In this article I wrote about how Microsoft is deprecating Direct Send due to security concerns. I also wrote a report to help identify what’s being sent via Direct Send.
Well, Microsoft just released updated guidance.
Wait… Really?
Yes, and disabling it is a good move given its nature, but let’s dig into this… First, look at this post, which will give you some background. But we will dive into it.
So how does Direct Send work exactly?
Direct Send allows email to be sent to the default connector in Exchange Online. Several things need to be done to use it: allow the sending IP, create a connector, and configure the application or device to send directly to the MX record. You can read about it here. It’s very convenient, but with the convenience come the security concerns…
Welp… I can’t turn it off right now, so yeah now what?
The fix here is to create a Transport Rule in Exchange Online. Here’s the PowerShell way:
New-TransportRule -Name "Redirect to quarantine if not coming from known IPs" -Quarantine $true -ExceptIfHeaderContainsMessageHeader 'X-MS-Exchange-Organization-AuthAs' -ExceptIfHeaderContainsWords 'Internal' -ExceptIfSenderIpRanges 'MX records + on-premises IPs + other authorized IPs' -StopRuleProcessing $true -Priority 0
This can also be accomplished in the admin center.
Rule parameters are:
Apply this rule if: Apply to all messages
Do the following: Deliver the message to the hosted quarantine and Stop processing more rules
Except if: Sender IP addresses belong to one of these ranges: "MX records + on-premises IPs + other authorized IPs"
OR
'X-MS-Exchange-Organization-AuthAs' header contains "Internal"
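Because the rule runs at priority 0 and quarantines everything that misses both exceptions, it is worth checking your IP list against known senders before turning it on. The script below is an added example, not part of Microsoft's guidance or the original post: an offline dry run of the rule's two exceptions over constructed sample messages. The function names, the documentation IP ranges and the messages are all assumptions, and it handles only IPv4 single addresses and CIDR ranges.

```powershell
# Added example: offline dry run of the rule's two exceptions over constructed data.
# Function names, ranges and messages are hypothetical; IPv4 single IPs and CIDR only.
$AllowedRanges = @('192.0.2.0/24', '198.51.100.25')   # stand-in for your authorized IPs

function ConvertTo-IpNumber([string]$Ip) {
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { throw "IPv4 only: $Ip" }
    [double]$n = 0
    foreach ($b in $addr.GetAddressBytes()) { $n = $n * 256 + $b }
    $n
}

function Test-IpInRange([string]$Ip, [string]$Range) {
    $net, $prefix = $Range -split '/'
    if ($null -eq $prefix) { $prefix = 32 }            # bare address is treated as /32
    $size = [math]::Pow(2, 32 - [int]$prefix)          # number of addresses in the block
    # Two addresses share a block when they give the same quotient by block size
    $ipBlock  = [math]::Floor((ConvertTo-IpNumber $Ip) / $size)
    $netBlock = [math]::Floor((ConvertTo-IpNumber $net) / $size)
    $ipBlock -eq $netBlock
}

function Get-DirectSendRuleVerdict {
    param([string]$SenderIp, [string]$AuthAs, [string[]]$AllowedRanges)
    # Exception: X-MS-Exchange-Organization-AuthAs header contains 'Internal'
    if ($AuthAs -like '*Internal*') { return 'Deliver (AuthAs Internal)' }
    # Exception: sender IP belongs to one of the authorized ranges
    foreach ($r in $AllowedRanges) {
        if (Test-IpInRange $SenderIp $r) { return "Deliver (IP in $r)" }
    }
    'Quarantine'                                       # neither exception matched
}

# Constructed sample messages: last-hop IP and AuthAs header value
$Messages = @(
    [pscustomobject]@{ Subject = 'Scan from printer'; SenderIp = '192.0.2.40';   AuthAs = 'Anonymous' }
    [pscustomobject]@{ Subject = 'Team update';       SenderIp = '203.0.113.9';  AuthAs = 'Internal'  }
    [pscustomobject]@{ Subject = 'Invoice overdue';   SenderIp = '203.0.113.77'; AuthAs = 'Anonymous' }
)

$Messages | ForEach-Object {
    $verdict = Get-DirectSendRuleVerdict $_.SenderIp $_.AuthAs $AllowedRanges
    [pscustomobject]@{ Subject = $_.Subject; SenderIp = $_.SenderIp; Verdict = $verdict }
}
```

Replace the sample ranges and messages with your own authorized IPs and a handful of real sender IPs from devices that relay mail, so any legitimate sender that would land in quarantine shows up before the rule is enforced.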