General information and links
- Microsoft Defender - Exchange Online Protection (EOP) - Start page
- Microsoft Defender - Review - Quarantine list needs review
- Exchange Online Protection overview (EOP) - Explanations and help from Microsoft
Things to know about "Exchange Online Protection"
The Microsoft cloud-based mail filter is very aggressive, so please check your Junk folder and your quarantine page regularly for misclassified messages.
During the transition period in which emails to some of your addresses are filtered by Microsoft, but others are still filtered by MailCleaner, it is possible that your MailCleaner quarantine report will be blocked in the Microsoft quarantine.
- As before, quarantine emails contain a direct link to the quarantine website.
- Quarantined messages in your MailCleaner quarantine will be available for up to 30 days after filtering for your domain has moved to EOP.
- ATTENTION: Your settings in MailCleaner will not be migrated to EOP.
- Personal Allow and Deny lists are managed in Outlook or Webmail (junk mail settings).
Allow-List entries apply to emails that have been classified as "Spam", but not to emails that have been quarantined as "Spoof" or "Phishing".
- In contrast to MailCleaner, not only incoming but also outgoing mail is filtered. Even internal mail traffic is subjected to some basic checks.
- Quarantined messages remain in quarantine for 30 days, after which they are deleted.
- Checking URLs in email messages (Safe Links / time-of-click protection) protects against malicious links used in phishing and other attacks.
Safe Links Time-of-Click protection is only available for Microsoft mail clients connected to cloud-based mailboxes.
Questions and answers
Question | How do I report the receipt of a spam or phishing e-mail that has not yet been recognized as such? |
Answer | In Outlook or Outlook on the web via the menu >Report< as described under Outlook-App >Report Message< |
Question | Are e-mail addresses to which I send an e-mail automatically entered as trusted senders? |
Answer | No. Automatic addition to the Safe senders list is not available. |
Question | How do I add trusted senders to my safe senders list and how do I block unwanted senders? |
Answer | In webmail https://outlook.office.com go to Menu Settings - E-Mail - Junk-E-Mail. Or go directly to https://outlook.office.com/mail/options/mail/junkEmail. There you can also activate >My contacts are trusted senders<. |
Question | How do I add safe senders to my permission list and how do I block unwanted senders in ETH Webmail? |
Answer | In Outlook on the web https://mail.ethz.ch/ go to the menu Options - Email - Accounts. Here you can enter the senders you want to trust or block. |
Question | I have reported mails from a particular sender to Microsoft several times as false positives, but mail from that sender still lands in quarantine. |
Answer | This is usually due to a problem with the sender, e.g. a missing SPF, DKIM or DMARC entry. |
Question | I have entered a sender address/domain in my safe senders list, but mail from that sender still lands in quarantine. |
Answer | The safe senders list applies only to the junk folder. |
Question | How do I report a message as junk or phishing if I don't have >Report message< in the Outlook menu? |
Answer | Open >Outlook on the Web<, right-click on the relevant message and select >Report - Junk e-mail or phishing< |
Question | An e-mail that I have released from quarantine is now in the inbox on >Outlook on the Web<. I would now like to report it as “Not a junk e-mail”. However, the right-click menu does not offer this option. How do I do this now? |
Answer | Move the e-mail temporarily to the junk e-mail folder. There you can right-click and select >Report - No junk e-mail<. |
Question | I clicked on >Request release< in a quarantine email >Microsoft 365 Security: You have messages in quarantine< from quarantine@messaging.microsoft.com. What happens now? |
Answer | Requests for the release of quarantined emails are manually checked by an ETH Zurich security administrator no more than once a day on working days and released at their own discretion. |
Question | What type of legitimate messages are likely to land in your Junk folder? |
Answer |
|
Question | What type of legitimate messages are likely to land in the quarantine? |
Answer |
|
Question | What type of quarantined messages can only be released by a filter administrator? |
Answer |
|
Question | Will the filter ever "learn" that mail from a "spoofed" sender address is not Junk? |
Answer | No. |
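To see which of the SPF, DKIM or DMARC checks mentioned in the answer above a quarantined or junked message did not pass, you can read the Authentication-Results header in the message source. The following is an added example, not part of the original ETH Zurich page; the sample message, the domain names and the hint texts are constructed, and it assumes the top-most Authentication-Results header is the one stamped by your own mail service.

```python
import re
from email import message_from_string, policy

# Constructed sample (not real mail): a sender domain with no SPF, DKIM or DMARC.
SAMPLE = """\
Authentication-Results: spf=none (sender IP is 192.0.2.10)
 smtp.mailfrom=newsletter.example; dkim=none (message not signed)
 header.d=none; dmarc=none action=none header.from=newsletter.example
From: News <info@newsletter.example>
To: user@example.org
Subject: Monthly update

Hello
"""

METHODS = ("spf", "dkim", "dmarc")
RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
HINTS = {  # hypothetical wording: what to ask the sender to check
    "spf": "check the sending domain's SPF record",
    "dkim": "check that the message is signed with a valid DKIM key",
    "dmarc": "check the sending domain's DMARC record and alignment",
}


def auth_results(raw):
    """Map spf/dkim/dmarc to the verdict in the top-most Authentication-Results header."""
    msg = message_from_string(raw, policy=policy.default)
    # Assumption: the top-most header was stamped by your own mail service;
    # lower ones may have been supplied by the sender and are ignored here.
    header = str(msg.get("Authentication-Results", ""))
    header = re.sub(r"\([^()]*\)", " ", header)  # drop (comments)
    verdicts = {}
    for method, result in RESULT.findall(header):
        method, result = method.lower(), result.lower()
        # Several DKIM signatures may be reported; one passing is enough.
        if verdicts.get(method) != "pass":
            verdicts[method] = result
    return {m: verdicts.get(m, "absent") for m in METHODS}


def sender_problems(raw):
    """Return one line per check that did not pass."""
    return [f"{m}={r}: {HINTS[m]}" for m, r in auth_results(raw).items() if r != "pass"]


if __name__ == "__main__":
    for line in sender_problems(SAMPLE):
        print(line)
```
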
Non-permitted attachments - ETH Zurich list
- Blocked attachments in Outlook - From Microsoft
- Unauthorized attachments will be rejected by the filter, so they must be distributed via a file sharing service.
For example https://polybox.ethz.ch or https://www.switch.ch/en/filesender
The following attachment types are not accepted.
The restriction applies to incoming, outgoing and also internal e-mail.
File extension | Rule | Comment |
---|---|---|
ace | Default | Compressed archive |
apk | Default | Android package |
app | Default | Application |
appx | Default | Windows application |
ani | Default | Animated mouse cursors |
arj | Default | Compressed files |
bat | Default | Batch file |
cab | Default | Cabinet (archive) |
ceo | ETH | |
chm | ETH | MS compiled HTML file |
cmd | Default | Batch file |
cnf | ETH | Configuration file |
com | Default | Executable |
cpl | ETH | Control panel file |
deb | Default | Debian package |
dex | Default | Dalvik EXecutable |
dll | Default | Windows library |
docm | Default | Word macro file |
elf | Default | Executable and linkable file |
exe | Default | Executable |
hta | Default | HTML Application |
img | Default | Disk image |
inetloc | ETH | Apple Finder internet location format |
ins | ETH | Windows dialup configuration |
iso | Default | Disk image |
jar | Default | Java executable |
jnlp | Default | Java network launching protocol |
job | ETH | Windows task scheduler instructions |
jse | ETH | Visual studio |
kext | Default | Kernel extension |
lha | Default | Compressed archive |
lib | Default | Library |
library | Default | Library |
lnk | Default | Link files |
lzh | Default | Compressed archive |
macho | Default | Mach-O object file |
mad | ETH | Microsoft access |
maf | ETH | Microsoft access |
mag | ETH | Microsoft access |
mam | ETH | Microsoft access macro |
maq | ETH | Microsoft access |
mar | ETH | Microsoft access |
mas | ETH | Microsoft access |
mav | ETH | Microsoft access |
maw | ETH | Microsoft access |
msc | Default | Microsoft management console |
msi | Default | Microsoft software installer |
msix | Default | Windows application package |
msp | Default | Windows installer patch file |
mst | Default | Windows installer setup transform |
pif | Default | Program information files |
ppa | Default | PowerPoint |
ppam | Default | PowerPoint add-on |
reg | Default | Windows registry file |
rev | Default | Recovery volume |
scf | Default | Windows shell command file |
scr | Default | Windows screen saver file |
sct | Default | Scriptlet |
shb | ETH | Windows shortcut |
shs | ETH | Shell scrap object |
sys | Default | Windows system file |
uif | Default | Compressed disc image |
vb | Default | Visual basic |
vbe | Default | VBScript |
vbs | Default | Visual basic script |
vxd | Default | Application helper |
wsc | Default | Windows script component |
wsf | Default | Windows script |
wsh | Default | Windows script host control |
xll | Default | Excel add-in |
xlsb | ETH | Excel binary workbook |
xnk | ETH | Microsoft Exchange shortcut |
xz | Default | Compressed archive |
z | Default | Compressed archive |
Properties of the quarantine report messages from EOP
Sender address: | quarantine@messaging.microsoft.com |
Subject: | Microsoft 365 security: You have messages in quarantine |
Check emails from migrated shared mailboxes that are in quarantine
Open https://security.microsoft.com and log in with the authorized ETH user name.
Expand >Email & Collaboration< and select Review.
In the square, click on the text >Review quarantined messages and...<.
Click on the filter icon to the right of the search field.
Under Recipient address, enter the email of the shared mailbox and click Apply.
The emails now appear in the list and can be checked.
Zero-hour auto purge (ZAP)
Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes.
ZAP finds and takes automated action on messages that are already in a user's mailbox. ZAP's search is limited to the last 48 hours of delivered email. Users aren't notified if ZAP detects and deletes a message.
Detailed information on ZAP can be found here on the Microsoft website.