Microsoft is integrating its Forefront filtering technology into Office 365 and BPOS to make it easier for Exchange admins to let go

I was surprised to learn last week at Microsoft’s MVP Summit that most Exchange MVPs haven’t been invited to the private beta for Office 365. Yet here I was, a new MVP, with beta access, thanks to my columnist connection with InfoWorld, no doubt. (Several InfoWorld editors have Office 365 beta accounts, and InfoWorld has published its own take on Office 365’s strengths and weaknesses in its beta incarnation.) It was a no-brainer that I should make friends with my colleagues and peers by giving everyone who wanted it access to Office 365 — which is what I did.

In the process of playing with Office 365 and talking to my MVP colleagues, something new came on the radar: Forefront Online Protection for Exchange (FOPE, pronounced “fa-pee”) is now integrated within the Mail Control security settings. Thus, every Exchange Online customer, of both Business Productivity Online Suite (BPOS) and Office 365, is a FOPE customer.

FOPE is a hosted service that protects both incoming and outgoing mail from spam, viruses, phishing scams, and email policy violations through a variety of layered technologies. It’s the latest iteration of what had been previously named Exchange Hosted Filtering (EHF) and Forefront Online Security for Exchange (FOSE).

FOPE is a powerful tool in the hands of Office 365 administrators. It uses a bevy of antivirus engines, including those from Kaspersky, Symantec, and Authentium, all three of which scan messages. The FOPE service-level agreement claims it detects 100 percent of known viruses.
FOPE servers query the antivirus vendors for support updates to signatures every 15 minutes. FOPE can drill down into archive files (compressed Zip files and the like), but it cannot scan password-protected or encrypted files — FOPE doesn’t have access to the passwords or encryption keys.

Keep in mind that FOPE doesn’t work with just Office 365; you can also use it to scan mail that comes in via your own Exchange servers. The custom spam filters can allow or block IP addresses, sender domains, sender addresses, and recipient addresses. FOPE doesn’t quarantine a virus upon discovery — it deletes the intruder. For spam, you can set it to quarantine or delete the messages as you prefer.

FOPE spam and virus scans work with your existing edge and hub transport servers in Exchange (if you aren’t using Office 365) to stamp mail; FOPE also adds either a header to the message or a spam confidence level (SCL) rating to help internal servers better manage spam.

Out of the box — or out of the cloud, in the case of Office 365 — FOPE allows for only a handful of mail flow scenarios. For example, you can use it for a fully hosted Exchange environment and a full on-premises environment. But to implement FOPE across a mix of hosted and on-premise Exchange environments, you need connectors that enable complex mail flow paths and allow administrators to provide more granular control.

For example, as is, FOPE lets you create policy rules, but adding connectors lets you provide policies at the network edge, which allow for greater control over every stage of mail flow. Thus, you can establish inbound connectors that examine mail coming into customer domains by looking at the connection (source IP, source domain), the security (opportunistic and forced TLS, aka Transport Layer Security), and the filtering (connection, spam, policy).
You can also configure outbound connectors.

Here are examples of the workflows possible with connectors:

- Connectors allow for shared address space with hosted and on-premise Exchange environments, where the MX record points to FOPE with hosted and on-premise mailboxes.
- You can have shared address space with on-premise address rewrite, where the MX record points on premise with hosted and on-premise mailboxes.
- You can have regulated partners with forced TLS (the MX record points to the partner with hosted mailboxes), which requires inbound and outbound TLS to secure all routing channels with business-regulated partners.
- You can have outbound smart host (the MX record points to FOPE with mailboxes on premise or hosted) where FOPE is a smart host, redirecting outbound mail to an on-premise server that performs additional filter work on that mail before sending it out.
- You can have inbound safe listing (the MX record points to FOPE with mailboxes on premise or hosted), which allows inbound mail sent from addresses that are on an IP safe list to skip IP address filtering.

Microsoft is really pushing its cloud services, and by integrating FOPE into BPOS today and Office 365 when it becomes available, Microsoft is making it easier for administrators to consider relinquishing more of their on-premise control to a Microsoft-hosted service. It will be interesting to see how Exchange administrators react.

This article, “Delving into Office 365’s email security,” was originally published at InfoWorld.com. Read more of J. Peter Bruzzese’s Enterprise Windows blog and follow the latest developments in Windows at InfoWorld.com.
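
The inbound connector checks (connection, TLS mode, filtering) and the inbound safe-listing workflow described above can be modelled as a short decision function. This is an added example, not FOPE's implementation or code from the original article; the class and function names, the rule that both source IP and source domain must match, the assumption that spam and policy filtering still run for safe-listed senders, and the sample addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

def in_any(ip, networks):
    """True if ip falls inside any CIDR range in networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

@dataclass
class InboundConnector:  # hypothetical model, not a FOPE API
    source_networks: list            # connection: source IP ranges
    source_domains: list             # connection: sender domains
    tls_mode: str = "opportunistic"  # security: "opportunistic" or "forced"
    ip_safe_list: list = field(default_factory=list)

def evaluate(conn, ip, domain, used_tls, ip_blocklist):
    """Return (verdict, filtering stages run) for one inbound connection."""
    # Assumption: a connector applies only when both IP and domain match.
    if not (in_any(ip, conn.source_networks)
            and domain.lower() in conn.source_domains):
        return "no-match", []
    # Forced TLS refuses plaintext; opportunistic TLS lets it through.
    if conn.tls_mode == "forced" and not used_tls:
        return "reject-no-tls", []
    stages = []
    # Safe listing skips only IP address filtering, as the article says;
    # spam and policy filtering still run (assumed).
    if not in_any(ip, conn.ip_safe_list):
        stages.append("connection")
        if in_any(ip, ip_blocklist):
            return "reject-ip-blocked", stages
    stages += ["spam", "policy"]
    return "accept", stages

# Constructed sample data (RFC 5737 documentation addresses).
PARTNER = InboundConnector(["192.0.2.0/24"], ["partner.example"],
                           tls_mode="forced", ip_safe_list=["192.0.2.10/32"])
IP_BLOCKLIST = ["192.0.2.0/25"]

if __name__ == "__main__":
    for ip, tls in [("192.0.2.10", True), ("192.0.2.20", True),
                    ("192.0.2.10", False), ("192.0.2.200", True)]:
        print(ip, tls, evaluate(PARTNER, ip, "partner.example", tls, IP_BLOCKLIST))
```

The safe-listed host 192.0.2.10 is accepted even though its range is on the block list, yet the same host is refused when it connects without TLS, which shows that safe listing and forced TLS are independent controls.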