The digital world offers undeniable convenience and connectivity, but it also introduces new security risks that traditional methods can’t always handle. Here’s why email protection with a solution like Microsoft Defender for Office 365 is crucial:
- Increased Cybercrime: As more and more business happens online, criminals are following suit. Email remains a popular attack vector for phishing, malware distribution, and other malicious activities.
- Evolving Threats: Cybercriminals are constantly developing new methods to bypass security measures. Legacy solutions may struggle to keep pace with these ever-sophisticated threats.
- Financial Loss: Data breaches and ransomware attacks can inflict significant financial damage on businesses. The cost of recovering from a successful cyberattack can be enormous.
- Reputational Damage: A security incident can severely damage your organization’s reputation, leading to lost trust from customers and partners.
Microsoft Detection and Response Team (DART) is an active cybersecurity team within Microsoft. They focus on proactive and reactive incident response for Microsoft customers. They specialize in:
- Investigating and analyzing security compromises: When a Microsoft customer experiences a cyberattack, the DART team can be called upon to investigate the incident, understand its scope, and determine the root cause.
- Providing guidance and support: DART offers expertise and recommendations to help customers recover from security breaches and implement stronger security measures to prevent future attacks.
- Threat hunting and intelligence: DART stays ahead of the curve by actively researching and analyzing emerging cyber threats. They use this knowledge to help Microsoft develop and improve its security products and services.
Many of the tactics and methods used to discover the customers threats are probably based on their findings. See here more on DART.
Table of Contents
Microsoft Defender for Office 365 Plans: Choosing the Right Fit
Choosing the right Defender for Office 365 plan depends on your organization’s security needs. Here’s a breakdown of the two available plans:
Plan 1: Essential Protection
Plan 1 focuses on foundational security features to identify and block threats. It’s ideal for organizations that prioritize basic email protection with:
- Safe Attachments: Sandboxes suspicious attachments to detect unknown threats.
- Safe Links: Protects users from clicking malicious URLs in emails.
- Extended Safe Attachments: Provides the same protection for files in SharePoint, OneDrive, and Teams.
- Impersonation Protection: Stops phishing attacks that spoof legitimate senders.
- Real-time Detections: Quickly identifies and alerts you to potential threats.
Plan 2: Advanced Threat Protection
Plan 2 includes all the features of Plan 1, plus advanced capabilities for proactive threat hunting, investigation, and response:
- Threat Trackers: Saves specific search queries to monitor for emerging threats.
- Threat Explorer: Allows for deep dives into suspicious activity for better threat understanding.
- Automated Investigation and Response: Streamlines incident response by automating repetitive tasks.
- Attack Simulation and Training: Tests user awareness and preparedness with simulated phishing attacks.
- Campaign Views: Provides insights into large-scale attacks by analyzing anti-phishing, anti-spam, and anti-malware data.
Choosing the Right Plan
If your organization needs basic email protection with core threat identification and blocking functionalities, Plan 1 is a good starting point.
However, if your role requires a more comprehensive security approach with proactive hunting, investigation, and remediation capabilities, then Plan 2 is the better choice. It equips you with the tools to not only identify threats but also respond to them efficiently and prevent future attacks.
Microsoft Defender for Office 365 Protection Stack Layers
Layer | Description | Key Features |
---|---|---|
Edge Protection | First line of defense against known threats | Network throttling (DoS protection) IP/Domain reputation filtering Directory-based filtering (blocks directory harvesting) Backscatter detection (prevents NDR attacks) Enhanced Filtering for Connectors (identifies true message source) |
Sender Intelligence | Validates message senders | Account compromise detection (alerts on suspicious activity) Email authentication (SPF, DKIM, DMARC, ARC for sender legitimacy) Spoof intelligence (detects imitation attempts) Bulk filtering (classifies bulk senders based on spam likelihood) Mailbox intelligence (learns user behavior to detect impersonation) |
Content Filtering | Analyzes message content for threats | Mail flow rules (customizable message processing) Antivirus scanning (malware detection in attachments) Attachment filtering (blocks specific types or based on reputation) Heuristic & Machine Learning models (phishing & URL threat detection) Safe Attachments (sandboxing for unknown threats in attachments) URL reputation blocking (blocks messages with malicious URLs) |
Post-Delivery Protection | Ongoing protection after message delivery | Safe Links (time-of-click URL checking) Zero-hour Auto Purge (ZAP) – removes phishing/malware/spam even after delivery Campaign Views (provides insights into attack patterns) User reporting (allows reporting false positives/negatives) Safe Links for Office apps (time-of-click protection within Office applications) Protection for OneDrive/SharePoint/Teams (extends Safe Attachments protection) |
What is Zero-Hour Auto purge?
One of my favorites is ZAP (Zero-Hour Auto purge) It is an detonation chamber for the message, it will initiate and Sandbox environment for testing and when analyzing is done the sandbox is removed completely. When the next message comes, the process will start all over again.
When the message it zapped it’s not logged in the Exchange mailbox audit logs as a system action.
Note! ZAP doesn’t work in standalone EOP environments that protect on-premises mailboxes. MX and Mailboxes have to be in the Cloud.
It’s included on Microsoft Defender for Office 365 P1 and P2
Understanding Zero-hour Auto Purge (ZAP) for Teams Chats
What is ZAP for Teams Chats?
ZAP, or Zero-hour Auto Purge, helps protect your organization from malicious content within Microsoft Teams chats. It scans messages for malware and high-confidence phishing attempts. If ZAP identifies a threat, it takes action to block the message for everyone in the chat.
Important Considerations:
- Currently Limited: ZAP for Teams currently only works with internal messages, not messages from external senders.
- Synchronized Block: Since Teams chats deliver a single copy of the message to all participants, a blocked message is hidden from everyone in the chat simultaneously. This happens initially right after delivery, but ZAP can also take action up to 48 hours later.
- Exclusions by Recipient: Organizations can configure exceptions for specific users or groups, allowing them to receive messages even if ZAP identifies them as potential threats. It’s important to note that these exclusions apply to the recipients, not the senders. ZAP will still scan messages for threats, but won’t block them if all recipients in the chat are excluded from ZAP for Teams protection.
In essence, ZAP prioritizes security within Teams chats by blocking malicious messages for everyone. However, organizations can configure recipient-based exclusions to ensure essential messages reach specific users, even if they trigger a ZAP warning.
See here for an excellent article on the feature by Jeffrey Appel
And for official documentation from Learn
Closure
In conclusion, robust email protection is essential in today’s digital landscape. By understanding the evolving threat landscape and the potential consequences of cyberattacks, you can make informed decisions about securing your organization. Microsoft Defender for Office 365 offers a comprehensive suite of features that align with the security requirements providing the necessary tools to combat modern cyber threats.