New Microsoft 365 CASB integration

Switch to our new Microsoft 365 integration technology, get more details from email audit, and prepare for even more future benefits.

In Safetica 10.3, you have the option to switch your Office365 integration to a new Microsoft 365 CASB technology that brings several improvements and unlocks a range of benefits in the future. For now, it enhances Microsoft 365 email audit with data category detection, email sizes, and attachment sizes.

This technology update concerns only email audit. File audit for Microsoft 365 will be added later. If you are only interested in file audit (i.e., SharePoint protection), do not switch to the new integration technology for now.

In this article, you will learn about:

  • Current limitations
  • How the new Microsoft 365 CASB technology works
  • How to set up the new integration in Safetica Management Console
  • How to set up your Exchange Online mail flow

Current limitations

There are a few limitations that the new Microsoft 365 CASB technology has for now, but we will address them in the future versions of Safetica:

  • If the admin adds a Distribution group from Exchange into a Safetica Zone, only that group address is evaluated, not the addresses of the individual users in the group. To set the zone for the whole group, the admin must add each of its users to the zone.
  • It only supports Exchange Online (not Exchange On-Premise).
  • It audits only sent emails.
  • It supports the logging and blocking policy modes. If a policy uses notification mode, Safetica will only log the email. The User override and Shadow copy features are not applied either.
  • It supports only general policies and data policies based on metadata and 3rd party classification.
  • To enable the integration for another Safetica instance, you need to disable the previous one first. For testing separate Safetica instances, we recommend using different Office 365 tenants. You can also disable your current Safetica instance, and then enable the integration on another one.

It will not be possible to audit received emails when switching to the Microsoft 365 CASB technology. We are working on enabling this capability in the near future.


How the new Microsoft 365 CASB technology works

First, you have to activate the new technology in Safetica Management Console.

Afterward, go to your Exchange Admin Center and forward email communication to Safetica.

You can create exceptions for this email forwarding rule for specific users.

How does Safetica process the emails?


  1. An email is sent from the email sender to Exchange Online.
  2. The email is forwarded from Exchange Online into our CASB queue and processed. The customer’s audit and DLP settings are loaded and evaluated. If required, a log about the email is stored, and DLP policies are applied.
  3. From here there are two outcomes:
    a. The email violates a DLP policy and its dispatch must be stopped. In this case we return a Non-delivery report (NDR) to the email sender (step 4a).
    b. The email does not violate any DLP policy and can be delivered to the recipient (step 4b).
  4. Depending on the outcome:
    a. The email sender receives the NDR message.
    b. The message is returned to Exchange Online and deleted from our queue. It is then sent to its intended destination.

If steps 3 or 4 cannot proceed, the email is returned to customer's Exchange and deleted from our queue.


When returning emails back to Exchange Online after processing, we locate your Exchange Online server based on the MX DNS records configured for your email domains. Records pointing to an Exchange Online server (.mail.protection.outlook.com) are prioritized. If no such record exists, the other MX records are used, which may mean your email is not returned to Exchange Online directly. If this behavior is not desired, please add MX records that point directly to your Exchange Online servers.

Which checks are in place to assure high availability and reliability?

Architecture design is aligned with other CASB solutions which are present on the market today. The CASB server is a shared cloud service hosted by Safetica. Because of the critical nature of Safetica in this scheme, we have implemented extensive monitoring and backup mechanisms to minimize any risk of service outage. We use the West Europe region (main) and North Europe region (backup) Azure data centers.  

How are DLP policies evaluated and applied?

  • Policy evaluation is skipped if the email has a Safetica classification tag in its header because the endpoint should have already processed it.
  • Safetica detects the metadata classifications of attached files (such as MS Office documents, .pdf, etc.) and applies context data policies, 3rd party policies, and general policies (sender, receiver, zones).


How to set up the new integration in Safetica Management Console

  1. Go to Maintenance > Integration settings > Office 365 integration.
  2. Switch to new Office 365 integration.
  3. You will be asked to sign in to your Azure tenant. Safetica then creates an app registration for syncing the Azure AD user list and email domains. Nothing is forwarded to Safetica until you set up the Mail flow rules in Exchange Online (described below).
  4. The old integration will be disabled and old rules in Exchange cleaned up.

Now you need to set up Mail flow rules in your Exchange Online for emails to be forwarded to Safetica server.

How to set up your Exchange Online mail flow

Sign in to the Exchange Admin Center (https://admin.exchange.microsoft.com) and create a Mail flow rule that will forward your outgoing emails to Safetica server.

To set up Mail flow rules, you must have Exchange Admin rights.

The configuration has three parts:

  1. Outgoing Connector configuration
    1. Go to Exchange admin center > Mail Flow > Connectors and select Add a connector.
    2. Select Connection from Office 365 to Your organization's email server.
    3. Fill in a name and keep Retain internal Exchange email headers checked.
    4. Select Only when I have a transport rule set up that redirects messages to this connector.
    5. In Routing, fill in the CASB server domain name: mail.cloudprotection.safetica.com
    6. In Security restrictions, select Issued by a trusted certificate authority (CA) and fill in the certificate subject name: mail.cloudprotection.safetica.com
    7. Complete the validation and save the connector.

  2. Incoming Connector configuration
    1. Go to Exchange admin center > Mail Flow > Connectors and select Add a connector.
    2. Select Connection from Your organization's email server.
    3. Fill in a name and keep Retain internal Exchange email headers checked.
    4. Fill in the certificate subject name (this will be provided to you by Safetica).
    5. Save the connector.

  3. Mail Flow Rule configuration

    1. Go to Exchange admin center > Mail Flow > Rules and select Create a new rule...
    2. Click More options...
    3. In Apply this rule if... choose The sender is external/internal and Inside the organization.

If you want to restrict which emails should be forwarded to Safetica server, you can add more conditions here. Inside the organization, however, must always be selected.

    4. In Do the following... select Redirect the message to the following connector and choose the Outgoing connector you’ve created.
    5. In Except if... select A message header matches these text patterns and enter a header named X-St-Checked-Casb with the value yes. This exception is what stops emails that Safetica has already checked from being redirected again when they return to Exchange.
    6. Check Stop processing more rules.
    7. Save the rule. We recommend placing the new rule at the top of the rule list. Rules placed before this mail flow rule are evaluated twice: first when the email is passed to Safetica, and second when the email is forwarded back to Exchange.
    8. All configured emails will be forwarded to CASB after a short while.



If you experience any issues, you can deactivate the rule by unchecking the ON checkbox. After that, emails will stop being forwarded to Safetica CASB.
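The same three-part configuration (plus the MX check and the rollback above) expressed in Exchange Online PowerShell, as an added example that is not from the Safetica article or product. It assumes the ExchangeOnlineManagement module and an admin session; the connector and rule names and the domain contoso.example are hypothetical, and the inbound certificate subject is a placeholder for the value Safetica provides.

```powershell
# Assumed: ExchangeOnlineManagement module installed and an Exchange admin session opened:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$casbHost    = 'mail.cloudprotection.safetica.com'                 # from the article
$inboundCert = '<certificate subject name provided by Safetica>'   # placeholder

# Pre-check (MX note above): returned mail is routed to Exchange Online MX records first.
$exoMx = (Resolve-DnsName -Name 'contoso.example' -Type MX).NameExchange |
    Where-Object { $_ -like '*.mail.protection.outlook.com' }
if (-not $exoMx) { Write-Warning 'No Exchange Online MX record found for this domain.' }

# Part 1: outbound connector (Office 365 -> "your organization's email server").
# Used only when a transport rule redirects to it; TLS with a CA-issued certificate
# whose subject must match the CASB host name.
New-OutboundConnector -Name 'Safetica CASB outbound' `
    -ConnectorType OnPremises `
    -UseMXRecord $false -SmartHosts $casbHost `
    -TlsSettings DomainValidation -TlsDomain $casbHost `
    -IsTransportRuleScoped $true `
    -CloudServicesMailEnabled $true   # "Retain internal Exchange email headers"

# Part 2: inbound connector (from "your organization's email server"), accepting
# only connections that present the Safetica certificate over TLS.
New-InboundConnector -Name 'Safetica CASB inbound' `
    -ConnectorType OnPremises -SenderDomains '*' `
    -RequireTls $true -TlsSenderCertificateName $inboundCert `
    -CloudServicesMailEnabled $true

# Part 3: mail flow rule. Scope must stay "inside the organization"; the header
# exception keeps already-checked mail from being redirected to CASB a second time.
New-TransportRule -Name 'Redirect to Safetica CASB' `
    -Priority 0 `
    -FromScope InOrganization `
    -RouteMessageOutboundConnector 'Safetica CASB outbound' `
    -ExceptIfHeaderMatchesMessageHeader 'X-St-Checked-Casb' `
    -ExceptIfHeaderMatchesPatterns 'yes' `
    -StopRuleProcessing $true

# Check: the rule is at the top (priority 0) and enabled, and both connectors exist.
Get-TransportRule | Sort-Object Priority | Select-Object Priority, Name, State
Get-OutboundConnector 'Safetica CASB outbound' | Select-Object Name, SmartHosts, TlsSettings, Enabled
Get-InboundConnector  'Safetica CASB inbound'  | Select-Object Name, TlsSenderCertificateName, RequireTls

# Rollback, equivalent to unchecking ON in the admin center: forwarding stops immediately.
# Disable-TransportRule -Identity 'Redirect to Safetica CASB' -Confirm:$false
```

The rollback line is left commented out so the script does not disable the rule it just created; run it on its own when you need to stop forwarding.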