Threat Prevention Service Documentation
ITS is updating spam and malware/virus prevention for university email systems, Office 365 and G Suite. The threat prevention service will consist of two filtering services, Exchange Online Protection (EOP) and Advanced Threat Protection (ATP). Below is a description of the changes and functionality.
Email Routing to Exchange Online Protection
On June 25th, ITS will move the mail exchanger (MX) record for the domain uconn.edu from the current spam filtering appliance, Barracuda, to Microsoft Exchange Online Protection (EOP). EOP is a cloud-hosted email filtering service built to protect customers from spam and malware.
Diagram 1. Email routing with EOP
After this change, emails to uconn.edu will be analyzed and scored by EOP, and then the necessary action will be taken based on the criteria provided below:
Table 1. EOP rating and actions

| SCL Rating | Spam Confidence Interpretation | Action |
|---|---|---|
| 0, 1 | Non-spam because the message was scanned and determined to be clean | Deliver the message to the recipient’s Inbox. |
| 5, 6 | Spam | Prepend subject line with {SPAM?} tag and deliver to the recipient’s Junk email folder. |
| 7, 8, 9 | High confidence spam | Send the message to quarantine; recipients get a spam-quarantine digest message and can choose to release individual messages to their Inbox or report them as non-Junk to Microsoft. |

The previous filtering appliance would block the delivery of the majority of spam messages to mailboxes. With this change to EOP, recipients will receive spam messages in different ways, determined by each message’s SCL rating.
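
As an added example (not part of the ITS documentation and not Microsoft's code), the following Python check reads the SCL from a delivered message and compares it with the handling listed in Table 1, including whether a {SPAM?} subject tag agrees with the rating. It assumes the SCL is taken from the `SCL:` field of the `X-Forefront-Antispam-Report` header that EOP stamps on messages, which this page does not mention; the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string, policy

# Table 1 on this page. SCL values the table does not list (for example 2-4)
# are reported as "unlisted" rather than guessed.
TABLE_1 = {0: "inbox", 1: "inbox", 5: "junk+tag", 6: "junk+tag",
           7: "quarantine", 8: "quarantine", 9: "quarantine"}
SPAM_TAG = "{SPAM?}"  # subject prefix named in Table 1


def extract_scl(msg):
    """Return the SCL from X-Forefront-Antispam-Report, or None if absent/invalid."""
    report = msg.get("X-Forefront-Antispam-Report")
    if report is None:
        return None
    for field in str(report).split(";"):
        key, sep, value = field.partition(":")
        if sep and key.strip().upper() == "SCL":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def triage(raw_message):
    """Compare a delivered message with the handling Table 1 prescribes."""
    msg = message_from_string(raw_message, policy=policy.default)
    scl = extract_scl(msg)
    action = "no-scl-header" if scl is None else TABLE_1.get(scl, "unlisted")
    tagged = str(msg.get("Subject", "")).lstrip().startswith(SPAM_TAG)
    # Per Table 1 the tag belongs only on SCL 5 or 6. A mismatch means the
    # subject and the SCL disagree, so the tag is not evidence of the verdict.
    return {"scl": scl, "action": action,
            "tag_mismatch": tagged != (action == "junk+tag")}


# Constructed sample messages (not real mail); the second has a tag typed by the sender.
SAMPLE_SPAM = ("From: promo@example.com\nSubject: {SPAM?} Limited offer\n"
               "X-Forefront-Antispam-Report: CIP:203.0.113.7;SCL:5;SFV:SPM;\n DIR:INB;\n\nbody\n")
SAMPLE_FAKE_TAG = ("From: someone@example.com\nSubject: {SPAM?} please read\n"
                   "X-Forefront-Antispam-Report: CIP:198.51.100.9;SCL:1;SFV:NSPM;\n\nbody\n")

if __name__ == "__main__":
    for sample in (SAMPLE_SPAM, SAMPLE_FAKE_TAG):
        print(triage(sample))
```
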
Advanced Threat Protection
Advanced Threat Protection (ATP) is an email filtering service that helps protect against unknown malware and viruses by providing robust zero-day protection. It also includes features to protect users from clicking harmful links in real time. It offers protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, Exchange Online and OneDrive for Business.
Diagram 2. ATP process. Source: https://products.office.com/en-us/exchange/online-email-threat-protection
ATP Features
Safe Links: This feature proactively protects users from malicious hyperlinks by rewriting them once scanned. The protection applies every time the user clicks the link. Malicious links are dynamically blocked. When the link is unsafe, the user is warned not to visit the site or informed that the site has been blocked. Reporting is available so administrators can track which users clicked a link and when they clicked it.
Safe Attachments: This feature protects against unknown malware and viruses and provides real-time protection. All messages and attachments that do not have a known virus or malware signature are routed to a special environment where ATP analyzes them to detect malicious content.
Spoof Intelligence: This feature detects when a sender appears to be sending mail on behalf of one or more accounts within the organization domains.