Mailfilter
General information and links
- Microsoft Defender - Exchange Online Protection (EOP) - Start page
- Microsoft Defender - Review - Quarantine list needs review
- Exchange Online Protection overview (EOP) - Explanations and help from Microsoft
Things to know about "Exchange Online Protection"
The Microsoft cloud-based mail filter is quite aggressive, so you should regularly check your junk folder and quarantine page for incorrectly classified messages.
- Quarantine emails contain a direct link to the quarantine website.
- Personal Allow and Deny lists are managed in Outlook or Webmail (junk mail settings).
- Allow-List entries apply to emails that have been classified as "Spam", but not to emails that have been quarantined as "Spoof" or "Phishing".
- Not only incoming but also outgoing mail is filtered. Even internal mail traffic is subjected to some basic checks.
- Quarantined messages remain in quarantine for 30 days, after which they are deleted.
- Checking URLs in email messages protects against malicious links used in phishing and other attacks. (Safe links / time-of-click protection)
Safe Links Time-of-Click protection is only available for Microsoft mail clients connected to cloud-based mailboxes.
Report emails as spam/junk or phishing, or even as not junk (false positive) to Microsoft
Your reports help the AI learn how to classify emails.
Properties of the quarantine report messages from EOP
Sender address: quarantine@messaging.microsoft.com
Subject: Microsoft 365 security: You have messages in quarantine
Content example:
Note on the "Request release" option
Requests for the release of quarantined emails are manually checked by an ETH Zurich security administrator no more than once a day on working days and released at their own discretion.
Check emails from shared mailboxes that are in quarantine
Open https://security.microsoft.com/quarantine and log in with your authorized ETH user name.
Click on the filter icon to the right of the search field.
Under Recipient address, enter the email of the shared mailbox and click Apply.
The emails now appear in the list and can be checked.
If the shared mailbox has additional alias email addresses, each one must be entered separately.
Non-permitted attachments - ETH Zurich list
- Blocked attachments in Outlook - From Microsoft
- Unauthorized attachments will be rejected by the filter, so they must be distributed via a file sharing service.
For example https://polybox.ethz.ch or https://www.switch.ch/en/filesender
The following attachment types are not accepted.
The restriction applies to incoming, outgoing and also internal e-mail.
| File extension | Rule | Comment |
|---|---|---|
| ace | Default | Compressed archive |
| ani | Default | Animated mouse cursors |
| apk | Default | Android package |
| app | Default | Application |
| appx | Default | Windows application |
| arj | Default | Compressed files |
| bat | Default | Batch file |
| cab | Default | Cabinet (archive) |
| ceo | ETH | |
| chm | ETH | MS compiled HTML file |
| cmd | Default | Batch file |
| cnf | ETH | Configuration file |
| com | Default | Executable |
| cpl | ETH | Control panel file |
| deb | Default | Debian package |
| dex | Default | Dalvik EXecutable |
| dll | Default | Windows library |
| docm | Default | Word macro file |
| elf | Default | Executable and linkable file |
| exe | Default | Executable |
| hta | Default | HTML Application |
| img | Default | Disk image |
| inetloc | ETH | Apple Finder internet location format |
| ins | ETH | Windows dialup configuration |
| iso | Default | Disk image |
| jar | Default | Java executable |
| jnlp | Default | Java network launching protocol |
| job | ETH | Windows task scheduler instructions |
| jse | ETH | Visual studio |
| kext | Default | Kernel extension |
| lha | Default | Compressed archive |
| lib | Default | Library |
| library | Default | Library |
| lnk | Default | Link files |
| lzh | Default | Compressed archive |
| macho | Default | Mach-O object file |
| mad | ETH | Microsoft access |
| maf | ETH | Microsoft access |
| mag | ETH | Microsoft access |
| mam | ETH | Microsoft access macro |
| maq | ETH | Microsoft access |
| mar | ETH | Microsoft access |
| mas | ETH | Microsoft access |
| mav | ETH | Microsoft access |
| maw | ETH | Microsoft access |
| msc | Default | Microsoft management console |
| msi | Default | Microsoft software installer |
| msix | Default | Windows application package |
| msp | Default | Windows installer patch file |
| mst | Default | Windows installer setup transform |
| pif | Default | Program information files |
| ppa | Default | PowerPoint |
| ppam | Default | PowerPoint add-on |
| reg | Default | Windows registry file |
| rev | Default | Recovery volume |
| scf | Default | Windows shell command file |
| scr | Default | Windows screen saver file |
| sct | Default | Scriptlet |
| shb | ETH | Windows shortcut |
| shs | ETH | Shell scrap object |
| svg | ETH | XML Scalable Vector Graphics |
| sys | Default | Windows system file |
| uif | Default | Compressed disc image |
| vb | Default | Visual basic |
| vbe | Default | VBScript |
| vbs | Default | Visual basic script |
| vxd | Default | Application helper |
| wsc | Default | Windows script component |
| wsf | Default | Windows script |
| wsh | Default | Windows script host control |
| xll | Default | Excel add-in |
| xlsb | ETH | Excel binary workbook |
| xnk | ETH | Microsoft Exchange shortcut |
| xz | Default | Compressed archive |
| z | Default | Compressed archive |
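As an added example (not part of the original page or of ETH Zurich's tooling), the following Python code checks the attachments of a message against the table above before it is sent. It assumes a case-insensitive match on the final filename extension only, since the page does not describe how the filter matches; the addresses and file names are constructed.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions copied from the table above (75 entries).
BLOCKED = frozenset("""
ace ani apk app appx arj bat cab ceo chm cmd cnf com cpl deb dex dll docm elf
exe hta img inetloc ins iso jar jnlp job jse kext lha lib library lnk lzh macho
mad maf mag mam maq mar mas mav maw msc msi msix msp mst pif ppa ppam reg rev
scf scr sct shb shs svg sys uif vb vbe vbs vxd wsc wsf wsh xll xlsb xnk xz z
""".split())


def final_extension(filename):
    """Lower-cased last extension without the dot; trailing dots/spaces ignored."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return PurePosixPath(name).suffix.lstrip(".").lower()


def blocked_attachments(msg):
    """Return (filename, extension) for every MIME part whose name is on the list."""
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = final_extension(filename)
            if ext in BLOCKED:  # assumption: extension match only, no content typing
                hits.append((filename, ext))
    return hits


def sample_message():
    """Constructed test message; addresses and file contents are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Quarterly files"
    msg.set_content("Files attached.")
    for name in ("report.pdf", "Invoice.DOCM", "diagram.svg",
                 "backup.tar.xz", "notes.txt"):
        msg.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for filename, ext in blocked_attachments(sample_message()):
        print(f"{filename}: .{ext} is on the list; use a file sharing service")
```

Files flagged here would have to be distributed via a file sharing service, as described above.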
Zero-hour auto purge (ZAP)
Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes.
ZAP finds and takes automated action on messages that are already in a user's mailbox. ZAP's search is limited to the last 48 hours of delivered email. Users aren't notified if ZAP detects and deletes a message.
Detailed information on ZAP can be found here on the Microsoft website.