Encrypt Messages with Office 365 Message Encryption
There are a whole bunch of encryption technologies in Office 365. Office 365 Message Encryption (OME) is the one for sending encrypted messages to recipients outside your organisation: the recipient needs nothing beyond a web browser, does not have to run Windows or Outlook, and does not have to be an Office 365 customer. It is easy to automate, has no certificate requirement, and allows the recipient to reply in an encrypted fashion. One caveat worth stating plainly: the encryption is applied by the service as the message passes through Exchange Online, so OME protects the message on its way to and at the recipient, but it is not end-to-end in the strict sense, since the service handles the plaintext.
Automatic Message Encryption
Exchange Server administrators will be familiar with the concept of Transport Rules, now Mail Flow Rules in Exchange Online/Office 365. We can use Mail Flow Rules to kick off encryption when a particular condition is met. Below, we'll explore a few common scenarios. Every rule uses -RuleErrorAction Defer so that, if the rule cannot be processed (for example because the tenant's rights management configuration is unavailable), the message is deferred and retried rather than delivered unencrypted; the default, Ignore, would let it through. The examples use -ApplyOME, which is the legacy OME action; tenants on the current OME (built on Azure Information Protection) use -ApplyRightsProtectionTemplate "Encrypt" in its place.
Before you complete any of the commands below, you’ll need to Connect PowerShell to Exchange Online.
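As an added example, not part of the original post: the connection step followed by a check that the tenant can actually apply OME before any rule is created. It assumes the ExchangeOnlineManagement module is installed, and admin@contoso.com and alice@contoso.com are placeholder accounts.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed; admin@contoso.com and alice@contoso.com are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# OME depends on Azure Rights Management being enabled for the tenant.
# A rule with -ApplyOME on a tenant where this is off cannot encrypt anything.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw "Azure RMS is not enabled for this tenant; OME rules will not be able to encrypt."
}

# Exercise the IRM pipeline for a real sender. Failures here (licensing,
# template retrieval) show up now, not as deferred messages after the rules go live.
Test-IRMConfiguration -Sender alice@contoso.com
```

Run this once in the session you will create the rules from; the rest of the commands on this page assume that session is still open.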
Encrypt Based on Sender’s Group Membership
Say, for example, you need to encrypt all messages sent by the security team. Provided they're all in a distribution group called 'Security' (referenced below by the group's SMTP address), we can handle this like so:
```powershell
New-TransportRule -Name "Encrypt mail from the Security team" `
    -RuleErrorAction Defer `
    -FromMemberOf 'email@example.com' `
    -SetAuditSeverity Low `
    -ApplyOME $true
```
Encrypt Based on Recipient Domain
If you deal with an organisation that requires all correspondence to be encrypted, this may come in handy. You can create a rule to encrypt all messages to a particular SMTP domain as follows:
```powershell
# The dot in the domain is escaped so the pattern does not also match,
# say, woodgrovebankXcom. Mail flow rule patterns are case-insensitive.
New-TransportRule -Name "Encrypt mail to Woodgrove Bank" `
    -RuleErrorAction Defer `
    -RecipientAddressMatchesPatterns '^[A-Z0-9._%+-]+@woodgrovebank\.com$' `
    -SetAuditSeverity Low `
    -ApplyOME $true
```

If you only need an exact domain match, -RecipientDomainIs 'woodgrovebank.com' does the same job without a regular expression.
Encrypt Based on Message Sensitivity (Private/Confidential)
This gives an easy, transparent but selective way to roll out OME: advise staff that marking a message as "Private" or "Confidential" in Outlook will cause it to be encrypted. Outlook records the choice in the Sensitivity header, as Private or, for Confidential, Company-Confidential, so the rule matches on that header:
```powershell
New-TransportRule -Name "Encrypt mail marked as Private or Confidential" `
    -RuleErrorAction Defer `
    -HeaderMatchesMessageHeader "Sensitivity" `
    -HeaderMatchesPatterns "Private","Company-Confidential" `
    -SetAuditSeverity Low `
    -ApplyOME $true
```
Encrypt Based on Subject
This solution encrypts messages based on the content of the subject, so users can put a specific string in the subject to have the message encrypted on send. It is also useful if you already have plugins that put classification markers in subjects (think [SEC=UNCLASSIFIED]).
```powershell
# The pattern is unanchored, so [encrypt] matches anywhere in the subject;
# the square brackets are escaped because they are regex metacharacters.
New-TransportRule -Name "Encrypt mail with [encrypt] in subject" `
    -RuleErrorAction Defer `
    -SubjectMatchesPatterns '\[encrypt\]' `
    -SetAuditSeverity Low `
    -ApplyOME $true
```
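Once the rules exist, the failure modes that matter are the quiet ones: a rule left in audit mode, disabled, or shadowed by a higher-priority rule that stops processing. As an added example, not from the original post, the following audits every encryption rule in the tenant. It assumes an open Exchange Online PowerShell session and checks both the legacy ApplyOME action and the current ApplyRightsProtectionTemplate action, so it applies beyond the four rules above.

```powershell
# Added example (not from the original post). Assumes an open Exchange Online
# PowerShell session with permission to read mail flow rules.

# Every rule that encrypts, whether via legacy OME or an RMS template,
# in the order Exchange evaluates them.
$omeRules = Get-TransportRule |
    Where-Object { $_.ApplyOME -or $_.ApplyRightsProtectionTemplate } |
    Sort-Object Priority

if (-not $omeRules) {
    Write-Warning "No mail flow rule in this tenant applies OME."
    return
}

$omeRules | Format-Table Priority, Name, State, Mode, ApplyOME, ApplyRightsProtectionTemplate -AutoSize

# A rule that is disabled, or in Audit/AuditAndNotify mode, logs but never encrypts.
foreach ($rule in $omeRules) {
    if ($rule.State -ne 'Enabled') {
        Write-Warning "'$($rule.Name)' is $($rule.State) and will not encrypt."
    }
    if ($rule.Mode -ne 'Enforce') {
        Write-Warning "'$($rule.Name)' is in $($rule.Mode) mode and will not encrypt."
    }
}

# A higher-priority (lower number) enabled rule with StopRuleProcessing set means
# any message it matches never reaches the encryption rules at all.
$firstOme = ($omeRules | Measure-Object -Property Priority -Minimum).Minimum
Get-TransportRule |
    Where-Object { $_.StopRuleProcessing -and $_.State -eq 'Enabled' -and $_.Priority -lt $firstOme } |
    ForEach-Object {
        Write-Warning "'$($_.Name)' (priority $($_.Priority)) stops rule processing before the first OME rule (priority $firstOme)."
    }
```

Run it after any change to mail flow rules, not only the encryption ones; the shadowing check is the one most often missed, because the rule that breaks encryption usually has nothing to do with encryption.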
Thanks to this thread for prompting me to have a think about this one.