Intelligent anti-phishing technology, automated investigations, and attack simulation – let’s explore some of the advanced protection powers found within Microsoft Defender for Office 365.
Here at ThirdSpace, we’re big fans of Microsoft Defender for Office 365.
Like all of Microsoft’s mobility and security technologies, Microsoft Defender for Office 365 (previously called Office 365 Advanced Threat Protection) is an ever-evolving product with new features constantly being added and refined.
In this blog, I will cover my top five features of Defender for Office 365, how they work, and how they differentiate Defender for Office 365 from competitor offerings to make it a truly compelling security solution.
One of the key protection technologies within Defender for Office 365 is Safe Links and Safe Attachments.
These technologies enhance protection against zero-day threats by analysing links in emails and Office documents, and by opening email attachments to find any threats hidden inside.
Both Safe Links and Safe Attachments policies apply to internal and external emails in real time. This is a capability unique to Defender for Office 365 and one that no third party has been able to match.
When a user clicks a link in an email or document, Safe Links checks if the link is malicious by redirecting the link to a secure server in the Microsoft 365 environment.
This server then checks the link against a list of known malicious websites.
If the site is deemed safe, the browser is redirected to the original destination. If the site is on the block list, the click is blocked and the browser displays a warning page to the user.
The Safe Links URL wrapping service processes links and encapsulates them within the email or document permanently.
This protection persists for the life of the message, meaning the link will be re-processed and evaluated at every click.
It doesn’t matter if this is a few hours, days, or even years later – the protection still applies.
This defends against attackers who hide malicious URLs with seemingly safe links that are subsequently redirected to unsafe sites after the message has been delivered.
Should a link point to a downloadable file, Safe Links can be configured to execute and scan the file within the sandbox and detonation chamber.
Within this sandbox area, Microsoft Defender will evaluate the content and provide a verdict on whether to allow the end-user to access the file.
This protection extends to links contained in Office applications (Word, Excel, and PowerPoint) and is coming to Teams later in 2020.
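To make the wrapping and click-time evaluation described above concrete, here is an added illustration in Python. It is not Microsoft's code or Safe Links' real format: the check endpoint host, the query-parameter encoding of the original destination, and the sample message body are all assumptions constructed for the example. What it shows is the property the text stresses: the wrapped link is stored in the message once, and the same stored link gives a different verdict once the block list has learned about a domain after delivery.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical click-check endpoint standing in for the redirect server the text
# describes; a placeholder host, not a Microsoft Safe Links host.
CHECK_ENDPOINT = "https://safelinks.example.invalid/check"

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def wrap_links(html: str) -> str:
    """Rewrite every http(s) href in an HTML body so the click goes via the
    check endpoint. The original destination is carried as an encoded query
    parameter, so the wrapped form is stored permanently in the message and
    the destination is re-evaluated at every click, not once at delivery."""
    def _wrap(match: re.Match) -> str:
        return f'href="{CHECK_ENDPOINT}?{urlencode({"url": match.group(1)})}"'
    return HREF_RE.sub(_wrap, html)


def unwrap_link(wrapped: str) -> str:
    """Recover the original destination from a wrapped link."""
    return parse_qs(urlparse(wrapped).query)["url"][0]


def click_verdict(wrapped: str, blocklist: set) -> tuple:
    """Evaluate a wrapped link at click time against the current block list.
    The host and each of its parent domains are checked, so blocking
    'evil.example' also blocks 'login.evil.example'."""
    original = unwrap_link(wrapped)
    host = (urlparse(original).hostname or "").casefold()
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return ("block", original)
    return ("allow", original)


# Constructed sample message body (not a real email).
SAMPLE_HTML = (
    '<p>Your invoice is ready: <a href="https://billing.partner.example/inv/42">'
    'view invoice</a></p>'
    '<p>Need help? <a href="https://login.evil.example/reset?u=1">reset password</a></p>'
)


def verdicts_over_time(html: str) -> dict:
    """Wrap the body once at delivery, then evaluate the same stored links
    against two block lists: the one known at delivery time and a later one
    that has learned about the second domain. Shows why wrapping persists."""
    wrapped_body = wrap_links(html)
    wrapped_links = re.findall(r'href="([^"]+)"', wrapped_body)
    at_delivery = set()                   # nothing known yet
    later = {"evil.example"}              # added after the message landed
    return {
        "at_delivery": [click_verdict(w, at_delivery)[0] for w in wrapped_links],
        "later": [click_verdict(w, later)[0] for w in wrapped_links],
    }


if __name__ == "__main__":
    print(verdicts_over_time(SAMPLE_HTML))
```

Running the block prints `{'at_delivery': ['allow', 'allow'], 'later': ['allow', 'block']}`: a scan-once approach would have let the second link through for good, whereas re-evaluating the stored wrapped link catches the domain once it is known.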
Office 365 Safe Attachment policies also route any attachments that do not have a known virus or malware signature to a special hypervisor environment for behavioural analysis.
This environment uses a variety of machine learning and analysis techniques to detect malicious intent. Only if no suspicious activity is detected is the attachment released for delivery to the user’s mailbox.
This protection from malware-infected content in Defender for Office 365 also applies beyond email.
If malicious files or links are uploaded to SharePoint or OneDrive for Business and shared, even via Microsoft Teams, Defender for Office 365 will detect it, block it, and prevent the file from being opened or shared in the future.
Defender for Office 365 possesses significant capabilities to prevent phishing, including impersonation protection to protect your users from lookalike domain attacks.
But one of my favourite unique capabilities of Defender for Office 365 is Mailbox Intelligence.
Mailbox Intelligence uses artificial intelligence (AI) to understand who a user typically communicates with via email (both inside and outside of your organisation).
This allows the system to build a map of usual communication paths between users.
Microsoft Defender for Office 365 then uses this map as a contributing factor in determining the risk an email poses to the recipient.
For example, if an email passes upstream checks but purports to be from the CFO, with whom the recipient has had no prior email correspondence (or which uses a different email address from previous communications), Defender can insert warnings directly into the message or quarantine the message entirely.
Because warning and alerting decisions are based on previous communication patterns and AI, the result is a high rate of true positives: action is taken only on emails that present a real risk.
This also increases the warnings' effectiveness and reduces the risk of users ignoring them or becoming desensitised to them.
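The following Python block is an added illustration of the Mailbox Intelligence idea described above, written for this page and not taken from Microsoft's implementation. It assumes a simple model: a per-recipient map of display names and the addresses each has used, built from past mail, plus a directory of high-value names (the CFO) and their real addresses. The tenant, names and addresses are all constructed sample data. It returns "allow", "warn" or "quarantine" in the spirit of the text, and leaves ordinary unknown senders alone so that action is only taken where there is a real impersonation indicator.

```python
import re
from collections import defaultdict

# Constructed sample data for a fictional tenant; names and addresses are invented.
# Past messages seen by each recipient: (recipient, sender display name, sender address).
HISTORY = [
    ("alice@contoso.example", "Bob Jones", "bob.jones@contoso.example"),
    ("alice@contoso.example", "Bob Jones", "bob.jones@contoso.example"),
    ("alice@contoso.example", "Dana Lee", "dana@supplier.example"),
    ("erin@contoso.example", "Carol Smith", "carol.smith@contoso.example"),
]

# Organisation-wide knowledge of who high-value names really are (the CFO here).
DIRECTORY = {"carol smith": "carol.smith@contoso.example"}


def normalize_name(name: str) -> str:
    """Fold case, drop punctuation and collapse whitespace so that
    'Carol SMITH!' and 'Carol Smith' compare equal."""
    return " ".join(re.sub(r"[^a-z\s]", "", name.casefold()).split())


def build_communication_map(history) -> dict:
    """Map each recipient to the display names they have corresponded with and
    the addresses each name has used. This is the 'map of usual communication
    paths' the text describes, built from observed mail flow."""
    contacts = defaultdict(lambda: defaultdict(set))
    for recipient, name, address in history:
        contacts[recipient.casefold()][normalize_name(name)].add(address.casefold())
    return contacts


def assess(message, contacts, directory) -> str:
    """Return 'allow', 'warn' or 'quarantine' for (recipient, display name, address).
    Only a deviation from an established pattern, or a VIP name on the wrong
    address, triggers action; an unknown sender with no such indicator is left alone."""
    recipient, name, address = message
    known = contacts.get(recipient.casefold(), {})
    norm, address = normalize_name(name), address.casefold()
    if norm in known and address in known[norm]:
        return "allow"        # established communication path
    if norm in known:
        return "warn"         # familiar name, unfamiliar address
    if norm in directory and address != directory[norm]:
        return "quarantine"   # VIP the recipient has never corresponded with, wrong address
    return "allow"            # unknown sender with no impersonation indicator


CONTACTS = build_communication_map(HISTORY)

# Constructed inbound messages to assess.
SAMPLES = {
    "known_colleague": ("alice@contoso.example", "Bob Jones", "bob.jones@contoso.example"),
    "colleague_new_address": ("alice@contoso.example", "Bob Jones", "bob.jones@webmail.example"),
    "cfo_wrong_address": ("alice@contoso.example", "Carol Smith", "carol.smith@c0ntoso.example"),
    "real_cfo_first_contact": ("alice@contoso.example", "Carol Smith", "carol.smith@contoso.example"),
    "unknown_vendor": ("alice@contoso.example", "Vendor Updates", "news@vendor.example"),
}


def assess_samples() -> dict:
    """Assess every constructed sample against the learned map and directory."""
    return {label: assess(msg, CONTACTS, DIRECTORY) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in assess_samples().items():
        print(f"{label:24s} {verdict}")
```

Note the last two samples: the real CFO writing to Alice for the first time is allowed because the address matches the directory, and a vendor Alice has never heard from is allowed because nothing about it imitates a known name. That is what keeps the warnings rare enough for users to keep taking them seriously.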
One of Defender for Office 365’s most powerful features is the recent addition of automated investigation and response (AIR) capabilities.
AIR addresses some of the most common threats that security teams investigate in their day-to-day jobs and uses Office 365 alerts to trigger the use of predefined investigative playbooks.
These playbooks remove the manual effort involved in common email threat response and investigation tasks such as user-reported phishing emails.
When you use AIR in Defender for Office 365, it's like employing a team of virtual analysts dedicated to the important, but often labour- and time-intensive, tasks associated with investigating email threats.
Upon completion of an automated investigation, security staff are simply required to approve or reject the automatically suggested actions to remediate the threat.
AIR also allows security teams to manually trigger automated investigations from the dashboard for any email and related content (attachment or URLs).
From my experience in previous roles on the frontline, I am all too aware of the volume of time-consuming, email-based investigations undertaken by security teams on a day-to-day basis.
The efficiencies introduced by AIR are a massive time saver and allow more effective use of security resources (which are often in short supply in most organisations).
65% of hackers use spear-phishing as the primary infection vector. (Symantec, 2020)
Performing regular phishing and social engineering exercises is a vital part of building and maintaining awareness of email and credential security within your organisation. Many organisations use additional third-party platforms to perform these tests, and yet more platforms to deliver any required user training.
This increases both the complexity and cost of securing your organisation’s environment.
Microsoft Defender for Office 365 (Plan 2) includes Attack Simulation Training functionality which allows you to detect, quantify and reduce social engineering risk across your user base using the following common attack methods:
As well as choosing from a catalogue of payloads based on commonly used social engineering techniques, administrators can create custom payloads and select relevant training content (provided by leading security awareness training provider Terranova) to assign to users who fall for the simulated attack.
Attack Simulation Training also features advanced reporting that gives insight into employees' threat-readiness progress, with metrics that let you target further training, and where necessary tighter security policy configuration, at the areas where it is most needed.
Now I know I may be slightly biased, but I firmly believe that as a security solution, Microsoft Defender for Office 365 offers a depth of integration and interoperability that’s impossible to match.
Given its market share as the largest and most widely used technology company of its type in the world, Microsoft has an unparalleled view of cyber threats across its entire global ecosystem, every second of every day.
The result is an unrivalled and constantly growing database known as the Intelligent Security Graph.
This graph informs threat protection technologies across multiple services within the Microsoft 365 ecosystem.
This visibility and capability are impossible to match for a third-party solution provider with a dramatically smaller footprint.
Microsoft Defender for Office 365 protects email and collaboration but also forms part of the wider Microsoft 365 Defender suite that includes:
These technologies natively integrate across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
All of this functionality and protection is available without the overhead and complexity of multi-vendor solutions, and it gives you a level of interoperability that is impossible to replicate.
To put this into context please consider the following:
There are many benefits to be gained by removing the time wasted on cross-platform, cross-portal investigations: time that is given back by adopting a single platform where automated remediation across endpoint, identity, email, and applications is the default.
I know that was a lot to take in and there’s a lot of supporting functionality I haven’t yet touched on!
If you needed more reasons to be persuaded by Microsoft Defender for Office 365 it also includes:
I hope the features I have covered here have given you a flavour of what Defender for Office 365 is capable of and how it can benefit your organisation.
Paul is a Microsoft certified consultant with extensive experience of high-level solution design and implementation using industry-leading technology from major vendors. Paul's 19 years of IT...