Introduction

Historically, allowlists have caused Exchange Online Protection to ignore the signals indicating that an email is malicious. It is commonplace for vendors to request that IPs, domains, and sender addresses be overridden when this is unnecessary. Attackers are known to take advantage of this mistake, so unnecessary allowlist entries are a pressing security loophole. This step-by-step guide walks you through using advanced hunting to identify these misconfigured overrides and remove them, improving your organization's security posture.

What you need

  • Microsoft Defender for Office 365 Plan 2 (Included in E5 plans, or trial available at aka.ms/trymdo)
  • Sufficient permissions (Security reader role)
  • 5-10 minutes to do the following procedures.

Common steps for all the below queries

  1. Sign in to the security portal and navigate to advanced hunting.
  2. Enter the KQL query into the query box, and press Run Query.
  3. When individual emails are shown in the results, selecting the NetworkMessageId hyperlink opens a flyout that gives easy access to the email entity page, where the Analysis tab provides further details, such as the transport rules the email matched.
  4. The results can also be exported by pressing Export for offline manipulation and analysis.

Tip

Changing OrgLevelAction to UserLevelAction lets you search for email warnings that were overridden by users rather than administrators, which can also be a useful insight.

Queries

Top override source

Use this query to find where the most unnecessary overrides are located. It looks for emails that were overridden without any detection that needed an override.

EmailEvents
| where OrgLevelAction == "Allow"
| summarize count() by OrgLevelPolicy, ThreatTypes

Top overridden threat type

Use this query to find the most overridden types of detected threat. It looks for emails whose detected threat was overridden; DMARC or Spoof in the results indicates email authentication issues that can be fixed to remove the need for the override.

EmailEvents
| where OrgLevelAction == "Allow" and ThreatTypes != ""
| summarize count() by DetectionMethods

Top overridden IPs

This query looks for emails that were overridden by IP, without any detection that called for an override.

EmailEvents
| where OrgLevelAction == "Allow" and ThreatTypes != ""
| summarize count() by SenderIPv4
| top 10 by count_

Top overridden domains

This query looks for emails that were overridden by sending domain without any detection that called for an override. (Change SenderFromDomain to SenderMailFromDomain to check the 5321.MailFrom.)

EmailEvents
| where OrgLevelAction == "Allow" and ThreatTypes != ""
| summarize count() by SenderFromDomain
| top 10 by count_

Top overridden senders

This query looks for emails that were overridden by sending address without any detection that required an override. (Change SenderFromAddress to SenderMailFromAddress to check the 5321.MailFrom.)

EmailEvents
| where OrgLevelAction == "Allow" and ThreatTypes != ""
| summarize count() by SenderFromAddress
| top 10 by count_
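The queries above each answer one question at a time. The following combined query is an added example (not from the original article) that, for every override policy and sending domain, splits the allowed mail into emails with no detected threat (the override was unnecessary) and emails where a threat was detected but still allowed (the override masked a signal). It uses the same EmailEvents columns as the queries above; the 30-day window, the 20-row limit and the output column names are assumptions.

```kql
// Added example, not part of the original article.
// Split allowed emails by whether a threat was detected, per override source.
EmailEvents
| where Timestamp > ago(30d)               // assumed look-back window
| where OrgLevelAction == "Allow"          // swap for UserLevelAction to see user overrides
| summarize
    AllowedTotal     = count(),
    NoThreatDetected = countif(isempty(ThreatTypes)),    // override not needed
    ThreatDetected   = countif(isnotempty(ThreatTypes)), // override hid a detection
    ThreatTypesSeen  = make_set_if(ThreatTypes, isnotempty(ThreatTypes), 10),
    SampleMessageId  = take_any(NetworkMessageId)        // open in the email entity page
    by OrgLevelPolicy, SenderFromDomain    // use SenderMailFromDomain for the 5321.MailFrom
| extend PctThreatDetected = round(100.0 * ThreatDetected / AllowedTotal, 1)
| order by ThreatDetected desc, AllowedTotal desc
| take 20
```

Rows with a high NoThreatDetected count are candidates for removing the override entirely; rows with a high ThreatDetected count are the ones to review first, using SampleMessageId to reach the email entity page.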

Learn More

Hopefully you found this article useful and these basic queries a helpful start with advanced hunting. To learn more, check out the following articles:

Learn more about advanced hunting: Overview - Advanced hunting.

Learn more about authentication: Email Authentication in Exchange Online Protection.