Most antispam solutions offer whitelist and blacklist options for specific senders and domains, and Office 365 is no different. They typically provide settings for the entire organization as well as customizable lists for individual users. The one area that can cause confusion is the way Microsoft has integrated the Safe Senders and Blocked Senders lists of a user’s mailbox into the Exchange Online Protection (EOP) solution.
When a user adds entries to these sender lists through Outlook or Outlook on the Web (formerly Outlook Web App or OWA), small mistakes can have serious ramifications. If a user adds a sender or domain to the Safe Senders list, it overrides the organization’s Office 365 EOP antispam filtering settings. This can be verified in the message headers: the X-Forefront-Antispam-Report header will carry SFV:SFE, which translates to “Filtering was skipped and the message was let through because it was sent from an address on an individual's safe sender list.” The same header will also show SCL:-1, which indicates “Non-spam coming from a safe sender, safe recipient, or safe listed IP address (trusted partner).”
The result of this configuration in the individual’s Safe Senders list is that messages which should have been flagged as spam will now be delivered to the user’s inbox. This includes messages that fail DMARC tests and are potential phishing attempts.
Additionally, the reverse effect can occur when users modify their Blocked Senders lists. The same X-Forefront-Antispam-Report header will be stamped with SFV:BLK if the sender is on the user’s Blocked Senders list.
What can be done?
As general guidance to your user community, recommend avoiding domain names in the Safe or Blocked Senders/Domains lists whenever possible. Whitelisting or blacklisting an entire domain will almost always produce unexpected results. If an entire domain needs an action, the change should typically be made by the IT administrator, not the end user. Users should also never whitelist anyone from your own company: it is unnecessary, and it creates a potential phishing vulnerability.
As an administrator, you can modify a user’s Safe or Blocked Senders lists using Exchange Online PowerShell. Once connected, use the Get-MailboxJunkEmailConfiguration and Set-MailboxJunkEmailConfiguration cmdlets to inspect and adjust the user’s settings. The items we recommend most are:
- ContactsTrusted should always be set to False; otherwise every contact the user adds to their Outlook profile is whitelisted. Since it is common to add coworkers to your contacts list, this setting also ends up whitelisting anyone who uses those display names for phishing or spam.
- For TrustedSendersAndDomains, follow two rules:
  - Do not add email addresses from your own domain, or the domain itself. Such entries allow those addresses and display names to be used by phishers to bypass antispam scanning.
  - Avoid whitelisting entire domains whenever possible. This exposes far too wide a surface to potential phishing and spam.
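The audit and clean-up an administrator might script for the two settings above, as an added example that is not part of the original article; it assumes an already-connected Exchange Online PowerShell session, and the -Remediate switch is an assumed name for a report-only default:

```powershell
# Added example (not from the original article): audit every user mailbox for
# ContactsTrusted = True and for Safe Senders entries that name the tenant's own
# domains or whole domains, then optionally remove them.
# Assumes Connect-ExchangeOnline has already been run; -Remediate is an assumed switch.
param([switch]$Remediate)

# Domains the tenant owns; these should never appear in a Safe Senders list.
$ownDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $cfg = Get-MailboxJunkEmailConfiguration -Identity $mbx.UserPrincipalName

    # Entries are either "user@domain" or a bare "domain".
    $risky = foreach ($entry in $cfg.TrustedSendersAndDomains) {
        $e = $entry.ToLower()
        $domain = if ($e.Contains('@')) { $e.Split('@')[-1] } else { $e }
        if ($ownDomains -contains $domain) {
            [pscustomobject]@{ Entry = $entry; Reason = 'OwnDomain' }
        } elseif (-not $e.Contains('@')) {
            [pscustomobject]@{ Entry = $entry; Reason = 'WholeDomain' }
        }
    }

    if ($cfg.ContactsTrusted -or $risky) {
        # Report the mailbox and why it was flagged.
        [pscustomobject]@{
            Mailbox         = $mbx.UserPrincipalName
            ContactsTrusted = $cfg.ContactsTrusted
            RiskyEntries    = ($risky | ForEach-Object { "$($_.Entry) [$($_.Reason)]" }) -join '; '
        }
        if ($Remediate) {
            # Turn off contact trust and strip only the flagged Safe Senders entries.
            $params = @{ Identity = $mbx.UserPrincipalName; ContactsTrusted = $false }
            if ($risky) { $params.TrustedSendersAndDomains = @{ Remove = @($risky.Entry) } }
            Set-MailboxJunkEmailConfiguration @params
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it without -Remediate first and review the table; the Remove hash-table form leaves the user's other Safe Senders entries untouched.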
In the end, the policies you configure are your own, but it is important to understand these other configuration layers that can undo the security controls you have implemented.