Chris Lehr - Portland OR
@chrislehr.com
Formerly @chrislehratx No more Twitter. My opinions are my own. Technology, old dull man things and more!
admin.microsoft.com/Adminportal/...

This will speed up a LOT of investigative efforts, I imagine. Awesome stuff to see from MSFT!
September 17, 2025 at 4:04 PM
Little late on posting this out, but I wrote a blog on auditing and blocking Direct Send in Exchange Online using MDO tools to audit and EXO ETRs to block. Enjoy and let me know any changes you'd recommend! thecloudtechnologist.com/2025/08/09/a...
An improved approach to blocking Direct Send Abuse
Guest post By Chris Lehr Executive Summary If you are a Microsoft 365 customer and you are seeing an uptick of spam and phish emails sent to your domain, but also from your domain that seem to be g…
thecloudtechnologist.com
August 19, 2025 at 2:48 AM
KQL to review #DirectSend abuse

EmailEvents
| where SenderMailFromDomain == RecipientDomain
| where isempty(Connectors)
| where DeliveryAction !in ("Junked", "Blocked")
| extend AuthenticationDetails = parse_json(AuthenticationDetails)
| where AuthenticationDetails.DMARC == "fail"
August 5, 2025 at 11:47 PM
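An added example, not part of the original post: the same four filters run over a constructed datatable, so the logic can be tried without tenant data, then grouped by sending IP to show where unauthenticated same-domain mail is coming from. The rows, the contoso.example and fabrikam.example domains and the IP addresses are constructed; column names follow the post's query plus SenderIPv4 and RecipientEmailAddress from the other queries on this page.

```kql
// Constructed sample rows, not real telemetry.
//   msg-0001, msg-0002: same-domain mail, no connector, delivered, DMARC fail
//   msg-0003: same-domain mail that arrived through a connector (a legitimate relay)
//   msg-0004: same-domain DMARC fail that was already junked
//   msg-0005: external sender domain
//   msg-0006: same-domain mail that passed DMARC
let SampleEmailEvents = datatable(
    Timestamp: datetime,
    NetworkMessageId: string,
    SenderMailFromDomain: string,
    RecipientDomain: string,
    RecipientEmailAddress: string,
    SenderIPv4: string,
    Connectors: string,
    DeliveryAction: string,
    AuthenticationDetails: string
)
[
    datetime(2025-08-01 09:00:00), "msg-0001", "contoso.example", "contoso.example", "alice@contoso.example", "203.0.113.10", "", "Delivered", '{"SPF":"fail","DKIM":"none","DMARC":"fail"}',
    datetime(2025-08-01 09:05:00), "msg-0002", "contoso.example", "contoso.example", "bob@contoso.example", "203.0.113.10", "", "Delivered", '{"SPF":"fail","DKIM":"none","DMARC":"fail"}',
    datetime(2025-08-01 09:10:00), "msg-0003", "contoso.example", "contoso.example", "alice@contoso.example", "198.51.100.25", "OnPrem Relay", "Delivered", '{"SPF":"fail","DKIM":"none","DMARC":"fail"}',
    datetime(2025-08-01 09:15:00), "msg-0004", "contoso.example", "contoso.example", "carol@contoso.example", "203.0.113.77", "", "Junked", '{"SPF":"fail","DKIM":"none","DMARC":"fail"}',
    datetime(2025-08-01 09:20:00), "msg-0005", "fabrikam.example", "contoso.example", "alice@contoso.example", "198.51.100.40", "", "Delivered", '{"SPF":"fail","DKIM":"none","DMARC":"fail"}',
    datetime(2025-08-01 09:25:00), "msg-0006", "contoso.example", "contoso.example", "bob@contoso.example", "198.51.100.50", "", "Delivered", '{"SPF":"pass","DKIM":"pass","DMARC":"pass"}'
];
SampleEmailEvents
// Envelope sender claims the tenant's own domain
| where SenderMailFromDomain == RecipientDomain
// No inbound connector was matched, so this is not a configured relay
| where isempty(Connectors)
// Only mail that was not already junked or blocked
| where DeliveryAction !in ("Junked", "Blocked")
// AuthenticationDetails is a JSON string; parse it and compare the DMARC verdict as text
| extend Auth = parse_json(AuthenticationDetails)
| where tostring(Auth.DMARC) == "fail"
// Group by source so repeat senders stand out
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleMessageIds = make_set(NetworkMessageId, 5)
    by SenderIPv4, SenderMailFromDomain
| order by Messages desc
```

To run it against a tenant, replace `SampleEmailEvents` in the query body with `EmailEvents` and drop the `let` statement.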
Holy shit. Lumen is down so bad you cannot get to their web site. Wonder if this has to do with the AT&T purchase and transition?
June 19, 2025 at 10:35 PM
FYI XE, XJ and XS are no longer valid ISO country codes for MSFT Antispam inbound policies. If you chose to use these at some point in the future, you will find your antispam policy is no longer editable. To fix:

Set-HostedContentFilterPolicy -Identity "<policy name>" -RegionBlockList @{Remove="XJ","XS","XE"}
June 13, 2025 at 4:50 PM
@xsalazar.bsky.social love the elevator tracker. Please consider a “is the 17th underpass usable” tracker!
May 30, 2025 at 4:00 PM
TIL - those times when it says block but the message inboxed is answered right here.
April 17, 2025 at 4:45 AM
May 5th MSFT will Junk messages not meeting these requirements - generally aligning with the Google/Yahoo requirements here. If your domain sends 5000+ emails per day, make sure your SPF, DKIM and DMARC are configured and aligned correctly!

techcommunity.microsoft.com/blog/microso...
Strengthening Email Ecosystem: Outlook’s New Requirements for High‐Volume Senders | Microsoft Community Hub
Introduction In an era where email remains one of the most widely used tools for personal and business communications, Outlook is stepping up its commitment...
techcommunity.microsoft.com
April 2, 2025 at 4:44 PM
This is fantastic news - email entity, threat explorer and policy pages have been notably slow in some tenants in recent months. Nice to see it is getting attention. m365admin.handsontek.net/microsoft-de...
Microsoft Defender for Office 365: Enhancing page load performance - M365 Admin
Microsoft Defender for Office 365 is enhancing page load performance to address user feedback on latency. Phase 1, starting in late March 2025 and ending by late June 2025, targets improvements in Sub...
m365admin.handsontek.net
April 2, 2025 at 4:32 PM
It's been less than 10 years since Obama was "allowed" to use an iPhone and today our government accidentally sent war plans to a reporter over Signal. We've come so far!! www.theverge.com/2016/6/11/11...
Obama finally upgraded from his BlackBerry
But he still wants something better
www.theverge.com
March 24, 2025 at 10:45 PM
Bravo - Allowing admins to add allows to their allow list. Finally.
March 10, 2025 at 7:57 PM
Ditching that Felon
February 20, 2025 at 9:46 PM
Any recommendations aside from this one? Sort of abandoning some media and looking for advice.
February 10, 2025 at 2:38 AM
Reposted by Chris Lehr - Portland OR
There are 2 good reasons to join #BikeLoud

1️⃣By giving, you show you value safe streets. In the very contested arena of street use, our leaders take note. We want to be a formidable force for streets that function well for all of us

2️⃣We sponsor lots of fun events
secure.lglforms.com/form_engine/...
December 3, 2024 at 3:09 PM
Reposted by Chris Lehr - Portland OR
If you are an IT Pro or in InfoSec check out the #kql queries from this book at github.com/KQLMSPress/d.... Pick yourself up a copy with that extra Santa money. Thanks for the shout out @k0grad.bsky.social.
December 27, 2024 at 12:13 AM
See the top domains your Microsoft 365 users send email to. #KQL
EmailEvents
| where EmailDirection == "Outbound"
| extend recipientdomain = split(RecipientEmailAddress, '@')[1]
| project recipientdomain
| summarize count() by tostring(recipientdomain)
December 18, 2024 at 12:05 AM
Reposted by Chris Lehr - Portland OR
November 20, 2024 at 8:45 PM
Neat - using a custom domain name here was pretty simple to set up. @chrislehr.com to tag me now.
November 21, 2024 at 7:01 PM
KQL EmailEvents by country - improved!

EmailEvents
| where geo_info_from_ip_address(SenderIPv4) != ""
| extend GeoIPInfo = geo_info_from_ip_address(SenderIPv4)
| extend country = tostring(parse_json(GeoIPInfo).country)
| project country
| summarize count() by country
November 18, 2024 at 7:49 PM
Haaaaaaahahaha, who got knocked out? #netflix
November 16, 2024 at 5:25 AM