SuperTekBoy

Practical Help for Exchange & Office 365

Office 365 Tutorials

Enable explicit DKIM signing in Office 365

By 19 Comments

178 Shares
Share
Tweet
Share
Reddit
Print

In this article, we will take a look at how to enable explicit DKIM signing in Office 365.

What exactly is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication mechanism designed to prevent email spoofing. DKIM utilizes a cryptographic key pair and DNS records to provide sender validation and message integrity. It does this in the following way.

DKIM

The sender encrypts selected parts of the message header with its private key. This is defined by the “h” field in the diagram above. In our example, we are encrypting the From, To, and Subject fields to name a few. Portions or all of the message body may also be hashed. The DKIM header itself is not encrypted. In the DKIM header, the “d” value identifies the sender domain. The “s” value identifies a unique selector defined by the sender.

The recipient combines the selector and domain values to form a DNS query. Using our diagram above the domain field is marked as supertekboy.com and the selector field is marked as selector1. Using these values the recipient forms the following DNS query.

selector1._domainkey.supertekboy.com

The _domainkey portion of the query is a fixed part of the protocol.

The name servers for the sender respond with a TXT record containing the public key. The recipient can then use this public key to decrypt the header (and any parts of the body).

Successful decryption validates the sender. A DKIM=Pass is attached to the message header which increases the confidence level of the message.

One of the drawbacks of DKIM is that it doesn’t prevent close misspellings of a domain. For example, I could register supertecboy.com and configure DKIM signing. DKIM will pass because the messages are coming from supertecboy.com. But to an untrained eye, supertekboy.com and supertecboy.com might be considered the same entity. When in fact the latter is a spoofer.

[Read more…] about Enable explicit DKIM signing in Office 365

Add a legal disclaimer to all outbound email (Exchange/O365)

By 7 Comments

86 Shares
Share
Tweet
Share
Reddit
Print

Adding a legal disclaimer to all outbound email is an important task. Thankfully, this is a simple process in Exchange on-premises and Office 365. In fact, the instructions are identical for Exchange 2013, Exchange 2016 and Office 365.

For this article, our example company, Time Travel Research, wishes that all email leaving the organization have a legal disclaimer. Time Travel Research is not concerned about applying a disclaimer if the message remains inside the organization. For example, a disclaimer between two employees is not necessary. However, they would like all external messages, whether it be to a customer or a vendor, to have this disclaimer.

Let’s get started!

Add a legal disclaimer to all outbound email

Log in to the Exchange Admin Center. Once logged in, navigate to Mail Flow >> Rules. Click the New (Excchange 2016 New) button.

From the drop-down menu, you will notice several choices. These choices are rule templates. We could just select Create a new rule. That would start us with a blank rule with no conditions. However, to give us a head start lets pick the Apply disclaimers template. This will configure a couple of items for us.

Add a legal disclaimer to all outbound email Exchange Office 365
[Read more…] about Add a legal disclaimer to all outbound email (Exchange/O365)

Don’t feed the Phish

By Leave a Comment

36 Shares
Share
Tweet
Share
Reddit
Print

This morning I woke up to a very interesting phishing email. I never blog about phishing attacks but I found this one particularly interesting as it was spoofing Microsoft account services.

Identify the Phish

Phishing emails are always getting more creative. Sometimes it is hard to spot a fake from a legitimate email. But there are always a couple of tells on a fake email. The one I received this morning had a few.

Outlook.com Microsoft Team Phishing Attack

The first was the email address. Despite it displaying outlook.com the part to the left of the at symbol read “outlooo.teeam”. This was the first red flag.

The second red flag is the sketchy use of the English language throughout the body of the message itself. It just doesn’t read well.

Then comes the Verify Your Account button. This was the ultimate red flag. Without clicking I hovered my mouse pointer over the button. It revealed where it was going to take me. Even if the email address had been formatted better and the body of the message was grammatically correct the link was the surefire tell. In the screenshot above I superimposed the link so you can see where it was taking me. Clearly not a Microsoft site. But some site in India.

The final red flag was the trademark symbol at the end of the message. I have no idea why the word “team” (or perhaps the entire phrase) is a trademark.

Now that we have identified a phishing email what’s next? I recommend reporting it to your anti-spam provider. Below are the steps for reporting it to Microsoft. If you have a 3rd party vendor for spam, check with your system admin on how to submit messages to them for analysis.

[Read more…] about Don’t feed the Phish

Easily Connect to Exchange Online with PowerShell

By 8 Comments

62 Shares
Share
Tweet
Share
Reddit
Print
Exchange Online with PowerShell

In a previous article, I explained how to connect to Office 365 with PowerShell. In this article, we explore how to use PowerShell to connect to Exchange Online. This can vary based on what authentication method you have configured for your admin account. The sections below cover each authentication method.

  1. If your admin account has MFA enabled
  2. If your admin account has MFA disabled
  3. If you are using ADFS (SSO)
  4. Prereqs for older operating systems
  5. Let’s script this instead

Let’s get started!

If your admin account has MFA enabled

If your administrator account has multi-factor authentication enabled you won’t be able to use the built-in PowerShell. Instead, you will need to download the Exchange Online PowerShell Module.

To do this, log into the Office 365 Admin Center, navigate to the Exchange Admin Center, and click the Hybrid tab.

From the hybrid tab, click the second Configure button (under the text that states The Exchange Online PowerShell Module supports multi-factor authentication).

Exchange Online PowerShell Module - Multi-factor Authentication

Note: You can only download this with Internet Explorer. This module will error out if you use Chrome or Firefox.

This will create a new icon on your desktop named Microsoft Exchange Online Powershell Module. Double-click Microsoft Exchange Online Powershell Module.

Exchange Online PowerShell Module - Multi-factor Authentication A

This will launch PowerShell with the Exchange Online Module preloaded. To connect we will use the Connect-EXOPSSession cmdlet. In this cmdlet swap the -UserPrincipleName parameter for your administrator’s login name.

 C:\> Connect-EXOPSSession -UserPrincipalName globaladmin@contoso.com

This command should launch a web pop-up. Enter your Password and click Sign in.

Exchange Online PowerShell Module - Multi-factor Authentication C
[Read more…] about Easily Connect to Exchange Online with PowerShell

Office 365: Set Passwords To Never Expire

By 1 Comment

2 Shares
Share
Tweet
Share
Reddit
Print

If you have ever tried to tweak the password policy in Office365 then you have likely encountered this warning.

Office365 Admin Center Password Expiration

Unfortunately, this restricts us to a password that can never be used for more than 730 days (2 years). Anything outside that range and you receive an error like the one above.

Does this mean that a password must expire?

Well, no, it does not have to.

Now password expiration is a best practice but, you may have a situation that necessitates having a more permanent password. One such example could be a service account for a network copier. The copier would use this account to perform scan-to-email functions. A user would scan a hardcopy of a document into the scanner and send it to email leveraging Office 365.

Most likely, you are never going to log with the scanner account. This means you will never see the expiration notice. You could set up a calendar reminder for yourself. You could also plaster your monitor with sticky notes. But, more than likely, your scan-to-email will break one day and leave you scratching your head as to why.

So, how do you set a password to never expire? The Admin Center gives you an error. So, what is left?

[Read more…] about Office 365: Set Passwords To Never Expire

Easily Connect to Office 365 with PowerShell

By 2 Comments

24 Shares
Share
Tweet
Share
Reddit
Print

Office 365 is great, but the Admin Center does not bode well for bulk tasks. What might take an insanely massive amount of time in the graphical user interface may only take seconds in PowerShell.

In the first part of this article, we discuss all the prerequisites required to make the connection. The second part discusses how to make the connection.

Prerequisites

Before we can connect we need to download the Microsoft Online Services Sign-In Assistant. You can get that here: https://www.microsoft.com/en-us/download/details.aspx?id=41950

Once downloaded, run the executable. On the first screen click the Next button.

Online Services Sign-in Assistant Setup-1

Check the box to accept the license agreement and click the Install button.

Online Services Sign-in Assistant Setup-2

Click Finish.

Online Services Sign-in Assistant Setup-3
[Read more…] about Easily Connect to Office 365 with PowerShell