Solved

Affects of flagging 365 mailbox as secops mailbox


Hello

I am setting up the course ‘Security Awareness Training’ for a company we provide IT support for. According to this guide https://answers.webroot.com/Webroot/ukp.aspx?pid=4&app=vw&vw=1&solutionid=2938 I need to add ‘Secops Mailbox’ in order for the training to work. 

 

It is my understanding that flagging a mailbox as ‘Secops’ just opens the mailbox up to any rules I then put into Phishing simulation. I just wanted to confirm this is the case and that there will be no adverse affects from flagging the mailbox as a ‘Secops’ mailbox. I am changing 30 or so mailboxes so wanted to double check before finalising the settings

 

Thanks in advance :)

 

H

icon

Best answer by ggreenbaum 8 September 2022, 22:56

View original

21 replies

Userlevel 1
Badge

Hi H,

 

Thanks for reaching out. Correct - you need to designate a secops mailbox. This designation is scoped to the phishing simulation. Ideally, a SecOps mailbox is a dedicated mailbox that's used by security teams to receive unfiltered messages (both good and bad) for investigation and analysis.  However, you can designate any valid mailbox.

Are you concerned with a particular adverse impact?

 

Thanks!

HI

 

Thank you for getting back back to me. Nothing in particular it’s just I will be flagging close to an entire company’s mailboxes so just wanted to confirm that their will be no funny affects like REAL spam messages getting through etc. If it just flags the mailbox so the simulation settings apply then it is all gravy :)

 

Just wanted to confirm before I flag everyone’s mailbox xD

 

Cheers!

 

H

I have a similar question. Do I need to mark ALL mailboxes as SpecOp mailboxes if they are all users being tested? Will  that allow all the spam and malicious emails too? Im confused. 

@HarryW  & @ggreenbaum URGENT

Hi Guys I am setting up my first awareness training client. I added the “Microsoft 365 Defender > Email & Collaboration > Policies & rules > Threat Policies > Advanced Delivery > Phishing simulation tab” allowed webroot simulation domains 5 of the training ones and 5 of the phishing ones. 

 

Do I have to add all mailboxes I will be testing under: Microsoft 365 Defender > Email & Collaboration > Policies & rules > Threat Policies > Advanced Delivery > SecOps mailbox tab”? and will that only allow the domains and sending IP addresses I added in the Phishing simulations tab? 

 

I have the same question Harry had on will this expose all users mailboxes to spam other than the fake spam generated by the Webroot Awareness Training platform? 

Userlevel 1
Badge

Hello @cyberkite  you only specify a single mailbox as the SecOps mailbox, and by specifying the specific Webroot domains to be allowed, these will be the only ones to bypass other policies you have in place. Hope this helps.

@ggreenbaum why just a single mailbox and not all user mailboxes that are part of our clients Webroot Awareness campaign?

@ggreenbaum and do i really need to designate a secops mailbox as client is small and they only have users mailboxes, nothing along the lines of it team mailbox for secops. The Phishing simulation tab is all setup, is that enough for this to work without defining a secops mailbox? 

Userlevel 1
Badge

Hi @cyberkite just to clarify, you’re adding multiple target mailboxes to this single SecOps location in Microsoft 365 Defender:

 

 

@ggreenbaum I haven't added anything there yet. im trying to understand like Harrys original comments and my subsequent replies:

SecOps Mailbox tab =

1. do I add all user mailboxes in there if I plan to add them to Webroot Awareness campaigns?

 

2. or Is this area optional if I want to test good and bad emails and analyse them i add one secops mailbox eg: it@ ? 

i feel im not getting the answer i need to successfully set this up until this is clarified.

The Webroot help page on that is a little bit unclear in the SecPps Mailbox section whether: A) every single user mailbox that recieves the campaign has to be added in there, OR B) whether it's just for special IT mailbox where you want to have unfiltered access so you Forward actual viral emails for analysis and nothing to do with the webroot Awareness campaign setup. OR C) whether one random user mailbox out of the list of the 11 mailboxes needs to be sampled in there so that my clients all 11 mailboxes will be able to use the setup in the other tab "Phishing simulation"

 

As I said in the outset, we do not have a specialist mailbox that we need in that client's tenant to receive unfiltered viral emails. We just need to set up a webroot awareness campaign successfully and push it out to about 11 user mailboxes.

Please give us specific answer also: Do we need to add them to the SecOps tab in defender portal to make that work or not required and that part can be skipped? 

 

 

Hi @cyberkite just to clarify, you’re adding multiple target mailboxes to this single SecOps location in Microsoft 365 Defender:

 

 

your question above Is redundant because I don't know whether I should be adding multiple user mailboxes or not because I don't really understand the purpose of this tab and why we adding it in order to make the campaigns in Webroot work. see my above set of questions

@cyberkite you will need a single mailbox to be designated as a SecOps mailbox.  This, in combination with allowing the Webroot domains and IPs, will allow the messages from our Security Awareness Training to be delivered.  

Only a single user needs to be designated as SecOps.  This is to prevent all SAT messages from going straight to the junk folder.  

Regarding the concern if adding this access will open you up to more spam in general, it should not.  When following the steps in this article, https://answers.webroot.com/Webroot/ukp.aspx?pid=4&app=vw&vw=1&solutionid=2938, the next step after adding a SecOps mailbox is to specify Webroot’s IP addresses and domains in the Sending Domain section.  This is what allows our messages but does not open you up to ALL spam messages.  

@CL-OT doesn't make sense because Webroot support confirmed today that if I have multiple user mailboxes  that Im wanting to include in SAT campaign i need to add them all to the SecOps Mailbox tab. 

Both you and ggreenbaum is explaining in terms of a "single mailbox explanation" to be added there so SAT messages go through. Can you translate into non developer explanation and confirm if i have 11 mailboxes i need to test in a  SAT campaign, then i need to add those 11 mailboxes to SecOps Mailbox tab right?. Webroot support said i need go add all 11 if I'm sending SAT campaign to those 11. You're saying i only need a "sampler" mailbox, not the 11 im sending SAT campaign. Whose is correct ?- your teams seem a little not in sync. Not uniform or not super clear answers between dev and support teams what confuse end users including us. Very important detail that can affect security and keep config simple. 

Thanks though for clarifying the relationship between "SecOps Mailbox" tab and the  "Phishing simulation" tab - ive added the SAT sending ips and selected SAT domains in there.  And thanks for clarifying that it doesn't expose the mailbox to a flood of real spam, just allows Webroot SAT emails through without going into junk mail folder. 

 

Userlevel 1
Badge

@cyberkite sorry for the confusion here, from my testing I can confirm that you need only add a single address for SecOps. Your allow list will conform to the settings in the Phishing Simulations tab. 

 

I will reach out to you directly to see if we can set up a screenshare to troubleshoot further. Based on our findings, I’ll coordinate with Support.

Thanks.

@cyberkite sorry for the confusion here, from my testing I can confirm that you need only add a single address for SecOps. Your allow list will conform to the settings in the Phishing Simulations tab. 

 

I will reach out to you directly to see if we can set up a screenshare to troubleshoot further. Based on our findings, I’ll coordinate with Support.

Thanks.

Sorry, are you a webroot employee? I will only do this with Webroot support staff. Your profile is not labelled as Webroot employee. 

I dont feel its necessary to screenshare with non Webroot staff - sorry man.  It’s a simple question that everyone will come up with when setting up. 

Im getting 2 answers. 

I will defer to what Webroot support team answered on the ticket - if I have 11 user mailboxes then I add 11 user mailboxes to SecOps Mailbox tab - thats their answer. Ive sent them your replies and Im waiting for them to reply  on ticket #469277

Sorry guys but help documents need to align with Webroot support team and experts on community forum  - sorry to be a pain but Im staring at the SecOps Mailbox tab and Phishing Simulation tab and trying to follow the steps. I’ll wait for ticket reply. 

 

I look forward to clarification and hope that help pages  are improved for everyone's benefit in terms of grammar, clarity, precision. I have to contend with 50+ vendors and in my view the vendors that make their help documents understandable to IT staff are the winners. Sadly Microsofts documentation is written by a specific english style based in certain part of the world and their grammar is different from Australian english or British english or US english. Often its written in a messy way on Microsoft. I said it to them in the past they need to fire their Documentation manager and hire me.  Webroots documentation is clearer  just needs to be field tested by someone who never used Webroot. 

@cyberkite - I can confirm that @ggreenbaum is an employee, and is the Product Manager for SAT.  

Thanks for the ticket number.  I reviewed your comments there, and I can understand your confusion vs. what’s in is thread.  Sorry for the inconsistency.  You mention getting two answers.  @ggreenbaum confirmed in testing that only one SecOps mailbox is necessary.  He has also mentioned he will be contacting Support to clear up the confusion so that we have a uniform answer on this one.  I hope this clears up things for you.  

Userlevel 7
Badge +22

@cyberkite Also can confirm @ggreenbaum is Webroot employee. He is a moderator status which ranks higher in on this community platforms’ status (insided).

 

I will change it shortly here for everyone’s confirmation.

 

Please feel free to DM our employees screenshots or other info knowing that they are going to official employees.

Userlevel 1
Badge

SecOps mailbox designation is not required for WSAT operation. SecOps mailbox designation allows for unfiltered mail and is therefore a best practice for administrator oversight but SecOps designation should not be applied to target user mailboxes. Refer to the Microsoft documentation for further detail.

SecOps mailbox designation is not required for WSAT operation. SecOps mailbox designation allows for unfiltered mail and is therefore a best practice for administrator oversight but SecOps designation should not be applied to target user mailboxes. Refer to the Microsoft documentation for further detail.

The Microsoft documentation is as clear as mud imho. This conflicts when what I was told by Webroot. That each mailbox needs to be Secops as long as you are doing testing. 

Now I'm further confused by the further answers.

But I did get a clear answer from senior Webroot management and they will update Help page for that aspect accordingly to clarify. I gather there may be some who have added user mailboxes in SecOps exposing them to attacks.

 

"The intent of a "SecOps Mailbox" is to allow a Security Operations team to have a dedicated mailbox to receive all messages (good or bad), without them being filtered. As a result, it would not be advisable to configure your targeted end-user mailboxes as being SecOps mailboxes - this would open them up to legitimate phishing or malware attacks outside of the simulated campaigns you are intending to allow/whitelist. Should you have a need to inspect all incoming mail - which is something certain companies might wish to do - creating a unique SecOps address and subsequently assigning it as a SecOps mailbox would be advisable. However, this is not* a requirement to use the Security Awareness Training product, and it is certainly not a recommended best practice for all your end user mailboxes."

 

So to answer your question: "Do I need to add ALL 11 users mailboxes into "SecOps Mailbox" tab for the rules added in "Phishing simulation" tab to work for ALL 11 users so that the the SAT campaign to works and does not get junk mailed etc by Outlook anti spam?"

- "No, please do not designate any user mailboxes as SecOps mailboxes. If you have previously done so, please remove this designation from them so that legitimate malware or phishing messages are filtered in accordance with your existing security policies."

 

Phishing simulation tab: 

"To put it simply - Configuring M365 Defender to whitelist our simulated phishing and/or training campaigns can be done in a much more targeted way than leveraging SecOps mailboxes. To do so, you need only follow the section titled "Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy"

This section has you creating an advanced delivery policy (Sender IPs and Domains) specifically for our messages and our messages only, as compared to how a SecOps mailbox would function in allowing all incoming mail to be unfiltered. By creating an advanced delivery policy to allow our phishing simulations, you specify the sending IP, domains being uses, and simulation URL. Any other messages that fall outside of this policy would still be filtered by M365 Defender (default Defender and Exchange antispam policies outside of the Phishing simulation tab)"

Reply