Encrypt Messages with Office 365 Message Encryption
Written on October 5, 2016

There are a whole bunch of encryption technologies in Office 365. Office 365 Message Encryption (OME) is the one for sending encrypted mail to people outside your organisation: the recipient needs nothing beyond a web browser, does not have to be running Windows or Outlook, and does not have to be an Office 365 customer. It is easy to automate, has no certificate requirement, and lets the recipient reply encrypted. One point worth being clear on: the encryption is applied by the Exchange Online transport service as the message leaves the tenant, not by the sender's mail client, so it protects the copy the recipient receives but is not end-to-end in the strict sense. Messages that never trigger a rule leave in the clear as usual.

Automatic Message Encryption

Exchange Server administrators will be familiar with the concept of Transport Rules, now called Mail Flow Rules in Exchange Online/Office 365 (the cmdlet is still New-TransportRule). We can use Mail Flow Rules to kick off encryption when a particular condition is met. Below, we'll explore a few common scenarios. The examples use -ApplyOME, the original OME action; tenants on the newer OME capabilities get the same effect from -ApplyRightsProtectionTemplate with the built-in "Encrypt" template, and the conditions are unchanged.

Before you run any of the commands below, you'll need to connect PowerShell to Exchange Online.

Encrypt Based on Sender’s Group Membership

Say, for example, you need to encrypt all messages sent by the security team. Provided they're all members of a distribution group called 'Security', you can handle this like so:

# Condition: sender is a member of the named group (substitute your group's SMTP address).
# Action: apply OME. A rule that hits an error is deferred rather than skipped,
# so a transient failure does not let a message out unencrypted.
New-TransportRule -Name "Encrypt mail from the Security team" `
    -RuleErrorAction Defer `
    -FromMemberOf '[email protected]' `
    -SetAuditSeverity Low `
    -ApplyOME $true

Encrypt Based on Recipient Domain

If you deal with an organisation that requires all correspondence to be encrypted, this may come in handy. You can create a rule to encrypt all messages to a particular SMTP domain as follows. The pattern is a regular expression: keep the ^ and $ anchors and escape the dot in the domain, otherwise a look-alike domain will also match.

# Condition: any recipient address matches the pattern (local part, then the partner's
# SMTP domain; substitute your own domain). Each line ends in a backtick so the
# command continues onto the next line.
New-TransportRule -Name "Encrypt mail to Woodgrove Bank" `
    -RuleErrorAction Defer `
    -RecipientAddressMatchesPatterns '^[A-Z0-9._%+-][email protected]$' `
    -SetAuditSeverity Low `
    -ApplyOME $true

Encrypt Based on Message Sensitivity (Private/Confidential)

This is an easy way to roll OME out selectively and transparently: tell staff that marking a message as "Private" or "Confidential" in Outlook will cause it to be encrypted. Outlook records those choices in the Sensitivity header as Private and Company-Confidential respectively, which is what the rule matches on. Because the header is written by the sending client, treat this as a convenience for users rather than a control: anything that can set the header can trigger (or fail to trigger) encryption. The rule looks like the following:

# Condition: the Sensitivity header matches one of the patterns. "Private" and
# "Company-Confidential" are the values Outlook writes for Private and Confidential;
# "Personal" is deliberately left out.
New-TransportRule -Name "Encrypt mail marked as Private or Confidential" `
    -RuleErrorAction Defer `
    -HeaderMatchesMessageHeader "Sensitivity" `
    -HeaderMatchesPatterns "Private","Company-Confidential" `
    -SetAuditSeverity Low `
    -ApplyOME $true

Encrypt Based on Subject

This solution encrypts messages based on the subject line. Users can enter a specific string in the subject to have the message encrypted on send, which is useful if you already have plugins that tag messages in the subject (think [SEC=UNCLASSIFIED]). Bear in mind that OME does not encrypt the subject line itself, so the tag, and anything else in the subject, stays readable; keep the sensitive detail in the body.

# Condition: the subject contains the literal tag [encrypt]. The (?:^|\W|\w) groups
# accept any character (or nothing) on either side, so the tag matches anywhere in
# the subject, including after a reply prefix such as "RE:".
New-TransportRule -Name "Encrypt mail with [encrypt] in subject" `
    -RuleErrorAction Defer `
    -SubjectMatchesPatterns '(?:^|\W|\w)\[encrypt\](?:$|\W|\w)' `
    -SetAuditSeverity Low `
    -ApplyOME $true
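The four rules above share two failure modes worth checking before and after rollout: a pattern that matches more (or less) than you meant, and a rule that exists but is disabled or sits behind another rule in priority order. The script below is an added example, not code from the original post. Part 1 dry-runs the conditions locally against constructed sample messages using .NET regex, which is what mail flow rule patterns are; the domains woodgrovebank.example and contoso.example, the sample addresses, and the assumption that matching is case-insensitive are mine, not the page's. Part 2 queries the tenant with Get-TransportRule, whose output properties mirror the parameter names used above; Test-OmeConditions and Get-OmeRuleReport are helper functions defined here.

```powershell
# Added example, not from the original post. Part 1 runs anywhere; Part 2 needs
# the Exchange Online session described at the start of the post.

# ---- Part 1: local pattern checks (no tenant connection needed) ----
# Assumption: the rule engine matches case-insensitively, so mirror that here.
$opts = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase

# Recipient-domain pattern. Escape the '.' and anchor both ends; the "weak"
# pattern shows the unescaped mistake, which also matches look-alike domains.
$partnerDomain  = 'woodgrovebank.example'                    # hypothetical partner domain
$weakPattern    = '^[A-Z0-9._%+-]+@woodgrovebank.example$'   # '.' unescaped
$domainPattern  = '^[A-Z0-9._%+-]+@' + [regex]::Escape($partnerDomain) + '$'

# Subject tag. The post's (?:^|\W|\w) groups accept any character, so the
# condition reduces to "the literal tag appears anywhere in the subject".
$subjectPattern = '\[encrypt\]'

# Sensitivity header values Outlook writes for Private and Confidential.
$sensitivityPattern = '^(Private|Company-Confidential)$'

function Test-OmeConditions {
    # Returns which of the OME triggers a constructed message would hit.
    param(
        [string]$Recipient,
        [string]$Subject,
        [string]$Sensitivity
    )
    [pscustomobject]@{
        Recipient       = $Recipient
        Subject         = $Subject
        Sensitivity     = $Sensitivity
        DomainRule      = [regex]::IsMatch($Recipient,   $domainPattern,      $opts)
        DomainRuleWeak  = [regex]::IsMatch($Recipient,   $weakPattern,        $opts)
        SubjectRule     = [regex]::IsMatch($Subject,     $subjectPattern,     $opts)
        SensitivityRule = [regex]::IsMatch($Sensitivity, $sensitivityPattern, $opts)
    }
}

# Constructed sample messages, not real traffic.
$samples = @(
    @{ Recipient = 'alice@woodgrovebank.example'; Subject = 'Q3 figures';            Sensitivity = 'Normal' },
    @{ Recipient = 'bob@woodgrovebankXexample';   Subject = 'Q3 figures';            Sensitivity = 'Normal' },  # look-alike: only the weak pattern matches
    @{ Recipient = 'carol@contoso.example';       Subject = 'RE: [encrypt] payroll'; Sensitivity = 'Normal' },  # tag survives a reply prefix
    @{ Recipient = 'dave@contoso.example';        Subject = 'Board pack';            Sensitivity = 'Company-Confidential' }
)
$results = foreach ($s in $samples) { Test-OmeConditions @s }
$results | Format-Table -AutoSize

# ---- Part 2: verify the tenant (needs an Exchange Online session) ----
function Get-OmeRuleReport {
    # Every mail flow rule that applies OME, with the facts to check after a
    # rollout: enabled or not, position in priority order, and what triggers it.
    Get-TransportRule | Where-Object { $_.ApplyOME } | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State
            Priority    = $_.Priority
            ErrorAction = $_.RuleErrorAction
            FromGroup   = ($_.FromMemberOf -join ';')
            Recipients  = ($_.RecipientAddressMatchesPatterns -join ';')
            Header      = $_.HeaderMatchesMessageHeader
            HeaderValue = ($_.HeaderMatchesPatterns -join ';')
            Subject     = ($_.SubjectMatchesPatterns -join ';')
        }
    } | Sort-Object Priority
}
# Get-OmeRuleReport | Format-Table -AutoSize
```

In Part 1 the second sample is the one to look at: the look-alike address passes the unescaped pattern and fails the escaped one. In Part 2, a rule showing State Disabled, or a lower-priority rule sitting behind one that stops processing, is the usual reason a message you expected to be encrypted went out in the clear; the definitive check is still a test message to an external mailbox.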

Thanks to this thread for prompting me to have a think about this one.

Cmdlets Used

New-TransportRule

Comments/questions

There's no commenting functionality here. If you'd like to comment, please either mention me (@[email protected]) on Mastodon or email me. I don't have any logging or analytics running on this website, so if you found something useful or interesting it would mean a lot to hear from you.