How do I protect my Office 365 users from malware and phishing?... What you need to know!

Office 365's adoption is growing at the speed of light, and that means that it is also growing as an attack vector. Combining this with the growth in email-based malware and phishing attacks we need Microsoft to step up to the plate and protect us, and of course, they have!

In a previous article, I wrote about Windows Defender Advanced Threat Protection and said that we would look at the Office 365 version next. ATP features two power plays that almost no one else can offer.

  1. ATP is powered by the Intelligent Security Graph - this means it learns from threats sent to one mailbox and applies that learned protection to us all.
  2. ATP has a "detonation chamber" - this chamber takes an email attachment and, well, detonates it! It opens the file in isolation and watches what it does: is it malware or is it safe?

O365 ATP makes up the third side of the protection triangle that started by detecting an on-premises attack with ATA, it then covered an attack on the device with Windows Defender ATP, and now we are stopping an attack vector through email with a very similar technology.

O365 ATP has a detonation chamber for attachments and can rewrite unsafe links, preventing both kinds of attack from reaching the end user. Office 365 ATP is made up of two components:

  1. Safe Attachments
  2. Safe Links

Let's explore them a little more...

Safe Attachments

Safe Attachments begins with a policy that decides what to do with attachments sent to a user via O365. The actions range from:

  • Do nothing
  • Monitor
  • Block
  • Replace
  • Dynamic deliver

Once we decide what we are going to do with an attachment, we can then decide whom this applies to. A simple default policy would likely:

  • Dynamically deliver the mail (with a notice that an attachment is being scanned and will be delivered shortly, if safe)
  • Apply this at the enterprise level

This policy would inspect all attachments company-wide. All users would experience a short delay of around 2-8 minutes. With Safe Attachments we have a number of options we can take, but the most useful is to apply a company policy that delivers the body of an email and sends all attachments to the detonation chamber. After a short delay, the email attachment gets delivered (or not) into the original email if it's safe. With this policy we know the email got there OK, we can read the mail and wait for the attachment to be cleared.
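As an added example (not from the original article), here is the Dynamic Delivery policy described above, created and scoped to the whole organisation with the Exchange Online PowerShell cmdlets rather than the portal. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Security Administrator role, and a placeholder tenant domain of contoso.com; the policy and rule names are constructed for the example.

```powershell
# Added example, not code from the original article. Creates a company-wide
# Safe Attachments policy using Dynamic Delivery and scopes it to every
# recipient in the (placeholder) accepted domain contoso.com.
# Assumes: ExchangeOnlineManagement module installed, Security Administrator role.

Connect-ExchangeOnline   # interactive sign-in (ExchangeOnlineManagement module)

$policyName = "Company-wide Safe Attachments"   # constructed name
$ruleName   = "All users - Safe Attachments"    # constructed name
$domain     = "contoso.com"                     # placeholder tenant domain

# The POLICY says WHAT happens to an attachment. DynamicDelivery delivers the
# message body at once with a placeholder attachment and swaps in the real file
# once the detonation chamber has cleared it. Other valid -Action values are
# Allow (monitor only), Block and Replace, matching the list in the article.
if (-not (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $policyName `
        -Enable $true `
        -Action DynamicDelivery
}

# The RULE says WHOM the policy applies to. Scoping it to the whole accepted
# domain is the "apply at the enterprise level" choice from the article.
if (-not (Get-SafeAttachmentRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule -Name $ruleName `
        -SafeAttachmentPolicy $policyName `
        -RecipientDomainIs $domain `
        -Priority 0
}

# Verify: the rule should be Enabled and point at a DynamicDelivery policy.
Get-SafeAttachmentRule   -Identity $ruleName   | Format-List Name, State, SafeAttachmentPolicy, RecipientDomainIs
Get-SafeAttachmentPolicy -Identity $policyName | Format-List Name, Enable, Action

Disconnect-ExchangeOnline -Confirm:$false
```

Re-running the script is safe because each object is only created when the lookup by name finds nothing; the two Format-List calls at the end are the check a practitioner would keep in a change ticket to prove the policy landed with the intended action and scope.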

Safe Links

Phishing attacks in email send an internet link that often looks legitimate but leads the end user to a nefarious location. Safe Links scans the URL and then cross-references it with known attack locations.

Just like Safe Attachments, Safe Links is configured as a policy online. There are fewer options in Safe Links than in Safe Attachments, and it's a very easy policy to configure. The policy settings allow us to:

  • Use safe attachments
  • Monitor the user clicks
  • Prevent access to the link

Safe Links verification happens in near real time and does not have the same delay that Safe Attachments does.
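As an added example (again not from the original article), the same three Safe Links settings listed above, set with the Exchange Online PowerShell cmdlets and scoped to the whole organisation. It assumes the ExchangeOnlineManagement module, a Security Administrator account and the placeholder domain contoso.com. Mapping the article's "Use safe attachments" option to the -ScanUrls parameter (real-time scanning of links, including links that point to downloadable files) is my reading of the portal setting, not wording from the article.

```powershell
# Added example, not code from the original article. Creates a company-wide
# Safe Links policy with click tracking on and click-through off, and scopes it
# to every recipient in the (placeholder) accepted domain contoso.com.
# Assumes: ExchangeOnlineManagement module installed, Security Administrator role.

Connect-ExchangeOnline   # interactive sign-in (ExchangeOnlineManagement module)

$policyName = "Company-wide Safe Links"   # constructed name
$ruleName   = "All users - Safe Links"    # constructed name
$domain     = "contoso.com"               # placeholder tenant domain

if (-not (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # EnableSafeLinksForEmail : rewrite URLs in mail and check them at click time
    # ScanUrls                : real-time scan of links, including links to files
    #                           (the "Use safe attachments" option in the article)
    # TrackClicks             : "Monitor the user clicks" - record who clicked what
    # AllowClickThrough $false: "Prevent access to the link" - no bypass of the
    #                           warning page to reach the original URL
    New-SafeLinksPolicy -Name $policyName `
        -EnableSafeLinksForEmail $true `
        -ScanUrls $true `
        -TrackClicks $true `
        -AllowClickThrough $false
}

# The rule binds the policy to recipients; whole-domain scope = enterprise level.
if (-not (Get-SafeLinksRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-SafeLinksRule -Name $ruleName `
        -SafeLinksPolicy $policyName `
        -RecipientDomainIs $domain `
        -Priority 0
}

# Quick audit of every Safe Links policy in the tenant, showing only the
# settings that decide whether a phishing link can still reach a user.
Get-SafeLinksPolicy |
    Select-Object Name, EnableSafeLinksForEmail, ScanUrls, TrackClicks, AllowClickThrough |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The audit table at the end is worth running on its own from time to time: a policy someone later edited to allow click-through, or one with TrackClicks switched off, shows up immediately, and click tracking is what lets the SOC find every user who followed a link once it is later classified as malicious.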

As with all these articles, I have recorded a YouTube video that explains the process.

Paul Keely