The Terry Zink Security Talk blog comes to an end

Please note: The Terry Zink Security Talk blog is being deprecated in March 2019 in order to focus our attention (and yours) on the vast amounts of information we already have on the support.office.com and the docs.microsoft.com sites. Some of you may have noticed that the amount that I post on this blog has lessened…

The unauthenticated sender ‘?’ comes to Outlook

Update: This blog post is being deprecated and information is being moved to support.office.com: Identify suspicious messages in Outlook.com and Outlook on the web

About a year ago, in Office 365, we released the feature that – similar to Gmail – Outlook Web Access stamps a ‘?’ in the sender photo when the message…


Chasing the (very) long tail of unauthenticated domains

One of the requests that frequently crosses my desk (computer screen) is a vulnerability claim that a certain domain that is owned by Microsoft is prone to spoofing because it does not have email authentication records – neither SPF, DKIM, nor DMARC. Because this can be used to spoof, it is a vulnerability. Microsoft Corporation owns…


A way to (sort of) approximate DMARC aggregate reports in Office 365

One of the most common questions people ask me is “How do you get Office 365 to send out DMARC aggregate and forensic reports?” This is followed by “When is Office 365 going to send out DMARC aggregate and forensic reports?” Office 365 doesn’t send out DMARC reports, nor is it on our public roadmap….


How to get images to load in Outlook.com, Office 365, and Outlook email clients

People sometimes ask me “How do I, as a sender into Office 365, get images to load by default? Every time I send, the images are blocked.” I’ve decided to finally answer that question so I don’t need to keep typing my response.

1. Images in Outlook.com load by default if you’re a good…


If you use Office 365 but your MX record doesn’t point to Office, you may want to close down your security settings

Even though it’s not a recommended configuration for our customers (in terms of spam filtering), some customers of Office 365 route their email through a competing spam filtering service in the cloud, or through an on-prem server. That is, the mail flow looks like this: I’ve written previously about the problems this can cause, see…


When creating support tickets about spam, be sure to include message headers

When users get spam and phishing messages in the inbox, we ask users to submit them back to us, using the instructions here: Submit spam, non-spam, and phishing scam messages to Microsoft for analysis. I explain why this is important in Why does spam and phishing get through Office 365? And what can be done…


How to securely add a sender to an allow list in Office 365

Background

We sometimes see users creating allow rules, either through Exchange Transport Rules (ETRs), or Domain Allows, or Safe Senders, when they want to receive email from senders. However, they frequently do this insecurely; spammers then spoof the sending domain (or even the full email address) which skips all spam filtering and the message lands…


A short intro to how the Phishing Confidence Level (PCL) works

This is a rough description of how the Phishing Confidence Level (PCL) works in Office 365. Way back in the olden days – 2007 or so – Exchange server used to have its own spam filter, Smartscreen. This was more-or-less the same spam filter running in Outlook.com. But whereas Smartscreen in Outlook.com (then known as…

Does SPF need an update to handle non-existent includes? I say yes.

Over the past month, my team and I have been going over logs in our system, looking for SPF PermErrors and trying to figure out how many we had, and the root cause of them. As it turns out, there are lots of things that cause a permanent SPF failure. The most common examples are…

A second update to the problem of email forwarding in Office 365

18 months ago, I wrote the following blog post: Why does my email from Facebook, that I forward from my outlook.com account, get rejected. 6 (ish) months ago, I provided an update at An update on the forwarding email problem in Office 365 where I said that we made a change such that Exchange Transport Rules…

How we got to enforce DMARC for sub-domains of Microsoft’s largest consumer email brands

I couldn’t believe it. I had been blind for ages. Why had I not seen it before? The month was August 2017, and none of Microsoft’s largest consumer email brands – msn.com, live.com, hotmail.com, and outlook.com – had DMARC reject records in place. Not one. As a result, we were still seeing lots and lots…

Blocking invalid From: addresses in Office 365

A couple of weeks ago, we made an announcement in Office 365 that we would be implementing stricter checks of the From: address, starting Nov 9, 2017. You can find that at How Office 365 validates the From: address to prevent phishing. I won’t repeat everything in that article as you can click and read…

Showing a question mark ‘?’ in the sender photo when a message is not authenticated

In order to help stop phishing messages, Office 365 and Outlook.com already filter messages using authentication methods including SPF, DKIM, DMARC, and antispoofing. These techniques verify that the sender is who they say they are, and they are used to mark the message either as Junk Email, or deliver it to your Inbox. They sometimes…
