Acronis team and I’m sure they’ll have some great discussion points for us.

I even went out and bought a Blue Yeti USB Microphone for that proper speaker experience, rather than wearing a gaming headset :)

Since Covid hit, everyone has had to move all these events on line. What I’ve personally realised as both an attendee and presenter, is that the round table style is generally a lot more enjoyable to both be a part of, and listen to. It’s like a podcast really, with people talking about the topics they’re passionate about. Sure, there’s a general idea on what dot points will be discussed, but beyond that, it’s people talking off the top of their head on things they know, and bouncing off each other.

This revelation came to me at the end of 2020, when we did a user group round table on ‘How to stay up to date with Microsoft’ – I co-run the Adelaide Microsoft IT Pro Community, and had a great time chatting with Andrew, Brett, and Tiffany.

I’m really looking forward to both of these events, and hopefully get a chance to do more in the future!

How to (really) factory reset a Poly CCX 500

Posted on by Adam Fowler

Hi,

Quick one here, I was testing a few Poly CCX 500 devices for Teams Calling, and wanted to do a factory reset.

The official documentation says:

Procedure

  1. Disconnect the power, then power on the Poly phone.
  2. As soon as the Poly logo shows on the screen, press and hold the four corners of the LCD display. Note: It may take several tries to get the timing right or to find the correct spots to press on the LCD display.
  3. Release the LCD display when the Mute indicator on the lower-right corner of the phone begins flashing red, amber, and green.

However, I tried this many times without success. Doing large crab claw fingers to cover the 4 corners of the screen was doing nothing beyond hurting my fingers.

I ended up working out it was a timing thing, and the Poly logo shows twice. It will first show, then go to a black screen for a second or two, then re-show the Poly logo. If you press the 4 corners before the Poly logo comes up for the second time – nothing happens. You have to press the 4 corners of the touch screen straight away AFTER the Poly logo has come up for the second time. It won’t register if you do it earlier, and leave your fingers in the right place.

They actually have a video showing this correctly:

https://community.polycom.com/t5/video/gallerypage/video-id/6198164788001

Hope this saves someone time! I assume this is the same for CCX 400, CCX 600, Poly Trio C60 etc but haven’t tested those.

Note the default admin password for these phones is ‘456’ and you should be changing this, which is easily done automatically via a Teams Configuration Profile

How to Backup Office 365 Mailboxes with Altaro

Posted on by Adam Fowler

Backing up mailboxes in Exchange Online as a part of the Office 365 or Microsoft 365 suite is always a debated topic – some will argue that Microsoft have enough redundancy and backups in their own environments so you don’t need a third party solution and you’ll always be able to get your data back. However, this hasn’t been proven yet (thankfully) in a real world event where mailbox data has been lost by Microsoft. It also doesn’t cover scenarios where there’s outages, account problems or other connectivity problems that can delay your access to your cloud based data. Is it a risk each company will need to decide if it’s worth an investment into reducing.

Altaro asked me to have a look at their product – Altaro Office 365 Backup – to provide a quick run-through on setting it up and seeing what it does. Their solution is fully cloud based, so you don’t need any extra hardware to get going. You can set up a 30 day free trial here. Once signed up, here’s what to do:

After logging in from the link you’ll be emailed, you’ll be presented with this screen:

The wizard here will take you through the setup required, starting with a Company Name and your domain configured in Office 365 (which you can get from https://admin.microsoft.com/Adminportal/Home#/Domains) – I had to use my primary:

Next, you’ll need to grant access for Altaro to be able to access data in your tenant, which makes sense since you want them to back it up:

Following the links you’ll get the standard window advising you what permissions you’re granting and to whom:

If it worked, a successful message will show and you can go back to the setup wizard:

After doing this three times, you can go to the next step where you can choose which users to back up – which as it says, will be this data: “Office 365 User Backups consist of Emails, Calendars & Contacts within Mailboxes and Files stored within OneDrive accounts.”, then “SharePoint Backups consist of Files stored within SharePoint Document Libraries.”

If it all goes well, you’ll then get to the final screen showing a successful setup:

That’s it – backup has been set up. Of course your data won’t be in there instantly, the first backup happens over 24 hours, and then up to 4 times a day ongoing. You can choose if new users are automatically added to backup plans or not, which should turn this into a set and forget backup system.

Set and forget only works if you’re alerted around issues, which is possible in the Alert Settings – you can choose what sort of alerts you receive, such as if a backup job failed:

Restoring is also an easy process – for example if you want to restore an entire mailbox, the Mailbox Restore wizard will take you through the steps and ask where you want to restore – onto that user’s mailbox, another user’s mailbox, an Outlook PST file, or a ZIP file containing each mail item as an individual file:

You can also use the Granular Restore option, to search and restore particular items rather than entire mailboxes and accounts. The granular restore has the same options as the full restore for destinations, so there’s a lot of flexibility based on what you’re after:

If you can’t find what you’re looking for, the ‘Advanced Search’ option lets you define what you’re looking for:

Pricing for Office 365 Backup by Altaro is available at https://www.altaro.com/office-365-backup/#faqs and is a per user, per type (either mailbox or mailbox + OneDrive + SharePoint) model. This also includes 24/7 support and unlimited storage for backups.

After setting this up and trying out all the options, I’m confident in saying this is as good as you could hope for, from a turn-key solution. Setup is literally a few minutes, there’s no software to install anywhere and no infrastructure requirements. The data Altaro backs up is held forever (yes, infinite retention!) assuming you still have a valid subscription. The data is stored in Microsoft Azure, but only in West Europe at the time of writing – so if you have data sovereignty requirements, you’ll need to assess this.

Download your free 30-day trial of Altaro Office 365 Backup

Organization Branding for Safe Link Warnings

Posted on by Adam Fowler

Two new little features have turned up for Safe Links as part of the Microsoft 365 Security & Compliance suite.

  • Display the organization branding on notification and warning pages

The first option is to show your organization’s branding on warning pages. This should help users identify that it’s a legitimate warning they’re seeing, as default Microsoft warning pages are often used by malicious actors to look legitimate themselves.

  • Use custom notification text

This lets you put a message that sounds like it’s actually from your own company when a webpage gets blocked. This means you can put in contact details or a process you want users to follow when they hit a site – which could be sending an email or calling helpdesk.

Here’s how the custom text and logo looks on a blocked page:

The custom branding will appear above this warning as a banner and a small logo for your company.

If you haven’t set up branding already, have a read on Microsoft Docs on how to do it for Azure AD and Microsoft 365 (do both!).