Another day in troubleshooting email connectivity issues for our end users.
This one was a bit harder than usual. A user reported that she was no longer receiving O365 secure messages from a trusted external third party that also uses O365, reading them on the web through OWA. The issue had only come up very recently.
Analyzing the message logs showed an incoming secured message carrying the usual message.html attachment that indicates an O365 secure envelope. Checking the URL section of the Cisco SMA (Security Management Appliance) message tracking showed the following 4 lines:
12 Aug 2020 16:40:49 (GMT -04:00) Message 418310336 URL: https://ak=a.ms/cp_rms.=--_b699e927-0dd0-4d4a-b119-c4b45737d85b_Content-Description:, URL category: Uncategorized URLs, Condition: URL Category Rule, Attachment name: None.
12 Aug 2020 16:40:49 (GMT -04:00) Message 418310336 URL: https://aka.ms/protectedmessage, URL reputation: 5.0, Condition: URL Reputation Rule, Attachment name:None.
12 Aug 2020 16:40:49 (GMT -04:00) Message 418310336 URL: https://outlook.office365.com/Encryption/api.svc/mail/upload?urlversion=2&recipientemailaddress=xxxxxxxx@yyyy.zzz&senderemailaddress=xxxxxxxx@yyyy.zzz&senderorganization=... URL reputation: 9.1, Condition: URL Reputation Rule, Attachment name:None.
12 Aug 2020 16:40:49 (GMT -04:00) Message 418310336 URL: https://outlook.office365.com/Encryption/store.ashx?urlversion=2&recipientemailaddress=jessica.xxxxxxxx@yyyy.zzz&senderemailaddress=xxxxxxxx@yyyy.zzz&senderorganization=... URL reputation: 9.1, Condition: URL Reputation Rule, Attachment name:None.
aka.ms is a trusted, Microsoft-owned URL shortener, so seeing the first URL line land in the blocked category "Uncategorized URLs" was a bit surprising.
Further investigation showed that the incoming message did look as expected:
Opening the resulting message.html then displayed the following secure envelope:
Checking all the visible links and URLs on that page did not reveal the blocked URLs. The next step was to inspect the page source and drill deeper.
As expected, we quickly found the sign-in redirect links such as httpx://outlook.office365.com/Encryption/store.ashx?urlversion=2&recipientemailaddress=xxxxxxxx@yyyyy.zzz... Looking further, we found the first occurrence of a URL using Microsoft's aka.ms short URL service: "Get Outlook for your device here: httpx://aka.ms/protectedmessage." This text only seems to be displayed in certain cases on mobile devices.
The more interesting find was the following line:
Learn more at https://ak= a.ms/cp_rms.= -_b699e927-0dd0-4d4a-b119-c4b45737d85b_ 

We expected that creating a URL exception for aka.ms/* in the Cisco ESA would stop the URL filter from triggering, but the filter kept complaining about this line. Looking at the encoding of the URL, we can see that the CRLF line-wrapping encoding inside the URL (visible as the "=" characters where the line breaks fall) causes the Cisco ESA to parse it incorrectly: the URL is not seen as one aka.ms URL at all.
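To make the failure concrete, here is an added example (not code from the original post, and not Cisco's or Microsoft's code) that reconstructs the problem on a constructed message body. It assumes the HTML part is quoted-printable encoded, which is what a "=" immediately before a line break (an RFC 2045 soft line break) indicates. A URL scanner run on the raw, still-encoded bytes cuts the URL at the soft line break and ends up with a fragment whose "host" is ak=, which can match neither a URL category nor an aka.ms/* exception; decoding the transfer encoding first reassembles the whole URL. The exact internal behaviour of the ESA is not documented in the post, so the naive scanner here is one plausible way such a parser goes wrong, not a description of the product. The cp_rms token, the regex and the allowlist check are all mine.

```python
import re
import quopri
from urllib.parse import urlparse

# Constructed sample body (not the real message): a quoted-printable encoded
# HTML fragment in which the "=" soft line breaks (RFC 2045) fall inside a URL,
# modelled on the "Learn more at https://ak= a.ms/cp_rms.= ..." line above.
# The token after cp_rms. is a placeholder, not the real one.
RAW_QP_BODY = (
    b"Learn more at https://ak=\r\n"
    b"a.ms/cp_rms.=\r\n"
    b"--_PLACEHOLDER-TOKEN_\r\n"
    b"Get Outlook for your device here: https://aka.ms/protectedmessage.\r\n"
)

# Simple URL scanner; a URL ends at whitespace or an HTML delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# The trusted Microsoft URL shortener the ESA exception was written for.
ALLOWED_HOSTS = {"aka.ms"}


def _scan(text):
    # Trailing sentence punctuation is not part of the URL.
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def extract_urls_naive(raw):
    """Scan the wire bytes as-is, without undoing the transfer encoding.
    This reproduces the failure mode: the URL is cut at the soft line break
    and the fragment 'https://ak=' is what gets looked up."""
    return _scan(raw.decode("ascii", errors="replace"))


def extract_urls_decoded(raw):
    """Undo quoted-printable first (soft line breaks are removed and =XX
    sequences decoded), then scan the reassembled text."""
    return _scan(quopri.decodestring(raw).decode("utf-8", errors="replace"))


def matches_allowlist(url, allowed=ALLOWED_HOSTS):
    """True if the URL's hostname is one of the exempted hosts.
    'https://ak=' parses to hostname 'ak=', which matches nothing."""
    return urlparse(url).hostname in allowed


if __name__ == "__main__":
    for label, urls in (("raw", extract_urls_naive(RAW_QP_BODY)),
                        ("decoded", extract_urls_decoded(RAW_QP_BODY))):
        for u in urls:
            print(f"{label:8} {u:50} allowlisted={matches_allowlist(u)}")
```

Running it shows the raw scan yielding https://ak= (not allowlisted) next to https://aka.ms/protectedmessage, while the decoded scan yields the full https://aka.ms/cp_rms.--_PLACEHOLDER-TOKEN_ URL, which the aka.ms exception covers. The lesson for anyone writing or tuning a URL filter is that extraction must run on the decoded MIME part, not on the transfer-encoded bytes, and that an exception written against a hostname cannot help when the parser never recovers that hostname.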
We are currently working with MS Premium Support to get this OWA 365 template updated.
Another problem solved.