One of the most overlooked features in Office 365 seems to be Advanced Threat Protection. I am often confronted with environments that have it and do not use it or do not see the value in having it. This gets changed very quickly when something happens that could have been prevented with ATP. I think our goal as sysadmins should be to provide the most secure, stable, and easy to use IT environment to our end-users. A big part of this would be securing the email system in a way that allows the end-users to do what they need to do, and still allow for security. It’s a tightrope walk for sure, but it’s one that I think is necessary. Let’s look at what is available in Office 365 ATP and how it can be implemented.
ATP or Advanced Threat Protection is the service that will analyze your email coming in and going out for trends and threats. This can help identify where the threats are coming from and prevent them from getting to your users. ATP specifically protects from threats posed by email, links, and collaboration tools
There are four parts that make up ATP;
· Threat protection policies
· Threat investigation and response capabilities
· Automated investigation and response capabilities
Threat protection policies
The policies included with ATP provided a good baseline security for most tenants. You can add additional policies as needed. Sometimes this can be a good idea, especially for any users that have their email address publicly available. I.e. executives who have their info posted on the company website.
This policy will check incoming messages for indicators that point to it being a phishing message. Multiple machine learning models are used to analyze messages and to take the correct action based on the policies.
Allows for scanning and detection of malicious attachments, providing zero-day protection. Messages that have attachments that do not have a known signature to a special environment, so that machine learning and analysis techniques can be used to detect any malicious intent. If nothing malicious is found, the message will be delivered to the mailbox. These policies can be applied to SharePoint, OneDrive and Teams.
Active and ongoing protection by providing time of click verification of URLs. Links get scanned each time they are clicked, if they are safe, they will remain accessible while malicious links will be blocked.
Reports are one of the most important features on any security product. ATP gives you some pretty good out of the box reports, and you can utilize PowerBI to give you even better reporting.
With ATP you will get a Threat Protection Status Report, File Types report, Message Disposition report, and a real-time detections report. Although, the real-time detections report is replaced by a threat explorer if you get ATP Plan 2. I prefer the Threat Explorer as I think it gives you more data to work with.
There are a few other reports available once you go look for them, some of them require a PowerShell script to generate the report. These are worth the effort though.
Threat investigation and response capabilities
The intelligence behind the threat investigations is updated on a constant basis. This data is from all ATP clients, so you get the latest info on how to detect threats and how to respond to them. The threat dashboard gives you some good insights at a glance with the ability to drill down into the reports.
The threat explorer will let you isolate threats from the entire organization down to a single user.
As you dig deeper into this console you will find an attack simulator, which is a great tool if you have in house security analysts. This gives the ability to run realistic cyberattacks and identify vulnerabilities, as well as analyze threats.
Automated investigation and response capabilities
AIR or automated investigation and response are designed to save time by immediately investigating threats. These still have to be actioned by your security administrators, which sounds like a hassle. It really isn’t, the investigation part is what takes the most time for your admins. Using AIR you will already know if someone was compromised and can take action on that. With more and more threats being found in the wild every day, the more data we have to investigate with. The Office 365 roadmap has some very good features planned already and Microsoft is always adding something. Which is to our benefit, most of the time at least.
Now that we have a good understanding of what we get with ATP, what do we do with it? Let’s go configure it and start using it.
One of the first things we have to do with any system, is check the prerequisites needed. For ATP the first one is of course to make sure you have the licenses for ATP. These can be added to some Office 365 subscriptions are included in others.
You have to decide which ATP plan is right for your organization
- Office 365 ATP Plan 2 is included in Office 365 E5, Office 365 A5, and Microsoft 365 E5.
- Office 365 ATP Plan 1 is included in Microsoft 365 Business Premium.
To set up the policies you will need the permissions to access them. This is usually done by the Global Administrator but can also be accomplished by a Security Administrator. To use the ATP Safe Links protection, you will need to have modern authentication turned on.
Note: Updates to policies “should” take about 30 minutes to replicate to the various data centers. This can take longer if there is an increased workload on the Microsoft servers. Ie, Covid-19 is causing an increased workload.
Now that we have the prerequisites taken care of let’s get started. You will need to go to the protection portal in Office 365. Here is the direct link https://protection.office.com
Once there you will see on the left is a menu called Threat Management, this is where we need to go
We want to go to the Policy section, where we can select the specific policy you want to use
So fun fact here, if you click on the name of the policy nothing happens. You will have to click on the icon or text next to it. Then you will have the policy open up.
If we look at the safe links policy, it is broken up into two different sections. The first one will apply to everyone in the organization. This will be set by a default policy. You may want to make some changes here
You can click the pencil icon to edit the policy. You cannot create a new policy that will apply to the entire organization. When you do click on the edit policy or pencil icon. This is what you will see
You may want to add in here specific websites or URL’s that you want blocked. These URLs will be blocked in email messages and in Office 365 Apps and Office for iOS and Android files. You can use three wildcard asterisks (*) per URL entered. The bottom section has a few settings that apply to Office applications and not email.
When you are done just click save and wait. That is all there is to it. If we need to apply a custom policy, we have the next section where we can do that.
Here you can click the Plus sign to create a new policy, this can be applied to everyone or to specific users. You will get the same features as the default policy above. I find this feature is useful for anyone who receives a lot of potentially bad emails. For example, your marketing staff will often receive the emails from contact forms on company websites. These can be a breeding ground for bad emails.
Here we see that a policy is being created for the marketing staff. I am forcing emails to be scanned before it gets delivered to a mailbox.
As we scroll down to the bottom, you have a section to control who this will be applied to.
You can even apply this to members of a group, which comes in handy. You could create a group based on high risk users or on job function
Note: This can be a great way to add protection for users that often fall for scam emails. This is a particularly important policy in my opinion. Often users will get emails that look legitimate, but have the URL set to fake sites. When a user enters their login info, they are giving it to a bad actor.
Another danger in today’s virtual world is the infamous email attachment. This has been an issue for a long time, and I don’t think it will ever not be an issue. As long as we can send files someone will try to send a bad file. Since now it is not only emailing attachments, you can also share them on OneDrive or other file sharing services. We need to be extra careful. Let’s look at our policy
Safe attachments policy allows us to protect not just email but our file sharing services as well. It is important to note that the safe documents feature for office clients requires M365 E5 or M365 E5 Security license. This is because it will use the Defender service to check the file.
The email section requires we build a policy. This is not configured by default so you will need to do this.
Click the + sign to get started.
These policies will apply if the malware is unknown, or we need to scan it. If you have a Security department or team you may want to consult with them on if they want the attachments delivered to them.
If we select monitor, block, or replace email delivery can be slowed down. You may want to look at Dynamic delivery, this will deliver the message but not the attachment. The attachment will be attached after the scanning is done. Personally, I do not like that option. I feel someone is going to get it, and then email back and say, “What attachment?”
This can cause issues, if the users are not actively aware of the policy and how it works. Most users will not be, and why would they be? That’s our job. I prefer the email delay and to replace the attachment. The message will still deliver, but without the attachment.
As we scroll down, we can have the option to redirect the attachment if malware is detected. I like this option as I want to be able to check when someone says, “but bob said he attached it? Where is it?”
I usually create a special shared mailbox for this, that only admins can access.
Once you are done just click save, and you are off to the races.
This one is a little different, as you can create policies or use the default
You won’t see the default policy like you would in other policies. You have to click on Default Policy to see it.
For the custom policy, click +Create. This will take you to wizard that will let you select the name, who it gets applied to and then let you review your selections. You cannot actually make any policy settings here. Just create it and then click on the name when it appears
Now that you have selected the policy, we can see the sections we can edit.
This gets a little tricky, as any policies that you create have a limit of 60 users you want to protect. This is designed to be more of a layered approach to security.
You would set the default for your baseline, then create policies that would apply to specific groups of people.
If we edit the impersonation settings, you will see this screen
Once you turn this on, you will need to select the users it will apply to. Then we go down the list on the left.
We can automatically include all the domains in your Office 365 tenant or add custom ones if you like.
As we go down you will see that you can set different actions for if the user is impersonated or the domain is.
I like to quarantine the messages or if you are using this in conjunction with a 3rd party spam filter, you may want to just move them to the junk folder.
As you can see there are other options, for instance you could have the messages redirected or BCC your security department. I say security department, but this could be any email address you want to receive these.
Or you could ignore the impersonation completely.
Our next section we come to is mailbox intelligence, this one I always like to turn on and let it work its magic. This will analyze the mail flow for each user and help determine if the message might be from an attacker
And our last section to edit would be the trusted domains, if you have a service or domain that often uses impersonation. This would be things like newsletters you send internally. You will want to add them to the trusted senders or trusted domains section.
Once you have everything set, you have to review and then save all your settings. Looks like we are done then. Well not quite. That was just the impersonation settings. Next we have to go down our list
We still have spoof and advanced settings to configure. On to Spoof settings!
These are pretty simple, you just turn on a few features.
Antispoofing protection will filter email from anyone spoofing your domain. You can allow some domains to do this on the Anti-Spam policy. Next up we are looking at unauthenticated senders.
This happens if you receive an email that was sent through a SMTP server. This was a common practice for sending bulk emails out, but has since been replaced by using an authenticated SMTP. If you receive an email that has no sender or they cannot be verified or authenticated this feature would filter that message.
Next up we have to say what to do with all these messages, I like to use the quarantine feature. Just remember to turn on the daily email to your uses. Otherwise they will not know they have a quarantine message.
Now we can review and save our Antispoofing settings. We have one last section to configure.
Advanced Settings lets you control how aggressive you want to be with your scanning.
This is a simple sliding scale 1- 4, the higher you put it the more aggressive you will be. This can cause some false positives and you will start walking that line between security and user experience.
Here are the specifics of what each number means.
The following advanced phishing thresholds are only available in ATP anti-phishing policies to control the sensitivity for applying machine learning models to messages for determining a phishing verdict:
· 1 – Standard: This is the default value. The severity of the action that’s taken on the message depends on the degree of confidence that the message is phishing (low, medium, high, or very high confidence). For example, messages that are identified as phishing with a very high degree of confidence have the most severe actions applied, while messages that are identified as phishing with a low degree of confidence have less severe actions applied.
· 2 – Aggressive: Messages that are identified as phishing with a high degree of confidence are treated as if they were identified with a very high degree of confidence.
· 3 – More aggressive: Messages that are identified as phishing with a medium or high degree of confidence are treated as if they were identified with a very high degree of confidence.
· 4 – Most aggressive: Messages that are identified as phishing with a low, medium, or high degree of confidence are treated as if they were identified with a very high degree of confidence.
The chance of false positives (good messages marked as bad) increases as you increase this setting.
The more aggressive you are in this; the more users will have to go hunting for messages. This is often a problem when first implementing threat policies. I recommend you start low and then gradually increase. In a perfect would I would say the opposite start high and then lower it. This in my experience has proven to be more of an issue. The sudden aggressive stance makes people thing there is a problem.
I hope this has helped you, and if nothing else I offer this advice. When you implement this OVER COMMUNICATE. Let the users know about the changes before you make them, send reminders, let them know what to expect and when.