Anti-Spam & Sicherheit Anti-Spam & Security
EOP, Defender for Office 365, SPF, DKIM, DMARC, QuarantÀne und sichere Zustellung. EOP, Defender for Office 365, SPF, DKIM, DMARC, quarantine, and secure delivery.
Architektur, DNS, Limits, Migration und Kern-Cmdlets. Architecture, DNS, limits, migration, and core cmdlets.
Benutzer-, Shared-, Raum- und ArchivpostfÀcher verwalten. Manage user, shared, room, and archive mailboxes.
Mail Flow Rules, PrioritÀten, DLP und Nachrichtennachverfolgung. Mail flow rules, priorities, DLP, and message tracing.
Exchange Online Protection bildet die Basisschicht fĂŒr eingehende und ausgehende E-Mail-Sicherheit. Defender for Office 365 erweitert diese Basis um Safe Links, Safe Attachments, erweiterte Phishing-Abwehr, QuarantĂ€neoptionen und Attack Simulation. Exchange Online Protection forms the base layer for inbound and outbound email security. Defender for Office 365 extends that base with Safe Links, Safe Attachments, advanced phishing protection, quarantine options, and attack simulation.
EOP Ăberblick EOP overview
Exchange Online Protection prĂŒft SMTP-Verbindungen, Reputation, Header, Inhalt, URL-Muster, AnhĂ€nge und Richtlinien. FĂŒr Administratoren ist wichtig zu verstehen, dass viele Einstellungen in der Defender-OberflĂ€che verwaltet werden, die zugrunde liegenden Policies aber per PowerShell inventarisiert und teilweise vollstĂ€ndig konfiguriert werden können. Exchange Online Protection evaluates SMTP connections, reputation, headers, content, URL patterns, attachments, and policies. Administrators should understand that many settings are managed in the Defender experience, while the underlying policies can still be inventoried and, in many cases, fully configured with PowerShell.
SCL/BCL, Malware Scan, Spoof Intelligence, DKIM/DMARC/SPF und QuarantÀne. SCL/BCL, malware scan, spoof intelligence, DKIM/DMARC/SPF, and quarantine.
Begrenzt kompromittierte Konten, Spam-Bursts und unzulÀssiges Forwarding. Limits compromised accounts, spam bursts, and unauthorized forwarding.
Safe Links, Safe Attachments, Attack Simulation und User Submissions. Safe Links, Safe Attachments, attack simulation, and user submissions.
SPF, DKIM und DMARC verbessern Zustellung und Missbrauchsschutz. SPF, DKIM, and DMARC improve deliverability and anti-abuse posture.
Inbound Anti-Spam Inbound anti-spam
Inbound Anti-Spam Policies definieren, wie Exchange Online verdÀchtige Nachrichten bewertet und behandelt. Besonders wichtig sind Spam Confidence Level, Bulk Complaint Level, Aktionen pro Wertbereich und QuarantÀneoptionen. Inbound anti-spam policies define how Exchange Online evaluates and handles suspicious messages. Spam confidence level, bulk complaint level, per-range actions, and quarantine options are especially important.
| SCL SCL | Deutung Meaning | Beschreibung Description | Wirkung Effect |
|---|---|---|---|
| -1 -1 | Bypass / vertrauenswĂŒrdig Bypass / vertrauenswĂŒrdig | Bypass / trusted Bypass / trusted | System- oder Allow-Fall, normalerweise keine Spam-Aktion. System- oder Allow-Fall, normalerweise keine Spam-Aktion. |
| 0-1 0-1 | Kein Spam Kein Spam | Not spam Not spam | Normale Zustellung in den Posteingang. Normale Zustellung in den Posteingang. |
| 5-6 5-6 | Spam Spam | Spam Spam | Typisch Junk oder QuarantÀne gemÀà Policy. Typisch Junk oder QuarantÀne gemÀà Policy. |
| 7-8 7-8 | High confidence spam High confidence spam | High confidence spam High confidence spam | Oft QuarantÀne. Oft QuarantÀne. |
| 9 9 | High confidence phishing / blockÀhnlich High confidence phishing / blockÀhnlich | High confidence phishing / near-block High confidence phishing / near-block | Aggressivste Policy-Behandlung. Aggressivste Policy-Behandlung. |
- Setzen Sie Bulk Threshold bewusst; Marketing-Newsletter und legitime Massenmails werden sonst unnötig betroffen. Set the bulk threshold deliberately; legitimate marketing newsletters and bulk mail can otherwise be impacted.
- QuarantÀne ist meist sicherer als direktes Löschen, weil False Positives untersucht werden können. Quarantine is usually safer than direct deletion because false positives can be investigated.
- Verwenden Sie Tenant Allow/Block Listen nur fĂŒr gezielte Ausnahmen, nicht als Ersatz fĂŒr saubere Policies. Use tenant allow/block lists only for targeted exceptions, not as a substitute for clean policies.
Get-HostedContentFilterPolicy | Select-Object Name,SpamAction,HighConfidenceSpamAction,PhishSpamAction,BulkThreshold,InlineSafetyTipsEnabled
Set-HostedContentFilterPolicy -Identity "Default" -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine -PhishSpamAction Quarantine -BulkThreshold 6 -InlineSafetyTipsEnabled $true
Get-HostedContentFilterPolicy | Select-Object Name,SpamAction,HighConfidenceSpamAction,PhishSpamAction,BulkThreshold,InlineSafetyTipsEnabled
Set-HostedContentFilterPolicy -Identity "Default" -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine -PhishSpamAction Quarantine -BulkThreshold 6 -InlineSafetyTipsEnabled $true
Get-HostedContentFilterRule | Select-Object Name,Priority,State,HostedContentFilterPolicy
Get-HostedContentFilterPolicy -Identity "Default" | Format-List *Action*,BulkThreshold,*SafetyTips*
Get-HostedContentFilterRule | Select-Object Name,Priority,State,HostedContentFilterPolicy
Get-HostedContentFilterPolicy -Identity "Default" | Format-List *Action*,BulkThreshold,*SafetyTips*
Outbound Anti-Spam Outbound anti-spam
Outbound Policies sollen kompromittierte Konten, Spam-AusbrĂŒche und riskante automatische Weiterleitungen begrenzen. Besonders relevant sind EmpfĂ€ngerlimits, Account Restrictions und automatische Benachrichtigungen an Security oder Helpdesk. Outbound policies are meant to contain compromised accounts, spam bursts, and risky automatic forwarding. Recipient limits, account restrictions, and automated notifications to security or helpdesk are especially relevant.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name,RecipientLimitExternalPerHour,RecipientLimitInternalPerHour,AutoForwardingMode,NotifyOutboundSpam
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode Off -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients soc@contoso.com
Get-HostedOutboundSpamFilterPolicy | Select-Object Name,RecipientLimitExternalPerHour,RecipientLimitInternalPerHour,AutoForwardingMode,NotifyOutboundSpam
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode Off -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients soc@contoso.com
| Einstellung Setting | Empfehlung Recommendation | Nutzen Benefit | Beschreibung Description |
|---|---|---|---|
| AutoForwardingMode AutoForwardingMode | Off Off | Blockiert automatische externe Weiterleitung. Blockiert automatische externe Weiterleitung. | Blocks automatic external forwarding. Blocks automatic external forwarding. |
| RecipientLimitExternalPerHour RecipientLimitExternalPerHour | PolicyabhÀngig PolicyabhÀngig | Begrenzt Burst-Versand nach extern. Begrenzt Burst-Versand nach extern. | Limits external burst sending. Limits external burst sending. |
| RecipientLimitInternalPerHour RecipientLimitInternalPerHour | PolicyabhÀngig PolicyabhÀngig | Begrenzt Missbrauch auch intern. Begrenzt Missbrauch auch intern. | Limits abuse internally as well. Limits abuse internally as well. |
| NotifyOutboundSpam NotifyOutboundSpam | $true $true | Sendet Benachrichtigung bei auffÀlligem Konto. Sendet Benachrichtigung bei auffÀlligem Konto. | Sends notification when an account is suspicious. Sends notification when an account is suspicious. |
| Restricted Users Restricted Users | Defender Portal Defender Portal | Betroffene Konten mĂŒssen geprĂŒft und bereinigt werden. Betroffene Konten mĂŒssen geprĂŒft und bereinigt werden. | Affected accounts must be reviewed and remediated. Affected accounts must be reviewed and remediated. |
Connection Filter Connection filter
Connection Filtering arbeitet am SMTP-Eingang und kann definierte Quell-IP-Adressen explizit zulassen oder blockieren. In modernen Tenants sollte dies sparsam und nur fĂŒr klar dokumentierte Partner oder Gateways genutzt werden. Connection filtering acts at SMTP ingress and can explicitly allow or block source IP addresses. In modern tenants it should be used sparingly and only for clearly documented partners or gateways.
Get-HostedConnectionFilterPolicy | Select-Object Name,EnableSafeList,IPAllowList,IPBlockList
Set-HostedConnectionFilterPolicy -Identity "Default" -IPAllowList 198.51.100.10,198.51.100.11 -IPBlockList 203.0.113.50
Get-HostedConnectionFilterPolicy | Select-Object Name,EnableSafeList,IPAllowList,IPBlockList
Set-HostedConnectionFilterPolicy -Identity "Default" -IPAllowList 198.51.100.10,198.51.100.11 -IPBlockList 203.0.113.50
Anti-Malware Anti-malware
Anti-Malware Policies scannen AnhÀnge, blockieren bekannte gefÀhrliche Dateitypen und arbeiten mit Zero-hour Auto Purge (ZAP), um spÀter als bösartig erkannte Inhalte aus PostfÀchern zu entfernen. Anti-malware policies scan attachments, block known dangerous file types, and work with Zero-hour Auto Purge (ZAP) to remove content later identified as malicious from mailboxes.
| Funktion Feature | Komponente Component | Zweck Purpose | Beschreibung Description |
|---|---|---|---|
| Dateitypen filtern Dateitypen filtern | File type filtering File type filtering |
Blockiert z. B. .exe, .js, .vbs.
Blockiert z. B. .exe, .js, .vbs.
|
Blocks file types such as .exe, .js, and .vbs.
Blocks file types such as .exe, .js, and .vbs.
|
| ZAP ZAP | Zero-hour Auto Purge Zero-hour Auto Purge | Entfernt nachtrÀglich erkannte Malware oder Phishing-Mails. Entfernt nachtrÀglich erkannte Malware oder Phishing-Mails. | Removes messages later identified as malware or phishing. Removes messages later identified as malware or phishing. |
| Benachrichtigungen Benachrichtigungen | Notifications Notifications | Admins oder Absender können ĂŒber Malware-Befunde informiert werden. Admins oder Absender können ĂŒber Malware-Befunde informiert werden. | Admins or senders can be informed about malware detections. Admins or senders can be informed about malware detections. |
| Common Attachments Filter Common Attachments Filter | Common attachments filter Common attachments filter | PrĂŒft Dateiendungen und bekannte Risikotypen. PrĂŒft Dateiendungen und bekannte Risikotypen. | Inspects extensions and known risky types. Inspects extensions and known risky types. |
Get-MalwareFilterPolicy | Select-Object Name,Action,EnableFileFilter,FileTypes,EnableInternalSenderAdminNotifications,ZapEnabled
Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true -FileTypes exe,js,vbs,iso -ZapEnabled $true -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress secops@contoso.com
Get-MalwareFilterPolicy | Select-Object Name,Action,EnableFileFilter,FileTypes,EnableInternalSenderAdminNotifications,ZapEnabled
Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true -FileTypes exe,js,vbs,iso -ZapEnabled $true -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress secops@contoso.com
Anti-Phishing Anti-phishing
Anti-Phishing Policies schĂŒtzen vor Spoofing, Impersonation und Business Email Compromise. Moderne Schutzmechanismen kombinieren DomĂ€nenintelligenz, Mailbox Intelligence, Benutzer-/DomĂ€nenschutz sowie Spoof Intelligence. Anti-phishing policies protect against spoofing, impersonation, and business email compromise. Modern protections combine domain intelligence, mailbox intelligence, user/domain protection, and spoof intelligence.
| Feature Feature | Deutsch German | English English |
|---|---|---|
| Impersonation protection Impersonation protection | SchĂŒtzt definierte Benutzer und DomĂ€nen. SchĂŒtzt definierte Benutzer und DomĂ€nen. | Protects defined users and domains. Protects defined users and domains. |
| Mailbox intelligence Mailbox intelligence | Lernt typische Kommunikationspartner eines Benutzers. Lernt typische Kommunikationspartner eines Benutzers. | Learns a userâs typical communication partners. Learns a userâs typical communication partners. |
| Mailbox intelligence protection Mailbox intelligence protection | Setzt Regeln aus Mailbox Intelligence aktiv um. Setzt Regeln aus Mailbox Intelligence aktiv um. | Actively enforces rules from mailbox intelligence. Actively enforces rules from mailbox intelligence. |
| Spoof intelligence Spoof intelligence | Erkennt Domain-Spoofing und verwaltet Allow/Block Entscheidungen. Erkennt Domain-Spoofing und verwaltet Allow/Block Entscheidungen. | Detects domain spoofing and manages allow/block decisions. Detects domain spoofing and manages allow/block decisions. |
| Safety tips Safety tips | Zeigt Benutzerwarnungen im Client an. Zeigt Benutzerwarnungen im Client an. | Shows user warnings in the client. Shows user warnings in the client. |
Get-AntiPhishPolicy | Select-Object Name,EnableOrganizationDomainsProtection,EnableMailboxIntelligence,EnableMailboxIntelligenceProtection,EnableSpoofIntelligence,SafetyTipsEnabled
Set-AntiPhishPolicy -Identity "Default" -EnableOrganizationDomainsProtection $true -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -EnableSpoofIntelligence $true -EnableTargetedUserProtection $true -TargetedUsersToProtect ceo@contoso.com,cfo@contoso.com -SafetyTipsEnabled $true
Get-AntiPhishPolicy | Select-Object Name,EnableOrganizationDomainsProtection,EnableMailboxIntelligence,EnableMailboxIntelligenceProtection,EnableSpoofIntelligence,SafetyTipsEnabled
Set-AntiPhishPolicy -Identity "Default" -EnableOrganizationDomainsProtection $true -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -EnableSpoofIntelligence $true -EnableTargetedUserProtection $true -TargetedUsersToProtect ceo@contoso.com,cfo@contoso.com -SafetyTipsEnabled $true
Safe Links Safe Links
Safe Links ĂŒberschreibt URLs zur Laufzeit, prĂŒft sie beim Klick und blockiert bekannte oder neu erkannte bösartige Ziele. Diese Funktion ist in Defender for Office 365 Plan 1 enthalten. Safe Links rewrites URLs at runtime, inspects them at click time, and blocks known or newly identified malicious destinations. This feature is included with Defender for Office 365 Plan 1.
| Eigenschaft Property | Beschreibung DE Description DE | Beschreibung EN Description EN |
|---|---|---|
| URL-Rewriting URL-Rewriting | Jede URL wird ĂŒber Microsoft Schutzlinks umgeschrieben. Jede URL wird ĂŒber Microsoft Schutzlinks umgeschrieben. | Each URL is rewritten through Microsoft safe links. Each URL is rewritten through Microsoft safe links. |
| Click-time analysis Click-time analysis | PrĂŒfung erfolgt beim Benutzerklick. PrĂŒfung erfolgt beim Benutzerklick. | Inspection occurs when the user clicks. Inspection occurs when the user clicks. |
| Policy scoping Policy scoping | Kann auf Benutzer, Gruppen und DomÀnen angewendet werden. Kann auf Benutzer, Gruppen und DomÀnen angewendet werden. | Can be scoped to users, groups, and domains. Can be scoped to users, groups, and domains. |
| Do not rewrite lists Do not rewrite lists | Ausnahmen fĂŒr interne oder vertrauenswĂŒrdige URLs möglich. Ausnahmen fĂŒr interne oder vertrauenswĂŒrdige URLs möglich. | Exceptions for internal or trusted URLs are possible. Exceptions for internal or trusted URLs are possible. |
Get-SafeLinksPolicy | Select-Object Name,EnableSafeLinksForEmail,TrackClicks,AllowClickThrough,DoNotRewriteUrls
Set-SafeLinksPolicy -Identity "Default" -EnableSafeLinksForEmail $true -TrackClicks $true -AllowClickThrough $false -ScanUrls $true -DoNotRewriteUrls "https://intranet.contoso.com/*"
Get-SafeLinksPolicy | Select-Object Name,EnableSafeLinksForEmail,TrackClicks,AllowClickThrough,DoNotRewriteUrls
Set-SafeLinksPolicy -Identity "Default" -EnableSafeLinksForEmail $true -TrackClicks $true -AllowClickThrough $false -ScanUrls $true -DoNotRewriteUrls "https://intranet.contoso.com/*"
Safe Attachments Safe Attachments
Safe Attachments öffnet Dateien in einer isolierten Umgebung und entscheidet danach, ob eine Zustellung sicher ist. Dynamic Delivery ermöglicht dem Benutzer zunÀchst die Nachricht ohne Anlage, bis die Analyse abgeschlossen ist. Safe Attachments opens files in an isolated environment and decides whether delivery is safe. Dynamic Delivery allows the user to receive the message without the attachment while analysis completes.
| Option Option | Beschreibung DE Description DE | Beschreibung EN Description EN |
|---|---|---|
| Dynamic Delivery Dynamic Delivery | Mail wird sofort zugestellt, Anlage nach Freigabe nachgereicht. Mail wird sofort zugestellt, Anlage nach Freigabe nachgereicht. | Message is delivered immediately and the attachment follows after clearance. Message is delivered immediately and the attachment follows after clearance. |
| Block Block | Nachricht oder Anlage wird blockiert. Nachricht oder Anlage wird blockiert. | Message or attachment is blocked. Message or attachment is blocked. |
| Replace Replace | Bösartige Anlage wird durch Platzhalter ersetzt. Bösartige Anlage wird durch Platzhalter ersetzt. | Malicious attachment is replaced by a placeholder. Malicious attachment is replaced by a placeholder. |
| Redirect Redirect | Administratoren erhalten Kopie zur Analyse. Administratoren erhalten Kopie zur Analyse. | Administrators receive a copy for analysis. Administrators receive a copy for analysis. |
Get-SafeAttachmentPolicy | Select-Object Name,Action,Enable,Redirect,RedirectAddress
Set-SafeAttachmentPolicy -Identity "Default" -Enable $true -Action DynamicDelivery -Redirect $true -RedirectAddress malware-review@contoso.com
Get-SafeAttachmentPolicy | Select-Object Name,Action,Enable,Redirect,RedirectAddress
Set-SafeAttachmentPolicy -Identity "Default" -Enable $true -Action DynamicDelivery -Redirect $true -RedirectAddress malware-review@contoso.com
QuarantÀneverwaltung Quarantine management
QuarantĂ€ne ist die bevorzugte Aktion fĂŒr unsichere Inhalte, wenn eine spĂ€tere Freigabe oder Analyse möglich sein soll. Richtlinien definieren, ob Endbenutzer Benachrichtigungen, Freigabeoptionen oder Self-Service erhalten. Quarantine is the preferred action for suspicious content when later release or analysis should remain possible. Policies define whether end users receive notifications, release options, or self-service capabilities.
Get-QuarantinePolicy | Select-Object Name,EndUserSpamNotificationFrequency,ESNEnabled,MultiLanguageSenderName,MultiLanguageSetting
Get-QuarantineMessage -PageSize 25 | Select-Object ReceivedTime,SenderAddress,RecipientAddress,Subject,Type,ReleaseStatus
Get-QuarantinePolicy | Select-Object Name,EndUserSpamNotificationFrequency,ESNEnabled,MultiLanguageSenderName,MultiLanguageSetting
Get-QuarantineMessage -PageSize 25 | Select-Object ReceivedTime,SenderAddress,RecipientAddress,Subject,Type,ReleaseStatus
| Thema Topic | Deutsch German | English English |
|---|---|---|
| End User Notifications End User Notifications | Benutzer ĂŒber QuarantĂ€ne informieren. Benutzer ĂŒber QuarantĂ€ne informieren. | Inform users about quarantine items. Inform users about quarantine items. |
| Release Permissions Release Permissions | Self-Service oder Admin-Only Freigabe. Self-Service oder Admin-Only Freigabe. | Self-service or admin-only release. Self-service or admin-only release. |
| Policy per verdict Policy per verdict | Spam, High Confidence Phish und Malware unterschiedlich behandeln. Spam, High Confidence Phish und Malware unterschiedlich behandeln. | Treat spam, high confidence phish, and malware differently. Treat spam, high confidence phish, and malware differently. |
| Review workflow Review workflow | SOC oder Helpdesk prĂŒft False Positives. SOC oder Helpdesk prĂŒft False Positives. | SOC or helpdesk reviews false positives. SOC or helpdesk reviews false positives. |
SPF SPF
SPF legt fest, welche Systeme Mails fĂŒr Ihre DomĂ€ne senden dĂŒrfen. FĂŒr reine Microsoft 365 Senderszenarien genĂŒgt hĂ€ufig v=spf1 include:spf.protection.outlook.com -all. ZusĂ€tzliche Gateways oder SaaS-Dienste mĂŒssen explizit ergĂ€nzt werden.
SPF specifies which systems may send mail for your domain. For Microsoft 365-only sending, v=spf1 include:spf.protection.outlook.com -all is often sufficient. Additional gateways or SaaS services must be added explicitly.
# Beispiel-DNS-TXT
v=spf1 include:spf.protection.outlook.com -all
# Beispiel-DNS-TXT
v=spf1 include:spf.protection.outlook.com -all
DKIM DKIM
DKIM signiert ausgehende Nachrichten kryptografisch und erhöht die VertrauenswĂŒrdigkeit von AbsenderdomĂ€nen. Vor der Aktivierung mĂŒssen die von Microsoft bereitgestellten CNAME-Records fĂŒr beide Selector-EintrĂ€ge publiziert werden. DKIM cryptographically signs outbound messages and improves trust in sender domains. Before enabling it, publish the Microsoft-provided CNAME records for both selector entries.
| Eintrag Record | Beispiel Example | Zweck Purpose |
|---|---|---|
| selector1._domainkey selector1._domainkey | selector1-contoso-com._domainkey.tenant.onmicrosoft.com selector1-contoso-com._domainkey.tenant.onmicrosoft.com | Erster DKIM-Selector. Erster DKIM-Selector. |
| selector2._domainkey selector2._domainkey | selector2-contoso-com._domainkey.tenant.onmicrosoft.com selector2-contoso-com._domainkey.tenant.onmicrosoft.com | Zweiter DKIM-Selector. Zweiter DKIM-Selector. |
Get-DkimSigningConfig | Select-Object Domain,Enabled,Selector1CNAME,Selector2CNAME
Enable-DkimSigningConfig -Identity contoso.com
Get-DkimSigningConfig | Select-Object Domain,Enabled,Selector1CNAME,Selector2CNAME
Enable-DkimSigningConfig -Identity contoso.com
DMARC DMARC
DMARC baut auf SPF und DKIM auf und legt fest, wie EmpfĂ€nger mit nicht ausgerichteten Nachrichten umgehen sollen. FĂŒhren Sie DMARC idealerweise gestuft von p=none zu quarantine und schlieĂlich reject ein.
DMARC builds on SPF and DKIM and tells receivers how to handle unauthenticated messages. Ideally phase DMARC from p=none to quarantine and ultimately reject.
# Beispiel-DNS-TXT
v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com; ruf=mailto:dmarc-forensics@contoso.com; fo=1; adkim=s; aspf=s
# Beispiel-DNS-TXT
v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com; ruf=mailto:dmarc-forensics@contoso.com; fo=1; adkim=s; aspf=s
Tenant Allow/Block List Tenant allow/block list
Die Tenant Allow/Block List ist fĂŒr gezielte Ausnahmen gedacht: vertrauenswĂŒrdige URLs, Dateihashes oder Absender können zugelassen beziehungsweise blockiert werden. Sie ersetzt jedoch keine saubere Policy-Architektur. The tenant allow/block list is meant for targeted exceptions: trusted URLs, file hashes, or senders can be allowed or blocked. It does not replace clean policy architecture.
New-TenantAllowBlockListItems -ListType Url -Block -Entries "http://malicious.example"
New-TenantAllowBlockListItems -ListType Sender -Allow -Entries "trusted.sender@partner.example"
Get-TenantAllowBlockListItems | Select-Object Value,ListType,Action,SubmissionTime
New-TenantAllowBlockListItems -ListType Url -Block -Entries "http://malicious.example"
New-TenantAllowBlockListItems -ListType Sender -Allow -Entries "trusted.sender@partner.example"
Get-TenantAllowBlockListItems | Select-Object Value,ListType,Action,SubmissionTime
Submission Portal und Attack Simulation Submission portal and attack simulation
Benutzer- und Administrator-Submissions helfen Microsoft, Fehlklassifizierungen und neue Angriffe zu erkennen. Attack Simulation Training dient der Sensibilisierung und wird in erster Linie im Defender Portal durchgefĂŒhrt; hier ist die Portalverwaltung oft wichtiger als Exchange-spezifische Cmdlets. User and admin submissions help Microsoft identify misclassifications and new attacks. Attack Simulation Training is used for awareness and is primarily operated in the Defender portal; portal governance is often more important here than Exchange-specific cmdlets.
- Melden Sie False Positives und False Negatives systematisch ĂŒber das Submission Portal. Submit false positives and false negatives systematically through the submission portal.
- Verwenden Sie Attack Simulation fĂŒr Phishing-, Passwort-Reset- und Malware-nahe Trainings. Use attack simulation for phishing, password reset, and malware-adjacent exercises.
- Kombinieren Sie Simulationsergebnisse mit technischen Controls wie Safe Links und Anti-Phishing Policies. Combine simulation results with technical controls such as Safe Links and anti-phishing policies.
Get-UserSubmission -PageSize 25 | Select-Object ReceivedDate,Category,Result,RecipientEmailAddress,NetworkMessageId
# Attack Simulation Training wird primĂ€r im Defender Portal verwaltet; Exchange Online PowerShell bietet hierfĂŒr nur begrenzte Abdeckung.
Get-UserSubmission -PageSize 25 | Select-Object ReceivedDate,Category,Result,RecipientEmailAddress,NetworkMessageId
# Attack Simulation Training wird primĂ€r im Defender Portal verwaltet; Exchange Online PowerShell bietet hierfĂŒr nur begrenzte Abdeckung.
Komplette Sicherheitsabfragen Complete security queries
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -ShowBanner:$false
Get-HostedContentFilterPolicy | Select-Object Name,SpamAction,HighConfidenceSpamAction,PhishSpamAction,BulkThreshold
Get-HostedOutboundSpamFilterPolicy | Select-Object Name,AutoForwardingMode,NotifyOutboundSpam
Get-MalwareFilterPolicy | Select-Object Name,EnableFileFilter,FileTypes,ZapEnabled
Get-AntiPhishPolicy | Select-Object Name,EnableOrganizationDomainsProtection,EnableSpoofIntelligence,EnableMailboxIntelligence
Get-SafeLinksPolicy | Select-Object Name,EnableSafeLinksForEmail,TrackClicks,AllowClickThrough
Get-SafeAttachmentPolicy | Select-Object Name,Action,Redirect,RedirectAddress
Get-DkimSigningConfig | Select-Object Domain,Enabled
Disconnect-ExchangeOnline -Confirm:$false
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -ShowBanner:$false
Get-HostedContentFilterPolicy | Select-Object Name,SpamAction,HighConfidenceSpamAction,PhishSpamAction,BulkThreshold
Get-HostedOutboundSpamFilterPolicy | Select-Object Name,AutoForwardingMode,NotifyOutboundSpam
Get-MalwareFilterPolicy | Select-Object Name,EnableFileFilter,FileTypes,ZapEnabled
Get-AntiPhishPolicy | Select-Object Name,EnableOrganizationDomainsProtection,EnableSpoofIntelligence,EnableMailboxIntelligence
Get-SafeLinksPolicy | Select-Object Name,EnableSafeLinksForEmail,TrackClicks,AllowClickThrough
Get-SafeAttachmentPolicy | Select-Object Name,Action,Redirect,RedirectAddress
Get-DkimSigningConfig | Select-Object Domain,Enabled
Disconnect-ExchangeOnline -Confirm:$false
Die ErgÀnzung beschreibt SCL 0-9, BCL, PCL, wichtige Headerfelder, Defender for Office 365 Plan 2 Features sowie SPF/DKIM/DMARC- und QuarantÀnepraxis.This addition covers SCL 0-9, BCL, PCL, important header fields, Defender for Office 365 Plan 2 features, and SPF/DKIM/DMARC plus quarantine operations.
SCL 0-9, BCL und PCLSCL 0-9, BCL, and PCL
| WertValue | BedeutungMeaning |
|---|---|
| 00 | Nicht als Spam klassifiziert; meist vertrauenswĂŒrdig oder explizit erlaubt.Not classified as spam; usually trusted or explicitly allowed. |
| 11 | Sehr geringe Spam-Wahrscheinlichkeit.Very low spam probability. |
| 22 | Niedrige Spam-Wahrscheinlichkeit.Low spam probability. |
| 33 | Leicht verdÀchtig; hÀufig noch im Posteingang.Slightly suspicious; often still delivered to the inbox. |
| 44 | Grenzfall; hÀufig von tenantweiten Aktionen abhÀngig.Borderline; often depends on tenant-wide actions. |
| 55 | Klarer Spamverdacht, hÀufig Junk Email.Clear spam suspicion, often junk email. |
| 66 | Hohe Spamwahrscheinlichkeit.High spam probability. |
| 77 | Sehr hohe Spamwahrscheinlichkeit.Very high spam probability. |
| 88 | High Confidence Spam; meist QuarantÀne oder Löschung.High confidence spam; usually quarantine or deletion. |
| 99 | High Confidence Phish oder aggressive Policywirkung.High confidence phish or aggressive policy action. |
| SignalSignal | BeschreibungDescription |
|---|---|
| BCLBCL | Bulk Complaint Level von 0 bis 9 fĂŒr Newsletter und Massenmail.Bulk Complaint Level from 0 to 9 for newsletters and bulk mail. |
| PCLPCL | Phishing Confidence Level aus Anti-Phish und Spoof Signalen.Phishing Confidence Level based on anti-phish and spoof signals. |
X-Microsoft-Antispam HeaderfelderX-Microsoft-Antispam header fields
| FeldField | BedeutungMeaning |
|---|---|
| SCLSCL | Spam Confidence Level.Spam confidence level. |
| BCLBCL | Bulk Complaint Level.Bulk complaint level. |
| PCLPCL | Phishing Confidence Level.Phishing confidence level. |
| CATCAT | Kategorisierung wie BULK, PHSH oder SPM.Categorization such as BULK, PHSH, or SPM. |
| SRVSRV | Filterserver oder pipelinebezogene Kennung.Filtering server or pipeline identifier. |
| IPVIPV | IP-Reputationsauswertung.IP reputation evaluation. |
| HH | Header-basierte Heuristik oder PrĂŒfpfad.Header-based heuristic or evaluation path. |
| PTRPTR | Reverse-DNS bzw. PTR Bewertung.Reverse DNS or PTR evaluation. |
| LANGLANG | Erkannte Sprachhinweise.Detected language hints. |
| CTRYCTRY | Abgeleitetes Herkunftsland oder Geo-Signal.Derived country or geo signal. |
| SFVSFV | Spam Filter Verdict wie SKN, NSPM, SPM, PHSH.Spam filter verdict such as SKN, NSPM, SPM, PHSH. |
| X-Forefront-Antispam-ReportX-Forefront-Antispam-Report | Zusammenfassender Bericht weiterer Signale.Summary report of additional signals. |
Defender for Office 365 Plan 2Defender for Office 365 Plan 2
| FeatureFeature | NutzenUse |
|---|---|
| Threat Explorer / Real-time detectionsThreat Explorer / real-time detections | Erweiterte Jagd- und UntersuchungsoberflÀche.Advanced hunting and investigation surface. |
| Attack Simulation TrainingAttack Simulation Training | Phishing-Simulationen und Trainingskampagnen.Phishing simulations and training campaigns. |
| Automated Investigation and ResponseAutomated Investigation and Response | Automatisierte Triage und Remediation.Automated triage and remediation. |
| Campaign viewsCampaign views | Korrelierte Sicht auf groĂflĂ€chige Angriffe.Correlated view across broad campaigns. |
| Threat TrackersThreat Trackers | Aktuelle Akteurs- und Kampagnenlage.Current actor and campaign intelligence. |
| Advanced hunting dataAdvanced hunting data | ZusĂ€tzliche Detektionsdaten fĂŒr SOC und Defender.Additional detection data for SOC and Defender. |
SPF, DKIM und DMARC TroubleshootingSPF, DKIM, and DMARC troubleshooting
| ProblemProblem | PrĂŒfschritteChecks |
|---|---|
| SPF failSPF fail | SPF Record per Resolve-DnsName -Type TXT prĂŒfen; nur legitime Sender einschlieĂen.Check the SPF record with Resolve-DnsName -Type TXT and include only legitimate senders. |
| DKIM failDKIM fail | Selector-CNAMEs prĂŒfen und Get-DkimSigningConfig gegen DomĂ€nenstatus vergleichen.Check selector CNAMEs and compare Get-DkimSigningConfig with domain status. |
| DMARC p=reject NebenwirkungenDMARC p=reject side effects | Alignment, Weiterleitungen und Drittanbieter-Sender prĂŒfen.Check alignment, forwarding, and third-party senders. |
| Intermittierende ZustellungIntermittent delivery | DNS-TTL, Propagation und konkurrierende SPF/DKIM Ănderungen berĂŒcksichtigen.Consider DNS TTL, propagation, and competing SPF/DKIM changes. |
Resolve-DnsName contoso.com -Type MX
Resolve-DnsName contoso.com -Type TXT
Resolve-DnsName selector1._domainkey.contoso.com -Type CNAME
Get-DkimSigningConfig | Select-Object Domain,Enabled,Selector1CNAME,Selector2CNAMEQuarantÀne Deep DiveQuarantine deep dive
| ThemaTopic | HinweisNote |
|---|---|
| Admin releaseAdmin release | Administratoren können selektiv freigeben und zur Microsoft-Analyse melden.Administrators can selectively release and submit to Microsoft analysis. |
| End-user notificationsEnd-user notifications | Benutzerbenachrichtigungen mĂŒssen zur Governance passen.End-user notifications must fit governance requirements. |
| Review before purgeReview before purge | QuarantÀne ist sicherer als sofortiges Löschen bei möglichem False Positive.Quarantine is safer than immediate deletion when false positives are possible. |
| Bulk triageBulk triage | Mit Filter auf Sender, Type, PolicyType und ReleaseStatus arbeiten.Filter by sender, type, policy type, and release status. |
Get-QuarantinePolicy | Select-Object Name,ESNEnabled,EndUserSpamNotificationFrequency
Get-QuarantineMessage -PageSize 50 | Select-Object ReceivedTime,SenderAddress,RecipientAddress,Subject,Type,ReleaseStatus
Release-QuarantineMessage -Identity <QuarantineMessageIdentity> -ReleaseToAllGitHub ReferenzenGitHub references
| RepositoryRepository | NutzenUse |
|---|---|
| microsoft/mhamicrosoft/mha | Microsoft Message Header Analyzer zum Dekodieren von Headern und Routinghinweisen.Microsoft Message Header Analyzer for decoding headers and routing hints. |
FĂŒr Headeranalyse, NDR-Codes und DNS-Propagation siehe auĂerdem Mail Flow TroubleshootingMail flow troubleshooting.For header analysis, NDR codes, and DNS propagation, also see Mail Flow TroubleshootingMail flow troubleshooting.