About
The steps to prevent Exchange Online Protection (EOP) direct delivery require an EOP transport rule to audit messages received from outside the organization that did not originate from Proofpoint Essentials. This auditing process identifies any authorized mail system (such as an on-prem Exchange server, or email sent to domains that have not been set up within Proofpoint Essentials) so that it may bypass the Block Direct Delivery Transport Connector.
Inbound delivery to your Microsoft 365 onmicrosoft.com domain will be rejected if you prevent direct delivery using the method identified in step 6. Before proceeding, please confirm your mailboxes do not use the onmicrosoft.com domain as the primary SMTP address.
Steps
Step 1: Create Direct Delivery Audit Transport Rule
1. Sign in to the Microsoft 365 Admin center.
2. Click Mail flow, then Rules.
3. Click Add a rule and, from the menu, select Create a new rule.
4. Enter a name for the rule (e.g. "Audit Direct Delivery").
5. In the "Apply this rule if" menu, select The sender, then is external/internal, followed by Outside the organization.
6. Click Save.
7. Click + (add condition) then, in the "And" menu, select The recipient, then is external/internal, followed by Inside the organization.
8. Click Save.
9. In the "Do the following" menu, select Modify the message properties, then set a message header.
10. Click Enter text next to "set a message header" and set the value to X-EOP-Direct-Delivery, then click Save.
11. Click Enter text next to "to the value" and set the value to True, then click Save.
12. In the "Except if" menu, select The sender, then IP address is in any of these ranges or exactly matches, then click Enter IPv4 or IPv6 addresses and enter every IP address authorized to deliver directly to EOP: the Proofpoint Essentials addresses and any authorized mail systems such as on-prem Exchange. Click Add after each entry.
Proofpoint Essentials IP addresses can be found in the IP address column of the Connection Details page.
13. Click Save.
14. Click + (add exception) then, in the "Or" menu, select The message properties, then includes the message type, select Calendaring, then click Save.
If your organization allows forwarding messages externally, you'll also need to perform sub-steps 15 through 17. If your organization does not forward messages externally, proceed to sub-step 18.
15. Click + (add exception) then, in the "Or" menu, select The message headers..., then includes any of these words.
16. Click Enter text and set the message header to X-MS-Exchange-Generated-Message-Source, then click Save.
17. Click Enter words next to "includes" and set the value to Mailbox Rules Agent, then click Add, followed by Save.
18. Click Next.
19. Leave the rule mode "Enforce" selected.
20. Adjust the severity value and activation dates as desired.
21. Adjust all remaining settings to your preferences, then click Next.
22. Review all the settings and click Back to make corrections or click Finish, followed by Done.
Step 2: Run PowerShell Command to View Message Details
Run the PowerShell command Get-MailDetailTransportRuleReport to view the messages delivered directly to EOP.
It may take several hours before Get-MailDetailTransportRuleReport returns any messages that triggered the transport rule.
Step 3: Identify Source IP Addresses
Review the Audit Direct Delivery.csv report and identify any systems that should be authorized for direct delivery to EOP. An EOP Message Trace can then be used to determine the source IP addresses.
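Steps 2 and 3 can be combined in one Exchange Online PowerShell session. The following is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, the rule name from Step 1, and that the audited messages are no older than the message trace retention window.

```powershell
# Added example (not from the original article): Steps 2 and 3 in PowerShell.
# Assumes the ExchangeOnlineManagement module and the rule name used in Step 1.
Connect-ExchangeOnline

$ruleName = 'Audit Direct Delivery'
$end      = Get-Date
$start    = $end.AddDays(-7)

# Step 2: every message the audit rule fired on, i.e. external mail that reached
# EOP without passing through Proofpoint Essentials or an already-excepted system.
$hits = Get-MailDetailTransportRuleReport -StartDate $start -EndDate $end -TransportRule $ruleName
$hits | Select-Object Date, SenderAddress, RecipientAddress, Subject, MessageTraceId |
    Export-Csv -Path '.\Audit Direct Delivery.csv' -NoTypeInformation

# Step 3: resolve each hit to the connecting IP with a message trace, then
# summarise by source so that legitimate mail systems (many messages from one
# address block) stand out from one-off internet senders.
$sources = foreach ($h in $hits) {
    Get-MessageTrace -MessageTraceId $h.MessageTraceId `
                     -RecipientAddress $h.RecipientAddress `
                     -StartDate $start -EndDate $end |
        Select-Object FromIP, SenderAddress, Received
}

$sources | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'FromIP';       e = { $_.Name } },
                  Count,
                  @{ n = 'SampleSender'; e = { $_.Group[0].SenderAddress } } |
    Format-Table -AutoSize
```

Only sources you recognise as your own or a contracted provider belong in the Step 4 exception list; an unknown FromIP delivering to EOP is exactly the traffic the connector restriction in Step 6 is meant to stop.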
Step 4: Add IP Address to Exception List
Modify the "Audit Direct Delivery" Transport Rule (created in Step 1) and add any other authorized systems identified to the "Except if... the sender's IP address is in any of these ranges" exception list (sub-step 12).
Step 5: Repeat steps 2 through 4
Repeat steps 2 through 4 until all authorized mail systems are identified and added to the exception list. The IP addresses in the Audit Direct Delivery Transport Rule exception list will be used in the following step.
Step 6: Enable Actions to Prevent Direct Delivery
Once all exceptions (authorized mail systems) have been identified, the Inbound from Proofpoint Transport Connector can be updated to prevent other mail systems from bypassing Proofpoint Essentials and delivering directly to Microsoft 365.
This step should only be completed once you have finished your inbound migration and once you are satisfied that all inbound email traffic to your Microsoft tenant routes via the Proofpoint systems.
1. Sign in to the Microsoft 365 Admin center.
2. Click Mail flow, then Connectors.
3. Click the Proofpoint Essentials Inbound Connector. This connector was created previously when initially configuring Microsoft 365.
4. Under the How to identify your partner organization heading, click Edit sent email identity and select By verifying that the sender domain matches one of the following domains.
5. Ensure * is listed as the entry. If it is not, type * and click + (add).
6. Click Save.
7. Click the back arrow to return to the connector details.
8. Under the Security restrictions heading, click Edit restrictions.
9. Verify Reject email messages if they aren't sent over TLS is selected.
10. Select Reject email messages if they aren't sent from within this IP address range.
11. Click the + button, then add all IP addresses authorized to send email directly to EOP, which should include the IP addresses of Proofpoint Essentials and any authorized mail systems, then click Save.
Make sure to identify the full range of IP addresses for your Proofpoint Essentials or any other third-party email service authorized to send email from your domains. If authorized mail systems are not accounted for in the connector, messages from those sources will be rejected.
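The same connector change can be applied from PowerShell, which also lets you reuse the exception list built in Steps 1 to 5 instead of retyping it and check the onmicrosoft.com precondition from the About section first. This is an added example, not part of the original article; the connector name is assumed, and it assumes the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original article): Step 6 from PowerShell.
# Assumes the ExchangeOnlineManagement module; the connector name is assumed.
Connect-ExchangeOnline

$ruleName      = 'Audit Direct Delivery'
$connectorName = 'Proofpoint Essentials Inbound Connector'   # assumed name

# Precondition from the About section: once the connector restriction is on,
# mail to the onmicrosoft.com domain is rejected, so no mailbox may use it as primary.
$onMicrosoft = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress -like '*.onmicrosoft.com' }
if ($onMicrosoft) {
    $onMicrosoft | Select-Object DisplayName, PrimarySmtpAddress | Format-Table -AutoSize
    throw 'Change the primary SMTP address of the mailboxes above before restricting direct delivery.'
}

# The authorized senders are exactly the exception list maintained in Steps 1-5.
$authorizedIPs = (Get-TransportRule -Identity $ruleName).ExceptIfSenderIpRanges |
    ForEach-Object { $_.ToString() }
if (-not $authorizedIPs) { throw "Rule '$ruleName' has no sender IP exceptions; nothing to allow." }

# Transport rules accept hyphenated ranges (a.b.c.d-a.b.c.e); the connector does not,
# so such entries must be rewritten as single IPs or CIDR blocks first.
$hyphenated = $authorizedIPs | Where-Object { $_ -like '*-*' }
if ($hyphenated) { throw "Convert these ranges to CIDR before continuing: $($hyphenated -join ', ')" }

# Mirror the GUI settings: sender domain '*', require TLS, restrict to the IP list.
Set-InboundConnector -Identity $connectorName `
    -SenderDomains '*' `
    -RequireTls $true `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses $authorizedIPs

# Read the connector back so the final state is visible in the session transcript.
Get-InboundConnector -Identity $connectorName |
    Select-Object Name, Enabled, RequireTls, RestrictDomainsToIPAddresses,
                  SenderDomains, SenderIPAddresses |
    Format-List
```

After applying the change, re-run the Step 2 report for a day: the audit rule should no longer fire, because anything not in the list is now rejected at the connector rather than stamped with X-EOP-Direct-Delivery.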
Carlos Rios