Cybersecurity Knowledge Base

SPF (Sender Policy Framework)

How it works: SPF allows domain owners to specify which mail servers are permitted to send email on behalf of their domain. Receiving mail servers verify the SPF record to check if the email comes from an authorized server.

Setup: Add a TXT record to your DNS with the SPF policy. Example:

v=spf1 include:_spf.example.com ~all

Mechanisms:

• include - Include another domain's SPF record
• ip4/ip6 - Specify allowed IP addresses
• a/mx - Allow domain's A or MX records
• ~all (soft fail) or -all (hard fail)

DKIM (DomainKeys Identified Mail)

How it works: DKIM adds a digital signature to email headers using public-key cryptography. The sending server signs the email with a private key, and receiving servers verify it using the public key published in DNS.

Setup:

1. Generate a public/private key pair
2. Publish the public key as a DNS TXT record
3. Configure your mail server to sign outgoing messages with the private key

Example DKIM record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

DMARC (Domain-based Message Authentication, Reporting & Conformance)

How it works: DMARC builds on SPF and DKIM, allowing domain owners to publish policies on how receivers should handle emails that fail authentication, and request reports about authentication results.

Setup: Add a DMARC TXT record to your DNS. Example:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; pct=100

Policy options:

• p=none - Monitor only, no action
• p=quarantine - Treat as suspicious
• p=reject - Reject the message

Core Protection Policies

Anti-Spam

Filters unsolicited bulk email using machine learning and reputation analysis.

Configuration: Set spam filtering policies in Security & Compliance Center → Threat management → Policy → Anti-spam

Actions: Move to Junk, Quarantine, Delete, etc.

Anti-Malware

Scans attachments and links for known malware using multiple engines.

Features:

• Common Attachment Types Filtering
• Zero-hour auto purge (ZAP)
• Dynamic Delivery for suspicious attachments

Anti-Phishing

Detects impersonation attempts and suspicious links.

Techniques:

• Spoof intelligence
• Impersonation protection (users, domains)
• Mailbox intelligence (unusual senders)

Safe Links & Attachments

Safe Links: Rewrites URLs to check them in real-time when clicked.

Safe Attachments: Opens attachments in a sandbox before delivery.

Advanced Features

Advanced Rules (Mail Flow Rules)

Create custom rules in Exchange Admin Center → Mail flow → Rules

Examples:

• Block executable attachments
• Flag external emails
• Bypass filtering for trusted senders

Allow/Block Lists

Manage in Security & Compliance Center → Threat management → Policy → Anti-spam

Types:

• Tenant Allow/Block List (URLs, files, senders)
• IP Allow List (Connection filter)

Phishing Training & Simulation

Available in Defender for Office 365 Plan 2

Features:

• Pre-built attack simulations
• Custom phishing campaigns
• Training assignments
• User reporting (Report Phishing add-in)

Investigation Workflow

1. Identification: Detect suspicious email via reports or alerts
2. Containment: Quarantine message, block sender/URLs
3. Analysis: Examine headers, content, attachments
4. Eradication: Remove threat from all mailboxes
5. Recovery: Restore any affected systems
6. Lessons Learned: Update policies and user training

Key Investigation Tools

Message Trace

Track email path through Exchange Online (Exchange Admin Center → Mail flow → Message trace)

Data: Sender/recipient, status, timestamp, message size

Threat Explorer

Real-time and historical threat detection (Microsoft 365 Defender → Email & collaboration → Explorer)

Capabilities:

• View malware/phishing emails
• Filter by threat type, sender, recipient
• Take actions (delete, quarantine)

Email Headers Analysis

Key headers to examine:

• Received: - Mail server path
• Authentication-Results: - SPF/DKIM/DMARC results
• X-MS-Exchange-Organization-* - Microsoft-specific data

Remediation Actions

Action	Tool	Description
Delete emails	Threat Explorer	Remove malicious emails from all mailboxes
Block sender/domain	Tenant Allow/Block List	Add to block list in Anti-spam policies
Block URLs	Tenant Allow/Block List	Block malicious links
Block attachments	Mail Flow Rules	Create rule to block file types

Mailflow Fundamentals

Components:

• Connectors (inbound/outbound)
• Accepted domains
• Transport rules
• Queues

Common Mailflow Issues

Issue	Possible Causes	Troubleshooting Steps
Emails not received	DNS issues, filtering, blacklisting	Check message trace, test connectivity
Delays in delivery	Queue backups, throttling	Check queues, review connector settings
Recipient not found	Invalid address, directory sync issues	Validate recipient, check directory sync

Domain Reputation Management

Key Factors:

• Spam complaint rates
• Bounce rates
• Engagement metrics (opens, clicks)
• Authentication (SPF/DKIM/DMARC)

Blacklisting

Common RBLs (Real-time Blackhole Lists):

• Spamhaus (SBL, XBL, PBL)
• Barracuda
• Proofpoint
• Microsoft SNDS (Smart Network Data Services)

Delisting Process:

1. Identify listing using tools like MXToolBox
2. Resolve underlying issue (spam source, open relay)
3. Submit delisting request with evidence
4. Monitor for relisting

Deliverability Best Practices

• Maintain clean mailing lists
• Implement double opt-in
• Monitor bounce rates
• Provide clear unsubscribe options
• Warm up new IPs gradually

Overview

Azure Information Protection (AIP) is a cloud-based solution that helps organizations classify and protect documents and emails by applying labels.

Key Components

• Labels: Classification metadata applied to content
• Protection: Encryption and rights management
• Scanner: Discovers and protects sensitive data on-premises
• Client: Software for users to apply labels

Implementation Steps

1. Activate AIP in Azure portal
2. Configure labels in Microsoft Purview compliance portal
3. Deploy AIP client or enable unified labeling
4. Train users on classification

Common Use Cases

• Protect sensitive emails with encryption
• Prevent unauthorized sharing of documents
• Automatically classify content based on sensitive info

Overview

DLP helps prevent sensitive information from being inappropriately shared by detecting, monitoring, and protecting data across Microsoft 365.

Key Capabilities

• Sensitive info types: 100+ built-in definitions (credit cards, SSNs, etc.)
• Custom policies: Create rules for your specific data
• Actions: Block, quarantine, or notify when sensitive data is detected
• Policy tips: Educate users in real-time

Policy Creation

1. Identify sensitive data to protect
2. Define conditions for detection
3. Set actions when detected
4. Choose locations to monitor (Exchange, SharePoint, Teams, etc.)
5. Test in audit mode before enforcement

Best Practices

• Start with audit mode to understand data flows
• Focus on high-risk data first
• Use policy tips to educate users
• Review DLP alerts and reports regularly

Data Lifecycle Management

Manage content through its lifecycle with retention policies and labels.

Retention Policies

• Retain content for compliance
• Delete content when no longer needed
• Both retain and delete based on age

Retention Labels

• Classify content for retention
• Can be auto-applied or manual
• Support records declaration

eDiscovery

Identify, preserve, and export electronic information for legal cases.

Content Searches

• Search across mailboxes, sites, Teams
• Keyword queries and conditions
• Preview and export results

eDiscovery Cases

• Organize investigations by case
• Assign permissions to case members
• Preserve content with holds
• Track all case activities

Advanced eDiscovery

Additional capabilities for complex investigations:

• Analytics to reduce data volume
• Machine learning for relevance
• Review sets and tagging