MS-102 Phase 6 Module 41

Exchange Online Protection (EOP)

Anti-spam, anti-malware, connection filtering, mail flow rules, quarantine management, and SPF/DKIM/DMARC configuration to protect corporate email.

Scenario – VinaCorp

VinaCorp receives ~500 spam/phishing emails every day. IT needs to: make the anti-spam policy stricter, use DMARC to block external email that spoofs the vinacorp.vn domain, automatically quarantine dangerous attachments, and allow the HR manager to release email from quarantine themselves.

EOP – Email filtering architecture

EOP is the first layer of email protection, built into all M365 plans (including Exchange Online Plan 1). Defender for Office 365 is an additional layer (P1/P2).

| Filtering layer | Description | Configured in |
|---|---|---|
| 1. Connection filter | Block/allow IPs using the IP Allow/Block list | Anti-spam → Connection filter policy |
| 2. Anti-malware | Scan attachments, block common attachment types | Anti-malware policy |
| 3. Mail flow rules | Transport rules: flexible conditions/actions | Exchange Admin Center → Mail flow |
| 4. Anti-spam | SCL scoring, bulk mail threshold (BCL) | Anti-spam inbound policy |
| 5. Anti-phishing | Spoof intelligence, impersonation detection | Anti-phishing policy |
| 6. Outbound spam | Limit and alert when a user sends spam | Anti-spam outbound policy |

Lab A – Strict Anti-spam Policy (PowerShell)

Run with Exchange Online PowerShell: Connect-ExchangeOnline -UserPrincipalName [email protected]

Create the Anti-spam Inbound Policy (Strict)

    Connect-ExchangeOnline -UserPrincipalName [email protected]

    # Create a Strict-level spam filter policy
    New-HostedContentFilterPolicy -Name "VinaCorp-StrictSpam" `
        -SpamAction Quarantine `
        -HighConfidenceSpamAction Quarantine `
        -PhishSpamAction Quarantine `
        -HighConfidencePhishAction Quarantine `
        -BulkThreshold 5 `
        -BulkSpamAction MoveToJmf `
        -QuarantineRetentionPeriod 30 `
        -EnableLanguageBlockList $true `
        -LanguageBlockList @("ar","zh","ru") `
        -EnableRegionBlockList $false

    # Attach the policy to a rule (applies to all users)
    New-HostedContentFilterRule -Name "VinaCorp-StrictSpam-Rule" `
        -HostedContentFilterPolicy "VinaCorp-StrictSpam" `
        -RecipientDomainIs "vinacorp.vn" `
        -Priority 0

    Write-Host "Strict anti-spam policy created and applied"

    Strict anti-spam policy created and applied

Anti-malware Policy – Block dangerous file types

    # Create an anti-malware policy that blocks common attack attachments
    New-MalwareFilterPolicy -Name "VinaCorp-Malware" `
        -EnableFileFilter $true `
        -FileTypes @("ace","ani","apk","arj","bat","cab","cmd","com","cpl","dll",
                     "exe","hta","jar","js","jse","msi","msp","pif","ps1","reg",
                     "scr","vbe","vbs","wsf","wsh") `
        -FileTypeAction Reject `
        -Action DeleteMessage `
        -EnableInternalSenderAdminNotifications $true `
        -InternalSenderAdminAddress "[email protected]"

    New-MalwareFilterRule -Name "VinaCorp-Malware-Rule" `
        -MalwareFilterPolicy "VinaCorp-Malware" `
        -RecipientDomainIs "vinacorp.vn"

    MalwareFilterPolicy VinaCorp-Malware created.
    MalwareFilterRule applied to vinacorp.vn.

SPF / DKIM / DMARC

| Mechanism | Function | DNS record |
|---|---|---|
| SPF | Lists the server IPs allowed to send email on behalf of the domain | TXT @ "v=spf1 include:spf.protection.outlook.com -all" |
| DKIM | Digitally signs email with a private key; the recipient verifies it with the public key from DNS | CNAME selector1._domainkey → selector1-vinacorp-vn._domainkey.vinacorp.onmicrosoft.com |
| DMARC | Policy for handling SPF/DKIM failures: none/quarantine/reject + reporting | TXT _dmarc "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100" |

Enable DKIM for the domain (PowerShell)

    # Get the CNAME records that must be created in DNS
    Get-DkimSigningConfig -Identity vinacorp.vn |
        Select-Object Domain, Selector1CNAME, Selector2CNAME

    # After creating the CNAMEs at the DNS provider, enable DKIM:
    Set-DkimSigningConfig -Identity vinacorp.vn -Enabled $true
    Write-Host "DKIM enabled for vinacorp.vn"

    # Check the status
    Get-DkimSigningConfig -Identity vinacorp.vn |
        Select-Object Domain, Enabled, Status

    Domain      Selector1CNAME
    ------      --------------
    vinacorp.vn selector1-vinacorp-vn._domainkey.vinacorp.onmicrosoft.com

    DKIM enabled for vinacorp.vn

    Domain      Enabled Status
    ------      ------- ------
    vinacorp.vn True    Valid

Check the DMARC report

    # Verify DNS records (run from a terminal or PowerShell)
    Resolve-DnsName -Name "_dmarc.vinacorp.vn" -Type TXT |
        Select-Object Strings

    Resolve-DnsName -Name "vinacorp.vn" -Type TXT |
        Where-Object {$_.Strings -like "v=spf1*"} |
        Select-Object Strings

    _dmarc.vinacorp.vn: v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100
    vinacorp.vn TXT: v=spf1 include:spf.protection.outlook.com -all
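
The lookup above only prints the records. As an added example (not part of the original lab), the script below parses SPF and DMARC strings and flags settings weaker than the ones in this page's DNS table. The function names and the sample records, including the example.test report address, are constructed for illustration.

```powershell
# Added example: function names and sample records are constructed, not from the lab.
function ConvertFrom-DmarcRecord ([string]$Record) {
    # A DMARC record is a ';'-separated list of tag=value pairs.
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $name, $value = $part -split '=', 2
        if ($null -ne $value) { $tags[$name.Trim().ToLower()] = $value.Trim() }
    }
    $tags
}

function Test-DmarcRecord ([string]$Record) {
    $t = ConvertFrom-DmarcRecord $Record
    $f = @()
    if ($t['v'] -ne 'DMARC1') { $f += 'v=DMARC1 tag missing' }
    if ($t['p'] -notin 'quarantine', 'reject') { $f += "p=$($t['p']): failing mail is not blocked" }
    if ($t['sp'] -eq 'none') { $f += 'sp=none: subdomains are not enforced' }
    # pct defaults to 100 when the tag is absent.
    $pct = if ($t.ContainsKey('pct')) { [int]$t['pct'] } else { 100 }
    if ($pct -lt 100) { $f += "pct=${pct}: policy covers only part of the failing mail" }
    if (-not $t.ContainsKey('rua')) { $f += 'no rua= address: aggregate reports are not sent' }
    [pscustomobject]@{ Record = $Record; Compliant = ($f.Count -eq 0); Findings = $f }
}

function Test-SpfRecord ([string]$Record) {
    $terms = $Record.Trim() -split '\s+'
    $f = @()
    if ($terms[0] -ne 'v=spf1') { $f += 'v=spf1 version term missing' }
    if ($terms -notcontains 'include:spf.protection.outlook.com') { $f += 'EOP include missing' }
    # The qualifier on "all" decides what happens to senders not listed in the record.
    $all = $terms | Where-Object { $_ -match '^[+?~-]?all$' } | Select-Object -Last 1
    if (-not $all) {
        $f += 'no "all" mechanism: unlisted senders get a neutral result'
    } elseif ($all -ne '-all') {
        $f += "'$all' is weaker than the hard fail (-all) published on this page"
    }
    [pscustomobject]@{ Record = $Record; Compliant = ($f.Count -eq 0); Findings = $f }
}

# Constructed samples: the first of each pair mirrors the page's DNS table (report address made up).
$dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100', 'v=DMARC1; p=none; pct=50'
$spf   = 'v=spf1 include:spf.protection.outlook.com -all',
         'v=spf1 include:spf.protection.outlook.com ~all'
@($dmarc | ForEach-Object { Test-DmarcRecord $_ }) +
    @($spf | ForEach-Object { Test-SpfRecord $_ }) |
    Format-List Record, Compliant, Findings
```

To audit the live domain, pass each function the TXT string returned by the Resolve-DnsName commands above, joining the Strings property with -join '' when a record is split into several strings.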

Lab B – Quarantine Management

Create a Quarantine Policy for the HR Manager

    # Create a quarantine policy that lets users view and release messages themselves
    New-QuarantinePolicy -Name "HR_SelfRelease" `
        -EndUserQuarantinePermissionsValue 23 `
        -ESNEnabled $true
    # EndUserQuarantinePermissionsValue 23 = Allow: view + release + delete + block sender
    # ESNEnabled: send the end-user spam notification email

    # Assign the policy to the anti-spam policy
    Set-HostedContentFilterPolicy -Identity "VinaCorp-StrictSpam" `
        -SpamQuarantineTag "HR_SelfRelease" `
        -HighConfidenceSpamQuarantineTag "AdminOnlyAccessPolicy"

    Write-Host "Quarantine policy HR_SelfRelease configured"

    Quarantine policy HR_SelfRelease configured

View and release email from quarantine

    # List quarantined email for the HR dept (last 24h)
    Get-QuarantineMessage -RecipientAddress "[email protected]" |
        Where-Object {$_.ReceivedTime -gt (Get-Date).AddHours(-24)} |
        Select-Object Subject, SenderAddress, ReceivedTime, QuarantineTypes |
        Format-Table -AutoSize

    # Release a specific email
    $msgId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    Release-QuarantineMessage -Identity $msgId -ReleaseToAll
    Write-Host "Email released from quarantine"

    Subject               SenderAddress    QuarantineTypes
    -------               -------------    ---------------
    [External] Invoice Q1 [email protected] Spam
    Re: Contract VinaCorp [email protected] Bulk

    Email released from quarantine

Mail Flow Rules (Transport Rules)

Example: Block forwarding outside the domain

    # Block auto-forwarding of email to external recipients (data exfiltration prevention)
    New-TransportRule -Name "Block External Auto-Forward" `
        -MessageTypeMatches AutoForward `
        -SentToScope NotInOrganization `
        -RejectMessageReasonText "Auto-forwarding to external recipients is not allowed." `
        -RejectMessageEnhancedStatusCode "5.7.1"

    # Add an [EXTERNAL] tag to email from outside the organization
    New-TransportRule -Name "Tag External Email" `
        -FromScope NotInOrganization `
        -SetHeaderName "X-MS-Exchange-Organization-ExternalOriginator" `
        -SetHeaderValue "1" `
        -PrependSubject "[EXTERNAL] "

    Write-Host "Mail flow rules created"

    Block External Auto-Forward: Created
    Tag External Email: Created

Mail flow rules have a priority order: a rule with a lower priority (smaller number) runs first. Use Set-TransportRule -Identity "xxx" -Priority 0 to move a rule to the top.

M41 Summary

Core knowledge
  • ✅ EOP consists of 6 filtering layers: connection → malware → mail flow → spam → phishing → outbound
  • ✅ BCL threshold 5 = moderate bulk mail filtering (1=strict, 9=loose)
  • ✅ SPF+DKIM+DMARC: the trio that gives complete anti-spoofing protection
  • ✅ DMARC p=reject completely blocks email that spoofs the domain
  • ✅ Quarantine Policy lets users release their own spam themselves
Labs practiced
  • 🔬 Lab A: Strict anti-spam + anti-malware policy PowerShell
  • 🔬 DKIM enable + DMARC verify via DNS
  • 🔬 Lab B: Quarantine policy HR_SelfRelease + release email
  • 🔬 Mail flow rules: block auto-forward + tag external email