Mastering Microsoft Defender for Office 365 - Samuel Soto - E-Book

Description

Navigate the "security Wild West" with Microsoft Defender for Office 365, your shield against the complex and rapidly evolving cyber threats. Written by a cybersecurity veteran with 25 years of experience, including combating nation-state adversaries and organized cybercrime gangs, this book offers unparalleled insights into modern digital security challenges by helping you secure your organization's email and communication systems and promoting a safer digital environment by staying ahead of evolving threats and fostering user awareness.
This book introduces you to a myriad of security threats and challenges organizations encounter and delves into the day-to-day use of Defender for Office 365, offering insights for proactively managing security threats, investigating alerts, and effective remediation. You’ll explore advanced strategies such as leveraging threat intelligence to reduce false alerts, customizing reports, conducting attack simulation, and automating investigation and remediation. To ensure complete protection, you’ll learn to integrate Defender for Office 365 with other security tools and APIs.
By the end of this book, you’ll have gained a comprehensive understanding of Defender for Office 365 and its crucial role in fortifying your organization's cybersecurity posture.

Formats: EPUB, MOBI

Pages: 587

Publication year: 2024




Mastering Microsoft Defender for Office 365

Streamline Office 365 security with expert tips for setup, automation, and advanced threat hunting

Samuel Soto

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Dhruv J. Kataria

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwin Dinesh Kharwa

Senior Editor: Mudita S

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Proofreader: Mudita S

Indexer: Hemangini Bari

Production Designer: Alishon Mendonca

DevRel Marketing Coordinator: Marylou De Mello

First published: September 2024

Production reference: 1140824

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK.

ISBN 978-1-83546-828-9

www.packtpub.com

To my mother, Migdonia Serrano Quiñones, and the memory of my father, Samuel Soto Sosa, for their sacrifices and for exemplifying the importance and power of determination and humbleness. To my wife, Haruka, and my son, Kentarou, for their love and support during life’s journey; behind every great man, there is a loving family supporting him. Finally, to you, the reader, for your desire to learn and become a better security professional.

– Samuel Soto

Contributors

About the author

Samuel Soto, a seasoned cybersecurity expert, has forged a 25-year career across both the public and private sectors worldwide. Since joining Microsoft in 2020, he has been regularly engaged in thwarting complex security challenges. His portfolio includes high-profile engagements in cyber threat intelligence, specifically dealing with nation-state adversaries and organized cybercrime gangs. Samuel’s experience and leadership in digital transformations, coupled with an entrepreneurial spirit, has seamlessly bridged the technology-business gap, allowing him to make significant strides during critical recovery and transformation efforts for many governments’ environments and Fortune-100 companies.

I want to thank the people who have been close to me and supported me, especially my wife, Haruka, my son, Kentarou, and my parents, Migdonia Serrano Quiñones and Samuel Soto Sosa.

About the reviewers

Chris Tierney is a principal incident response security researcher on the Microsoft Detection and Response Team (DART) and has been helping customers respond to their security incidents during their time of need. He has worked in security for a decade and, broadly, in IT for the last 18 years. He has lived and worked in Japan since 2014 across the defense and public sector industries. Recently, he graduated from the SANS Institute with a master’s in information security engineering. Chris’s true professional passions are mentoring new and upcoming members of the security community to break into the field, cultivate their passions, and achieve their goals.

Paul Sudduth is a cybersecurity enthusiast with over two decades of experience in safeguarding critical systems, in both the military and corporate sectors. He holds a bachelor’s degree in cybersecurity and information assurance and several GIAC certifications, including GCIH and GSEC. His background encompasses contributions to numerous high-profile cybersecurity projects and initiatives. He is a member of the SANS Advisory Board.

Table of Contents

Preface

Part 1 – Introduction and Basic Configuration

Chapter 1, The Security Wild West

The cyber threat landscape – how do others get attacked?

Cyber threats and their evolution

The role of emerging technologies

The human factor

Common attack vectors related to Office 365

Email-based attacks

Credential theft

Third-party integrations

Cloud-based attacks

Malicious insiders

Office productivity tool deployments – how do others deploy?

Components of Microsoft 365

Microsoft 365 cloud architecture

Microsoft Defender – a primer

Overview of the Microsoft Defender ecosystem

Holistic approach to security and Zero Trust

Protecting your productivity tools

EOP components

Licensing for EOP

Defender for Office 365 – why not just stay with EOP?

Understanding the ROI

The direct and indirect costs of cyber threats

The impact of Defender for Office 365 on ROI

Summary

References

Chapter 2, Basic Components of Defender for Office 365

Blocking malicious files and attachments

Safe Attachments

Safe Documents

Safe Attachments for SharePoint, OneDrive, and Teams

Protecting from malicious links and phishing

Safe Links technology

Anti-phishing policies

Empowering your users

The Report Message add-in

Protecting against compromised internal accounts or devices

How advanced protection for internal mail works

Examples of attacks mitigated

Knowing and investigating what is happening in your environment

Real-time reports

Threat trackers

Campaign views

Automated investigation and response

Integration with other Defender security products

Microsoft Defender for Endpoint

Microsoft Defender for Cloud Apps

Microsoft Purview Data Loss Prevention

How Defender for Office 365 could have averted famous attacks

Democratic National Committee email hack

Sony Pictures Entertainment hack

Summary

References

Chapter 3, Basic Checks and Balances

Common security frameworks and approaches

ISO 27001

NIST Cybersecurity Framework

HIPAA

PCI DSS

GDPR

FISMA

What are an organization’s vision, policies, and procedures?

Vision in cybersecurity

Cybersecurity policies

Cybersecurity procedures

Integration and importance

Identifying an organization’s needs and quantifying these

Summary

References

Chapter 4, Basics of Configuration

Preparation and prerequisites

Licenses

Permissions required

It is all about the organization’s risk profile

Creating the proper risk profile

Risk profiles in Defender for Office 365

Looking deeper into preset policies

Configuring the preset policies

The administrative portals

Enabling Standard protection preset policies

Enabling Strict protection preset policies

Summary

References

Part 2 – Day-to-Day Operations

Chapter 5, Common Troubleshooting

Is this working properly?

Users impacted

Systems impacted

Blast radius

Applying the Pareto principle

Analyzing incident impact

Continuous monitoring and feedback

Where do I find what is wrong?

Audit log search

Mailbox auditing

The Incidents page

Has this been fixed before?

Step-by-step guides

Microsoft Service Health Status page

Microsoft 365 troubleshooting library

Microsoft Community Hub

Microsoft paid support

Summary

References

Chapter 6, Message Quarantine Procedures

I stopped the message. Now what?

Identifying quarantined email messages

Verifying the validity of quarantined messages

How Defender for Office 365 quarantines emails

Quarantining Teams messages

Everyone gets a seat at the quarantine table

Options available for the user management of quarantined messages

Step-by-step actions to manage quarantined messages

Policies

Quarantine policy

Quarantine notifications, global settings

Inbound anti-spam policy

Implementing policies and simplifying your approach

Order of implementation

Configuring the quarantine policy

Quarantine notification settings

Anti-spam policy

Summary

References

Chapter 7, Strengthening Email Security

Phishing – a danger both inbound and outbound

Anti-phishing policies

Policy sections and fields

Configuring anti-phishing policies

Stopping outbound spam

Let’s start with authentication

Configuring SPF, DMARC, and DKIM

Outbound spam filtering

Outbound anti-spam policies

Configuring outbound anti-spam policies

Summary

References

Chapter 8, Catching What Passed the Initial Controls

Understanding email flow

Inbound mail flow

What about the outbound mail flow?

Mail flow rules

Message tracing – unveiling the mystery of your emails

Diving deep into Safe Links policies – protecting your users from malicious URLs

User warnings

Safe Links policies

Keeping malicious files out

Anti-malware policies

Safe Attachment policies

Extending beyond email

Policy priorities

Alert policies

Alert policy fields

Configuring alert policies

Summary

References

Chapter 9, Incidents and Security Operations

A holistic view of Microsoft Defender XDR

Incidents and more incidents

Knowing how to prioritize

Filters

Managing incidents

Understanding the information on the incident

AIR

A high-level overview of AIR

Alerts that trigger AIR

Reviewing AIR pending actions

Viewing AIR results

Managing false positives and false negatives

Security operations

Daily activities

Weekly activities

Ad hoc activities

Summary

References

Part 3 – Making the Tool Work for Your Organization

Chapter 10, Magnifying the Unseen – Threat Intelligence and Reports

Threat intelligence comes to the rescue

The Threat analytics dashboard

The threat analytics report

Going a step further with Defender TI

Intel Profiles

Intel Explorer

Intel projects

Security reports

Permissions required

The compromised users report

The Exchange Transport Rule report

The Auto forwarded messages report

The Mailflow status report

Mail latency report

The Post-delivery activities report

The Spoof detections report

The Submissions report

The Threat protection status report

The Top Malware Report

The Top senders and recipients report

The URL threat protection report

The User reported messages report

Summary

References

Chapter 11, Integration and Artificial Intelligence

Introducing APIs

The Microsoft Graph security API

The advanced hunting API

The Alerts_v2 API

The Alerts API (Legacy API)

The Incidents API

The attack simulation API

The secure score API

The Threat Intelligence API

API exploration and integration

AI to the rescue

Copilot for Security

Deploying Copilot for Security

Using Copilot for Security

Summary

References

Chapter 12, User Awareness and Education

Why we need to train users

Introducing attack simulation training

Using simulations and payloads

Understanding payloads

Creating a simulation

Automating the training

Simulation automation

Payload automation

Training campaigns

Understanding reports and insights

Summary

References

Index

Other Books You May Enjoy

Preface

Over the course of my 25+ years in the information technology and security fields, I have had the opportunity to support many organizations with varying security budgets. One common observation I’ve made is the tendency for security strategies to rely on a single set of isolated security technologies. This approach often overlooks the most vulnerable areas, including email clients such as Outlook, document processing software such as Word, and even messaging applications such as Teams.

Unfortunately, even organizations with substantial security budgets often lack a focused security strategy that addresses real-world attacks. As a result, many of these organizations experience breaches, some of which go unnoticed until their entire environment is compromised. It’s a recurring theme in the news, with major companies from the Global 500 reporting significant breaches, facing hefty fines, and losing customer trust.

Sometimes, a breach can be as simple as an employee accidentally clicking on a link in an email while trying to assist someone, leading to the infection of internal corporate systems. The aftermath of such incidents involves not only lost business but also extensive damage control, including costly investigations and recovery processes that can run into millions of dollars.

The absence of an integrated and focused security strategy results in a lack of proactive and effective protection. Consequently, organizations are forced to resort to incident response and containment measures once a breach occurs. Recognizing this issue, Microsoft, a leader in software, cloud, and security, has developed Defender for Office 365. This set of security tools is specifically designed to safeguard the everyday tools that end users interact with.

In this book, I aim to provide you with not only a comprehensive understanding of the threats you need protection from but also insights into how Defender for Office 365 operates, as well as how you can leverage it to ensure your organization doesn’t fall victim to poor productivity tool security.

Who this book is for

If you’re looking to enhance the security of productivity software such as Office 365, you’ve come to the right book. Whether you’re a novice or an experienced IT or security professional, this book offers practical insights to support and administer Defender for Office 365 deployments. It starts by covering fundamental security concepts and Office 365 deployments to ensure inclusiveness for all readers. The discussion then delves into the various components of Defender for Office 365, guiding users in how to determine the optimal configuration for their environment and providing methods to track their success.

What this book covers

Chapter 1, The Security Wild West, introduces you to common security concepts and how Microsoft Defender security products protect your organization. Zero trust is covered, along with how to get executive support.

Chapter 2, Basic Components of Defender for Office 365, explores the basic components of Defender for Office 365, how these work against common security threats, and the impact of misconfiguration on the end user.

Chapter 3, Basic Checks and Balances, examines the security frameworks and approaches used by many organizations and how to identify what works for your organization. Guidance is provided on how to qualify these requirements into trackable metrics to help strategize your deployment.

Chapter 4, Basics of Configuration, walks you through a basic deployment and how to ensure it aligns with an organization’s security requirements, while minimizing end user impact.

Chapter 5, Common Troubleshooting, covers the common approaches to troubleshooting issues in Defender for Office 365 and tips on saving time during maintenance. Effective approaches are introduced to handle rare and complex issues.

Chapter 6, Message Quarantine Procedures, discusses how to manage message quarantines and strike a good balance between effective quarantines and minimal end user impact.

Chapter 7, Strengthening Email Security, dives into advanced configuration, including measures to minimize malicious messages coming from your environment.

Chapter 8, Catching What Passed the Initial Controls, covers more advanced protections to handle malicious messages that evade the initial controls deployed for advanced attacks or internal threats. Guidance is provided on the proper analysis and control of message routing by using mail flow and message tracing.

Chapter 9, Incidents and Security Operations, explores effective security operations to decrease missed threats. Automation is introduced to improve efficiency, increase visibility, decrease wasted man-hours, and decrease alert fatigue among the security team members.

Chapter 10, Magnifying the Unseen – Threat Intelligence and Reports, examines threat intelligence and the many options available to enrich signals and alerts, helping you to further improve security operations and threat hunting. Reports are also discussed to track the effectiveness of security efforts and threat intelligence quality.

Chapter 11, Integration and Artificial Intelligence, discusses approaches to leveraging information from third-party tools to improve security operations, including approaches to integration. Artificial intelligence is introduced, including how to use Copilot for Security to further improve security operations.

Chapter 12, User Awareness and Education, provides guidance on how to execute effective security training, as well as how to use the features available in Defender for Office 365 to execute training that mimics real-world attacks.

To get the most out of this book

You will need a basic understanding of how to use a web browser, as well as evaluation licenses for Office 365 and Defender for Office 365 if your organization does not have any licenses yet.

Software/hardware covered in the book    Operating system requirements
Microsoft Outlook                        Windows or macOS
Microsoft Teams                          Windows or macOS
Microsoft Word                           Windows or macOS
Microsoft Excel                          Windows or macOS

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Open a PowerShell window and connect to your EOP tenant by using Connect-ExchangeOnline.”

A block of code is set as follows:

Hostname: _dmarc
TXT value: v=DMARC1; p=<reject | quarantine | none>; pct=<0-100>; rua=mailto:<DMARCAggregateReportURI>; ruf=mailto:<DMARCForensicReportURI>

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

Set-HostedContentFilterPolicy -Identity "MyASFPolicy" -[ASFSetting] Test

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “They can also revoke the Remember MFA on the device option.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Mastering Microsoft Defender for Office 365, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/978-1-83546-828-9

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1 – Introduction and Basic Configuration

In this part, we will introduce you to the cyber security threat landscape, security strategies, the Defender ecosystem, and the security deficiencies that Defender for Office 365 should correct. We will also explain the different components of Defender for Office 365 and how they work together to protect an organization. We will discuss what happens when a component is misconfigured. Next, we will help you identify the type of security your organization needs and align your Defender for Office 365 deployment accordingly. Finally, we will teach you how to perform a basic deployment of Defender for Office 365 and explain the impact it will have on end users.

This part contains the following chapters:

Chapter 1, The Security Wild West

Chapter 2, Basic Components of Defender for Office 365

Chapter 3, Basic Checks and Balances

Chapter 4, Basics of Configuration

Chapter 1: The Security Wild West

Welcome to this detailed guide on Microsoft Defender for Office 365. The dangers of constantly evolving security threats have never been more evident. Understanding the security tools that touch most end user activities is the key to lowering your organization’s security risks. In this book, we will explore the complexities of deploying Microsoft Defender for Office 365, one of Microsoft’s premier security tools for protecting Office 365, a productivity and communication suite used by most organizations. In the following chapters, our focus will be to explain why this security tool matters, along with guidance on configuring, using, and leveraging its advanced features, such as integration and proactive threat hunting.

Our security expedition will begin in Chapter 1, where we will navigate today’s dangerous cyber threat landscape. We will establish a foundation for security by providing insights into the diverse facets of cyber threats, including advanced persistent threats, and into the impact of emerging technologies on security. We will explore the common attack vectors associated with Office 365, offering a contextual understanding of the daily threats organizations face. This understanding is crucial for comprehending the full scope of the capabilities of Defender for Office 365, and for understanding how the various components protect and integrate into a typical Office 365 deployment.

To ensure a complete understanding and provide guidance for a more diverse set of organizations, we will cover the reasons why moving from Exchange Online Protection (EOP) to Defender for Office 365 is not just a change in product, but also a significant advancement in fortifying a productivity environment. We will also look at Zero Trust, how Defender for Office 365 supports this popular architectural approach, and how we can benefit from it in our environment. The chapter ends with some ways to kick-start the conversation with an organization’s executives on what return on investment (ROI) can be expected from implementing Defender for Office 365. By the time you reach the end of this book, you will possess a thorough understanding of Defender for Office 365, how to gain executive backing for its implementation, and how to leverage its functionalities to leapfrog security efforts in your organization. I welcome you on your quest to become a master of Microsoft Defender for Office 365.

This chapter will cover the following topics:

The security threat landscape and how it impacts your organization

Typical approaches to deploying and attacking productivity tools

The security tools that Microsoft offers and how they support security strategies

The typical protection approach for productivity tools

Discussing the ROI of Defender for Office 365 with your C-suite executives

Let our journey begin!

The cyber threat landscape – how do others get attacked?

Security is always a game of cat and mouse. Adversaries are constantly learning new tricks and developing new attacks, on both the technical and social engineering sides. For example, let’s consider credit cards. In the mid-nineties, fake number generators were a major problem. To defend against this, credit card companies introduced ways to verify numbers in real time, so attackers had to find a way to capture real numbers online via fake websites. Credit card companies again smartened up and set up further protections to prevent captured credit cards from being used. In turn, adversaries moved to credit card skimmers to physically copy and clone cards. This constant back and forth is also occurring on a different scale, impacting not only individuals, but organizations and governments too. Remember, the technological advancements we are currently experiencing are not used exclusively by law-abiding individuals. The advancements are giving adversaries multiple new platforms on which to change their approaches.

Cyber threats and their evolution

Over the years, cyber threats have changed, transitioning from simple viruses and worms to more intricate types of attacks, such as ransomware, phishing, and advanced persistent threats (APTs). Ransomware is a notable threat that involves encrypting data and demanding a ransom for its release (Newman & Burgess, 2023). In contrast, phishing attacks focus on manipulating individuals, luring them into revealing sensitive information through deceitful emails or fake websites (Wong, 2023).

The emergence of APTs adds a layer of intricacy to the ever-evolving landscape of cybersecurity threats. These groups’ calculated attacks, frequently funded and directed by governments, have a long-term perspective, aiming to either steal sensitive data or disrupt operations. A key characteristic of most APTs is their persistent nature, with some groups operating covertly for many months at a time thanks to the substantial resources backing their operations (Yasar & Rosencrance, 2023). A famous example is the SolarWinds attack, in which the Russia-based group APT29, also known as Cozy Bear, went to great lengths to hide its presence for nine months.

The role of emerging technologies

The emergence of Artificial Intelligence (AI), Machine Learning (ML), and the Internet of Things (IoT) has made the cybersecurity landscape increasingly complex. Despite the benefits of these technologies, it’s vital to acknowledge the vulnerabilities they introduce and the opportunities these give cybercriminals. Attackers find IoT devices particularly enticing because they ship with few security controls out of the box and because many organizations expose them directly to the internet without hardening them.

While many organizations have leveraged AI and ML to improve security tools, such as next-generation antivirus agents, the potential for misuse still exists. Cybercriminals have identified multiple opportunities to use these technologies to automate attacks, evade detection, and mimic human behavior, all to deceive unsuspecting victims (Charife & Mossad, n.d.). This problem has been particularly notable with the rise of deepfake videos, which have been used by nation-states to cause confusion among opposing nations’ citizens and to influence public opinion in the adversary’s favor.

The human factor

Even with the constant progress of technology, we cannot ignore the fact that the human element remains a crucial weakness. Social engineering attacks, known for their ability to manipulate individuals and extract sensitive information, have a high success rate. This highlights the significance of continuous education and awareness, as it enables individuals to more effectively identify and react to these threats (SecurityScoreCard.com, 2024).

Having discussed the most common vectors in general, it helps to look at the most common vectors as they apply to Office 365.

Common attack vectors related to Office 365

Long gone are the days of faxes and punch cards. Using productivity tools has become crucial for running a successful business in today’s world. The Office 365 suite has proven to be invaluable in maintaining efficient operations not only due to the flexibility in content creation, but also the ability to continue working anywhere, even if you need to change devices, just by using a web browser. However, the widespread use of these technologies has made them a bigger target for cybercriminals, as there is a higher chance of success for them. The following are just some of the many attacks common to Office 365 and multiple other productivity suites.

Email-based attacks

Among the many attack vectors, it is crucial to highlight that email continues to be one of the most common and extensively abused methods. Cybercriminals often resort to phishing or spear-phishing attacks, crafting deceptive emails that mimic legitimate messages with the aim of tricking individuals into revealing sensitive information, clicking on a link, or downloading malicious attachments. The popularity of Office 365’s Outlook has made it a key component of many attacks: adversaries craft malicious messages that mimic the look of legitimate Outlook notifications from corporations or even from Microsoft itself (GeeksforGeeks, 2023).

Credential theft

Credential theft is another common attack vector. Attackers try commonly used or publicly leaked passwords to gain unauthorized access to accounts, either by password spraying (a handful of passwords tried against many accounts, which stays below per-account lockout thresholds) or by brute force against a single account. These attacks exploit weak identity management practices in many environments, such as the absence of Conditional Access policies or modern multi-factor authentication (MFA) methods. Even where MFA is enabled, simple push-notification approval is vulnerable to MFA fatigue: an attacker who already holds a valid password triggers prompt after prompt until the worn-down user approves one. Once an attacker controls a user account and gains access to the Office 365 environment, they can use the user’s privileges to enumerate the environment and move laterally (Groenewald, 2022). Such an attack was observed in the 2022 Uber breach, where an account was compromised through MFA notification fatigue.
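The two patterns described above leave distinct traces in sign-in telemetry. As an added example (not code from the book), the following Python spots both in a constructed, simplified sign-in log: a password spray pivots on the source IP rather than the account, since each account sees only one or two failures, and MFA fatigue shows as a run of denied prompts on one account followed by an approval. The field names and result values are assumptions for this example, not the schema of any real product.

```python
"""Added example: detect password spraying and MFA push fatigue in a
constructed sign-in log. Field names and result values are assumptions
for this example, not any product's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, user, source IP, result). Results used here: "wrong_password",
# "mfa_denied" (correct password, user rejected the push) or "success".
# Constructed data; these are not real accounts or addresses.
SAMPLE_SIGNINS = [
    # Password spray: one source, one guess per account, few failures per user
    ("2024-03-01T09:00:01Z", "alice@contoso.example", "203.0.113.7", "wrong_password"),
    ("2024-03-01T09:00:03Z", "bob@contoso.example", "203.0.113.7", "wrong_password"),
    ("2024-03-01T09:00:05Z", "carol@contoso.example", "203.0.113.7", "wrong_password"),
    ("2024-03-01T09:00:07Z", "dave@contoso.example", "203.0.113.7", "wrong_password"),
    ("2024-03-01T09:00:09Z", "erin@contoso.example", "203.0.113.7", "success"),
    # Benign: one typo, then a successful login from the user's usual IP
    ("2024-03-01T09:10:00Z", "frank@contoso.example", "198.51.100.4", "wrong_password"),
    ("2024-03-01T09:10:20Z", "frank@contoso.example", "198.51.100.4", "success"),
    # MFA fatigue: correct password, repeated push prompts denied, then approved
    ("2024-03-01T22:00:00Z", "grace@contoso.example", "192.0.2.55", "mfa_denied"),
    ("2024-03-01T22:01:00Z", "grace@contoso.example", "192.0.2.55", "mfa_denied"),
    ("2024-03-01T22:02:00Z", "grace@contoso.example", "192.0.2.55", "mfa_denied"),
    ("2024-03-01T22:03:00Z", "grace@contoso.example", "192.0.2.55", "mfa_denied"),
    ("2024-03-01T22:06:00Z", "grace@contoso.example", "192.0.2.55", "success"),
]


def parse(rows):
    """Turn the raw tuples into dicts with a timezone-aware datetime."""
    return [
        {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
         "user": user, "ip": ip, "result": result}
        for ts, user, ip, result in rows
    ]


def detect_password_spray(events, min_users=4, window=timedelta(minutes=10)):
    """Return {source_ip: [users]} for sources whose bad-password failures hit
    at least `min_users` distinct accounts inside one sliding `window`.
    A spray is low-and-slow per account, so per-user lockout thresholds miss
    it; grouping by source exposes the pattern."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "wrong_password":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, failures in by_ip.items():
        failures.sort(key=lambda e: e["ts"])
        start = 0
        for end, newest in enumerate(failures):
            while newest["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from(events, source_ips):
    """Users who signed in successfully from a spraying source: the spray's hits."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["ip"] in source_ips})


def detect_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=15)):
    """Return users who denied at least `min_denials` MFA prompts within
    `window` and then approved one: the push-bombing sequence."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent_denials = [d for d in evs[:i]
                              if d["result"] == "mfa_denied"
                              and e["ts"] - d["ts"] <= window]
            if len(recent_denials) >= min_denials:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    events = parse(SAMPLE_SIGNINS)
    spray = detect_password_spray(events)
    print("password spray sources:", spray)
    print("accounts likely compromised by spray:", successes_from(events, spray))
    print("MFA fatigue victims:", detect_mfa_fatigue(events))
```

On this data the spray detector flags 203.0.113.7 (four accounts in six seconds) and reports erin as the account it got into, while frank's single typo is ignored; grace is the MFA fatigue victim. In a real tenant the same logic would run over Entra ID sign-in logs, and the thresholds would be tuned to the organization's baseline.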

Third-party integrations

Office 365’s integration with third-party apps provides attackers with an opportunity to exploit integration misconfigurations. A common attack vector is the use of legacy authentication methods, such as those observed in many organizations’ Exchange Online deployments. This weakness was so commonly used that Microsoft decided to disable legacy authentication in any out-of-the-box configurations after October 1, 2022. Weak application passwords are another common misconfiguration that Microsoft security guidance recommends not to use, as they can be leveraged to circumvent MFA.

Cloud-based attacks

By exploiting synchronization tokens, Attacker-in-the-Cloud (AitC) attacks take advantage of the authentication and data synchronization processes used by cloud services. Unlike traditional Attacker-in-the-Middle (AitM) attacks that eavesdrop on data in transit, AitC attacks manipulate authentication tokens, giving attackers unrestricted access to a user’s cloud-stored data without compromising their login credentials directly.

The subtlety of AitC attacks makes them particularly treacherous. Because the tampering with the authentication token is invisible to the user, they remain unaware of the attacker’s presence while confidently accessing and storing data in the cloud. As a result, an intruder can silently observe, manipulate, or pilfer data without detection.
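Both identity attacks described so far leave a footprint in sign-in telemetry that a defender can look for: a password spray shows up as one source failing against many accounts with only one or two attempts each, and a stolen or replayed token shows up as one session identifier being accepted from more than one network. The following is an added example written for this book excerpt, not code from the book or from Microsoft. The event layout, the field names, the thresholds (five accounts within ten minutes, at most two tries per account) and the sample events are all constructed assumptions and do not reflect Microsoft’s sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events, not real telemetry:
# (timestamp, user, source_ip, result, session_id).
# 203.0.113.5 tries one password against many accounts (a spray);
# carol's session token sess-c1 is later presented from a second network.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice@example.com", "203.0.113.5", "failure", None),
    ("2024-03-01T09:00:03", "bob@example.com", "203.0.113.5", "failure", None),
    ("2024-03-01T09:00:06", "carol@example.com", "203.0.113.5", "failure", None),
    ("2024-03-01T09:00:09", "dave@example.com", "203.0.113.5", "failure", None),
    ("2024-03-01T09:00:12", "erin@example.com", "203.0.113.5", "failure", None),
    ("2024-03-01T09:00:15", "frank@example.com", "203.0.113.5", "success", "sess-f1"),
    # A legitimate user mistyping a password twice from the office network.
    ("2024-03-01T09:10:00", "carol@example.com", "192.0.2.10", "failure", None),
    ("2024-03-01T09:10:20", "carol@example.com", "192.0.2.10", "failure", None),
    ("2024-03-01T09:10:40", "carol@example.com", "192.0.2.10", "success", "sess-c1"),
    # The same session token used from an unrelated address minutes later.
    ("2024-03-01T09:25:00", "carol@example.com", "198.51.100.9", "success", "sess-c1"),
]


def parse_events(raw):
    """Turn the raw tuples into dicts with real datetimes."""
    return [
        {"time": datetime.fromisoformat(t), "user": u, "ip": ip,
         "result": r, "session": s}
        for t, u, ip, r, s in raw
    ]


def detect_password_spray(events, window_minutes=10, min_users=5, max_per_user=2):
    """Return {source_ip: [users]} for sources whose failed sign-ins hit at
    least `min_users` distinct accounts inside one window, with no single
    account tried more than `max_per_user` times. Few tries per account
    spread across many accounts is what separates a spray from brute force."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits window_minutes.
            while (fails[end]["time"] - fails[start]["time"]).total_seconds() > window_minutes * 60:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def detect_session_reuse(events):
    """Return {session_id: [ips in order first seen]} for session tokens that
    were accepted from more than one source IP. A replayed token surfaces
    this way even though no password was ever guessed."""
    seen = defaultdict(dict)  # session_id -> {ip: first_seen}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] == "success" and e["session"]:
            seen[e["session"]].setdefault(e["ip"], e["time"])
    return {sid: sorted(ips, key=ips.get) for sid, ips in seen.items() if len(ips) > 1}


def analyze(raw=SAMPLE_EVENTS):
    """Run both detections over one batch of raw events."""
    events = parse_events(raw)
    return {"password_spray": detect_password_spray(events),
            "session_reuse": detect_session_reuse(events)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

The two detections are deliberately independent: the spray check ignores successes, so a spray that eventually lands on one weak account is still reported, and the token-reuse check ignores failures, so it works for accounts that were never sprayed. In a real tenant the same questions are asked of the sign-in logs rather than of an in-memory list, and the thresholds would be tuned to the organization’s own baseline.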

Malicious insiders

Lastly, we cannot forget malicious insiders, which are present in all organizations and present one of the most damaging vectors. In an organization, certain individuals take advantage of their access to the Office 365 environment for malicious activities, such as stealing sensitive information, disrupting operations, or facilitating external attacks (Anastasov, 2023).

To gain a better understanding of the role these attack vectors play in productivity tools, it is good to have a look at what a typical deployment looks like.

Office productivity tool deployments – how do others deploy?

Microsoft Office 365 offers a suite of cloud-based productivity tools and services designed to empower an organization’s digital landscape. Let’s explore the key aspects of Microsoft 365, including its components and typical architecture, from an organization’s viewpoint, covering hybrid and cloud-only environments.

Components of Microsoft 365

Microsoft 365 encompasses far more than just email. It includes a complete suite of collaboration tools that, aside from the traditional office productivity applications, facilitate content creation and sharing. The tools you will most likely encounter in most organizations include the following:

Exchange Online: This service enables efficient communication for organizations through email hosting and management. Some of its features include shared calendars and contacts (Microsoft, 2023).

SharePoint Online: SharePoint is a collaborative platform designed for document management and content sharing. It allows teams to create, share, and manage content and applications (Microsoft, 2023).

Teams: Microsoft Teams acts as a collaboration hub, encompassing chat, video conferencing, file sharing, and integration with other Microsoft 365 apps (Microsoft, 2023).

OneDrive for Business: Users can securely store, share, and access files from anywhere with this personal cloud storage service (Microsoft, 2023).

Office apps: Also known as Microsoft 365, Office apps are accessible via the browser and on different devices. Microsoft 365 includes familiar Office apps such as Word, Excel, PowerPoint, and more (Microsoft, 2023).

Microsoft Entra ID (Azure Active Directory): Entra ID, formerly Azure Active Directory, offers identity and access management for Microsoft 365 services, improving security and user administration (Microsoft, 2023).

Microsoft 365 is not only about the components it contains, but also about how these components are deployed and integrated into an organization’s environment. It helps to view the different possible architectures.

Microsoft 365 cloud architecture

Organizations have the flexibility to deploy productivity tools in various ways to meet their specific needs. The two most common approaches are cloud-only and hybrid:

Cloud-only environment: With a cloud-only configuration, all Microsoft 365 services and data are housed in the cloud. This simplifies management, reduces infrastructure costs, and offers scalability. However, it may demand a reliable internet connection.

Hybrid environment: Many organizations choose a hybrid approach, mixing on-premises infrastructure with cloud services. This enables them to use their current investments while transitioning to the cloud. An example is integrating on-premises Active Directory with Entra ID.

Having a thorough understanding of Microsoft 365 components is just one piece of the puzzle. Microsoft’s reputation for offering comprehensive, integrated environments that boost office productivity means that security has not been forgotten. A nicely integrated suite of security tools is offered that aims to help maintain an organization’s security posture with minimal impact on productivity.

Microsoft Defender – a primer

Microsoft Defender creates a comprehensive ecosystem of security technologies, which intertwine seamlessly to deliver a complete and holistic approach to organizational security. By integrating multiple components, this platform enhances cybersecurity postures across identities, endpoints, cloud applications, and digital estates. This fosters a collaborative defense that adapts to organizational requirements while protecting against a constant barrage of new security threats.

Overview of the Microsoft Defender ecosystem

The ecosystem comprises several robust components, each contributing to different aspects of cybersecurity:

Figure 1.1 – The Microsoft Defender line of products and their focus

Microsoft 365 Defender XDR: This central hub and security portal, formerly called Microsoft Threat Protection, acts as a unified front for all the alerts and signals provided by the entire Defender security suite. The acronym XDR stands for Extended Detection and Response. This comprehensive security solution offers end-to-end insights across endpoints, email, data, identities, and applications. By automating security operations, incident response efforts become more efficient.

Microsoft Defender for Endpoint: This endpoint detection and response (EDR) solution, included out of the box in all modern Windows operating systems via its unified agent, strengthens security measures at the device level. This component surpasses ordinary next-generation antivirus solutions by providing advanced threat protection (ATP) for endpoints. It does this by using artificial intelligence to identify, examine, and address sophisticated threats, vulnerabilities, and breaches.

Microsoft Defender for Office 365: With a focus on safeguarding the enterprise’s communication and collaboration footprint, this module provides protection against threats such as phishing, malware, and more. It covers email, OneDrive, SharePoint, and other Office 365 services.

Microsoft Defender for Identity: With a primary focus on safeguarding organizational identities, this agent offers increased visibility into the intricate processes and traffic associated with identity management on a domain controller. In-depth analysis of on-premises Active Directory traffic at the domain controller level, including certificate services and federation, can help with identifying and investigating advanced threats, compromised identities, and malicious insider actions targeting the organization.

Microsoft Entra Privileged Identity Management: This component improves upon the out-of-the-box protections and identity governance controls provided by Entra to include just-in-time privileged access, automated access reviews, enhanced audit history, and other features.

Microsoft Defender for Cloud Apps: This security solution acts as a protective bubble, safeguarding software-as-a-service (SaaS) applications and monitoring the control plane of cloud platforms. It offers insights into cloud application usage, shadow IT, misconfiguration, and potential cybersecurity risks.

Microsoft Defender for Cloud: As of the time of writing, this component is only accessible from the Azure portal, but alerts and findings are shared with Microsoft Defender XDR and visible from the Microsoft Defender 365 portal. Formerly named Azure Security Center, this tool provides a comprehensive and unified security posture management solution. It provides auditing according to common industry recommendations and correction via automation across all of Microsoft’s cloud environments, including Azure, Microsoft 365, and hybrid environments, as well as third-party cloud environments such as AWS and GCP.

Microsoft Sentinel: This tool resides in the Azure platform, but can be accessed from both the Azure portal and the Defender portal. This cloud-native solution combines Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) capabilities to deliver advanced security analytics and threat intelligence throughout the organization, allowing for the identification of sophisticated attacks that involve multiple elements. By leveraging the capabilities of AI, Sentinel empowers organizations to address security threats swiftly and effectively by filtering and acting on the most relevant security data.

Microsoft Purview: This is an all-inclusive data governance service that aids organizations in uncovering, comprehending, categorizing, and safeguarding their data. It allows for safeguarding across diverse sources, whether on-premises, in multi-cloud environments, or within SaaS applications. Purview’s goal is to overcome the obstacles of data discovery, cataloging, and maintaining data sensitivity and compliance.

Microsoft Defender EASM: Microsoft’s offering for external attack surface management provides continuous discovery and tracking of an organization’s external digital footprint to discover openings and vulnerabilities that could be exploited.

Microsoft Defender Threat Intelligence: This product augments the threat intelligence already offered by Microsoft Defender products from incident investigations, detections in the field, and analysis from Microsoft security experts. This product provides in-depth information on current threats, actors, and other points of interest.

Implementing these tools can tremendously boost your security visibility and posture, especially when these are properly tuned, but it is not enough. An effective security strategy goes beyond just deploying tools. It involves designing an environment with security in mind. The Zero Trust approach can provide a way for many organizations to transition to a stronger security foundation from the beginning.

Holistic approach to security and Zero Trust

Microsoft’s Defender suite draws special attention to the principle of integrated security by delivering an interconnected security strategy across an organization’s entire digital estate. By sharing signals across its ecosystem, Defender effectively uses its extensive visibility, machine learning, and automation to proactively address, identify, analyze, and counter threats across all essential domains (Microsoft, 2023).

Suppose a phishing campaign targets an organization. In such a case, Microsoft Defender for Office 365 would swiftly flag the suspicious email and collaborate with Microsoft 365 Defender to automate investigations and expedite incident response (Microsoft, 2023). The combination of increased visibility and interoperability seamlessly aligns with the Zero Trust approach to security architecture.

The term Zero Trust centers on a straightforward yet powerful concept: trust no one and always verify access attempts. Unlike traditional perimeter-based security models, Zero Trust acknowledges the potential for threats to emerge from both external and internal sources within the organization. This approach shifts the emphasis from basic perimeter defense to a comprehensive defense strategy that carefully examines every access request, regardless of its source (Irei & Shea, 2022).

The essence of Zero Trust lies in three fundamental principles:

Verify identity: Verify that all users and devices trying to access resources in an environment have been properly authenticated and authorized

Least privilege access: Provide users with only the access they require to fulfill their job duties, and no extra permissions

Continuous monitoring: Continuously monitor network activities, swiftly identifying and resolving any irregularities that may occur

The Microsoft Defender suite goes beyond traditional security measures by incorporating the Zero Trust model into its design, ensuring that its tools and services align with the principles of this security approach:

Endpoint security: Microsoft Defender for Endpoint diligently monitors endpoints at all times, ensuring strict adherence to security policies before granting access. If anomalies are detected, the solution can swiftly address threats, maintaining the constant application of the verify principle of Zero Trust (ThreatLocker, 2023).

Identity management: With the help of AI-driven technology, Microsoft Defender for Identity and Entra ID’s user risk, sign-in risk, and conditional access policies can proactively detect and stop identity-based threats. By meticulously confirming the identity of each user and device, it seamlessly adheres to the Zero Trust principle, refusing to grant blind trust.

Information protection: Microsoft Defender for Office 365 ensures real-time monitoring of data access. By communicating with Entra ID, verifying user identities, and restricting access to sensitive data, the least privilege principle is upheld (Irei & Shea, 2022).

Integrated threat intelligence: The suite’s threat intelligence capabilities provide constant surveillance of the threat landscape, adjusting to emerging risks and ensuring that security measures and tools keep pace with threats. This proactive approach aligns with the Zero Trust model’s emphasis on remaining constantly vigilant (ThreatLocker, 2023).

To enhance their resilience against cyber threats, organizations are advised to use the full range of tools available in the Microsoft Defender suite. By leveraging the complete ecosystem, they gain advantages such as a cohesive security stance, easy information exchange, and efficient incident handling. Continuous monitoring ensures that an organization’s defenses are constantly vigilant. Now that we have seen how all these tools and approaches work at a high level, let’s dig deeper into what makes Defender for Office 365 special compared to more typical productivity security tools.

Protecting your productivity tools

Before we discuss what Microsoft Defender for Office 365 can do for your organization, it’s crucial to grasp the underlying security solution that forms the basis for email protection: Exchange Online Protection (EOP). EOP, a cloud-based email filtering service developed by Microsoft, offers advanced protection against spam and malware. Its effectiveness has made it a key component in protecting many organizations’ mailboxes by blocking malicious files, spam, and phishing attempts. With its integration with Microsoft Exchange Online and Office 365, EOP offers enhanced security and reliability features to protect organizational communications.

EOP components

With EOP, organizations can enjoy a wide range of features that are specifically designed to safeguard their email communications:

Anti-malware protection: With its multi-layered anti-malware engine, EOP thoroughly examines and filters email content, ensuring any known malicious software is detected. This practice serves as a barrier, preventing harmful content from infiltrating an organization’s inboxes (Davis et al., 2023).

Spam filtering: Through its advanced algorithms, EOP efficiently detects and removes unwanted emails, ensuring users’ inboxes remain clutter-free and secure.

Connection filtering: EOP effectively blocks emails from malicious IP addresses by utilizing real-time block lists and establishing a safe sender list, ensuring seamless delivery of genuine emails (Davis et al., 2023).

Policy tips: When integrated with Data Loss Prevention (DLP), EOP offers users policy tips to alert users about potential policy violations before sending an email, providing a way to minimize unintentional sharing of sensitive data (Davis et al., 2023).

Transport rules: By configuring transport rules, administrators can enforce specific actions based on predetermined conditions, ensuring that emails meeting certain criteria are managed accordingly.

Safe attachments: This feature scans email attachments in a special environment before they are delivered to the recipient, ensuring that no hidden malicious content can execute unauthorized processes within an organization’s network (Davis et al., 2023).

No comprehensive enterprise security tool is free. Understanding the license structure is the key to securing good ROI.

Licensing for EOP

Microsoft offers EOP as part of both Exchange Online and Office 365 subscription packages. However, organizations that maintain their own mail servers can also get EOP as a standalone service to take advantage of its security measures. Here is the breakdown of the licensing structure:

EOP standalone: Tailored to meet the needs of organizations utilizing on-premises Exchange servers. With this subscription, you get access to comprehensive protection that includes anti-malware and anti-spam filtering.

Office 365 E1: This comprehensive package combines EOP with other productivity tools such as OneDrive, SharePoint, and Teams, giving you everything you need in one bundle.

Office 365 E3 and E5: These advanced enterprise packages go beyond EOP and offer additional security features such as ATP and data governance tools.

The licensing costs may differ based on region, number of users, and any additional services or customizations requested by the organization. Precise pricing details can be obtained by directly consulting with Microsoft or its partners.

Defender for Office 365 – why not just stay with EOP?

Although EOP provides a strong security foundation, the increasing sophistication of cyber threats has expanded the range of attack vectors beyond email. Microsoft Defender for Office 365 aims to bolster the security of email and collaboration tools, providing a robust level of protection against evolving threats. By utilizing Defender for Office 365 instead of solely relying on EOP, users can enjoy heightened security measures and greater peace of mind (MSFTTracyP & Davis, 2023). Defender for Office 365 builds on many of the features offered by EOP, as shown in the following figure:

Figure 1.2 – Comparison of features between EOP and Defender for Office 365

Now that we have a general overview of what Defender for Office 365 adds on top of EOP, let’s explore the nuances of these additional capabilities.

Advanced security capabilities

EOP provides essential protection against threats such as spam, malware, and phishing. However, Microsoft Defender for Office 365 strengthens this safeguard by incorporating extra measures such as Safe Attachments and Safe Links, which provide more advanced protection against harmful attachments and links. These features analyze links and attachments in real time to protect against potential harm.

Comprehensive protection across tools

Microsoft Defender for Office 365 is a versatile security service that considers more than just email threats. It ensures the safety of links and attachments across collaboration tools within Microsoft 365. As collaboration tools are more deeply incorporated into daily operations, having a holistic security solution becomes crucial.

Automation and response

One major benefit of Microsoft Defender for Office 365 is its Automated Investigation and Response (AIR) capability. This feature helps security teams by automating threat monitoring and remediation.

Customization and flexibility

While EOP offers fundamental protection, Microsoft Defender for Office 365 provides enhanced flexibility through custom policies. Organizations can customize security settings to match their specific requirements.

Advanced investigation tools

Not only does Defender for Office 365 offer protection, but it also includes tools for extensive threat investigation. Features such as Threat Explorer empower security teams to analyze the intricacies of a security event, providing critical insights for mitigating threats and preventing future incidents.

Comprehensive plans

There are different plans available with Microsoft Defender for Office 365. These are tailored to suit different organizational needs. For example, Defender for Office 365 Plan 1 includes all EOP features and provides real-time detections. On the other hand, Plan 2 provides additional advanced features, such as post-breach capabilities and attack simulation training.

You have learned about Defender for Office 365 features and benefits, but how do you communicate them to your executives? You should consider their expectations for the ROI and the time frame for achieving it.

Understanding the ROI

When organizations consider implementing Defender for Office 365, executives will inquire about the ROI. Financial loss, damage to brand reputation, and loss of customer trust can all be consequences of cyberattacks. Since calculating ROI for security investments is beyond the scope of this book, we will focus on essential points to facilitate organization-wide discussions.

The direct and indirect costs of cyber threats

Understanding the typical cost of a cyberattack is crucial for organizations to discuss the benefits of implementing Defender for Office 365. The cost and impact can differ significantly, so to estimate what an attack would cost your organization, we need to examine the following direct and indirect costs based on industry, size, laws, and location:

Direct costs: Immediate financial outlays include paid ransoms, system restoration, investigation, and regulatory and legal fees. A study conducted by IBM found that the average direct cost of a data breach to a company is $3.86 million. The cost of each lost or stolen record is estimated to be approximately $146. Direct breach costs are influenced by the cause of the breach, the number of records lost, and the industry. The direct costs of healthcare breaches can reach an average of $7.13 million per breach, as stated by IBM (IBM, 2024).

Indirect costs: The consequences of cyberattacks include damage to brand reputation, erosion of customer trust, and potential business loss from system downtime. According to Microsoft’s 2020 Global Threat Report, the average indirect cost of a data breach for surveyed global organizations is $8.64 million. This estimate covers costs from business disruption, revenue loss, and brand reputation damage after a breach. According to Microsoft’s report, breached organizations experienced a notable decline in customer retention, requiring an average of over 14 months to regain customer trust. The biggest factor in indirect breach costs is the loss of loyal customers. The report revealed that small and medium-sized businesses have higher indirect breach costs than larger enterprises (Microsoft, 2020).

When you talk to executives, you need to clarify the problem you want to solve, because they won’t allocate funds for new tools based on intuition. You should also quantify the negative impact of the problem in financial terms to highlight its urgency.

The impact of Defender for Office 365 on ROI

To persuade your executives to adopt Defender for Office 365, you need to demonstrate how it addresses the gap you have identified in your current security posture. You can structure your argument around three main benefits: threat prevention, operational efficiency, and compliance enhancement. Use relevant data and examples to support each point, and tailor them to your organization’s specific needs and goals. These three main benefits can be thought out in the following manner.

Threat mitigation: ATP features, such as anti-phishing, anti-malware, and safe attachments, are included in Microsoft Defender for Office 365. By utilizing these features, the solution can deflect a significant number of cyberattacks and avoid associated costs.

Operational efficiency: Traditional security solutions’ level of false positives often overwhelms IT teams. Microsoft Defender’s AI-driven algorithms minimize false positives, allowing IT staff to concentrate on genuine threats. This improves productivity and reduces expenses caused by wasted man-hours.

Compliance and governance: Failure to comply with data protection regulations can lead to significant financial penalties. By using Microsoft Defender for Office 365, organizations can adhere to these regulations and potentially avoid expensive penalties.

The positives mentioned are extra points that you can account for when discussing with executives why Defender for Office 365 deployment should be funded. Remember that some executives might already be desensitized to negative news. Thus, providing points that touch on improving operations and lowering costs might put the deployment on the fast track for funding approval.

Summary

The benefits of using Microsoft Defender for Office 365 are many and varied. Although financial savings are obvious, the intangible benefits are just as important. Investing in strong security solutions not only protects organizations from financial loss, but also strengthens their brand value in today’s digital world.

Cyber threats, ranging from phishing campaigns to intricate ransomware attacks, challenge organizations daily. These threats apply to all organizations, big or small, with Office 365 being particularly targeted because of its widespread usage. The vulnerability doesn’t stop at emails; it encompasses file sharing and other collaboration tools as well. That said, Microsoft 365 provides more than just productivity. It also integrates with the Defender tools. Microsoft Defender surpasses the status of being a mere set of security tools. Its features, ranging from real-time threat detection to sophisticated investigation tools, are a testament to its holistic protective approach. Along with its obvious protective features, Defender for Office 365 also brings intangible benefits. Those include peace of mind, together with enhanced organizational reputation and fostered stakeholder trust, which leads to an amplified ROI. Microsoft Defender showcases the dynamic nature of cybersecurity, emphasizing the necessity of proactive defense and adaptability. The upcoming chapter will provide a granular look at each component, explaining how they contribute to bolstering an organization’s security strategy and how we need to think about their configuration before attempting a deployment.

References

Wong, D. (2023). The Evolution of Phishing Attacks. Cybersecurity Today. https://cybersecurity.att.com/blogs/security-essentials/the-evolution-of-phishing-attacks

Yasar, K., & Rosencrance, L. (2023). Advanced persistent threat (APT). TechTarget Security. https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT

SecurityScoreCard.com. (2024). The Human Factor in Cybersecurity. https://securityscorecard.com/blog/the-human-factor-in-cybersecurity/

Newman, L. H., & Burgess, M. (2023, July 12). Ransomware Attacks Are on the Rise, Again. WIRED. https://www.wired.com/story/ransomware-attacks-rise-2023/

Charife, T., & Mossad, M. (n.d.). AI in cybersecurity: A double-edged sword. Deloitte. https://www2.deloitte.com/xe/en/pages/about-deloitte/articles/securing-the-future/ai-in-cybersecurity.html

Groenewald, S. (2022). This is How Hackers Are Stealing Your Microsoft 365 Credentials. Micro Pro IT Support. https://micropro.com/blog/this-is-how-hackers-are-stealing-your-microsoft-365-credentials/

Anastasov, K. (2023). Insider Threats in Office 365: Detection and Prevention Strategies. Medium. https://medium.com/cybersecurity-science/insider-threats-in-office-365-detection-and-prevention-strategies-1744d112e145

GeeksforGeeks. (2023, May 30). Types of Email Attacks. GeeksforGeeks. https://www.geeksforgeeks.org/types-of-email-attacks/

Microsoft. (2023). Microsoft 365 and Office 365 service descriptions. Microsoft Learn. https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-service-descriptions-technet-library

Microsoft. (2023). Microsoft Digital Defense Report. https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/MDDR_FINAL_2023_1004.pdf

Microsoft. (2023). Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/

ThreatLocker. (2023, September 29). The evolution of Endpoint Security. ThreatLocker. https://www.threatlocker.com/blog/the-evolution-of-endpoint-security

Irei, A., & Shea, S. (2022, October 20). What is the zero-trust security model? TechTarget Security. https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network

Davis, C., Chakrabarti, R., & Simpson, D. (2023, October 24). Exchange Online Protection (EOP) overview. Microsoft Learn. https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-worldwide

MSFTTracyP, & Davis, C. (2023, October 25). Why do I need Microsoft Defender for Office 365? Microsoft Learn. https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-about?view=o365-worldwide

IBM. (2024). Cost of a Data Breach Report 2024. https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/

Microsoft. (2020). Microsoft Digital Defense Report. https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf

2

Basic Components of Defender for Office 365

The successful implementation of a security solution necessitates a comprehensive grasp of its purpose and functionality. This comprehension can aid in further delineating the sequence and execution of the deployment, as well as gaining a more profound insight into the solution’s impact on the organization. Throughout this chapter, we will take a detailed journey through the various aspects and functionalities of Defender for Office 365, shedding light on its critical role in modern cybersecurity. Please note that this chapter will serve as a review of how the components protect, as configuration and deployment will be covered in detail in later chapters, so it is recommended for the reader to focus more on how the component fits within their organization’s security strategy versus how it is configured.

We will begin by examining the robust mechanisms employed by Defender for Office 365 to block malicious files and attachments, which serve as a frontline defense against many cyber threats. Following this, we will delve into how it effectively shields your organization from malicious links and phishing attempts, as these are among the most common and damaging cyber-attacks.

Moreover, we will discuss how Defender for Office 365 empowers users by equipping them with the knowledge and tools to recognize and avoid potential threats. We will also conduct an in-depth analysis of its monitoring and investigation capabilities, highlighting how it enables you to understand and respond to security incidents within your environment.

We will explore the seamless integration of Defender for Office 365 with other Defender security products, enhancing your overall security posture. Lastly, we will review famous historical cyberattacks, analyzing how the deployment of Defender for Office 365 could have mitigated or even prevented these incidents. This analysis will provide valuable insights and lessons for strengthening your defense strategies.

This chapter will cover the following topics:

Ways to stop malicious files and attachments in their tracks
Ways to prevent your users from being victims of malicious links and phishing
How to allow your users to support your organization’s security goals
Ways to perform security investigations in your environment
Ways to leverage Defender’s integration capabilities
A look at some famous attacks and how our solution could have been used

Let’s continue our journey!

Blocking malicious files and attachments

Microsoft Defender for Office 365 offers comprehensive protection against malicious files across the entire Microsoft 365 collaboration product lineup. The protection encompasses email, SharePoint, OneDrive, Teams, and even offers document-level security through integration with Defender for Endpoint. In this section, we delve into these components, exploring their intricacies and examining the consequences of misconfiguration.

Safe Attachments

Safe Attachments in Microsoft Defender for Office 365 offers an extra layer of protection from malware in email attachments. By opening the attachments in a virtual environment, commonly referred to as a sandbox, before they reach the recipients, it ensures their safety. The process, known as detonation, enables the Safe Attachments component to examine the attachments’ behavior and impact with no risk of harm to the recipients’ devices or systems. Depending on the recipient’s Safe Attachments policy, the attachment can be blocked, replaced, or monitored if it is deemed malicious (Microsoft, 2023).

The Safe Attachments component can scan a wide range of file formats, including popular archive types such as .zip and .rar. It can also scan files that are hidden within other files, such as a Word document housing an Excel spreadsheet. The Safe Attachments component can process attachments of up to 25 MB per message.

Safe Attachments policies, configurable in the Microsoft 365 Defender portal or Exchange Online PowerShell, govern the operation of the Safe Attachments component. Although there is no default Safe Attachments policy, there is a preset security policy called Built-in protection that automatically offers Safe Attachments protection to all recipients, unless they are covered by other custom or preset policies. The misconfiguration of this component can have various impacts on the security and productivity of the organization and its users. Some of the possible impacts are as follows:

Inadvertently setting block or redirect on the wrong users can lead to delayed delivery and a decrease in user control over attachments. For example, if a valid attachment is mistakenly flagged as malicious, it will be prevented from reaching the intended recipient, substituted with a text document, or rerouted to an alternative email address. This can lead to frustration and confusion, which will affect trust and collaboration between users and external parties.
Opting for off or monitor could expose recipients to harmful attachments that can damage their device or data. For instance, if an unchecked malicious attachment is sent, it can reach the recipient unnoticed or unaltered. The recipient could unknowingly open the attachment, triggering the execution of the malware and posing a threat to their system or network.
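The two misconfigurations just described can be checked from Exchange Online PowerShell. The following audit script is an added example and is not from the book or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account can read threat policies. It maps each policy’s Enable/Action values back to the portal’s Off/Monitor/Block/Replace/Dynamic Delivery names, shows which recipients the policy’s rule applies it to, and flags policies set to off or monitor, redirects with no target address, and rules that are disabled.

```powershell
# Added example: audit Safe Attachments policies for the misconfigurations
# described above. Not the book's or Microsoft's code; assumes the
# ExchangeOnlineManagement module and read access to threat policies.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Translate the cmdlet's Enable/Action values into the portal's setting names.
function Get-SafeAttachmentMode {
    param($Policy)
    if (-not $Policy.Enable) { return 'Off' }
    switch ($Policy.Action) {
        'Allow'           { 'Monitor' }
        'Block'           { 'Block' }
        'Replace'         { 'Replace' }
        'DynamicDelivery' { 'Dynamic Delivery' }
        default           { $Policy.Action }
    }
}

$rules = Get-SafeAttachmentRule
foreach ($policy in Get-SafeAttachmentPolicy) {
    $mode = Get-SafeAttachmentMode -Policy $policy
    # A rule binds the policy to recipients; custom policies without an enabled
    # rule protect nobody (the Built-in protection preset has no rule of its own).
    $rule  = $rules | Where-Object { $_.SafeAttachmentPolicy -eq $policy.Name }
    $scope = '(no rule)'
    if ($rule) {
        $scope = (@($rule.SentTo) + @($rule.SentToMemberOf) + @($rule.RecipientDomainIs) |
            Where-Object { $_ }) -join ', '
    }

    $findings = @()
    if ($mode -in 'Off', 'Monitor') {
        $findings += "mode '$mode' lets malicious attachments reach recipients"
    }
    if ($policy.Redirect -and -not $policy.RedirectAddress) {
        $findings += 'redirect is enabled but no redirect address is set'
    }
    if ($rule -and $rule.State -ne 'Enabled') {
        $findings += 'rule is disabled, so the policy is not applied'
    }

    $redirectTo = if ($policy.Redirect) { $policy.RedirectAddress } else { '-' }
    $summary    = if ($findings) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Policy = $policy.Name; Mode = $mode; RedirectTo = $redirectTo
        Scope  = $scope;       Findings = $summary
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record of the policy state before making changes in the later configuration chapters.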

An example of a malicious attachment stopped via the Safe Attachments feature is shown in the following screenshot.

Figure 2.1 – Malicious attachments stopped

Protection extends beyond email attachments to encompass productivity files stored in cloud storage and devices.

Safe Documents

By extending the Safe Attachments configuration, the Safe Documents component adds an extra layer of security to Office documents opened in Protected View or Application Guard for Office, safeguarding against malware. The cloud backend of Microsoft Defender for Endpoint is utilized to scan documents and files (Defender for Endpoint does not need to be installed on the device), providing an extra layer of security before granting users permission to exit Protected View or Application Guard for Office. The process, known as verification, enables the Safe Documents component to examine the behavior and effects of documents and files without interfering with users’ devices or systems. If the document or file is determined to be malicious, it may be blocked, quarantined, or monitored based on the user’s Safe Documents policy settings (Microsoft, 2023).

The Safe Documents component can scan various types of files, including common Office formats such as .docx, .xlsx, and .pptx, as well as archive formats such as .zip and .rar. It can also scan files that are hidden within other files, such as a Word document with an embedded Excel spreadsheet. The Safe Documents component is capable of processing documents with file sizes of up to 60 MB.

Safe Attachments for SharePoint, OneDrive, and Teams

The enhanced safeguard provided by Safe Attachments can be expanded to SharePoint, OneDrive, and Teams. This approach safeguards organizations against additional vectors resulting from users or malicious individuals introducing and disseminating harmful files to an environment through methods other than email (Microsoft, 2023). This protection works as follows:

File scanning: Just like the Safe Attachments feature for email attachments, files are scanned and opened in a virtual environment to observe any potential consequences (known as detonation). This feature is key for modern threats that have not been previously identified in malware signatures and that do not behave in a way that can be easily detected by typical machine learning models.
Password-protected files: During detonation, the system verifies password-protected files by cross-referencing them with a database of commonly used passwords or