Learn what is Exchange protection, how it works, and how to activate and deactivate it. Configure a mail flow rule either automatically or manually.
✍️Before you can activate Exchange protection, you must add your Microsoft 365 tenant to Safetica.
In this article, you will learn more about:
- Introduction
- How Exchange protection works
- How to activate Exchange protection in Safetica console
- How to configure mail flow in Microsoft Exchange admin center
- How to configure policies for Exchange protection
- How to deactivate Exchange protection
Introduction
Exchange protection brings you:
- Email visibility: Gain full visibility into outbound email communication,
auditing all emails (both with and without attachments) sent by your Microsoft 365 users.
✍️For active email protection (i.e. the ability to block emails that violate your policies before they are sent or to notify the user about possible policy violations), activate Outlook protection.
❗If you activate Exchange protection without activating Outlook protection, sent emails will only be audited but not blocked. Safetica will receive a copy of the emails after they are sent for auditing purposes (to create a record) but will not be able to protect sensitive attachments from leaving the company.
How Exchange protection works
After activating Exchange protection, you will gain visibility into every email sent by your Microsoft 365 users, including those without attachments.
The activation process involves creating a mailflow rule in your Exchange Online. Based on this rule, a copy of every sent email will be sent to Safetica Cloud Protection to scrape the necessary metadata and create a DLP record. Since Safetica is added as a hidden recipient in Exchange Online, it is never visible to the email sender.
- An email request is sent from the email sender to Exchange Online.
- Exchange Online sends the email to its intended destination.
- Exchange Online adds internal Safetica address to hidden copy (BCC). Safetica analyzes the necessary data (sender, recipient(s), timestamp, email body size, attachment size, attachment classification identifiers) and creates a DLP record.
- After the email is processed by Safetica Cloud Protection, it is immediately deleted from our queue, including all attachments.
Limitations
- Supports Exchange Online only (not Exchange On-Premises).
- Audits and protects only sent emails.
- Without activated Outlook protection, it supports logging policies only. If you have blocking or notification policies for email, you must activate Outlook protection to extend them into Microsoft 365 environment. Otherwise, Safetica will only log the emails.
How to activate Exchange protection in Safetica console
✍️Exchange protection currently supports auditing of sent emails only.
1. In Safetica console, go to Cloud services, and click your Microsoft 365 tenant.
2. Click the Activate Exchange protection button.
3. You will be shown a list of steps you must perform in your Exchange Online to enable Exchange protection.
4. Check the box and click Finish. Then proceed to Microsoft Exchange admin center.
❗Completing the configuration in the Microsoft Exchange admin center is a crucial prerequisite for the correct operation of this feature.
How to configure mail flow in Microsoft Exchange admin center
You can configure the mail flow rule either:
A. Automatically via our configuration script (recommended) or
B. Manually in Microsoft Exchange admin center.
A. Configure the mail flow rule automatically via configuration script
1. Download this configuration script.
2. Right-click the script and select Run with PowerShell.
3. Afterward, all information about sent emails should become available in Safetica within a few minutes.
B. Configure the mail flow rule manually in Microsoft Exchange admin center
1. In Microsoft Exchange admin center, click Mail Flow in the navigation panel on the left.
2. Then click Rules > Add a rule > Create a new rule.
3. Choose an appropriate name for this rule (e.g. Safetica Cloud Protection).
4. In Apply this rule if... choose The sender is external/internal and Inside the organization.
5. In Do the following select Add recipients to the Bcc box and select copy@audit.cloudprotection.safetica.com
❗Emails must be sent to Safetica Cloud Protection directly from Exchange Online. It is vital that the messages do not pass through any third-party tools, such as an email gateway, before reaching our cloud for processing.
6. In the next step of the wizard (Set rule settings), select Match sender address in message envelope.
7. Save the rule. We recommend you place your new rule at the top of the rule list.
✍️Make sure to set the status of the mail flow rule to Active. By default, all new rules are created as Inactive.
8. Once you successfully complete these steps, all information about sent emails should become available in Safetica within a few minutes.
How to configure policies for Exchange protection
After you finish the activation in Microsoft Exchange admin center, policies configured for the Email destination type will start applying to emails sent by users in your Microsoft 365 tenant.
How to deactivate Exchange protection
You must deactivate Exchange protection in the following order:
- First, deactivate the mail flow rule you previously created. Open Microsoft Exchange admin center and set the status of the mail flow rule to Inactive.
- Open Safetica console, go to Cloud services > your M365 tenant, and deactivate Exchange protection.
❗Always start with deactivating the mail flow rule before proceeding with deactivation in Safetica console.
Read next
Outlook protection: How to activate and deactivate it
Outlook protection: Block (with override) in Outlook
SharePoint protection: How to activate and deactivate it