Exchange News

Getting Ready for Basic Auth Deprecation in Exchange Online
In this session, Greg Taylor discusses the roadmap for basic authentication, all the great work done so far, and how organizations can opt to keep basic auth until December. Topics include:

• Organizations leveraging basic auth are more suspectible to compromise (1:10 mins)

• 99%+ of password spray attacks use legacy auth
• 97%+ of credential stuffing use legacy auth
• 60% of users re-use passwords
• 921 password attacks every second (almost double last year
• 50 million password attacks launched every day (Q4 2021)

• POP
• IMAP
• EWS
• MAPI
• RPC
• OAB
• ActiveSync
• Exchange Online Remote PowerShell

• Autodiscover
• SMTP AUTH

• Prior delay due to needing more time
• Prior delay due to pandemic
• Disabled basic auth for tenants not using it
• Disabled basic auth for protocols not using it
• Disabled basic auth temporarily for some tenants for 48 hours
• Disabling basic auth for all tenants October 1st, 2022 (unless opt-out or extension requested)
• Backfill disabling basic auth in tenants with security defaults enabled, test tenants, etc.
• Basic auth deprecation for 21Vianet will begin on March 31st, 2023

Microsoft Exchange Tips and Tricks
In this session, Scott Schnoll shares his top Exchange tips and tricks. Topics include:

• Exchange Server codebase (2:43 mins)
  • Exchange Server major releases and cumulative updates were historically forks of the Exchange Online code. This could introduce code not applicable to Exchange on-prem or introduce bugs.
  • Exchange Online and Exchange Server now have separate codebases
  • Exchange Online features are ported and fully validated in Exchange Server when desired
  • Separate codebase means less changes for on-prem customers and less chance of update regression
  • Exchange Server team retroactively cleaning up code that only applies to Exchange Online
• Current Exchange landscape (6:10 mins)
  • Most customers still on Exchange 2013 or 2016
  • Over a 2-week period 500,000 Exchange Servers submitted analytics to Microsoft.
  • 100,000 running Exchange 2019
  • 50,000 running Exchange 2010
  • Few thousand running Exchange 2007
• Customers struggle to stay on latest cumulative update

• 25% on latest CU
• 44% on N-1 CU
• 7% on N-2 CU
• 24% on unsupported CUs

• 13% of Ex13 CU23 on the latest SU
• 33% of Ex16 CU22 on the latest SU
• 50% of Ex16 CU23 on the latest SU
• 65% of Ex19 CU11 on the latest SU
• 50% of Ex19 CU12 on the latest SU

• Available as both a MSP and self-extracting EXE package
• Self-extracting EXE package automatically elevates with administrative rights.
• EXE added to address issue where MSP file was not run with elevated permissions which resulted in installations issues.

• Up to $26k awarded per bounty
• $127k awarded in bounties

• TLS 1.3 support for Exchange in H2 2023
• Supported Exchange versions can leverage Windows Server 2022 DCs

• HCW will allow admins to pick which steps to perform or skip
• HCW will support a what-if function so admins can see what the HCW will change
• Scheduled for H1 2023

• 300k server
• 175 datacenters
• 210 network POPs
• 1.4 EB of data
• 42 trillion items
• 7.3 billion mailboxes
• Daily Stats

• 9.2 billion messages
• 2.4 billion spam blocked
• 1.9 trillion items read/opened

• MRM Retention Tags, MRM Retention Policies, and Journal rules moved to Microsoft Purview
• Changes to Tenant Allow/Block Lists (TABL)
• Custom email notifications and policy tips added to DLP policies
• 42 new sensitivity labels added to protect credentials

• Exchange Online PowerShell v3 module will be GA on September 20th, 2022.
• Ability to block sender, URL, or attachment while submitting to Microsoft for analysis
• Configure label to apply S/MIME automatically (expected October 2022)

• Identifies Exchange Servers that are behind on CUs, SUs, or are out of support
• Currently in private preview.

• Exchange Online PowerShell Module v1 retires on Dec 31st, 2022
• Classic Exchange Admin Center going away on Jan 2023
• Replace action going away on Anti-Malware policies. Any existing policies will be converted to Block action instead. This work is currently in progress.
• Redirect messages in the Anti-Malware policy will only be available for the Monitor action.
• Basic authentication going away

Deep Dive on Hybrid Mail Flow
In this session, Hien Nguyen takes a deep dive into hybrid mail flow tackling topics such as message attribution, configurations that could impact hybrid mail flow from being stamped as internal, and advanced routing topics such as other tenants being able to bypass your MX records. Topics include:

• The Challenge (2:28)
  • Making two separate Exchange environments (Exchange Online and On-prem) appear as one.
  • We want this, so it is seamless for the user and provides minimal (if any) impact on the business.
  • We implement this with the Hybrid Configuration Wizard
• The Solution (3:11)
  • MRS moves mailboxes maintaining the existing Outlook profiles and OSTs
  • Organization relationships to allow for free/busy, OWA redirection, and Mail Tips
  • Trusted mail flow between Exchange Online and on-prem
• Concepts (3:45)
  • The difference between internal mail is that it is authenticated (external is anonymous)
  • Mail can be authenticated when sent via Outlook, SMTP Auth, or a secure connector.
  • Physical location does not matter when it comes to authenticating mail
• Internal vs. External (4:50)
  • On-prem Recipient <> EXO recipient should always be marked as internal
  • If not, the messages can be externally tagged, subject to spam and phishing policies, messaging to distribution lists can fail, incorrect OOF, and problems booking resources
  • We can track if a message is considered internal (authenticated) or external (anonymous) via message headers using the X-MS-Exchange-Organization-AuthAs attribute
• SCENARIO: On-prem to Office 365 (6:40)
  • For mail to be processed as INTERNAL
    • Tenant.mail.onmicrosoft.com must be an accepted domain on-prem
    • Send Connector in Exchange On-Prem must be set to CloudServicesMailEnabled = $true
    • Inbound connector in Exchange Online must be set to CloudServiceMailEnabled = $true
      • In the GUI, the checkbox is “Retain internal Exchange email headers (recommended).”
    • Exchange On-Prem copies the X-MS-Exchange-Organization headers to new X-MS-Exchange-CrossPremises headers.
    • Exchange Online copies the X-MS-Exchange-CrossPremises headers back to X-MS-Exchange-Organization headers.
• DEMO: On-prem to Office 365 (9:42)
  • Configure pipeline tracing for a sender – Get-TransportService | Set-TransportService -PipelineTracingEnabled $true -PipelineTracingPath C:\Trace -PipelineTracingAddress <sender address>
  • This will export these messages as EML files that you can open (be careful with sensitive data)
  • Email sent as Amy (On-Prem) to Hien (EXO) is delivered as INTERNAL
  • Pipeline trace export at C:\Trace, which shows the headers being copied between X-MS-Exchange-Organization and MS-Exchange-CrossPremises
• DEMO: On-prem to Office 365 (16:00)
  • Changing the CloudServicesMailEnabled = $false on the on-prem send connector
  • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
• DEMO: On-prem to Office 365 (19:15)
  • Changing the CloudServiceMailEnabled = $false on the Exchange Online inbound connector
  • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
• Message Attribution (24:00)
  • EXO is a shared service, and mailboxes from different companies can sit on any database, server, and infrastructure
  • Message attribution is how Exchange Online determines which tenant the message belongs to
  • If the certificate subject name, sending IP, or sender domain matches an accepted domain
    • The email is attributed to the tenant with the accepted domain
    • X-MS-Exchange-Organization-MessageDirectionality = ORIGINATING
  • If origination fails (no matching certificate, sending IP, sender domain) and recipient domain matches an accepted domain
    • The email is attributed to the tenant with the accepted domain
    • X-MS-Exchange-Organization-MessageDirectionality = INCOMING
  • If message attribution fails, it sends a non-delivery report to the sender.
• SCENARIO: Office 365 to on-prem (30:52)
  • For mail to be processed as INTERNAL
    • An accepted domain must exist in Exchange Online
    • Outbound connector in Exchange Online must be set to CloudServiceMailEnabled = $true
      • In the GUI, the checkbox is “Retain internal Exchange email headers (recommended).”
    • Receive connector for Exchange On-Prem must have TLSDomainCapabilities:{mail.protection.outlook.com:AcceptedCloudServicesMail}
    • Exchange Online copies the X-MS-Exchange-Organization headers to new X-MS-Exchange-CrossPremises headers
    • Exchange On-Prem will offer SMTP command XOORG to Exchange Online
    • Exchange Online sets MAILFROM domain in XOORG command to one of Exchange On-Prem’s accepted domains
    • Exchange On-Prem copies the X-MS-Exchange-CrossPremises headers back to X-MS-Exchange-Organization headers
• DEMO: Office 365 to On-Prem (33:45)
  • Configure pipeline tracing for a sender – Get-TransportService | Set-TransportService -PipelineTracingEnabled $true -PipelineTracingPath C:\Trace -PipelineTracingAddress <sender address>
  • This will export these messages as EML files that you can open (be careful with sensitive data)
  • Email sent as Hien (EXO) to Amy (On-Prem) is delivered as INTERNAL
  • Pipeline trace export at C:\Trace, which shows the headers being copied between X-MS-Exchange-Organization and X-MS-Exchange-CrossPremises
• DEMO: Office 365 to On-Prem (36:55)
  • Nulling out the TLSDomainCapabilities on the on-prem receive connector
  • Switches X-MS-Exchange-Organization-AuthAs headers are missing (not copied from X-MS-Exchange-CrossPremises)
• DEMO: Office 365 to On-Prem (39:36)
  • Changing the CloudServiceMailEnabled = $false on the Exchange Online outbound connector
  • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
• Securing the gaps (44:20)
  • When MX is pointed on-prem
    • SCENARIO 1: Other tenants (or on-prem servers with hybrid) can send mail directly to your tenant
    • SCENARIO 2: Other tenants can send mail directly to your hybrid smart host (e.g., hybrid.domain.com)
  • When MX is pointed to EXO
    • SCENARIO 3: Other tenants can send mail directly to your hybrid smart host (e.g., hybrid.domain.com)
  • If another tenant sends directly to your hybrid smart host (on-prem), the mail is considered EXTERNAL because the X-MS-Exchange-CrossPremises (XOORG) will be missing.
• SCENARIO 1: Prevent EXO Direct Delivery when MX is pointed on-prem (48:50)
  • Create a new inbound partner connector
  • Specify all sender domains (*)
  • RequireTLS = $true
  • RestrictDomainsToCertificate = $true
  • TlsSenderCertificateName = Can be whatever you want it to be (e.g., blocknonmx.domain.com)
  • New-InboundConnector -Name “Block Non MX Record Delivery” -ConnectType Partner -SenderDomains * RequireTls:$true -RestrictDomainsToCertificate:$true -TlsSenderCertificateName blocknonmx.domain.com
• SCENARIO 2: Prevent On-Prem Direct Delivery when MX is pointed to EXO (49:20)
  • Create a transport rule
  • Sender is located Outside the organization
  • Reject the message with explanation “You are not allowed to send directly. Use MX.”
  • Except if message header includes “X-OriginatorOrg” with “<domain>.mail.onmicrosoft.com” or “<domain>.onmicrosoft.com” or “<domains.com>”
• SCENARIO 3: Prevent On-Prem Direct Delivery when MX is pointed on-prem (50:39)
  • Create a transport rule
  • Sender is located Outside the organization
  • Reject the message with explanation “You are not allowed to send directly. Use MX.”
  • Except if message includes:
    • Header “X-OriginatorOrg” with “<domain>.mail.onmicrosoft.com” or “<domain>.onmicrosoft.com” or “<domains.com>”
    • Sender IP address is “<1.1.1.1>”
    • Header “Received” matches “<1.1.1.1>”