Advanced Exchange Online Security and Compliance: The Tools I Use Daily

Whether it’s PowerShell, VMware, or supporting the team, I give my best because people depend on what happens behind this screen.

Introduction

Email is still the heart of business communication, and it’s also the easiest door for attackers to exploit.
This is my real-world approach to securing Exchange Online: how I protect messages, enforce policies, retain critical data, and keep unwanted activity out of the environment.
These are the tools I use every day — quiet, behind-the-scenes work that keeps an entire organization safe.


Messaging Policies and Mail Protection

What

Mail flow rules control how messages enter, exit, and move inside the company.
They prevent risky behavior, secure sensitive data, and keep communication structured.

Why

Without strict policies, users can accidentally leak information, forward confidential data, or bypass compliance rules.

How

Mail Flow Rules I Maintain

• Prevent auto-forwarding outside the company
• Block forwarding to personal Gmail/Yahoo
• Restrict sensitive keywords (finance, HR, payroll)
• Add disclaimers for external recipients
• Enforce rules for shared mailboxes

PowerShell Example: Show All Transport Rules

Get-TransportRule | Select Name,State,Mode,Priority
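A way to verify the forwarding rules above from the mailbox side, as an added example that is not part of the original post. The function name, the sample objects and the assumed value formats are illustrative; it runs offline on the constructed data and accepts real `Get-EXOMailbox` or `Get-InboxRule` output unchanged.

```powershell
# Added example. Flags forwarding targets whose domain is not one of the tenant's own.
# Works on mailbox objects (ForwardingSmtpAddress) and inbox-rule objects
# (ForwardTo, RedirectTo, ForwardAsAttachmentTo) alike.
function Find-ExternalForward {
    param(
        [Parameter(Mandatory)] [object[]] $InputObject,
        [Parameter(Mandatory)] [string[]] $InternalDomain
    )
    $fields = 'ForwardingSmtpAddress', 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo'
    foreach ($item in $InputObject) {
        foreach ($field in $fields) {
            foreach ($value in @($item.$field)) {
                # Assumed value shapes: 'smtp:user@domain' or '"Name" [SMTP:user@domain]'.
                $hits = [regex]::Matches([string]$value, '(?i)smtp:([^@\]\s]+)@([^\]\s]+)')
                foreach ($hit in $hits) {
                    $domain = $hit.Groups[2].Value
                    if ($InternalDomain -notcontains $domain) {
                        [pscustomobject]@{
                            Source  = $item.Identity
                            Setting = $field
                            Target  = '{0}@{1}' -f $hit.Groups[1].Value, $domain
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample objects; the names and domains are placeholders.
$sample = @(
    [pscustomobject]@{ Identity = 'payroll'; ForwardingSmtpAddress = 'smtp:archive@personal-mail.example' }
    [pscustomobject]@{ Identity = 'hr\Team copy'; ForwardTo = @('"HR Team" [SMTP:hr-team@corp.example]') }
    [pscustomobject]@{ Identity = 'ceo\Fwd all'; RedirectTo = @('"Me" [SMTP:ceo.home@personal-mail.example]') }
)
Find-ExternalForward -InputObject $sample -InternalDomain 'corp.example'

# Live tenant (Exchange Online session), same function:
#   $own = (Get-AcceptedDomain).DomainName
#   $all = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress
#   Find-ExternalForward -InputObject $all -InternalDomain $own
```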

Email Aliases and Address Management

What

Aliases provide alternative addresses for departments, teams, or special functions.

Why

They simplify communication, eliminate confusion, and keep primary mailboxes private.

How

Add an Alias

Set-Mailbox -Identity <mailbox@domain> -EmailAddresses @{add="<alias@domain>"}

Litigation Hold and Retention

What

• Litigation Hold preserves every message
• Retention Policies define how long data must be kept

Why

Legal protection.
Compliance protection.
And proof that no one destroyed company data intentionally.

How

Enable Litigation Hold

Set-Mailbox -Identity <mailbox@domain> -LitigationHoldEnabled $true

Check Hold Status

Get-Mailbox -Identity <mailbox@domain> | Select LitigationHoldEnabled, LitigationHoldDate

Retention Policies and Labels

What

Rules that manage email lifecycle:

• Keep 7 years (HR, finance)
• Keep indefinitely (executives)
• Auto-archive after X years
• Delete only when compliance approves

Why

Retention prevents chaos — too long, too short, or inconsistent retention creates legal risk.

How

View Retention Policies

Get-RetentionPolicy | Select Name,RetentionId,IsDefault

Message Tracing and Investigation

What

Tracking the path of an email from sender → filters → inbox.

Why

It solves:

• Missing email
• Routing delays
• Spam filtering
• Proof of delivery
• Auto-forwarding issues

How

Short Trace (Last 2 Hours)

Get-MessageTrace -RecipientAddress <recipient@domain> -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date)

Deep Trace

Get-MessageTraceDetail -MessageTraceId <ID> -RecipientAddress <recipient@domain>

Anti-Phishing, Anti-Spam, and Safe Attachments

What

Policies that stop impersonation, malware, spoofing, and fraudulent links.

Why

Threat actors evolve daily.
These policies must evolve with them.

How

What I Review

• Spoof intelligence
• Impersonation protection
• Junk thresholds
• Block/allow lists
• Safe Links
• Safe Attachments

PowerShell Example

Get-HostedContentFilterPolicy | Select Name,SpamAction,HighConfidenceSpamAction

Hybrid Filtering (Proofpoint + M365)

What

When an organization uses Proofpoint externally and M365 internally.

Why

Most mail incidents happen between systems — misconfigured connectors are the #1 cause of undelivered mail.

How

I Manage

• Routing tables
• Inbound connectors
• Outbound smart hosts
• Quarantine overrides
• Digest troubleshooting


Shared Mailboxes: Tracking Activity

What

Audit visibility for shared mailboxes (support, sales, finance).

Why

Shared mailboxes often handle sensitive workflows — tracking who sent what is critical.

How

Who Sent Mail from Shared Mailbox

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Operations SendOnBehalf -UserIds <user@domain>

Auditing & Monitoring

What

My daily and weekly checks for unusual activity.

Why

Small changes snowball into major breaches.

How

Recent Permission Changes

Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-12) -EndDate (Get-Date) -Operations Add-MailboxPermission
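Both audit searches above (shared-mailbox sends and permission changes) return the useful detail packed into a JSON `AuditData` string. The following added example, which is not from the original post, flattens it into one row per event; the function name and sample records are constructed, and the JSON field names (`SendAsUserSmtp`, `SendOnBehalfOfUserSmtp`, `Parameters`, `Item.Subject`) are assumptions to confirm against a record from your own tenant.

```powershell
# Added example. Turns unified audit log records into one readable row each.
function ConvertFrom-MailboxAuditRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json

        # Admin cmdlet records (e.g. Add-MailboxPermission) carry Name/Value parameter pairs.
        $cmdArgs = @{}
        foreach ($p in @($data.Parameters)) { if ($p) { $cmdArgs[$p.Name] = $p.Value } }

        # Send records name the address that was used as the sender.
        $sentAs = @($data.SendAsUserSmtp, $data.SendOnBehalfOfUserSmtp) |
            Where-Object { $_ } | Select-Object -First 1

        [pscustomobject]@{
            When      = $data.CreationTime
            Operation = $data.Operation
            Actor     = $data.UserId
            Target    = if ($sentAs) { $sentAs } else { $data.ObjectId }
            Detail    = if ($cmdArgs.Count) {
                            '{0} granted {1}' -f $cmdArgs['User'], $cmdArgs['AccessRights']
                        } else { $data.Item.Subject }
        }
    }
}

# Constructed sample records (addresses and times are placeholders).
$constructed = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-15T09:12:00","Operation":"SendAs",' +
        '"UserId":"delegate@corp.example","SendAsUserSmtp":"support@corp.example",' +
        '"Item":{"Subject":"Refund approved"}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-15T23:41:00","Operation":"Add-MailboxPermission",' +
        '"UserId":"admin@corp.example","ObjectId":"finance@corp.example","Parameters":[' +
        '{"Name":"User","Value":"contractor@corp.example"},{"Name":"AccessRights","Value":"FullAccess"}]}' }
)
$constructed | ConvertFrom-MailboxAuditRecord | Format-Table -AutoSize

# Live tenant (Exchange Online session):
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#       -Operations SendAs,SendOnBehalf,Add-MailboxPermission -ResultSize 1000 |
#       ConvertFrom-MailboxAuditRecord
```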

Mailbox Size Issues & Quota Management

What

Mailbox storage thresholds.

Why

When users hit quota, they immediately lose the ability to send.

How

Check Size

Get-ExoMailboxStatistics -Identity <mailbox@domain> | Select TotalItemSize,ItemCount

Raise Quota

Set-Mailbox -Identity <mailbox@domain> -ProhibitSendQuota 95GB

Mailbox Delegation & Access Reviews

What

Review who has access to sensitive mailboxes.

Why

Too much access = high security risk.

How

Check Permissions

Get-ExoMailboxPermission -Identity <mailbox@domain> | Where-Object { $_.User -notlike "NT AUTHORITY\SELF" }

Data Loss Prevention (DLP)

What

Policies that prevent sensitive data (PII, financial info, SSNs, HR documents) from leaving the organization.

Why

Most leaks are accidental, not malicious.
DLP prevents mistakes from becoming legal disasters.

How

View DLP Policies

# Run in a Security & Compliance PowerShell session (Connect-IPPSSession)
Get-DlpCompliancePolicy | Select Name,Mode,State

Typical Rules I Maintain

• Block sending payroll files
• Detect credit card patterns
• Restrict SSN transmission
• Alert IT on violations


Email Routing Security

What

Routing = the path an email takes from external → internal → outbound.

Why

Bad routing = lost email, spoofing risks, failed DKIM/SPF/DMARC, compromised forwarders.

Attackers LOVE manipulating routing.

How

Key Areas I Maintain

• MX records
• SPF allow lists
• Smart host routing
• TLS enforcement
• Inbound/outbound connectors
• No open relay
• Block unauthorized forwarding

PowerShell: View Connectors

Get-InboundConnector | Select Name,Enabled,SenderDomains
Get-OutboundConnector | Select Name,Enabled,SmartHosts
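Listing connectors shows what exists; the review that matters for TLS enforcement, open relay and the hybrid Proofpoint path is whether each one is locked down. This added example (not from the original post) checks the connector properties for that. The function name, the issue wording and the sample connectors are constructed, and which findings count as a problem is a judgment call for your environment.

```powershell
# Added example. Reports enabled connectors with weak transport settings.
function Test-ConnectorHygiene {
    param([object[]] $Inbound = @(), [object[]] $Outbound = @())

    foreach ($c in $Inbound | Where-Object Enabled) {
        $issues = @()
        if (-not $c.RequireTls) { $issues += 'TLS not required' }
        # An inbound connector that trusts a sender domain without pinning the
        # sending host lets anyone claiming that domain use the connector.
        if (-not ($c.RestrictDomainsToCertificate -or $c.RestrictDomainsToIPAddresses)) {
            $issues += 'sender not pinned to a certificate or IP range'
        }
        if ($issues) {
            [pscustomobject]@{ Direction = 'Inbound'; Connector = $c.Name; Issues = $issues -join '; ' }
        }
    }

    foreach ($c in $Outbound | Where-Object Enabled) {
        $issues = @()
        # An empty TlsSettings value means opportunistic TLS: mail can fall back to cleartext.
        if (-not $c.TlsSettings) { $issues += 'opportunistic TLS only' }
        if (-not $c.UseMXRecord -and -not $c.SmartHosts) { $issues += 'no smart host and MX routing off' }
        if ($issues) {
            [pscustomobject]@{ Direction = 'Outbound'; Connector = $c.Name; Issues = $issues -join '; ' }
        }
    }
}

# Constructed sample connectors (names and hosts are placeholders).
$inboundSample = @(
    [pscustomobject]@{ Name = 'From gateway'; Enabled = $true; RequireTls = $true
                       RestrictDomainsToCertificate = $true; RestrictDomainsToIPAddresses = $false }
    [pscustomobject]@{ Name = 'Legacy scanner'; Enabled = $true; RequireTls = $false
                       RestrictDomainsToCertificate = $false; RestrictDomainsToIPAddresses = $false }
)
$outboundSample = @(
    [pscustomobject]@{ Name = 'To gateway'; Enabled = $true; TlsSettings = $null
                       UseMXRecord = $false; SmartHosts = @('outbound.gateway.example') }
)
Test-ConnectorHygiene -Inbound $inboundSample -Outbound $outboundSample

# Live tenant (Exchange Online session):
#   Test-ConnectorHygiene -Inbound (Get-InboundConnector) -Outbound (Get-OutboundConnector)
```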

Conclusion

This is my Exchange Online security toolkit — the messaging controls, retention systems, compliance protections, and routing safeguards I use every day.
These tools protect users, leadership, legal teams, and the entire organization from silent risks that hide inside email traffic.

Real security isn’t loud.
It’s consistent, careful, and invisible — until the moment it saves the business.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
