Locking down your O365 tenant so that it only accepts email routed through Proofpoint's filtering adds a layer of security. This is done with a mail flow rule. We recommend first configuring the rule to alert an administrator whenever a message circumvents Proofpoint, which gives you visibility into what is bypassing it, and then switching the rule over to blocking once any necessary exceptions have been added.

Start the process of locking down your environment

  • Log into the Exchange Admin Center
  • Navigate to Mail Flow > Rules, then click + Add a Rule
  • Give the rule a name such as "Alert if Mail Bypasses Proofpoint"
  • Give this rule the following structure:
    • Apply this rule if
      • Apply to All Messages
    • Do the following
      • Either “forward the message for approval” or “generate incident report and send to” > admin at your organization
    • Except if:
      • The message properties > include the message type > Calendaring
      • Sender’s IP > is in the range > Proofpoint's sending IP addresses for your region
      • The sender’s domain is:
        • teams.microsoft.com
        • lync.com
        • voicemail.microsoft.com
        • skype.voicemail.microsoft.com
        • microsoft.com
      • The sender is located > Inside the organization

Finalize the lockdown

Once you have added any required exceptions and are confident that no legitimate emails are trying to bypass Proofpoint, making the following changes to the above rule will fully lock down O365:

  • Change the name to something such as "Reject if Mail Bypasses Proofpoint"
  • Change "Do the following" to either:
    • Block the message > [any of these options], or
    • Redirect the message to > hosted quarantine
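
The same rule, in both its alert and lockdown forms, can be scripted with Exchange Online PowerShell. This is an added example, not part of the original article; the admin address, the CIDR ranges and the rejection text are placeholders to replace with your own values and with Proofpoint's published sending ranges for your region.

```powershell
# Added example: scripted equivalent of the mail flow rule described above.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

$adminMailbox  = 'admin@example.com'                   # placeholder: alert recipient
$proofpointIps = @('192.0.2.0/24', '198.51.100.0/24')  # placeholder: Proofpoint ranges for your region
$msftDomains   = @(
    'teams.microsoft.com',
    'lync.com',
    'voicemail.microsoft.com',
    'skype.voicemail.microsoft.com',
    'microsoft.com'
)

# Phase 1: alert only. No conditions are set, so the rule applies to all
# messages except those matched by one of the ExceptIf* parameters.
$alertRule = @{
    Name                       = 'Alert if Mail Bypasses Proofpoint'
    GenerateIncidentReport     = $adminMailbox
    IncidentReportContent      = @('Sender', 'Recipients', 'Subject')
    ExceptIfMessageTypeMatches = 'Calendaring'
    ExceptIfSenderIpRanges     = $proofpointIps
    ExceptIfSenderDomainIs     = $msftDomains
    ExceptIfFromScope          = 'InOrganization'
}
New-TransportRule @alertRule

# Confirm that the exceptions were stored as intended before relying on the rule.
Get-TransportRule -Identity $alertRule.Name |
    Format-List Name, State, ExceptIfSenderIpRanges, ExceptIfSenderDomainIs, ExceptIfFromScope

# Phase 2: lockdown. Leave $finalize at $false until the incident reports
# show that no legitimate mail is arriving outside Proofpoint.
$finalize = $false
if ($finalize) {
    $lockdown = @{
        Identity                = $alertRule.Name
        Name                    = 'Reject if Mail Bypasses Proofpoint'
        GenerateIncidentReport  = $null   # clear the alert-phase action
        IncidentReportContent   = $null
        RejectMessageReasonText = 'Mail must be delivered through the filtering gateway.'  # constructed text
    }
    # To quarantine instead of rejecting, drop RejectMessageReasonText
    # and add: Quarantine = $true
    Set-TransportRule @lockdown
}
```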