SharePoint Online Email Content Filter Question

geobec15
Level 1

I want to add a header to SharePoint Online emails that will allow it to bypass our FED quarantine content rule.  When an executive in our FED dictionary requests access to a SharePoint Online resource or leaves a comment in a document, the email winds up quarantined by FED because the SharePoint Online notifications use the display name of the O365 user as the display name of the email.


I have a content rule that checks if the sender is no-reply@sharepointonline.com, and checks to see if the ARC-Authentication-Results header contains dmarc=pass and header.d=sharepointonline.com and if all those conditions are true, then insert the header. 


What would be great would be a condition in the content filters for DMARC verification = pass; however, that doesn't exist yet, hence my kludgy workaround. It was working for a bit; however, now it has stopped. Is anyone else using a content filter to check if a SharePoint Online email passed DMARC? If so, how are you doing that?

4 Replies

UdupiKrishna
Cisco Employee

If the new messages which are now being caught by FED contain the correct authentication result headers (which includes DMARC results) the filter should still work.


Did you have a chance to look at the headers and see if something has changed? Logically the SharePoint filter should be processed prior to the FED filter for it to work effectively; I am sure you know that already. Can you paste a copy of the latest headers and the filter configuration for reference?

geobec15
Level 1

The filter config is:

FED_SHAREPOINT_BYPASS: if (mail-from == "no-reply@sharepointonline.com") AND (header("ARC-Authentication-Results") == "dmarc=pass") AND (header("ARC-Authentication-Results") == "header.d=sharepointonline.com") { insert-header("header_name_redacted", "POSITIVE"); }

I attached the authentication headers and redacted some information (not sure I needed to but I did).  Specifically here is the ARC-Authentication-Results header that the content rule should be checking and it sure looks to me like it matches the condition.

ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=fail (sender ip is
ironport_IP_address) smtp.rcpttodomain=ourdomain.com
smtp.mailfrom=sharepointonline.com; dmarc=pass (p=reject sp=reject pct=100)
action=none header.from=sharepointonline.com; dkim=pass (signature was
verified) header.d=sponaeop.onmicrosoft.com; dkim=pass (signature was
verified) header.d=sharepointonline.com; arc=pass (0 oda=0 ltdi=1)

Yes you are correct I have it prior to the FED filter, the FED filter has a condition on it.  I searched the SMA to find one where the content filter worked in the past and now I am not sure if the content filter ever worked. It may have just been coincidence where there was a stretch where an executive in the FED dictionary didn't request access to a SharePoint Online file.

UdupiKrishna
Cisco Employee

The configuration looks good to me and the headers are matching too. I ran a test by injecting the same ARC headers into an ESA with this filter and I see that the custom header was added successfully.


Fri May 20 20:48:39 2022 Info: 1128 Sent: 'MAIL FROM:<no-reply@sharepointonline.com> SIZE=993'
Fri May 20 20:48:39 2022 Info: 1128 Rcvd: '250 sender <no-reply@sharepointonline.com> ok'
Fri May 20 20:48:39 2022 Info: 1128 Sent: 'RCPT TO:<udukrish@abc.com>'
Fri May 20 20:48:39 2022 Info: 1128 Rcvd: '250 recipient <udukrish@abc.com> ok'
Fri May 20 20:48:39 2022 Info: 1128 Sent: 'DATA'
Fri May 20 20:48:40 2022 Info: 1128 Rcvd: '354 go ahead'
Fri May 20 20:48:40 2022 Info: 1128 Sent: 'IronPort-SDR: 

...output omitted...
...
Fri May 20 20:48:40 2022 Info: 1128 Sent: 'X-IronPort-SenderGroup: MY_TRUSTED_SPOOF_HOSTS\r\n'
Fri May 20 20:48:40 2022 Info: 1128 Sent: 'X-IronPort-MailFlowPolicy: $ACCEPTED\r\n'
Fri May 20 20:48:40 2022 Info: 1128 Sent: 'header_name_redacted: POSITIVE\r\n'


I have attached partial headers from the recipient for your reference. It contains the same ARC headers along with the header added by the message filter.

To confirm if the filter is working, gather a sample email and look for these headers, or try using message tracking and filter on the filter's name.


Edit: Upload of headers isn't working. Here are the headers from the actual email.


X-IronPort-RemoteIP: 12.163.23.18
X-IronPort-MID: 824
X-IronPort-Reputation: -10.0
X-IronPort-Listener: MailFlow
X-IronPort-SenderGroup: MY_TRUSTED_SPOOF_HOSTS
X-IronPort-MailFlowPolicy: $ACCEPTED
header_name_redacted: POSITIVE
X-IronPort-AV: E=Sophos;i="5.91,240,1647327600";
d="scan'208";a="824"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from unknown (HELO [X.X.X.X]) ([X.X.X.X])
by esa1.hc905-75.ap.iphmx.com with ESMTP; 20 May 2022 20:48:36 -0700
Message-ID: <2046961b-7d4a-3874-b4b2-17b410cd4216@gmail.com>
Date: Sat, 21 May 2022 09:18:35 +0530
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
Gecko/20100101 Thunderbird/91.9.0
Arc-Authentication-Results: i=2; mx.microsoft.com 1; spf=fail (sender ip is,
ironport_IP_address) smtp.rcpttodomain=ourdomain.com,
smtp.mailfrom=sharepointonline.com; dmarc=pass (p=reject sp=reject pct=100),
action=none header.from=sharepointonline.com; dkim=pass (signature was,
verified) header.d=sponaeop.onmicrosoft.com; dkim=pass (signature was,
verified) header.d=sharepointonline.com; arc=pass (0 oda=0 ltdi=1)
To: <udukrish@abc.com>
From: <no-reply@sharepointonline.com>
Subject: Testing email

geobec15
Level 1

Apparently something did change, because on one that was quarantined last Friday, the ARC-Authentication-Results header contains dmarc=none. I am going to change the content filter to examine the Authentication-Results header instead and hope for better results. Originally I chose ARC-Authentication-Results because it appeared to be more consistent; either something changed or I did not have a large enough sample size. Thank you for looking at this with me!!


ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none
action=none header.from=sharepointonline.com; dkim=none (message not signed);
arc=none


Authentication-Results: esa2; spf=Pass smtp.mailfrom=no-reply@sharepointonline.com; spf=Pass smtp.helo=postmaster@NAM04-BN8-obe.outbound.protection.outlook.com; dkim=pass (signature verified) header.i=@sponaeop.onmicrosoft.com; dkim=pass (signature verified) header.i=@sharepointonline.com; dmarc=pass (p=reject dis=none) d=sharepointonline.com
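The following is an added example, not code from the thread and not Cisco appliance code. It models the two filter variants discussed above in Python: the posted FED_SHAREPOINT_BYPASS condition, which substring-matches the ARC-Authentication-Results header that an upstream hop (mx.microsoft.com) wrote, and the variant the thread moves towards, which parses the Authentication-Results header stamped by the receiving ESA itself (RFC 8601 syntax) and requires dmarc=pass for sharepointonline.com. The ARC and Authentication-Results values are copied from the thread; everything else is constructed: the envelope sender is passed in explicitly, the Authentication-Results line on the May 2022 sample (attributed here to "esa1") is assumed, and the third sample is a deliberately forged message carrying a hand-written ARC header, included to show why trusting text that arrived with the message is a bypass. Plain substring matching stands in for the appliance's regex match, and treating any instance of a repeated header as a match is an assumption about AsyncOS semantics.

```python
"""Offline model of the FED_SHAREPOINT_BYPASS check from this thread (added
example; not part of the thread or of any Cisco code)."""
import re
from email import message_from_string
from email.message import Message

SHAREPOINT_SENDER = "no-reply@sharepointonline.com"

# Sample 1: the May 2022 headers (ARC i=2, dmarc=pass). The Authentication-Results
# line from "esa1" is assumed; the thread shows only the ARC header for this one.
MAY_2022_RAW = """\
Authentication-Results: esa1; spf=Pass smtp.mailfrom=no-reply@sharepointonline.com;
 dmarc=pass (p=reject dis=none) d=sharepointonline.com
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=fail (sender ip is
 ironport_IP_address) smtp.rcpttodomain=ourdomain.com
 smtp.mailfrom=sharepointonline.com; dmarc=pass (p=reject sp=reject pct=100)
 action=none header.from=sharepointonline.com; dkim=pass (signature was
 verified) header.d=sponaeop.onmicrosoft.com; dkim=pass (signature was
 verified) header.d=sharepointonline.com; arc=pass (0 oda=0 ltdi=1)
From: "Executive Name" <no-reply@sharepointonline.com>
Subject: Executive Name wants to share a document

(constructed body)
"""

# Sample 2: the quarantined message. ARC i=1 says dmarc=none while the ESA's
# own Authentication-Results says dmarc=pass.
QUARANTINED_RAW = """\
Authentication-Results: esa2; spf=Pass smtp.mailfrom=no-reply@sharepointonline.com;
 spf=Pass smtp.helo=postmaster@NAM04-BN8-obe.outbound.protection.outlook.com;
 dkim=pass (signature verified) header.i=@sponaeop.onmicrosoft.com;
 dkim=pass (signature verified) header.i=@sharepointonline.com;
 dmarc=pass (p=reject dis=none) d=sharepointonline.com
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none
 action=none header.from=sharepointonline.com; dkim=none (message not signed);
 arc=none
From: "Executive Name" <no-reply@sharepointonline.com>
Subject: Executive Name wants to share a document

(constructed body)
"""

# Sample 3 (entirely constructed): a spoof from outside carrying a hand-written
# ARC-Authentication-Results header. The ESA's own verdict is dmarc=fail.
FORGED_RAW = """\
Authentication-Results: esa2; spf=Fail smtp.mailfrom=no-reply@sharepointonline.com;
 dkim=none; dmarc=fail (p=reject dis=none) d=sharepointonline.com
ARC-Authentication-Results: i=2; mx.microsoft.com 1; dmarc=pass
 header.from=sharepointonline.com; dkim=pass header.d=sharepointonline.com
From: "Executive Name" <no-reply@sharepointonline.com>
Subject: Executive Name wants to share a document

(constructed body)
"""

_COMMENT = re.compile(r"\([^()]*\)")


def parse_authres(value: str) -> tuple[str, list[dict]]:
    """Parse one Authentication-Results / ARC-Authentication-Results value into
    (authserv_id, [{"method", "result", "props"}]). Parenthesised comments are
    stripped first, so "(p=reject sp=reject pct=100)" never becomes a property;
    a leading ARC "i=N" instance tag and an authserv-id version are skipped."""
    parts = [p.strip() for p in _COMMENT.sub(" ", value).split(";") if p.strip()]
    if parts and re.fullmatch(r"i=\d+", parts[0]):
        parts.pop(0)
    if not parts:
        return "", []
    authserv_id = parts.pop(0).split()[0]  # "mx.microsoft.com 1" -> "mx.microsoft.com"
    results = []
    for part in parts:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if val:
                props[key.lower()] = val
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return authserv_id, results


def original_filter(envelope_from: str, msg: Message) -> bool:
    """The posted condition: envelope sender plus substring matches on any
    ARC-Authentication-Results instance (stand-in for the appliance regex).
    The ARC header was written upstream, so this trusts text that arrived
    with the message."""
    arcs = msg.get_all("ARC-Authentication-Results", [])
    return (envelope_from.lower() == SHAREPOINT_SENDER
            and any("dmarc=pass" in v for v in arcs)
            and any("header.d=sharepointonline.com" in v for v in arcs))


def local_authres_filter(envelope_from: str, msg: Message, authserv_id: str) -> bool:
    """Variant the thread moves towards: only the Authentication-Results header
    carrying the receiving ESA's own authserv-id counts, and it must record
    dmarc=pass for sharepointonline.com (d= on the ESA header, header.from=
    on Microsoft-style headers)."""
    if envelope_from.lower() != SHAREPOINT_SENDER:
        return False
    for value in msg.get_all("Authentication-Results", []):
        asid, results = parse_authres(value)
        if asid != authserv_id:
            continue  # stamped by some other host; ignore it
        for r in results:
            if r["method"] == "dmarc" and r["result"] == "pass":
                domain = r["props"].get("d") or r["props"].get("header.from")
                if domain == "sharepointonline.com":
                    return True
    return False


def evaluate(raw: str, envelope_from: str, authserv_id: str) -> dict:
    """Run both variants over one raw message; returns {variant: matched}."""
    msg = message_from_string(raw)
    return {"original_filter": original_filter(envelope_from, msg),
            "local_authres_filter": local_authres_filter(envelope_from, msg, authserv_id)}


if __name__ == "__main__":
    for name, raw, asid in (("may_2022", MAY_2022_RAW, "esa1"),
                            ("quarantined", QUARANTINED_RAW, "esa2"),
                            ("forged", FORGED_RAW, "esa2")):
        print(name, evaluate(raw, SHAREPOINT_SENDER, asid))
```

Running it shows the three outcomes that matter: the May 2022 sample matches both variants, the quarantined sample matches only the local-header variant (its only ARC instance says dmarc=none, exactly what the last reply found), and the forged sample matches the posted filter but not the local-header one. One caveat before relying on the local header: RFC 8601 section 5 requires a receiving MTA to delete any pre-existing Authentication-Results header that claims its own authserv-id before adding its own, and whether the ESA does that on the inbound listener is something to confirm on the appliance; if it does not, an Authentication-Results header naming "esa2" can be supplied from outside just as easily as an ARC header, and the filter is back to trusting arriving text.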
