Lumu Email Intelligence and Office 365


In this document, you will learn how to configure a policy in Microsoft Office 365 to forward your emails to Lumu for compromise assessment. Lumu Email Intelligence is a unique threat analysis tool that runs advanced correlations between your inbox, known indicators of compromise (IoCs), and network traffic.

Learn more about how Lumu Email Intelligence helps you understand who is targeting your organization, how they are doing it, and how successful they are in our documentation.

Requirements

You must have Office 365 admin permissions to access the Exchange admin center.

Office 365 Setup

Lumu assigns a unique email address to your organization. You can find the email address assigned to your organization by going to the Lumu Portal and navigating to Lumu Email Intelligence, under the Intelligence sub-menu. 

Figure 1 - Lumu Email Intelligence settings - Lumu Portal.

1. Sign in to Office 365 using your admin account, and then navigate to Admin centers > Security.


2. Once you are in the Office 365 Security & Compliance section, go to Threat management > Policy, and then click to access the Anti-spam area.

3. On the Anti-spam settings page, click “Create a policy”, then select “Inbound”.

In the New spam filter policy flyout that opens, configure the following settings:
  • Name: Enter a unique, descriptive name for the policy. Don't use the following characters: \ % & * + / = ? { } | < > ( ) ; : , [ ] ".
  • Description: Enter an optional description for the policy.


In the “Users, groups and domains” area, set the conditions or exceptions that identify the internal recipients the policy applies to. In the following example, we apply the policy to all the recipients of an organization domain.


In the “Actions” section, we recommend configuring the following settings:

  • Spam: select the action to take on messages that reach the minimum threshold to be considered spam. As some legitimate messages can be classified as spam (false positives), we recommend selecting the option “Move message to Junk Email folder”, so the message is delivered to the mailbox and moved to the Junk Email folder. Optionally, you can set this option to “Redirect message to email address” to send the message to Lumu for compromise assessment. You can specify the recipients later in the “Redirect to this email address” box.

WARNING: The “Redirect message to email address” action sends the message to other recipients instead of the intended recipients. Be aware that when you select this option, the message will not be delivered to the recipient mailbox, and Lumu only stores the metadata of the analyzed messages. Learn more about Lumu and data privacy. In short, the content of messages redirected to Lumu cannot be recovered.

  • High confidence spam: messages that contain malicious URLs or malware fall into this category. These messages have a low probability of being false positives. We recommend setting this option to “Redirect message to email address” to send the message to Lumu for compromise assessment.
  • Phishing email: as this filtering option can produce false positives, we recommend setting it to “Quarantine message” to send the message to quarantine instead of the intended recipients. You specify how long the message should be held in quarantine later in the Quarantine box. Optionally, you can set this to “Redirect message to email address” to send the message to Lumu for compromise assessment.
  • High confidence phishing email: select the action to take on messages that contain URLs for phishing websites. Due to the low probability of false positives, we recommend setting this option to “Redirect message to email address” to send the message to Lumu for compromise assessment.
  • Bulk email: messages that in many cases come from advertisements or marketing campaigns. In this section, you can keep the default configuration "Move message to Junk Email folder" or forward the emails for Lumu analysis through the action "Redirect message to email address".


  • Redirect to this email address: enter the unique email address that Lumu assigned to your company. To deliver the message to multiple email addresses, enter them separated by semicolons (;).


Figure 8 shows an example of an active anti-spam policy. Custom anti-spam policies are displayed in the order they are processed (the first policy has the Priority value 0).
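
The same policy can also be created and checked from Exchange Online PowerShell. This is an added example, not part of Lumu's documentation; the policy name, domain, admin account and Lumu address are placeholders to replace with your own values, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example. All values in this first block are placeholders (assumptions).
$LumuAddress = 'LUMU-ASSIGNED-ADDRESS@placeholder.invalid'  # copy from the Lumu Portal
$Domain      = 'example.com'                                # your organization domain
$PolicyName  = 'Lumu Email Intelligence - Inbound'          # hypothetical policy name

Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# Actions per verdict, following the recommendations on this page:
# redirect only the high-confidence verdicts; keep false-positive-prone
# verdicts deliverable (Junk Email folder) or recoverable (quarantine).
$policy = @{
    Name                      = $PolicyName
    AdminDisplayName          = 'Redirect high-confidence spam and phishing to Lumu'
    SpamAction                = 'MoveToJmf'    # Move message to Junk Email folder
    HighConfidenceSpamAction  = 'Redirect'     # Redirect message to email address
    PhishSpamAction           = 'Quarantine'   # Quarantine message
    HighConfidencePhishAction = 'Redirect'
    BulkSpamAction            = 'MoveToJmf'    # default behaviour kept
    RedirectToRecipients      = $LumuAddress
}
New-HostedContentFilterPolicy @policy

# "Users, groups and domains": apply the policy to every recipient in the domain.
# Priority 0 means this custom policy is processed first.
New-HostedContentFilterRule -Name $PolicyName `
    -HostedContentFilterPolicy $PolicyName `
    -RecipientDomainIs $Domain `
    -Priority 0

# Read the policy back and review what was actually applied.
$applied = Get-HostedContentFilterPolicy -Identity $PolicyName
$applied | Format-List Name, SpamAction, HighConfidenceSpamAction,
    PhishSpamAction, HighConfidencePhishAction, BulkSpamAction, RedirectToRecipients

# Redirected messages never reach the mailbox and cannot be recovered, so flag
# Redirect on the verdicts this page describes as prone to false positives.
foreach ($verdict in 'SpamAction', 'PhishSpamAction') {
    if ("$($applied.$verdict)" -eq 'Redirect') {
        Write-Warning "$verdict is Redirect: legitimate mail misclassified here will not be delivered."
    }
}
```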


For further details about anti-spam policies for Office 365, consult the Microsoft documentation.

