Protect your email and Office environment from malicious actors
Email is one of the most targeted attack vectors in your environment, and there are many moving pieces. There are spam and phishing attacks, and there isn't one way attackers deliver them: they can use malware, attachments, and links. Anyway, if you're reading about the MS-500 then I'm sure you're aware of the security issues related to email. So without wasting a lot of time let's jump into the defenses.
Before we talk about each policy let's talk about defaults. By default, messages that contain word-filtered content are directed to the user's junk email folder. In short, spam. Spam is unwanted, unsolicited email that gets sent out in bulk. Phishing emails are fraudulent messages designed to trick someone into revealing sensitive information or installing malicious software. In short, spam is junk email while phishing attacks are more malicious. Phishing messages are directed to the junk folder or the quarantine depending on the confidence level. High confidence phishing emails, in other words emails that Microsoft 365 is confident are phishing, will go to the quarantine, while messages that Microsoft 365 is not 100% positive are phishing will go to the junk email folder.
First up on the list is anti-spam. There are 3 distinct policies for anti-spam: inbound, connection, and outbound.
Anti-spam inbound policy
The anti-spam inbound policy is exactly what it sounds like. It filters inbound (or messages coming into your organization) for spam. Now, you may think that only inbound spam is managed in this policy. That would be a fair assumption but also incorrect. The anti-spam inbound policy also tells Microsoft 365 how to handle phishing emails. It also tells Microsoft 365 how long to store emails in the quarantine before they get deleted. Let's jump in and look at the settings.
How to edit the default anti-spam inbound policy
1. Go to Microsoft 365 Defender admin center > Policies & rules > Threat policies > Anti-spam. Click Anti-spam inbound policy (default).
There are a lot of properties that can be set so I won't go over each one, but know there is more information if you hover over the (i) icon next to some of the properties.
Notice there are four sections: description, spam threshold and properties, actions, and allowed/blocked senders and domains.
The description is simply the description that admins will see when they open the policy.
The spam threshold and properties section tells Microsoft 365 when to mark an email as spam. For example, there's a bulk email threshold slider. To flag more emails as spam, drag the slider to a lower number. To flag fewer emails as spam, slide the slider to a higher number.
The actions section will tell Microsoft 365 what to do when it finds a message that's spam, phishing, or bulk email. For example, you may want the email to go to the user's junk email folder or you may want the email to go to the quarantine. The actions section is where you'll find the retain spam in quarantine for this many days setting.
The allowed/blocked senders and domains tell Microsoft to either allow a sender through the filters or block them. For example, let's say you are a partner of GitBit and want all emails from GitBit to be allowed through the spam filters. Simply add GitBit.org to the Allowed domains section.
The connection filter is where you can tell Microsoft to allow emails through or block emails from specific IP addresses. Maybe you are receiving a lot of spam from a particular address. Add it to the IP block list. The connection filter also has a "safe list". In short, Microsoft maintains a list of IP addresses it has verified as safe to allow through. By checking Turn on safe list you are telling Microsoft to manage your allowed list (along with your custom-added IP addresses).
Anti-spam outbound policy (Default)
Microsoft doesn't just protect you from the world; it also protects the world from you. In short, if you or your devices continually get hacked and send out spam messages, you can limit how many messages a user can send per hour or per day. That way, if a user account gets hacked and starts sending out massive amounts of email, you can automatically lock down that account.
In the outbound spam policy you'll also find the automatic forwarding setting. In short, malicious users who gain access to one of your mailboxes will often set up forwarding so that every email received by the mailbox is automatically forwarded to a mailbox of their own outside your environment. This setting either allows or blocks automatic forwarding. It's up to you. By default, it blocks automatic forwarding. So if a user wants to forward their work email to their Gmail and you want to allow it, you'll need to adjust the automatic forwarding setting in the outbound policy.
Safe attachments provide an additional layer of security for any attachments coming into your environment. In short, Microsoft can check attachments in a virtual environment to detect any malicious actions the attachments may cause. This process is known as detonation.
What licenses are required?
Safe attachments are available to any organization that has Microsoft Defender for Office 365 plan 1 or Microsoft Defender for Office 365 plan 2 licenses.
How to configure safe attachments
Anyway, let's configure a safe attachment policy to replace malicious attachments.
1. Go to Microsoft 365 Defender admin center > Policies & rules > Threat policies > Safe attachments. Click Create.
2. Name the policy "replace unsafe attachments". Click Next.
3. Add each of your domains into the Domains section. Click Next.
4. Set Safe Attachments unknown malware response to Replace. Set the quarantine policy to DefaultFullAccessPolicy. Click Enable redirect. Enter your email address in the Send messages that contain blocked... field. Click Next.
5. Click Submit.
That's it. Now you've created a policy that will remove malicious attachments but deliver the email to the user's inbox.
Safe attachments unknown malware response
Did you notice there were 5 options for what happens to unknown malware in attachments? Here's a quick rundown of the options:
- Off: Disables the Safe Attachments policy. This is useful if you don't want Safe Attachments to run on a mailbox or two. Be careful about applying this setting to your entire tenant.
- Monitor: Scans the attachments, delivers them even if malware is found, and tracks the results. This is useful if you want to see whether malicious attachments are making it through without blocking them. Be careful about applying this setting to your entire tenant.
- Block: Block all emails that have malware detected. This is common and most likely the best option.
- Replace: Remove the attachment but deliver the email anyway. This is good if you have a user or two that receives a lot of attachments that are getting blocked but the user needs to know that the email was blocked.
- Dynamic delivery: Sometimes Safe Attachments causes a delay in email delivery. When users complain that there is a delay when receiving emails with attachments, this option may be for you. In short, the email is delivered to the user's inbox right away and the attachment shows up once scanning is complete.
How to monitor what attachments are removed
There are two places to see what happens to emails/attachments. The first is the Message Trace in the Exchange admin center. The second is in the reports section of the Microsoft Defender admin center.
How to monitor emails in Message Trace
1. Go to Exchange admin center > Mail flow > Message trace. Click Start a trace. Enter the senders or recipients' email in the space provided. Click Search.
2. Click the message you want to view. Expand Message events. Click the Send event.
How to view messages in the Microsoft 365 Defender reports
1. Go to Microsoft 365 Defender admin center > Policies & rules > Threat policies > Safe attachments > Reports.
Safe Links is used to protect your users against malicious links. Safe Links isn't just for email though. It protects your users from malicious links in emails and in Office apps. For example, if a user plugs a USB drive with a Word document into their computer and the Word document has a link to a malicious site, then Safe Links will protect the user.
You can manually add URLs to a block / allow list. For example, let's say you want to block any of your users from accessing a link to contoso.com. How do we block it?
How to block malicious URLs manually
1. Go to Microsoft 365 Defender admin center > Policies & rules > Threat policies > Tenant Allow/Block List > URLs > Block. Add the URL to the "Add URLs with wildcards" section. Set the Remove block entry after to the number of days to block the URL. Click Add.
Understanding block URLs
Blocking URLs can be a bit tricky but powerful. For instance, you can use wildcards. Let's take a couple of examples.
*.contoso.com would block all subdomains of contoso.com. It would block www.contoso.com, ftp.contoso.com, 1.www.contoso.com, etc. It would not block contoso.com.
malware.*com would be invalid and not block anything.
*.phishing.*.* would be invalid and not block anything.
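To make the wildcard rules above concrete, here is an added example (not code from the original article or from Microsoft) that checks URLs against a block list using only the three rules the article states. The assumption that goes beyond the article is that a wildcard is accepted only as the entire leftmost label followed by a dot; anything else is treated as invalid, and entries are compared case-insensitively against the host part of the URL.

```python
"""
Added example: apply the article's Tenant Allow/Block List wildcard rules.
  - "*.contoso.com" blocks every subdomain of contoso.com, not contoso.com itself.
  - "malware.*com" is invalid (wildcard inside a label) and blocks nothing.
  - "*.phishing.*.*" is invalid (wildcard beyond the leftmost label) and blocks nothing.
Assumption (not from the article): only a single leading "*." wildcard is valid.
"""
from urllib.parse import urlsplit


def is_valid_entry(entry: str) -> bool:
    """Validate a block-list entry against the rules above."""
    entry = entry.strip().lower()
    if "*" not in entry:
        return bool(entry)  # a plain hostname is always a valid entry
    # Exactly one wildcard, and it must be the whole leftmost label ("*.")
    if entry.count("*") != 1 or not entry.startswith("*."):
        return False
    rest = entry[2:]
    # The remainder must be a hostname with no empty labels
    return bool(rest) and all(label for label in rest.split("."))


def host_of(url: str) -> str:
    """Lowercase host of a URL or bare hostname (no port/userinfo handling)."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    return (urlsplit(url).hostname or "").lower()


def entry_matches(entry: str, url: str) -> bool:
    """True if a valid entry blocks the host of url; invalid entries never match."""
    if not is_valid_entry(entry):
        return False
    entry = entry.strip().lower()
    host = host_of(url)
    if entry.startswith("*."):
        # Any subdomain (one or more labels) of the suffix, but not the suffix itself
        return host.endswith("." + entry[2:])
    return host == entry


def is_blocked(url: str, block_list: list[str]) -> bool:
    """Evaluate a URL against every entry; True if any valid entry matches."""
    return any(entry_matches(e, url) for e in block_list)


if __name__ == "__main__":
    sample = ["*.contoso.com", "malware.*com", "*.phishing.*.*"]  # constructed list
    for u in ["https://www.contoso.com/login", "1.www.contoso.com", "https://contoso.com",
              "http://malware.com", "http://a.phishing.example.com"]:
        print(f"{u:35} blocked={is_blocked(u, sample)}")
```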
How to track when users click links
By default, when a user clicks a link it isn't tracked. In short, you'll never know when a user clicks the link. Let's change that so we can monitor who's clicking bad links.
1. Go to Microsoft 365 Defender admin center > Policies & rules > Threat policies > Safe links > Global settings. Disable Do not track when users click protected links in Office 365 apps. Click Save.
Anti-phishing became a little too big for this article so it's been moved to its own section: https://www.gitbit.org/course/ms-500/learn/Protecting-email-against-phishing-attacks-GCOOUsSBT.
Anti-malware is your standard attachment filtering service. It provides common attachment filtering so you can block .exe files, .iso files, etc. It also has a zero-hour purge feature, which deletes attachments that make it to the inbox and are later found to be malicious. Finally, you can edit who's notified when a message is found to contain malware.
How to edit the anti-malware settings
1. Go to Microsoft 365 Defender admin center > Policies & rules > Threat policies > Anti-malware. Click the Default (default) policy. Click Edit protection settings.