Microsoft Defender for Office 365 articles https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/bg-p/MicrosoftDefenderforOffice365Blog Microsoft Defender for Office 365 articles Sat, 23 Oct 2021 12:12:21 GMT MicrosoftDefenderforOffice365Blog 2021-10-23T12:12:21Z Automatic Redirection to Microsoft 365 Defender is coming! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/automatic-redirection-to-microsoft-365-defender-is-coming/ba-p/2764996 <P>Back in March 2021, we introduced the new Microsoft 365 Defender portal (<A href="#" target="_blank" rel="noopener">https://security.microsoft.com</A>) to our Microsoft Defender for Office 365 customers, offering a consolidated user-interface that makes it easier for security admins to manage day-to-day security investigations. The new Microsoft 365 Defender portal is the new home for all Office 365 customers who protect their organization’s email and collaboration tools, whether you are using Microsoft Defender for Office 365, or Exchange Online Protection.</P> <P>&nbsp;</P> <P>Today, we are excited to announce that all security-related functionality will be automatically redirected from the Office 365 Security &amp; Compliance Center (<A href="#" target="_blank" rel="noopener">https://protection.office.com</A>) to the Microsoft 365 Defender portal. This includes all existing functionality under Threat Management and Alerts experiences. 
The new portal contains all the existing security features and includes a growing list of capabilities unified across Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311424i250AA4FF218EDAD2/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P><EM>Figure 1: View of the Microsoft 365 Defender portal.</EM></P> <P>&nbsp;</P> <P>Microsoft 365 Defender helps organizations detect, investigate, and remediate security incidents across multiple Defender products. To understand what’s new and improved, see our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/new-home-for-microsoft-defender-for-office-365/ba-p/2176179" target="_blank" rel="noopener">earlier post</A> on the new and unified security capabilities like Incidents, Advanced Hunting, Threat Analytics and more.</P> <P>&nbsp;</P> <P>Many customers already benefit from using the Microsoft 365 Defender portal, have begun turning on automatic redirection, and are moving different users and teams over from the Security &amp; Compliance Center. In that time, we’ve received lots of feedback and have made significant improvements to the portal. To make this transition easier, we are now turning automatic redirection on by default.</P> <P>&nbsp;</P> <P>For customers who have already turned on automatic redirection from the Security &amp; Compliance Center, the Microsoft 365 Defender portal will now include redirection of all Alerts functionality. Compliance users can review and manage their alerts in the Defender portal too, or move to the Compliance Center if they need additional compliance-related functionality. 
They can choose where to view or manage alerts, as the Office 365 alerts are available in both portals.</P> <P>&nbsp;</P> <P>Who does this impact? All customers who use the Security &amp; Compliance Center Threat Management or Alerts functionality to protect their organization’s emails and messages against phishing, spam, and malware.</P> <P>&nbsp;</P> <P>Customers who need a bit more time to make this transition can turn off automatic redirection and continue working in the old Security &amp; Compliance Center. To stay up to date and take advantage of the latest features, we strongly suggest making the appropriate arrangements and moving to the new Microsoft 365 Defender portal in the next couple of months. If you have an issue with your transition, we would love to hear from you! You can reach out to us via the in-portal Feedback option, support, or partners if available.</P> <P>For additional information about the automatic redirection, see <A href="#" target="_blank" rel="noopener">our documentation</A>.</P> <P><SPAN>&nbsp;</SPAN></P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> <P>&nbsp;</P> Mon, 27 Sep 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/automatic-redirection-to-microsoft-365-defender-is-coming/ba-p/2764996 Marina_Kidron 2021-09-27T16:00:00Z Improving the reporting experience in Microsoft Defender for Office 365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/improving-the-reporting-experience-in-microsoft-defender-for/ba-p/2760898 <P>We place a high priority on our customers’ trust in Microsoft Defender for Office 365, and we know that to earn that trust we need to take measures to make it seamless for SecOps professionals to assess the security of their Office 365 with a reporting tool that supports a data-rich environment. Customizable filters and consistent reporting of email security details are essential in the cyber security space, where malicious and credential phishing emails are the #1 attack vector used by bad actors.</P> <P>&nbsp;</P> <P>That’s why we’re bringing you an improved reporting experience in Microsoft Defender for Office 365. These new reporting features and improvements will help refine SecOps professionals’ workflows when assessing Office 365 security effectiveness. Some of those features and improvements include:</P> <UL> <LI>Retirement of outdated reports</LI> <LI>Revamp of legacy data computation logic</LI> <LI>Addition of new filtering attributes</LI> <LI>Data oriented email detail panel</LI> </UL> <P>&nbsp;</P> <H1>New evolved reporting</H1> <P>After receiving feedback from our customers, we’ve decided to make the reporting experience easier by consolidating a few existing reports and adding new views to the threat protection status report and the Mail flow status report. As a result, we’re launching a new spam view in the threat protection status report. 
We've also updated the mail flow status report to make it easier to visualize; the update will be available later this month. Deprecated reports include the malware email detection report, the spam report, the safe attachment file types and disposition report, the sent and received email report, and the URL trace report that previously lived in the Exchange admin center. Below you’ll find screenshots of what some of the new views will look like.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FaithEbenezer_Oquong_0-1631891761380.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311108i56B30BE0512FB87E/image-size/large?v=v2&amp;px=999" role="button" title="FaithEbenezer_Oquong_0-1631891761380.png" alt="FaithEbenezer_Oquong_0-1631891761380.png" /></span></P> <P>Figure 1:&nbsp;Previous Funnel view</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FaithEbenezer_Oquong_1-1631891802079.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311109i55E387088AC19BBE/image-size/large?v=v2&amp;px=999" role="button" title="FaithEbenezer_Oquong_1-1631891802079.png" alt="FaithEbenezer_Oquong_1-1631891802079.png" /></span></P> <P>Figure 2: New “<STRONG>Sankey</STRONG>” view in Mailflow status report (coming soon)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FaithEbenezer_Oquong_2-1631891872623.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311111i00AB6A4AE24A7BA5/image-size/large?v=v2&amp;px=999" role="button" title="FaithEbenezer_Oquong_2-1631891872623.png" alt="FaithEbenezer_Oquong_2-1631891872623.png" /></span></P> <P>Figure 3: New spam view in the threat protection status report&nbsp;</P> <P>&nbsp;</P> 
<P>&nbsp;</P> <H1>Addition of new filtering attributes</H1> <P>In order for SecOps to focus the scope of their assessment with a lot more granularity, we are providing security professionals the ability to filter data by organization domain, policy type and name, priority account user tag, recipient address and email directionality (inbound and outbound). &nbsp;Check out the screenshot highlighting the addition of this new filtering attribute below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FaithEbenezer_Oquong_3-1631892068425.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311112iE1FCF62B81FC2DCF/image-size/large?v=v2&amp;px=999" role="button" title="FaithEbenezer_Oquong_3-1631892068425.png" alt="FaithEbenezer_Oquong_3-1631892068425.png" /></span></P> <P>Figure 4: New filtering attributes in the Threat protection status report</P> <P>&nbsp;</P> <P>&nbsp;</P> <H1>Data oriented email detail panel</H1> <P>Earlier this year we launched the email entity page, which gives SecOps a 360-degree view of an email, putting all the relevant details in the hands of the analyst. We are now replacing the email details panel in the threat protection status report with a panel that provides the same in-depth view of each email, which will bolster SecOps confidence in their day-to-day assessment. 
You can view how much simpler the new details flyout is in the screenshot below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FaithEbenezer_Oquong_4-1631892180666.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311113iDB8261F8DF43012B/image-size/large?v=v2&amp;px=999" role="button" title="FaithEbenezer_Oquong_4-1631892180666.png" alt="FaithEbenezer_Oquong_4-1631892180666.png" /></span></P> <P>Figure 5: Email summary in the threat protection status report&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H1>Stay tuned!</H1> <P>We’re continuing to improve the reporting experience and workflow for security teams. A few improvements you can expect to see in the coming months include a greater than 90-day data retention period, and PowerBI and reporting API integration. We’re excited to offer this enhanced reporting experience for customers to better assess email security trends within their business over time.</P> <P>&nbsp;</P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> Mon, 20 Sep 2021 17:04:41 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/improving-the-reporting-experience-in-microsoft-defender-for/ba-p/2760898 Faith-Ebenezer_Oquong 2021-09-20T17:04:41Z Microsoft Defender for Office 365 Ninja Training: September 2021 Update https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/microsoft-defender-for-office-365-ninja-training-september-2021/ba-p/2685081 <P><SPAN>We have published a lot of new Microsoft Defender for Office 365 resources over the past few months and these are now included in the Ninja training.&nbsp;If you want to refresh your knowledge and get updated, here is what has been added since its initial release in <A title="Microsoft Defender for Office 365 Ninja Training April 2021" href="#" target="_blank" rel="noopener">April, 2021</A>.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Legend:</STRONG></P> <TABLE border="1"> <TBODY> <TR> <TD width="209.333px" height="28px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_0-1629919864122.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305708i474E2B5864BDB465/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_0-1629919864122.png" alt="CTang885_0-1629919864122.png" /></span>&nbsp;&nbsp;<SPAN style="font-family: inherit; background-color: transparent;">Product videos&nbsp;</SPAN></TD> <TD width="209.333px" height="28px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_1-1629919864328.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305709i51BABD00B23EF3D8/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_1-1629919864328.png" alt="CTang885_1-1629919864328.png" /></span>&nbsp;&nbsp;<SPAN 
style="font-family: inherit; background-color: transparent;">Webcast recordings</SPAN></TD> <TD width="209.333px" height="28px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_2-1629919864354.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305710iF90B8AEC883CFCFC/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_2-1629919864354.png" alt="CTang885_2-1629919864354.png" /></span>&nbsp;&nbsp;<SPAN style="font-family: inherit; background-color: transparent;">Tech Community</SPAN></TD> </TR> <TR> <TD width="209.333px" height="28px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_3-1629919864349.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305711i3E0726E77939258D/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_3-1629919864349.png" alt="CTang885_3-1629919864349.png" /></span>&nbsp;&nbsp;<SPAN style="font-family: inherit; background-color: transparent;">Docs on Microsoft</SPAN></TD> <TD width="209.333px" height="28px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_4-1629919864129.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305712i7B3818076AF39D27/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_4-1629919864129.png" alt="CTang885_4-1629919864129.png" /></span>&nbsp; Blogs on Microsoft</TD> <TD width="209.333px" height="28px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_5-1629919864345.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305713iE250552DC34043F2/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_5-1629919864345.png" alt="CTang885_5-1629919864345.png" /></span>&nbsp; GitHub</TD> </TR> <TR> <TD width="209.333px" 
height="28px"> <P>⤴ External</P> </TD> <TD width="209.333px" height="28px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_6-1629919864335.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305714i61D0CDE8088763BF/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_6-1629919864335.png" alt="CTang885_6-1629919864335.png" /></span>&nbsp; Interactive guides</TD> <TD width="209.333px" height="28px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE width="900"> <TBODY> <TR> <TD width="268px" height="28px"> <P><EM><STRONG>Module (ordered by Competency Level)</STRONG></EM></P> </TD> <TD width="368px" height="28px"> <P><STRONG><EM>What's new</EM></STRONG></P> </TD> </TR> <TR> <TD width="368px" height="66px"> <P><STRONG>Email Security - Fundamentals:</STRONG></P> <P>Module 4. Protection Feature</P> </TD> <TD width="368px" height="66px"> <UL> <LI><A href="#" target="_blank" rel="noopener">Protect against malicious links with Safe Links in Microsoft Defender for Office 365</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="81px"> <P>&nbsp;</P> <P><STRONG>Email Security - Intermediate:</STRONG></P> <P>Module 2. Alert Management</P> <P>&nbsp;</P> </TD> <TD width="368px" height="81px"> <UL> <LI><A href="#" target="_blank" rel="noopener">Managing alerts in Microsoft Defender for Office 365</A></LI> <LI><A href="#" target="_blank" rel="noopener">Protect your most visible and most targeted user with Microsoft Defender for Office 365</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="93px"> <P><STRONG>Email Security - Intermediate:</STRONG></P> <P>Module 4. 
ZAP (Zero-hour auto purge)</P> </TD> <TD width="368px" height="93px"> <UL> <LI><A href="#" target="_blank" rel="noopener">Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="66px"> <P><STRONG>Email Security - Intermediate:</STRONG></P> <P>Module 5. Investigating Alerts</P> </TD> <TD width="368px" height="66px"> <UL> <LI><A href="#" target="_blank" rel="noopener">Incident correlation with Microsoft Defender for Office 365</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="100px"> <P><STRONG>Email Security - Intermediate:</STRONG></P> <P>Module 9. Alert Handling</P> </TD> <TD width="368px" height="100px"> <UL> <LI>&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">Campaign Views in Microsoft Defender for Office 365</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="93px"> <P><STRONG>Email Security - Intermediate:</STRONG></P> <P>Module 10. Manage quarantined messages</P> </TD> <TD width="368px" height="93px"> <UL> <LI><A href="#" target="_blank" rel="noopener">Managing the user quarantine in Microsoft Defender for Office 365</A></LI> <LI><A href="#" target="_blank" rel="noopener">Manage the admin quarantine in Microsoft Defender for Office 365</A></LI> </UL> </TD> </TR> <TR> <TD> <P><STRONG>Email Security - Advanced:</STRONG></P> <P>Module 5. 
Attack Simulation Training</P> <P>&nbsp;</P> <P><STRONG>&nbsp;</STRONG></P> </TD> <TD> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/setting-up-a-new-phish-simulation-program-part-one/ba-p/2412854" target="_blank" rel="noopener">Setting up a New Phish Simulation Program - Part One</A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/setting-up-a-new-phish-simulation-program-part-two/ba-p/2432167" target="_blank" rel="noopener">Setting up a New Phish Simulation Program - Part Two</A></LI> </UL> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Tue, 14 Sep 2021 15:30:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/microsoft-defender-for-office-365-ninja-training-september-2021/ba-p/2685081 CTang885 2021-09-14T15:30:00Z Automatically triage phish submissions in Microsoft Defender for Office 365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/automatically-triage-phish-submissions-in-microsoft-defender-for/ba-p/2733752 <P><FONT color="#000000">This post is a continuation of a <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/making-the-secops-team-more-efficient-focused-email-actions/ba-p/2557387" target="_blank" rel="noopener">recent blog</A> covering the latest improvements to automated email investigations in Microsoft Defender for Office 365. In this post, we’ll look at how the Microsoft Digital Security and Resilience (DSR) team has co-operatively worked with the Defender for Office 365 team to reduce Microsoft's internal caseload for user submitted phish by more than 40%.</FONT></P> <P>&nbsp;</P> <H2><FONT color="#000000">Security doesn’t stop once an email is delivered</FONT></H2> <P>&nbsp;</P> <P><SPAN>Despite the number of</SPAN> protective controls security teams have in place, <SPAN>threat actors will continue to increase their level of sophistication</SPAN><SPAN>. 
For this reason,</SPAN> mitigation remains a crucial element to combat phish<SPAN>ing attacks</SPAN> that make it through our defenses. Microsoft’s Security Operations Center (SOC) is equipped with Microsoft Defender for Office 365’s fully functional tools and automation to quickly detect, investigate, and effectively remediate malicious emails. <SPAN>Since minutes matter, </SPAN>the Automated Investigation and Response (AIR) features have been key in enabling <SPAN>the Digital Security and Resilience SOC group </SPAN>to move quickly.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Hohayaty_0-1631127650987.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309061i508DA3F0F4304EF7/image-size/large?v=v2&amp;px=999" role="button" title="Hohayaty_0-1631127650987.png" alt="Hohayaty_0-1631127650987.png" /></span></P> <P><EM>Figure 1: Minutes matter - Why technology advancement, detections, and reporting are needed.</EM></P> <P>&nbsp;</P> <H2>Enabling user phish reporting</H2> <P>&nbsp;</P> <P>Beyond prevention and detection, it is imperative that we cultivate a security conscious culture<SPAN>. To do this, we</SPAN> equip our employees<SPAN>,</SPAN><SPAN>&nbsp;</SPAN>our first and last line of defense<SPAN>,</SPAN> with skills to identify a <SPAN>phish and</SPAN> provide <SPAN>them with </SPAN>simple reporting <SPAN>that delivers a</SPAN> consistent experience across all platforms.</P> <P>&nbsp;</P> <P><SPAN>Since there are thousands of reported emails per day, i</SPAN><SPAN>t is vital that e</SPAN>mployee<SPAN>s re</SPAN><SPAN>ceive</SPAN> reporting o<SPAN>n</SPAN> potential missed threats. Microsoft leverages Defender for Office 365’s <SPAN><A href="#" target="_blank" rel="noopener">Report Message add-in</A></SPAN> to enable easy user phish reporting. 
End-user reports are visible within the Microsoft 365 Defender portal – but more importantly these phish reports generate alerts and <SPAN><A href="#" target="_blank" rel="noopener">automated investigations within Defender for Office 365</A></SPAN>. Automation from AIR is key to ensuring that our SOC can prioritize the reports that present the greatest risk. With the transition to AIR, Microsoft saw SOC efficiency significantly improve for time to resolution, moving away from manual steps to a fully integrated investigation and remediation platform.</P> <P>&nbsp;</P> <P>Since the Microsoft SOC utilizes a service management toolset for case assignment, we integrated it with the Office 365 management activity API to assign alerts/investigations from Defender for Office 365. This is critical to SOC management, as it integrates into our regular processes and reporting tools for our team. <SPAN>For a more efficient user submission process, </SPAN>DSR is working with the Microsoft 365 Defender and Defender for Office 365 teams to move to the <SPAN><A href="#" target="_blank" rel="noopener">Sentinel APIs</A></SPAN> <SPAN>and</SPAN> begin leveraging <SPAN>Defender </SPAN>incident capabilities in a similar fashion.</P> <P>&nbsp;</P> <H2>Prioritizing key cases</H2> <P>&nbsp;</P> <P>In 2020 we analyzed SOC cases and determined that employee-reported messages are not often malicious and do not often include malware or high confidence phish. W<SPAN>hile w</SPAN>e continue to encourage employees to report suspicious <SPAN>e</SPAN>mails, more than 60% of <SPAN>the </SPAN>cases remediated were benign and <SPAN>reported as </SPAN>false positives. Benign cases occur when users report normal notifications, newsletters or spam emails as phish because they find them suspicious or annoying, b<SPAN>ut</SPAN><SPAN> there is no real phishing threat</SPAN>. 
<SPAN>T</SPAN><SPAN>o </SPAN><SPAN>ensure</SPAN> <SPAN>that </SPAN><SPAN>priority is placed on </SPAN><SPAN>remediat</SPAN><SPAN>ing</SPAN><SPAN> emails present</SPAN><SPAN>ing</SPAN><SPAN> the greatest risk</SPAN><SPAN>,</SPAN> <SPAN>d</SPAN>istinguishing between phish and spam cases in Automated Investigation and Response (AIR) investigations became our focus.</P> <P>&nbsp;</P> <P>We worked with the Defender for Office 365 team, who <SPAN>created a</SPAN> new phish classification<SPAN> schema,</SPAN> to separate high confidence phish<SPAN>, including </SPAN>credential theft and Business Email Compromise<SPAN>,</SPAN> from ‘normal’ phish<SPAN>, including </SPAN>unauthenticated, spoofed, or impersonated domains<SPAN>,</SPAN> and spam. The <SPAN>‘normal’ phish and spam</SPAN> classifications commonly catch improperly configured marketing or operational emails that cause benign phish detections<SPAN>.</SPAN> This better <SPAN>informs </SPAN>the SOC of t<SPAN>he</SPAN> types of threats users may have reported, <SPAN>and allows them </SPAN><SPAN>to more proactively remediate risk due</SPAN><SPAN> to </SPAN>high confidence phish<SPAN>ing attacks</SPAN>.&nbsp;</P> <P>&nbsp;</P> <H2>Measuring success of improved phish submission handling</H2> <P>&nbsp;</P> <P>In March 2021, we delivered a cluster analysis that showed early indication that removal of spam (benign-positive) cases substantially reduced total phishing cases and saved thousands of dollars in monthly operational costs.</P> <P>&nbsp;</P> <P>How<SPAN> does this work</SPAN>? To reduce <SPAN>the total number of </SPAN>cases and <SPAN>better target</SPAN> more malicious <SPAN>email</SPAN>s<SPAN> reported</SPAN>, investigations will only create actions when malicious <SPAN>e</SPAN>mails <SPAN>containing </SPAN>malware<SPAN> or</SPAN> high confidence phish appear in <SPAN>the inbox or junk </SPAN><SPAN>folder</SPAN><SPAN>s of </SPAN>mailboxes. 
This means that lower severity threats may get reported by the end users, but only the most severe get identified as ‘pending actions’ for our SOC team to focus on. On this latter point, DSR is working with the Defender for Office 365 team to test new email threat clustering analysis that uses the latest delivery location in identifying needed actions. Emails that have been removed from the cloud mailboxes will no longer require attention. In addition, automatic refresh of investigations’ pending actions will remove/cancel actions that end up redundant due to either Zero-hour auto purge (ZAP) or other SOC actions. This is particularly important as we reduce the time between reporting phish emails and ZAP and continue to get better at removing malicious emails faster.</P> <P>&nbsp;</P> <P>We expect location-aware actions will improve the user submission handling with the following:</P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI>Reduced action volume and more accurate clustering, because normal phish <SPAN>will </SPAN>not requir<SPAN>e</SPAN> action (i.e., this removes false-positive issues caused by “normal phish” spoofing common in bulk mail and operational emails)<SPAN>.</SPAN></LI> <LI>You won’t need to approve every action in an incident/investigation<SPAN>. R</SPAN>efreshed pending actions will show when emails still linger (i.e., if you approve the largest cluster deletion, others will close on refresh over time)<SPAN>.</SPAN></LI> </UL> <P>&nbsp;</P> <H2>Continued efficiency and effectiveness improvements</H2> <P>&nbsp;</P> <P>What happens when we don’t agree with the verdict? Admin submissions and SOC (admin) actions can be quickly accessed from the AIR user submission investigation. Links to review emails identified in investigations let the SOC analyst quickly move to Threat Explorer or Advanced Hunting. From there, analysts can submit an Admin Submission when they identify threats <SPAN>or </SPAN>are not getting the proper verdict. 
<SPAN>If </SPAN>the email cluster <SPAN>wasn’t </SPAN>identif<SPAN>ied</SPAN><SPAN> as</SPAN> something needing remediation<SPAN>, the analysts can then manually remediate it themselves</SPAN>. We are working with the Defender for Office 365 team on new admin action capabilities that will enable us to link these admin remediation actions to existing investigations/incidents.</P> <P>&nbsp;</P> <P>As DSR continues to move forward with improvements to our user submission and false negative handling processes, we will continue to work with the Defender team to identify further improvements such as sending end user<SPAN>s</SPAN> feedback on their phish reports into the automated investigation process. We expect continued improvements will lead to even more efficiency, as well as more effectiveness at reducing threat exposure when used in conjunction with new protections the Defender for Office 365 team is continuing to deliver.</P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the&nbsp;</SPAN><SPAN><A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A></SPAN><SPAN>.</SPAN></P> <P>&nbsp;</P> Thu, 09 Sep 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/automatically-triage-phish-submissions-in-microsoft-defender-for/ba-p/2733752 Hohayaty 2021-09-09T16:00:00Z Simplifying the Quarantine Experience https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/simplifying-the-quarantine-experience/ba-p/2676388 <H2>Managing false positives should be easy</H2> <P>As cyber security becomes a crucial part of the day-to-day activities of every organization, it becomes vital to allow different organizations to customize their security tools in a way that best fits and meets their needs while ensuring that such customizations do not compromise the productivity of their employees. This is why in Microsoft Defender for Office 365 we not only look at offering the best protection and tools to manage detected threats and possible misses, but also focus on continually improving the solutions we offer for protection from false positives. After all, email remains the number one attack vector used by bad actors. 
Our key principles remain:</P> <UL> <LI>Making it easy for end users to identify false positives across a variety of situations such as individual mailboxes, shared mailboxes, and delegated scenarios</LI> <LI>Keeping users secure as they interact with these emails</LI> <LI>Ensuring security teams can efficiently review and act on quarantined messages.</LI> </UL> <P>&nbsp;</P> <H2>Exciting new updates are coming soon!</H2> <P>Microsoft Defender for Office 365 is rolling out key quarantine management features that will help empower SecOps professionals and end users when triaging emails:</P> <UL> <LI>Quarantine folder policy and user release request workflow</LI> <LI>Customer organization branding</LI> <LI>Streamlined email submission from the quarantine portal</LI> <LI>Robust release of bulk quarantined emails</LI> <LI>Secured preview of quarantined emails</LI> <LI>Quarantine support for shared mailboxes</LI> </UL> <P>&nbsp;</P> <H2>Quarantine folder policy and user release request workflow</H2> <P>Today Microsoft allows organizations to empower their end users to triage phishing messages. 
Some organizations would prefer to limit these triage capabilities to their security teams, and others find the capability allows them to augment a smaller SecOps team by extending the process to end users.</P> <P>&nbsp;</P> <P>With the new quarantine folder policy, SecOps will be able to configure custom end user access (including request release permissions) to messages quarantined by Exchange Online Protection and Microsoft Defender for Office 365 policies, which will help alleviate the inefficiencies that come with fixed controls.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_0-1629757851705.png" style="width: 951px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305257iBA7FB61917115ADC/image-size/large?v=v2&amp;px=999" role="button" title="GiulianGarruba_0-1629757851705.png" alt="Figure 1: New quarantine policy allows for granular control of user access" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: New quarantine policy allows for granular control of user access</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Custom organization branding</H2> <P>Deception is a key component of phishing attacks, and customers want to eliminate any hesitation when it comes to legitimate system automated messages. We are adding capabilities that make it possible for SecOps to customize end user quarantine notifications with their respective organization logo, email display name, and disclaimer. 
Doing so helps ensure that users have safe and secure access to their quarantined messages and trains them to recognize legitimate notifications.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_1-1629757851716.png" style="width: 201px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305256i5C9A96D849D8C86D/image-size/medium?v=v2&amp;px=400" role="button" title="GiulianGarruba_1-1629757851716.png" alt="Figure 2: Custom organizational branding for quarantine notifications." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: Custom organizational branding for quarantine notifications.</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Streamlined email submission from quarantine portal</H2> <P>With this change we’re giving SecOps the ability to allow senders for a specified period, right from the quarantine workflow. When releasing emails to end users, admins can now opt to remember this decision by creating an entry in the tenant allow/block list that corresponds to the indicator of compromise aligned with the message in question. SecOps can now also choose to allow or prevent users from submitting messages to Microsoft for analysis.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Robust release of bulk quarantined emails</H2> <P>Quarantine release should be efficient, not tedious. In large organizations it can take time to triage quarantined mail. Previously, emails were released serially; this approach is now being replaced with parallel release, helping streamline the process and save your SecOps team valuable time. 
&nbsp;&nbsp;</P> <P>&nbsp;</P> <H2>Secured preview of quarantined emails</H2> <P>To limit exposure to unwanted or malicious content, we are enhancing how users preview quarantined messages to provide additional security against embedded threats.&nbsp; With this change some components in quarantined messages will be distorted and not displayed by default. To see the full contents of the message, users can choose to reveal the full message.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_2-1629757851744.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305258i42F03EEDEE48B9D1/image-size/large?v=v2&amp;px=999" role="button" title="GiulianGarruba_2-1629757851744.png" alt="Figure 3: Images are withheld from users to prevent embedded threats." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 3: Images are withheld from users to prevent embedded threats.</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Quarantine support for shared mailboxes</H2> <P>With this update, users who have been granted delegate access to a shared mailbox, either through direct access or security group access, will now be able to triage the quarantine folder items of those mailboxes. This makes managing the quarantine for shared mailboxes easier for users.</P> <P>&nbsp;</P> <H2>Support for priority accounts</H2> <P>In 2020 we launched Priority Account Protection in Defender for Office 365, helping security teams focus on the most visible and most targeted users in their environments. 
We’re expanding this visibility by incorporating priority account tags in the quarantine experience, enabling security teams to focus on these priority accounts as they triage the quarantine folder.&nbsp;</P> <P>&nbsp;</P> <H2>Sending end user quarantine notification with user mailbox language locale</H2> <P>We are making it possible for end user spam notifications to go out by default in the language set for the end user’s mailbox.</P> <P>Previously, security admins had to choose the user-specific language for Office 365 to use while sending user quarantine notifications. In an organization where users speak multiple languages, this becomes a challenge.</P> <P>&nbsp;</P> <H2>A new look for the quarantine portal</H2> <P>We are revamping the design of the quarantine portal to allow for a better user experience when triaging false positive emails. This new look and feel is more than a cosmetic change – we’ve designed the new experience to help surface more data in a more useful and simple way. 
The screenshots below show what the new UX adds, like more filters, a revamped flyout, and better filter visibility.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_3-1629757851758.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305260i074AFEDE1CAA34C7/image-size/large?v=v2&amp;px=999" role="button" title="GiulianGarruba_3-1629757851758.png" alt="Figure 4: The quarantine portal today" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 4: The quarantine portal today</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_4-1629757851768.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305259i2F8660822A08A189/image-size/large?v=v2&amp;px=999" role="button" title="GiulianGarruba_4-1629757851768.png" alt="Figure 5: The new look for the quarantine portal" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 5: The new look for the quarantine portal</span></span></P> <P>&nbsp;</P> <H2>New email detail panel</H2> <P>Earlier this year we launched the email entity page, which gives SecOps a 360-degree view of an email, putting all the relevant details in the hands of the analyst. 
We are replacing the email details panel in quarantine with a panel that provides the same in-depth view of each email in quarantine, which will bolster SecOps confidence when making decisions.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_5-1629757851781.png" style="width: 638px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305262i7F0B335653ED040D/image-size/large?v=v2&amp;px=999" role="button" title="GiulianGarruba_5-1629757851781.png" alt="Figure 6: We've added components from the email entity page to the quarantine experience." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 6: We've added components from the email entity page to the quarantine experience.</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Stay tuned!</H2> <P>We’re continuing to enhance the quarantine experience and workflow for both end users and security teams. Here are a few enhancements you can expect to see in the coming months:</P> <UL> <LI>We’ll be adding an hourly frequency for end user spam notifications to enable customers to increase the frequency of these notifications to users when the need arises</LI> <LI>Large scale bulk release, allowing SecOps to release more than 100 mails at a time</LI> <LI>Enhanced search functionality to accommodate things such as partial string matches</LI> </UL> <P>&nbsp;</P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=s-vozLO43rI" align="center" size="small" width="200" height="113" uploading="false" thumbnail="https://i.ytimg.com/vi/s-vozLO43rI/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=vnar4HowfpY" align="center" size="small" width="200" height="113" uploading="false" thumbnail="http://i.ytimg.com/vi/vnar4HowfpY/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Do you have questions or feedback about 
Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 24 Aug 2021 15:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/simplifying-the-quarantine-experience/ba-p/2676388 Faith-Ebenezer_Oquong 2021-08-24T15:00:00Z Microsoft Teams gets more Phishing Protection! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/microsoft-teams-gets-more-phishing-protection/ba-p/2585559 <P>We’re proud to announce that Microsoft Teams users can now be protected from malicious link-based phishing attacks using the power of Safe Links in Microsoft Defender for Office 365.</P> <P>&nbsp;</P> <P>As more and more users in different organizations across the globe settle into a new way of collaborating in response to the need to work remotely and in a hybrid fashion, it has become critical to increase the level of protection for those users as they interact with and look to be productive on these platforms.</P> <P>&nbsp;</P> <P>Use of Microsoft Teams has exploded over the past 18 months. And with it, our focus and commitment to ensure that Microsoft Teams is the most secure real-time collaboration platform, has only grown. With today’s announcement, organizations with Microsoft Defender for Office 365 can further protect Microsoft Teams users from malicious phishing attacks that are often orchestrated using weaponized URLs.</P> <P>Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender. We’re super excited to announce that this capability is now generally available.</P> <P>&nbsp;</P> <H2>Hybrid work is here to stay</H2> <P>Today’s global workforce is facing unprecedented times. 
As we learn from a recent sudden shift to remote work and look ahead towards the future of hybrid work, effective collaboration across multiple locations and multiple time zones is key to the success of businesses. Over the past 18 months we’ve seen use and adoption of collaboration tools skyrocket as customers roll out remote and hybrid work strategies and the tools necessary to support this new normal. In fact, since February 2020, we’ve seen weekly meeting time <A href="#" target="_blank" rel="noopener">more than double for Microsoft Teams users</A>, and that number continues to rise.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_0-1627273784564.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298309iF68C2FD2A61ED7CC/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_0-1627273784564.png" alt="Girish_Chander_0-1627273784564.png" /></span></P> <P><FONT size="2">Figure 1: Findings from Microsoft's Work Trend Index</FONT></P> <P>&nbsp;</P> <H2>Integrated threat protection for all of Office 365</H2> <P>Microsoft Defender for Office 365 remains committed to protecting all of Office 365 against threats to email and collaboration tools. This means going beyond email to protect tools like OneDrive, SharePoint, Office apps, and of course Microsoft Teams. Defender for Office 365 provides comprehensive coverage against threats like phishing, malware, and business email compromise, giving administrators the tools necessary to not only prevent and detect these threats, but to investigate and remediate the risks they see as well. 
&nbsp;&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_1-1627273784592.png" style="width: 648px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298308i194410204BFB0596/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_1-1627273784592.png" alt="Girish_Chander_1-1627273784592.png" /></span></P> <P><FONT size="2">Figure 2: Microsoft Defender for Office 365 provides comprehensive coverage throughout the lifecycle of an attack</FONT></P> <P>&nbsp;</P> <H2>Preventing URL-based attacks with Safe Links</H2> <P>Safe Links has been a critical feature in Defender for Office 365 since its introduction in 2015. At its core, Safe Links provides time-of-click verification of URLs. This process entails scanning URLs for potentially malicious content and again evaluating them when they are clicked on by a user. In fact, every month our detonation systems detect close to 2 million distinct URL-based payloads that attackers create to orchestrate credential phishing campaigns. Each month, our systems block over 100 million phishing emails that contain these malicious URLs.</P> <P>&nbsp;</P> <H3><SPAN>Why scan URLs at time of click?</SPAN></H3> <P>Attackers are smart just like the rest of us. As detection technologies evolve to block malicious sites quicker, sending malicious links to users becomes less effective. So attackers evolve their attacks. Instead of sending malicious links to users, attackers now send benign links. Once the link has been delivered, the attacker redirects the link to a malicious site.</P> <P>&nbsp;</P> <P>Consider the following: An attacker drafts a phishing email impersonating Microsoft and requesting that you log in to review changes to your account. The link included is from a redirection service that permits the owner to change the destination at any time. 
The attacker sends the email, having configured the link to point to Microsoft.com, but a few minutes later changes the link to point to a malicious site intended to capture your login information. At the time the email is received by your organization, the link appears to be harmless, and so the mail is delivered.</P> <P>&nbsp;</P> <P>With time of click inspection, however, Safe Links would have checked the link on delivery, and ensured that whenever the link is clicked it is redirected and inspected. If the link is malicious, the user is prevented from accessing the site, and if the link is harmless, the user is allowed to continue.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_2-1627273784653.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298310i02E7489583D032CA/image-size/medium?v=v2&amp;px=400" role="button" title="Girish_Chander_2-1627273784653.png" alt="Girish_Chander_2-1627273784653.png" /></span></P> <P><FONT size="2">Figure 3: Safe Links prevents users from accessing malicious sites</FONT></P> <P>&nbsp;</P> <H2>Protection beyond email</H2> <P>We’ve been hard at work over the past few years partnering across Microsoft to extend the protection of Safe Links beyond email and across Office 365. Safe Links is already available in Microsoft 365 apps (like Word and PowerPoint), Office apps on iOS and Android, and Office online. And today, we’re excited to announce that these capabilities have been expanded even further.</P> <P>&nbsp;</P> <H2>Safe Links is now available in Microsoft Teams</H2> <P>Today we’re excited to share that Safe Links for Microsoft Teams is now generally available. 
This means that our customers can take advantage of time of click protection for links in conversations, group chats, and channels in Microsoft Teams.</P> <P>Securing collaboration tools is incredibly important given the evolving nature of work, and Safe Links is just one part of a growing list of security and compliance capabilities in Microsoft Teams including <A href="#" target="_blank" rel="noopener">conditional access</A>, <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-teams-blog/microsoft-teams-now-included-in-microsoft-365-multi-geo/ba-p/2540634" target="_blank" rel="noopener">Multi-Geo support,</A> and <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-teams-blog/secure-and-compliant-collaboration-with-microsoft-teams/ba-p/2169463" target="_blank" rel="noopener">more</A>!</P> <P>&nbsp;</P> <H2>Get started today</H2> <P>Safe Links for Microsoft Teams is available to customers who are using both Microsoft Teams and Microsoft Defender for Office 365. To configure Safe Links to protect users in Microsoft Teams, configure a Safe Links policy in the Microsoft 365 Defender <A href="#" target="_blank" rel="noopener">portal</A>. To learn more about configuring Safe Links policies for email and other Office 365 tools like Microsoft Teams, <A href="#" target="_blank" rel="noopener">visit our documentation</A>.</P> <P>&nbsp;</P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=vhIJ1Veq36Y" align="center" size="small" width="200" height="113" uploading="false" thumbnail="https://i.ytimg.com/vi/vhIJ1Veq36Y/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Aug 2021 22:15:50 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/microsoft-teams-gets-more-phishing-protection/ba-p/2585559 Girish_Chander 2021-08-27T22:15:50Z Making the SecOps Team More Efficient - Focused Email Actions https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/making-the-secops-team-more-efficient-focused-email-actions/ba-p/2557387 <H4 id="toc-hId--598887991"><FONT size="3">This post was authored by&nbsp;<LI-USER uid="758148"></LI-USER>, a Senior Program Manager<SPAN>&nbsp;</SPAN>from the Microsoft Defender for Office 365 team.</FONT></H4> <P>&nbsp;</P> <P><EM>This blog is part one of a multi-part series focused on the new and improved incident response capabilities within Microsoft Defender for Office 365.</EM></P> <P>&nbsp;</P> <P>Security operations (SecOps) teams frequently need to investigate security alerts associated with emails and online interaction.&nbsp; Critical to this is ensuring that malicious emails associated with a likely attack are fully removed from all mailboxes – plus verifying no users or mailboxes have been compromised through interaction with any delivered emails.&nbsp; These days, the attack methods used by malicious actors, along with the high volume of email they send out, ensure that SecOps teams are always busy with this task.</P> <P>&nbsp;</P> <P>Earlier in May 2021, we announced that <A href="#" target="_blank" rel="noopener">Microsoft is positioned as a leader</A> in The Forrester Wave™: Email Security, Q2 2021, receiving 
the highest possible score in the incident response category. This represents the latest validation of our relentless effort, strategy, and focus on offering our customers industry-leading protection against threats orchestrated over email and collaboration tools – and of course industry-leading incident response capabilities.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Microsoft Defender for Office 365 is now rolling out three email investigation improvements that will drive additional SecOps efficiencies. The following changes will directly reduce the volume and prioritize the most malicious automated investigations for SecOps approval:</P> <UL> <LI>Email actions are created only when malicious emails’ latest delivery location is in a cloud mailbox</LI> <LI>Pending email actions are updated based on the latest delivery location</LI> <LI>Investigations prioritize the most malicious threats for action</LI> </UL> <P>&nbsp;</P> <H2><SPAN>Email actions are created only when malicious emails’ latest delivery location is in a cloud</SPAN> <SPAN>mailbox</SPAN></H2> <P>Previously, automated investigations in Defender for Office 365 leveraged ‘original delivery information’ to identify emails that needed cleanup.&nbsp; This provided a view of emails that were initially visible to end users with recommendations on emails that should be removed.&nbsp; With this change, we are now pivoting the investigation email clustering analysis to the ‘latest delivery location’ information.&nbsp; As a result, investigations for things like Zero-hour auto purge (ZAP) or user submissions will show malicious emails that are still present in inbox or junk folders at the time of the investigation and still need to be removed.&nbsp; The email location information for emails and email clusters will clearly show the latest delivery location and number of emails ‘in mailbox’, ‘not in mailbox’ (i.e. 
blocked or remediated), and ‘on-premise/external’ (inaccessible to Defender for Office 365’s remediation).&nbsp; Most importantly, to reduce SecOps work, the email analysis will now only trigger pending email actions when the emails are considered malicious and at least one email is still in a cloud ‘mailbox’.</P> <P>&nbsp;</P> <P>The latest delivery location and action changes that are currently rolling out apply to both the original emails that triggered the alerts as well as identified email clusters for similar emails and malicious URLs and files.&nbsp; The net effect of these changes is that you’ll see more current location information with fewer email actions required, particularly for ZAP alert investigations.&nbsp; After this change, if you see pending email actions for ZAP investigations, you should review and approve those actions to remove any residual email threats that remain.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_0-1626463685139.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296478i612C3DC3DD617279/image-size/large?v=v2&amp;px=999" role="button" title="GiulianGarruba_0-1626463685139.png" alt="Figure 1: Investigation email cluster has no items still in the mailbox, therefore the threat has been prevented and has no pending action" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: Investigation email cluster has no items still in the mailbox, therefore the threat has been prevented and has no pending action</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Pending actions are updated based on the latest delivery location</H2> <P>The Defender for Office 365 team is also improving investigations to re-analyze the email status <EM>after</EM> the investigation has completed.&nbsp; Until an investigation’s actions are approved or rejected, the investigation will periodically re-evaluate the 
investigation’s email findings and actions against the latest delivery locations then update the remediation status. This updates the investigation’s findings and the pending actions based on the latest remediations from ZAP, manual admin actions, as well as other approved automated investigations actions.&nbsp; If all malicious emails with pending actions have been removed from the mailboxes, the actions will cancel, with the incident and action center showing the emails as remediated (with updated location information).&nbsp; If all the investigation’s email actions have been completed by other remediations, then the investigation will change to ‘remediated’, and the original alerts will close.</P> <P>&nbsp;</P> <H2>Investigations prioritize the most malicious threats for action</H2> <P>Investigations are also being updated to surface to SecOps personnel the most relevant threats, helping ensure they are given sufficient attention and that actions are driving critical containment activities.&nbsp;</P> <UL> <LI>First, the investigation’s email analysis is changing to use the latest Defender for Office 365 threat categories: malware, high-confidence phishing, normal phishing, and spam.&nbsp; This provides security teams with the ability to focus on the most critical malicious threats included in the investigation (high confidence, e.g. a credential theft URL) vs. 
items that are simply suspicious.&nbsp; It also ensures that comparing investigations to threat explorer or advanced hunting data provides more consistent results in terms of threat types.</LI> <LI>A second improvement is that investigations only create recommended actions for emails and email clusters determined to be the most critical threats: malware, high-confidence phishing, malicious URLs and malicious files.&nbsp; This further reduces SecOps workloads by focusing valuable time and actions on malicious emails.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_1-1626463685185.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296480i1BF5860B05F9EE2B/image-size/large?v=v2&amp;px=999" role="button" title="GiulianGarruba_1-1626463685185.png" alt="Figure 2: This email cluster evidence has an action because it’s malicious high-confidence phishing, with emails remaining in the mailbox." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: This email cluster evidence has an action because it’s malicious high-confidence phishing, with emails remaining in the mailbox.</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>&nbsp;</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GiulianGarruba_2-1626463685211.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296479i9ECA5AD4AB9CB10A/image-size/large?v=v2&amp;px=999" role="button" title="GiulianGarruba_2-1626463685211.png" alt="Figure 3: In cases where email clusters only have suspicious items like the spam and normal phish cluster in the example above, the automated investigation will no longer queue a pending action.&nbsp; Only malicious items in mailboxes get actions." 
/><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 3: In cases where email clusters only have suspicious items like the spam and normal phish cluster in the example above, the automated investigation will no longer queue a pending action.&nbsp; Only malicious items in mailboxes get actions.</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><BR />Coming up in Part 2...</H2> <P>In this blog, we talked about the new email analysis improvements in Defender for Office 365 investigations and how they will improve SecOps efficiencies.&nbsp; The new threat types, latest delivery locations, and updates after investigation completion ensure that SecOps teams get clearer threat data, more accurate and recent location information, plus fewer and more focused actions. In the next <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/automatically-triage-phish-submissions-in-microsoft-defender-for/ba-p/2733752" target="_self">blog post</A>, we will hear from some of our closest partners leveraging these capabilities in Microsoft Defender for Office 365 to help efficiently and effectively detect and respond to threats. Stay tuned!&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the&nbsp;<A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> Thu, 09 Sep 2021 16:37:58 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/making-the-secops-team-more-efficient-focused-email-actions/ba-p/2557387 Giulian Garruba 2021-09-09T16:37:58Z ICYMI: Announcing Microsoft 365 Defender Streaming API https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/icymi-announcing-microsoft-365-defender-streaming-api/ba-p/2414420 <P>The Microsoft 365 Defender team is happy to announce that the Microsoft 365 Defender Streaming API is now available in public preview.</P> <P>&nbsp;</P> <P>Read yesterday's post on the Microsoft 365 Defender blog <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/announcing-microsoft-365-defender-streaming-api-public-preview/ba-p/2410767" target="_self">here</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/286140i5D25C0F97FDFD6A2/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Select the events you want to export in the Microsoft 365 Defender Streaming API settings" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Select the events you want to export in the Microsoft 365 Defender Streaming API settings</span></span></P> <P>&nbsp;</P> <P><SPAN>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A><SPAN>.</SPAN></P> Thu, 12 Aug 2021 17:59:17 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/icymi-announcing-microsoft-365-defender-streaming-api/ba-p/2414420 Giulian Garruba 2021-08-12T17:59:17Z Join us for an AMA! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/join-us-for-an-ama/ba-p/2370457 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-05-19 17_07_01-PowerPoint Slide Show - AMA banner.pptx.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/282028i8872433F6F56E95D/image-size/large?v=v2&amp;px=999" role="button" title="2021-05-19 17_07_01-PowerPoint Slide Show - AMA banner.pptx.png" alt="2021-05-19 17_07_01-PowerPoint Slide Show - AMA banner.pptx.png" /></span></P> <P>&nbsp;</P> <P>The Microsoft Defender for Office 365 team wants to hear from you! We’re excited to invite you to join us&nbsp;for a Tech Community Ask Microsoft Anything (AMA). Our team will be on hand to answer any of your questions about Microsoft Defender for Office 365, Exchange Online Protection, and email and collaboration security in general, so come prepared!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The AMA will take place Thursday, May 27, 2021, from 9:00-10:00am Pacific Time. 
We hope to see you there!</P> <P>&nbsp;</P> <P>Use the link below to add a reminder to your calendar and to join the discussion.</P> <P><A href="#" target="_blank" rel="noopener">https://aka.ms/ama/DefenderO365 </A>&nbsp;</P> Thu, 20 May 2021 16:06:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/join-us-for-an-ama/ba-p/2370457 Giulian Garruba 2021-05-20T16:06:09Z Mastering Configuration in Defender for Office 365 - Part Two https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-two/ba-p/2307134 <P><EM>This blog is part two of a three-part series detailing the journey we’re on to simplify the configuration of threat protection capabilities in Office 365 to enable best-in-class protection for our customers.</EM></P> <P>&nbsp;</P> <P>In the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-one/ba-p/2300064" target="_blank" rel="noopener">previous blog</A> in this series, we described how we have made it easier for customers to understand configuration gaps in their environment with recently launched features including Preset Security Policies, Configuration Analyzer, and Override Alerts. In this blog, we’ll take a closer look at additional capabilities we are enabling in the product as we continue forward on our journey to block malicious emails from being delivered to end users.</P> <P>&nbsp;</P> <PRE>Note: This blog has been updated to reflect changes to release dates. </PRE> <H2>&nbsp;</H2> <H2>Secure by Default: Tackling the Legacy Override Problem</H2> <P>One of the challenges we are addressing is the legacy override problem. As we covered in the first blog, legacy overrides are tenant-level or user-level configurations that instruct Office 365 to deliver mail even when the system has determined that the message is suspicious or contains malicious content. 
These aging and overly permissive overrides leave poorly protected pockets within the organization and allow malicious emails to be delivered to end users.</P> <P>&nbsp;</P> <P>To combat this, we here at Microsoft believe it’s critical to keep our customers “secure by default”. We have determined that legacy overrides such as allowed sender and allowed domain lists in anti-spam policies and Safe Senders in Outlook tend to be too broad and cause more harm than good. As a security service, we believe it’s imperative that we act on your behalf to prevent your users from being compromised. <STRONG>That means these legacy overrides are no longer honored for email messages we believe are malicious</STRONG>. We already apply this approach to malware messages, and now we are extending it to messages with high confidence phish verdicts. Our data also indicates that the false positive rate (good messages marked as bad) for high confidence phishing messages is extremely low, adding to our conviction about this approach.</P> <P>&nbsp;</P> <P>This feels like a critical step, given how dangerous and voluminous phishing messages have become. To learn more about the current threat landscape, please check out our annual security intelligence report, the <A href="#" target="_blank" rel="noopener">Microsoft Digital Defense Report</A>.</P> <P>&nbsp;</P> <H2>Ensuring that users cannot interact with malicious emails</H2> <P>As part of our secure by default focus, we’ve also taken additional steps to eliminate the risk of email-borne threats. Essentially, when Microsoft is confident that an email contains malicious content, we will not deliver the message to users, regardless of tenant configuration. These messages will be delivered to quarantine, not the junk folder. 
(In the junk folder, there is always the risk that the user might inadvertently release them to the inbox.)</P> <P>&nbsp;</P> <P>Only admins can manage malware or high confidence phish messages that are quarantined, because our data indicates that a user is 30 times more likely to click a malicious link in messages in the junk email folder versus quarantine.</P> <P>&nbsp;</P> <H2>Rolling out these secure by default changes</H2> <P>We’ve taken a very deliberate approach to rolling out these changes in phases to ensure customers are not surprised and there are no negative side effects. We began to roll out Secure by Default for high confidence phishing messages by override type starting in December of last year.</P> <P>Today, we’re at a point in our Secure by Default journey where the following overrides are not honored for malicious emails (malware or high confidence phish emails):</P> <P>&nbsp;</P> <UL> <LI>Allowed sender lists or allowed domain lists (anti-spam policies)</LI> <LI>Outlook Safe Senders</LI> <LI>IP Allow List (connection filtering)</LI> </UL> <P>&nbsp;</P> <P>In addition, all malicious emails are delivered to quarantine by default.</P> <P>Learn more about how we are keeping customers secure by visiting our <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <H2>The Next Phase of Secure by Default rollout – Tackling transport rules</H2> <P>In August, we will extend Secure by Default to cover high confidence phishing messages for the remaining legacy override type, Exchange mail flow rules (also known as transport rules or ETRs).</P> <P>&nbsp;</P> <P>ETRs represent roughly 60% of the high confidence phish message override volume we see, making this phase essential in achieving our Secure by Default goal for customers. 
For more on ETRs, check out our <A href="#" target="_blank" rel="noopener">documentation on mail flow rules</A>.</P> <P>&nbsp;</P> <P>While ETRs represent a large problem space, the problem is complicated by the fact that customers and vendors have come to rely on them to support two specific scenarios where the ‘override’ of malicious messages is quite deliberate and intentional.</P> <P>&nbsp;</P> <OL> <LI>Phish simulation campaigns: These are messages that Defender for Office 365 routinely detects as being malicious, so customers put ETR rules in place to direct the system to not block delivery of these messages to end users.</LI> <LI>Security Operations mailboxes: These are special mailboxes customers set up to support the ability for end users to report malicious emails to SecOps teams.</LI> </OL> <P>In both of these cases, customers do legitimately want the malicious emails delivered to achieve a very specific business goal.</P> <P>&nbsp;</P> <P>So, in our effort to eliminate the unintentional ETR overrides of malicious emails, we needed to first make sure there was a safe way for customers to achieve the above two goals without having to rely on ETRs as a blunt instrument.</P> <P>&nbsp;</P> <H2>Introducing Advanced Delivery for Phishing Simulations and Security Operations Mailboxes</H2> <P>As we covered above, there are special scenarios where security teams may want to explicitly direct that high confidence phish are delivered.</P> <P>&nbsp;</P> <UL> <LI>Third-party phish simulations</LI> <LI>Security operations mailbox</LI> </UL> <P>&nbsp;</P> <P>Customers have asked us for a method to explicitly configure message delivery for these scenarios and for the ability to view and filter these messages across our admin experiences. 
In July, we will launch the new Advanced Delivery capability for these scenarios, providing a method for security admins to explicitly configure these scenarios in-product.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phishsim2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/276863i7CE5E8AFACFDE751/image-size/large?v=v2&amp;px=999" role="button" title="phishsim2.png" alt="Figure 1: Configuring Third-Party Phishing Simulation Campaigns with Advanced Delivery." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: Configuring Third-Party Phishing Simulation Campaigns with Advanced Delivery.</span></span></P> <P>&nbsp;</P> <P>With Advanced Delivery, we will ensure messages configured as part of these scenarios are handled correctly across the product. The protection filters will respect these configurations and not block these messages. We will also show these messages with the appropriate annotations in all of the reporting, investigation and security experiences in the product, so security teams and admins are not confused about the true nature of these messages.</P> <P>&nbsp;</P> <P>Since these do not represent a real threat to your organization, we will, for example, not flag the messages as malicious and inadvertently remove them from your inbox, and we’ll skip things like triggering alerts, detonation, and automated investigations. 
However, admins will have the ability to filter, analyze and understand messages delivered due to these special scenarios.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="secops mbx.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/276862i66A06173C47A4684/image-size/large?v=v2&amp;px=999" role="button" title="secops mbx.png" alt="Figure 2: Configuring Security Operations Mailboxes with Advanced Delivery." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: Configuring Security Operations Mailboxes with Advanced Delivery.</span></span></P> <P>&nbsp;</P> <P>Customers who today use ETRs to configure third-party phishing simulation campaigns or delivery to security operations mailboxes should start configuring these with the new Advanced Delivery policy when the feature is launched in July.</P> <P>After the last phase of Secure by Default is enabled in August, Defender for Office 365 will no longer deliver high confidence phish, regardless of any explicit ETRs.</P> <P>&nbsp;</P> <P>To learn more about the new advanced delivery policy, see <A href="#" target="_blank" rel="noopener">Microsoft Docs</A>.</P> <P>&nbsp;</P> <H2>Making it easy for customers</H2> <P>This new way of handling phishing simulations from 3<SUP>rd</SUP> party vendors and security operations mailboxes is cleaner and offers a great deal of predictability for security teams. We’ve seen numerous occasions where security admins and SecOps members have been stirred into action inadvertently because of lack of clarity in this regard. 
This new capability above eliminates all that confusion.</P> <P>&nbsp;</P> <P>Most significantly, this feature makes it easier for security and messaging admins to rest assured that their ETR rules cannot impact the protection of their users, and prevents them from having to manually inspect all of their ETR rules (a daunting task) to guarantee that.</P> <P>&nbsp;</P> <H2>Stay tuned...</H2> <P>We covered here additional changes we’ve made to help customers understand configuration gaps and the capabilities we’ve launched to eliminate the legacy override problem. In the next blog, we will share details about additional features we are building to further eliminate the configuration gap problem in the case where customers may be unaware of security policy features available to them and have not turned these on.</P> <P>&nbsp;</P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> Thu, 12 Aug 2021 17:59:49 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-two/ba-p/2307134 Sundeep_Saini 2021-08-12T17:59:49Z Mastering Configuration in Defender for Office 365 - Part One https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-one/ba-p/2300064 <P><EM>This blog is part one of a three-part series detailing the journey we’re on to simplify configuration of threat protection capabilities in Office 365 to enable best-in class protection for our customers. </EM></P> <P>&nbsp;</P> <P>Effective security is a never-ending battle to achieve balance between security and productivity. If we apply too many security controls to an environment, we limit the ability of its users to function efficiently. 
And if we err on the side of restraint, we do not hinder users in any way, but we leave the door open to threats. Email security is complex and ever-changing. With over 90 percent of threats surfacing through email, it’s critical that organizations are empowered to configure security tools in a way that works for their environment.</P> <P>&nbsp;</P> <H2>Configuration is key</H2> <P>We’re committed to offering Office 365 customers the best email protection by continually focusing on improving the effectiveness of our solutions both within Exchange Online Protection (EOP) as well as Defender for Office 365. EOP has a rich legacy of policy granularity and customizations that help customers meet their unique needs. As we’ve built and innovated on Microsoft Defender for Office 365, we have applied those same principles to the new advanced protection capabilities we offered as part of Defender for Office 365, while still respecting many of the EOP settings.</P> <P>&nbsp;</P> <P>This deeply customizable protection stack within Office 365 has allowed customers over the years to implement policies and rules that fulfill an endless list of requirements. The drawback here, however, is that as customizations are added, they require regular review, upkeep, modifications, and even removal over time. In the absence of that continued focus, there is a high risk of creating an overall reduced state of protection. &nbsp;And while that might sound counter-intuitive, we see this very often. 
Here are some examples of how these configurations can inadvertently get out of hand:</P> <P>&nbsp;</P> <UL> <LI>An organization in Europe had configured 198 domains to be allowed to bypass our filters</LI> <LI>A firm in India had over 900 URLs per week stipulated to bypass our detonation service</LI> <LI>An enterprise in Asia had over 50,000 known phishing URLs configured to bypass our filters</LI> </UL> <P>&nbsp;</P> <P>In each of these cases, the result was an increase in phishing campaigns making their way to end users. And these are just a few examples of what we see as a widespread problem – custom policies and configurations put in place with perhaps the best of intentions but without considering the immediate or long-term security impact of creating them or keeping them in place permanently.</P> <P>&nbsp;</P> <P>Across Office 365, we estimate that 20% of phishing mails are delivered to user mailboxes as a result of poorly configured (often legacy) policies that haven’t been revisited for a long time. It was clear that we needed to help customers through this. It wasn’t sufficient to educate customers about the problem; we had to actively help customers get to a more secure state. That started a series of efforts over the past many months that have resulted in capabilities, tools and changes in the product that we’ll walk you through in this blog series. But before we get into it, it might help to get a better appreciation for how the problem arises in the first place.</P> <P>&nbsp;</P> <H2>How did we get here?</H2> <P>The natural question to ask is, how did we arrive at a place where customer configuration could be a problem?</P> <P>&nbsp;</P> <H3>Historical settings can age</H3> <P>In some ways, Exchange Online represents the final frontier. The promise of the cloud is a world where upgrades to Exchange no longer occur every few years. 
Over the lifespan of Exchange, many customers have migrated with existing mail flow configurations and transport rules from Exchange 2010, to Exchange 2013, and ultimately ending up with Exchange Online in Office 365. Many of our customers reading this may have relied on Exchange versions long before Exchange 2010!</P> <P>&nbsp;</P> <P>And these configurations and rules may have been implemented at a time where the worst thing that could happen as a result of an overly permissive policy was a spam email getting through. All of that has changed over the past few years.</P> <P>&nbsp;</P> <H3>New attack scenarios</H3> <P>Just as technology has evolved, so have attackers. A lot has changed since we first launched our advanced email security solution in 2015. Since then, email borne attacks have been increasing exponentially both in volumes and complexity. We’ve seen phishing evolve to become only the entry point for much more sophisticated attacks, like <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900" target="_blank" rel="noopener">business email compromise</A>. We’ve seen attackers pivot away from malware in favor of attacks that help them establish persistence through account compromise and external forwarding. We know that attackers are savvy cybercriminals that will continue to evolve their techniques to take advantage of email users. &nbsp;And one common path they look to exploit are these aging and overly permissive controls or poorly protected pockets within the organization.</P> <P>&nbsp;</P> <H3>New security controls</H3> <P>As the threat landscape evolves, so do our protections. Microsoft Defender for Office 365 employs a <A href="#" target="_blank" rel="noopener">multi-layered protection stack</A> that is always being updated to meet the needs of our customers. 
As we introduce new capabilities and make improvements to existing ones, it’s important that our customers are able to take advantage of these capabilities. That sometimes requires frequent evaluation of settings to ensure the latest protections are turned on. Failing that discipline, it’s possible that the latest protections are not being applied to all users in the organization.</P> <P>&nbsp;</P> <P>Naturally, these three challenges signify the importance of secure posture. It’s more important than ever that configuring protection against threats is easy to achieve and maintain.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-04-27 17_22_37-PowerPoint Slide Show - Filtering Stack FY21.pptx.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/276145iA4794E96F73E995F/image-size/large?v=v2&amp;px=999" role="button" title="2021-04-27 17_22_37-PowerPoint Slide Show - Filtering Stack FY21.pptx.png" alt="Figure 1: The new and updated layers of the Defender for Office 365 protection stack" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: The new and updated layers of the Defender for Office 365 protection stack</span></span></P> <P>&nbsp;</P> <H2>So how can we solve this problem?</H2> <P>Over the past many months, we’ve been on an aggressive journey to eliminate misconfigurations across Office 365 – to give customers the right tools to achieve secure posture simply and maintain these configurations over time. 
There are two broad categories of focus:</P> <P>&nbsp;</P> <H4>Eliminating overly permissive configurations</H4> <P>First, it’s critical that these (often) legacy settings or other inadvertent rules and policies don’t come in the way of us being able to keep users protected.</P> <P>&nbsp;</P> <H4>Preventing inadvertent gaps in protection coverage</H4> <P>Second, we want to make sure that organizations can easily protect all their users with the very best of protections that we offer as and when we make them available. This is critical in a fast-changing threat landscape where we’re constantly innovating to ensure users are protected.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>As we’ve approached tackling both classes of problems, we’ve applied the following principles:</P> <OL> <LI>Give customers the awareness and tools to get secure</LI> <LI>Actively help customers ‘get to secure’ through changes in the product</LI> <LI>Help customers with the right tools/guardrails to stay secure.</LI> </OL> <P>&nbsp;</P> <P>Through this blog series we’ll show how we’re applying all three principles to help customers.</P> <P>&nbsp;</P> <H2>What we have accomplished so far</H2> <P>We’ve been hard at work over the last year to achieve these goals of raising awareness on configuration gaps and preventing these gaps from inhibiting effective threat protection. I want to share with you some of the enhancements we’ve released.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><SPAN>Preset Security Policies</SPAN></H3> <P>In order to help customers understand the impact of misconfigurations, we needed to do something fundamental – we had to establish what the ideal configuration looked like. Last year we released preset security policies for Exchange Online Protection and Defender for Office 365. These policies provide a simplified method to apply all of the recommended spam, malware, and phishing policies to users across your organization. 
Since different organizations have different security needs, we released these presets in multiple variations, and allow customers to apply our <A href="#" target="_blank" rel="noopener">standard</A> or our <A href="#" target="_blank" rel="noopener">strict</A> presets to their users as they see fit.</P> <P>&nbsp;</P> <P>We’ve seen tremendous adoption of preset security policies since they launched in 2020, with over 18,000 tenants enabling a preset policy in their environment. Preset security policies not only give customers a choice, but they also help them stay up to speed with changing recommendations as the threat landscape evolves. To learn more about preset security policies, check out our <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-04-27 17_20_22-PowerPoint Slide Show - Config_video_slides_v3.pptx.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/276142i16E1319BDFEFEC44/image-size/large?v=v2&amp;px=999" role="button" title="2021-04-27 17_20_22-PowerPoint Slide Show - Config_video_slides_v3.pptx.png" alt="Figure 2: Preset policies can be applied to users, groups, or domains." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: Preset policies can be applied to users, groups, or domains.</span></span></P> <P>&nbsp;</P> <H3><SPAN>Configuration Analyzer</SPAN></H3> <P>Once we’d established the ideal configuration based on our own recommendations, we needed to give customers the ability to identify the instances where their configurations deviate from our recommended settings, and a way to adopt these recommendations easily.</P> <P>&nbsp;</P> <P>In 2019, we launched ORCA, the <A href="#" target="_blank" rel="noopener">Office 365 Recommended Configuration Analyzer</A>. 
ORCA gives customers a programmatic way to compare their current configuration settings against recommendations via PowerShell. As a result of the overwhelming success of ORCA, last year we built Configuration Analyzer right into the product. Customers can now view policy discrepancies right from within the admin portal, and can even choose to view recommended adjustments to reach our standard or our strict recommendations.</P> <P>&nbsp;</P> <P>We’ve seen incredible adoption of the configuration analyzer as well, with 290,000 policy changes made across more than 26,000 tenants since we launched the capability last year! With a few clicks, policies can be updated to meet the recommended settings, and as a result, it’s never been easier to keep email security configurations up to date. Learn more about configuration analyzer <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-04-27 17_21_21-PowerPoint Slide Show - Config_video_slides_v3.pptx.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/276143i25EB3644B26B8EA0/image-size/large?v=v2&amp;px=999" role="button" title="2021-04-27 17_21_21-PowerPoint Slide Show - Config_video_slides_v3.pptx.png" alt="Figure 3: Configuration Analyzer shows policies that do not meet our recommended settings." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 3: Configuration Analyzer shows policies that do not meet our recommended settings.</span></span></P> <P>&nbsp;</P> <H3><SPAN>Overrides Reports and Alerts</SPAN></H3> <P>You’ll hear us refer to overrides frequently throughout this series. We define overrides as tenant level or user level configurations that instruct Office 365 to deliver mail even when the system has determined that the message is suspicious or contains malicious content. 
Examples of overrides could be an Exchange transport rule that bypasses filtering for a specific range of IP addresses, or a user level policy like an allowed sender or domain at the mailbox level.</P> <P>&nbsp;</P> <P>The thing to understand about overrides is that they represent scenarios where policies are properly configured, but other settings have neutralized their effect. It’s important that we allow organizations to customize their Office 365 environment to meet their needs, but that doesn’t mean we feel comfortable allowing malicious content like malware or phish to land in the inbox of users.</P> <P>&nbsp;</P> <P>We’ve added a view to the Threat protection status report that allows you to view overrides across your environment. By filtering the report to view data by Message Override, you can view overrides over time by type of override, like Exchange transport rule or user safe sender, and you can dig deeper in the details table to identify the causes of these overrides.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-04-27 17_21_56-PowerPoint Slide Show - Config_video_slides_v3.pptx.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/276144iE62EDBC430A33E1A/image-size/large?v=v2&amp;px=999" role="button" title="2021-04-27 17_21_56-PowerPoint Slide Show - Config_video_slides_v3.pptx.png" alt="Figure 4: The Threat protection status report shows overrides by type and date" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 4: The Threat protection status report shows overrides by type and date</span></span></P> <P>&nbsp;</P> <H2>What comes next?</H2> <P>We’ve shared in this blog the steps we’ve taken to shed light on configuration gaps, and to help customers understand the impact configurations have on their environment. 
In the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-two/ba-p/2307134" target="_blank" rel="noopener">next blog</A>, we will share details about the capabilities we are building to eliminate the legacy override problem, and what you can do to minimize the impact these overrides have on security posture.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> Thu, 12 Aug 2021 18:00:31 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-one/ba-p/2300064 Sundeep_Saini 2021-08-12T18:00:31Z Introducing the Email Entity Page in Microsoft Defender for Office 365! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/introducing-the-email-entity-page-in-microsoft-defender-for/ba-p/2275420 <P>Today I wanted to share with you some exciting new capabilities that are now available to help Microsoft Defender for Office 365 and Microsoft 365 Defender customers investigate emails.</P> <P>&nbsp;</P> <H1>Investigating email threats is now easier than ever!</H1> <P>We know that you, the security teams, spend a lot of time diving deep into alerts, hunting threats, identifying malicious indicators, and taking remediation actions. You go through multiple workflows to take the right measures to protect your organization. These workflows involving email borne threats typically have a few steps in common – all involving analyzing an email in question and any related emails – to answer questions like: Why did the system call an email malicious? Why did an email get blocked (or delivered)? How many users (and which ones) received these emails? What actions have already been taken on these emails? 
And a lot more.</P> <P>&nbsp;</P> <P>Answering these questions often takes time and effort. And we consistently hear how much you crave ever-increasing efficiency in the tools you use, so the effort and time involved in responding to alerts and threats is reduced.</P> <P>&nbsp;</P> <P>That's why we’re excited to introduce the new Email Entity page in Microsoft Defender for Office 365. A simple, yet rich experience that offers a single pane of glass view to answer all the questions above, greatly amplifying the efficiency with which you can investigate and respond to threats.</P> <P>&nbsp;</P> <H1>Introducing the new Email Entity page</H1> <P>The new email entity page brings a comprehensive experience that provides an exhaustive view of details critical to investigation. The email entity page gives a 360-degree view of an email in one page, and helps security analysts save time and effort, leading to more effective threat protection.</P> <P>Curious why an email was delivered despite being marked as malicious? Or what the latest location of the email is? What are the rich set of details for a URL or file that was detonated? Was it sent to a priority account? The email entity page brings you the answer to these questions, and the details you need to investigate and analyze an email – overrides, exchange transport rules, latest delivery location, detonation details, tags and a lot more.</P> <P>&nbsp;</P> <P>The email page has information and capabilities for analysts to dig deeper into intricate email details, and headers, look at email preview or email download. The email page also builds on our promise to integrate Defender for Office 365 tightly with other Microsoft 365 Defender experiences like hunting, alerts, investigations and more.</P> <P>&nbsp;</P> <H2><FONT size="6">What's exciting about the Email Entity page?</FONT></H2> <P>We are sure the single page view is appealing, but that is not it. 
We bring a lot more details and capabilities to the new email entity page.</P> <P>&nbsp;</P> <P>Each tab presents you with information about the email. The timeline tab has a series of events which took place on email by system, admin or user.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Timeline.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273218i03479B28172F85AA/image-size/large?v=v2&amp;px=999" role="button" title="Timeline.png" alt="Timeline.png" /></span></P> <P><FONT size="2"><EM> Figure 1:&nbsp;The timeline tab has a series of events which took place on email by system, admin or user.</EM></FONT></P> <P>&nbsp;</P> <P>The analysis tab shows pre and post-delivery fields about email, in addition to the headers presented in the same tab, helpful for a side-by-side analysis.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Analysis.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273215iF6840526C5DB856A/image-size/large?v=v2&amp;px=999" role="button" title="Analysis.png" alt="Analysis.png" /></span></P> <P><FONT size="2"><EM>Figure 2: The analysis tab shows pre and post-delivery fields about email, in addition to the email headers</EM></FONT></P> <P>&nbsp;</P> <P>The attachment and URL tabs present detailed information about attachments and URLs present in the email, along with detonation details in case a detonation occurs (shown in the section later on detonation details).</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Lastly, the similar emails tab shows emails found similar to the email. Similar emails are found using the body fingerprint i.e. 
the cluster ID.</P> <P>&nbsp;</P> <P>&nbsp;&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Similar emails.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273219i262A9ABCA8237CD3/image-size/large?v=v2&amp;px=999" role="button" title="Similar emails.png" alt="Similar emails.png" /></span></P> <P><FONT size="2"><EM>Figure 3: The similar emails tab shows emails found similar to the email, using cluster ID</EM></FONT><BR /><BR /></P> <P>The email entity page not only has enriched details, but also new capabilities to help the security operations team investigate successfully, like email preview and detonation details.&nbsp; &nbsp;</P> <P>&nbsp;</P> <H2>Email preview for cloud mailboxes</H2> <P>We now provide full previews of emails found in cloud mailboxes. No need to download a copy of a malicious message to understand what your users saw – you can now do this with the click of a button from the safety of the admin center.</P> <P>&nbsp;</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Analysis with preview.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273216iD16406C425D8C94C/image-size/large?v=v2&amp;px=999" role="button" title="Analysis with preview.png" alt="Analysis with preview.png" /></span><BR /><FONT size="2"><EM>Figure 4: Email preview&nbsp;provides full previews of emails found in cloud mailboxes</EM></FONT></P> <H2>&nbsp;</H2> <H2>Exposing details for detonated URLs and attachments</H2> <P>With the email entity page, we have greatly enhanced the level of details we present about the observations we make in the detonation chamber for entities which get detonated. When a URL or file present in an email is found malicious during detonation, we will present the information to help you understand the full scope of related threats. 
Detonation details reveal information like the full detonation chain, a detonation summary, a screenshot and observed behavior details. This information can help security teams understand why we reached a malicious verdict for a URL or file following a detonation.</P> <P>&nbsp;</P> <P>For file detonation cases (you can filter by detection technology in Threat Explorer), the <STRONG>Attachments tab</STRONG> shows a list of attachments and their respective threats. Clicking on the malicious attachment opens the detonation details flyout for the detonated attachments. For URL detonations, the <STRONG>URL tab</STRONG> shows a list of URLs and the corresponding threats. Clicking on the malicious URL will open the detonation details flyout for detonated URLs.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Detonation.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273217i101B6B6690E26192/image-size/large?v=v2&amp;px=999" role="button" title="Detonation.png" alt="Detonation.png" /></span></P> <P><EM><FONT size="2">Figure 5: Detonation details show additional details discovered during detonation of links and files</FONT></EM></P> <H1>How can I get started with this new experience?</H1> <P>If you have Microsoft Defender for Office 365 or Microsoft 365 Defender, you can take advantage of this new experience today. When hunting for email-based threats in Explorer, where this experience is natively integrated, you can now choose to navigate to the new email entity page. 
You can do the same with the alerts experience, across both the security and protection portals at security.microsoft.com and protection.office.com respectively.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Learn more</A> about the email entity page on Microsoft Docs, and check out a video overview of these capabilities <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P><SPAN>Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Defender for Office 365 forum.</A></P> <P>&nbsp;</P> Thu, 12 Aug 2021 18:00:52 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/introducing-the-email-entity-page-in-microsoft-defender-for/ba-p/2275420 shubhanshijain 2021-08-12T18:00:52Z Become a Microsoft Defender for Office 365 Ninja! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/become-a-microsoft-defender-for-office-365-ninja/ba-p/2187392 <DIV class="lia-message-body-wrapper lia-component-message-view-widget-body"> <DIV id="bodyDisplay" class="lia-message-body"> <DIV class="lia-message-body-content"> <PRE><STRONG>If you've already completed the training, you can focus on the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/microsoft-defender-for-office-365-ninja-training-september-2021/ba-p/2685081" target="_blank" rel="noopener">latest updates</A> (September 2021 update).</STRONG></PRE> <P>&nbsp;</P> <P><SPAN>Do you want to become a Microsoft Defender for Office 365 ninja? We can help you get there! 
We collected content for two roles: “Security Operations (SecOps)” and “Email Security” teams.&nbsp;The content is structured into three different knowledge levels (Fundamentals, Intermediate, and Advanced) with multiple modules per level.&nbsp;Some of the topics are relevant for SecOps as well as for Email Security teams.&nbsp;This training will be updated on a regular basis to ensure you have access to the most current information available.</SPAN></P> <P>&nbsp;</P> <DIV class="MessageSubject"> <DIV class="MessageSubject"><SPAN style="font-family: inherit;"><STRONG>Short Link:&nbsp;&nbsp;</STRONG><A href="#" target="_blank" rel="noopener noreferrer"><STRONG>aka.ms/MDONinja</STRONG></A></SPAN></DIV> </DIV> <DIV class="MessageSubject">&nbsp;</DIV> <DIV class="MessageSubject"><SPAN style="font-family: inherit;"><STRONG>NEW: </STRONG>After each level, we will offer you a&nbsp;</SPAN><STRONG style="font-family: inherit;">knowledge check&nbsp;</STRONG><SPAN style="font-family: inherit;">based on the training material you have just finished! Since there’s a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. Lastly, there’ll be a fun&nbsp;</SPAN><STRONG style="font-family: inherit;">certificate</STRONG><SPAN style="font-family: inherit;">&nbsp;issued at the end of the training! <STRONG>Disclaimer:&nbsp;</STRONG></SPAN><STRONG style="font-family: inherit;">This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.</STRONG></DIV> <DIV class="MessageSubject">&nbsp;</DIV> <DIV class="MessageSubject"><STRONG style="font-family: inherit;"><FONT color="#000000"><STRONG>Note:</STRONG><SPAN>&nbsp;</SPAN>Threat protection product names from Microsoft have recently changed. 
Read more about this and other updates&nbsp;<STRONG><A href="#" target="_blank" rel="noopener noreferrer">here</A>.&nbsp;</STRONG></FONT></STRONG></DIV> <DIV class="MessageSubject"> <DIV class="lia-message-subject-wrapper lia-component-subject lia-component-message-view-widget-subject-with-options"> <DIV class="MessageSubject">&nbsp;</DIV> </DIV> <DIV class="lia-message-body-wrapper lia-component-message-view-widget-body"> <DIV id="bodyDisplay" class="lia-message-body"> <DIV class="lia-message-body-content"> <UL> <LI> <P><FONT color="#000000">Microsoft 365 Defender (previously Microsoft Threat Protection)</FONT></P> </LI> <LI> <P><FONT color="#000000">Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)</FONT></P> </LI> <LI> <P><FONT color="#000000">Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)</FONT></P> </LI> <LI> <P><FONT color="#000000">Microsoft Defender for Identity (previously Azure Advanced Threat Protection)</FONT></P> </LI> </UL> </DIV> </DIV> </DIV> </DIV> <DIV class="MessageSubject"> <P><STRONG><FONT color="#003366">Please let us know what you think about this training here:&nbsp;</FONT><A href="#" target="_blank" rel="noopener">https://aka.ms/MDONinjasurvey</A></STRONG></P> <P>&nbsp;</P> <P>P.S. I wanted to give my colleague,&nbsp;<LI-USER uid="63582"></LI-USER>&nbsp;a big thank you for laying the groundwork for Ninja Training and for all of her help, along with <LI-USER uid="194115"></LI-USER> &amp;&nbsp;<LI-USER uid="68654"></LI-USER>! 
Thank you!</P> <P>&nbsp;</P> <P>_____________________________________________________________________________________</P> <P>&nbsp;</P> </DIV> <P><FONT size="4"><U><STRONG>Table of Contents</STRONG></U></FONT></P> <P data-unlink="true"><STRONG><FONT size="4">Email Security - Fundamentals</FONT> </STRONG></P> <P data-unlink="true"><FONT size="3"><EM>(Deployment / Migration)&nbsp;</EM></FONT></P> <P data-unlink="true"><FONT size="3"><SPAN>Module 1. Technical overview&nbsp;</SPAN></FONT></P> <P data-unlink="true"><FONT size="3"><SPAN>Module 2. Getting started&nbsp;</SPAN></FONT></P> <P data-unlink="true"><FONT size="3"><EM>(Prevention &amp; Detection)&nbsp;</EM></FONT></P> <P data-unlink="true"><FONT size="3"><SPAN>Module 3. Configuration (Part I)&nbsp;</SPAN></FONT></P> <P data-unlink="true"><FONT size="3"><SPAN>Module 4. Protection Feature</SPAN></FONT></P> <P data-unlink="true"><EM>(Awareness)&nbsp;</EM></P> <P data-unlink="true"><SPAN>Module 5. General Awareness&nbsp;</SPAN></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><SPAN><STRONG><FONT size="4">Email Security - Intermediate</FONT></STRONG></SPAN></P> <P data-unlink="true"><SPAN><FONT size="3"><EM>(Prevention &amp; Detection)</EM></FONT></SPAN></P> <P data-unlink="true"><FONT size="3">Module 1.&nbsp;Configuration (Part II)&nbsp;</FONT></P> <P data-unlink="true"><SPAN>Module 2. Alert Management&nbsp;</SPAN></P> <P data-unlink="true"><SPAN>Module 3. Mail flow&nbsp;</SPAN></P> <P data-unlink="true"><SPAN>Module 4. Zero Hour Auto-Purge (ZAP)&nbsp;</SPAN></P> <P data-unlink="true"><EM>(Investigation &amp; Hunting)&nbsp;</EM></P> <P data-unlink="true"><SPAN>Module 5. Investigating Alerts&nbsp;</SPAN></P> <P data-unlink="true"><SPAN>Module 6. Advanced hunting&nbsp;(overview)</SPAN></P> <P data-unlink="true"><SPAN>Module 7. Automated Investigation and Remediation (AIR)&nbsp;</SPAN></P> <P data-unlink="true"><SPAN>Module 8. 
Threat Insights&nbsp;</SPAN></P> <P data-unlink="true"><EM>(Response &amp; Remediation)&nbsp;</EM></P> <P data-unlink="true"><SPAN>Module 9. Alert Handling&nbsp;</SPAN></P> <P data-unlink="true"><SPAN>Module 10. Manage Quarantined Messages&nbsp;</SPAN></P> <P><EM>(Reporting)&nbsp;</EM></P> <P><SPAN>Module 11. Reporting&nbsp;</SPAN></P> <P>&nbsp;</P> <P data-unlink="true"><SPAN><STRONG><FONT size="4">Security Operations - Advanced</FONT></STRONG></SPAN></P> <P data-unlink="true"><EM>(SOC Flows)&nbsp;</EM></P> <P data-unlink="true"><SPAN>Module 1. SIEM Integration &amp; APIs&nbsp;</SPAN></P> <P data-unlink="true"><SPAN>Module 2. </SPAN><SPAN>False Positive/False Negative Management Flows&nbsp;</SPAN></P> <P data-unlink="true"><SPAN>Module 3. Automation&nbsp;</SPAN></P> <P><EM>(Investigation &amp; Hunting)</EM></P> <P>Module 4. Advanced hunting&nbsp;(Kusto training)&nbsp;</P> <P data-unlink="true"><EM>(Training)&nbsp;</EM></P> <P data-unlink="true"><SPAN>Module 5. Attack Simulation Training&nbsp;</SPAN></P> <P data-unlink="true">&nbsp;</P> <P>Supplemental Content (Tech Community links)</P> <P>&nbsp;</P> <P>Legend:</P> <TABLE class="lia-align-left" style="height: 100px; border-style: solid; border-color: grey; width: 500px;" border="1" width="500"> <TBODY> <TR> <TD width="236px" height="38px"> <P><FONT size="3"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" alt="ang31a_3-1617347525464.png" /></span><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;</SPAN><SPAN style="font-family: inherit; background-color: transparent;">Docs on Microsoft</SPAN></FONT></P> </TD> <TD width="263px" height="38px"> <P><FONT size="3"><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="ang31a_4-1617347525465.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269003i836FEE9D389DA8B7/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_4-1617347525465.png" alt="ang31a_4-1617347525465.png" /></span><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;Blogs on Microsoft</SPAN></FONT></P> </TD> </TR> <TR> <TD width="236px" height="30px"> <P><FONT size="3"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_1-1617658296243.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269679i3995B94BC30C9256/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_1-1617658296243.png" alt="ang31a_1-1617658296243.png" /></span>&nbsp;Product videos</FONT></P> </TD> <TD width="263px" height="30px"> <P><FONT size="3"><FONT size="4"><SPAN style="font-size: medium; font-family: inherit; background-color: transparent;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_1-1617347525462.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269000i68FE1C25B4124D3B/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_1-1617347525462.png" alt="ang31a_1-1617347525462.png" /></span>&nbsp;Webcast recordings</SPAN></FONT></FONT></P> </TD> </TR> <TR> <TD width="236px" height="34px"> <P><FONT size="3"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_7-1617347713732.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269006i11B5079E964AA346/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_7-1617347713732.png" alt="ang31a_7-1617347713732.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;">Tech Community</SPAN></FONT></P> </TD> <TD width="263px" height="34px"> <P><FONT 
size="3"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_6-1617347525467.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269005i3C97D8C5772930D5/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_6-1617347525467.png" alt="ang31a_6-1617347525467.png" /></span><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;Interactive guides</SPAN></FONT></P> </TD> </TR> <TR> <TD width="236px" height="36px"> <P><FONT size="3">⤴ External</FONT></P> </TD> <TD width="263px" height="36px"> <P><FONT size="3"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_8-1617347728864.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269007i88B592DD2F6E1E9B/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_8-1617347728864.png" alt="ang31a_8-1617347728864.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;">GitHub</SPAN></FONT></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H2 id="h_46633397651617404610007" data-unlink="true"><FONT size="5"><FONT size="6"><STRONG>Email Security - Fundamentals </STRONG></FONT></FONT></H2> <P data-unlink="true"><FONT size="5"><EM>(Deployment / Migration)&nbsp;</EM></FONT></P> <P data-unlink="true"><FONT size="5"><STRONG>Module 1. 
Technical overview&nbsp;</STRONG></FONT></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617351141405.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269016iA33153686E201D1F/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617351141405.png" alt="ang31a_0-1617351141405.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">Understanding where Microsoft Defender for Office 365 fits in the Microsoft 365 Security Center</A> </SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_1-1617351178694.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269017i26E611132A166E43/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_1-1617351178694.png" alt="ang31a_1-1617351178694.png" /></span>&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">What is Microsoft Defender for Office 365?</A>&nbsp;</FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_4-1617351270324.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269021i1ED3AEA38ACFC87B/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_4-1617351270324.png" alt="ang31a_4-1617351270324.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/office-365-atp-is-now-microsoft-defender-for-office-365/ba-p/1696529" target="_blank" rel="noopener">Introducing Microsoft Defender for Office 365</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_2-1617351188387.png" style="width: 200px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269018i80FCE14581A7E939/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_2-1617351188387.png" alt="ang31a_2-1617351188387.png" /></span><A href="#" target="_self">&nbsp;</A><FONT size="4"><A href="#" target="_blank" rel="noopener">Secure by default in Office 365</A>&nbsp;</FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617351198034.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269019iA86573CDB69EEEBE/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617351198034.png" alt="ang31a_3-1617351198034.png" /></span>&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">The unified Microsoft 365 security center overview</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_6-1617347525467.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269005i3C97D8C5772930D5/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_6-1617347525467.png" alt="ang31a_6-1617347525467.png" /></span><A href="#" target="_blank" rel="noopener">&nbsp;Interactive guide to Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_5-1617351278151.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269022i367343B5C2E8B274/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_5-1617351278151.png" alt="ang31a_5-1617351278151.png" /></span>&nbsp;<FONT size="4"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/get-the-most-out-of-office-365-atp-in-the-shift-to-remote-work/ba-p/1350692" target="_blank" rel="noopener">Get the most out of Office 365 ATP (Microsoft Defender for Office 365) 
in the shift to remote work</A>&nbsp;</FONT><FONT size="5"><BR /></FONT></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 2. Getting started&nbsp;</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_45-1617353275430.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269081iA59DA587CDC54DAF/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_45-1617353275430.png" alt="ang31a_45-1617353275430.png" /></span><FONT size="4"><A href="#" target="_blank" rel="noopener">&nbsp;Evaluate Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" alt="ang31a_3-1617347525464.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_8-1617351609984.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269028iBB3CBC1870F30741/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_8-1617351609984.png" alt="ang31a_8-1617351609984.png" 
/></span>&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">ORCA (O<SPAN>ffice 365 Advanced Threat Protection&nbsp;</SPAN>R<SPAN>ecommended&nbsp;</SPAN>C<SPAN>onfiguration&nbsp;</SPAN>A</A><SPAN><A href="#" target="_self">nalyzer)</A></SPAN></FONT></LI> <LI><FONT size="4">⤴ <A href="#" target="_blank" rel="noopener">Reviewing your configuration with ORCA</A>&nbsp;</FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_7-1617351565233.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269027i41904D5352521E20/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_7-1617351565233.png" alt="ang31a_7-1617351565233.png" /></span>&nbsp;<FONT size="4"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/enhanced-filtering-for-connectors-supporting-hybrid-mail-routing/ba-p/1750045" target="_blank" rel="noopener">Enhanced Filtering for Connectors: Supporting hybrid mail routing configurations in Office 365</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" alt="ang31a_3-1617347525464.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Threat Explorer and Real-time detections</A>&nbsp;</FONT></LI> </UL> <P data-unlink="true"><EM><FONT size="5">(Prevention &amp; Detection)&nbsp;</FONT></EM></P> <P data-unlink="true"><STRONG><FONT size="5">Module 3. 
Configuration (Part I)</FONT></STRONG></P> <UL> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Mastering Configuration in Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" alt="ang31a_3-1617347525464.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Preset security policies in Exchange Online Protection and Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" alt="ang31a_3-1617347525464.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Recommended settings for Exchange Online Protection and Microsoft Defender for Office 365 security</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" 
alt="ang31a_3-1617347525464.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Protect against threats</A></FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_1-1617352345172.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269035iCC9C1F08C12CF45B/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_1-1617352345172.png" alt="ang31a_1-1617352345172.png" /></span>&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">Report messages and files to Microsoft</A>&nbsp;</FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_2-1617352349880.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269036i9A1F1C325ADF3E07/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_2-1617352349880.png" alt="ang31a_2-1617352349880.png" /></span>&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">User submissions policies (add-in for end users)</A>&nbsp;</FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617352355790.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269037i6EBD8FA59B041504/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617352355790.png" alt="ang31a_3-1617352355790.png" /></span>&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft</A></FONT></LI> </UL> <P><FONT size="4"><STRONG><FONT size="5">Module 4. 
Protection Feature</FONT></STRONG></FONT></P> <UL> <LI><FONT size="4"><STRONG><FONT size="5"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;</FONT></STRONG><A title="Protect against malicious links with Safe Links in Microsoft Defender for Office 365" href="#" target="_self">Protect against malicious links with Safe Links in Microsoft Defender for Office 365</A></FONT></LI> </UL> <P data-unlink="true"><EM><FONT size="5">(Awareness)&nbsp;</FONT></EM></P> <P data-unlink="true"><STRONG><FONT size="5">Module 5. General Awareness</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_27-1617352664212.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269061i156EAA507B10B1B5/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_27-1617352664212.png" alt="ang31a_27-1617352664212.png" /></span><SPAN style="font-family: inherit;">&nbsp;<A href="#" target="_blank" rel="noopener">Protecting against coronavirus themed phishing attacks</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_26-1617352661169.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269060iB2FCB3D0E45A7820/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_26-1617352661169.png" alt="ang31a_26-1617352661169.png" /></span><SPAN style="font-family: inherit;">&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-threat-analytics-report-shares-the-latest-intelligence-on/ba-p/2001095" target="_blank" rel="noopener">New Threat 
analytics report shares the latest intelligence on recent nation-state cyber attacks</A>&nbsp;</SPAN></LI> <LI><SPAN style="font-family: inherit;"><FONT size="4"><SPAN style="font-size: large;"><FONT color="#999999"><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269199iB6DF33036A5F5D0E/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;Safety tips in email messages</A></FONT></SPAN></FONT></SPAN></LI> </UL> <P data-unlink="true">&nbsp;</P> <P><FONT size="5"><STRONG>&gt;Ready for the&nbsp;</STRONG><A href="#" target="_blank" rel="noopener">Fundamentals Knowledge Check?</A></FONT></P> <P data-unlink="true">&nbsp;____________________________________________________________________________________________</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><FONT size="6"><STRONG>Email Security - Intermediate</STRONG></FONT></P> <P data-unlink="true"><FONT size="5"><EM>(Prevention &amp; Detection)&nbsp;</EM></FONT></P> <P data-unlink="true"><FONT size="5"><STRONG>Module 1. 
Configuration (Part II)</STRONG></FONT></P> <UL> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" alt="ang31a_3-1617347525464.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Email authentication (SPF, DMARC, DKIM)</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" alt="ang31a_3-1617347525464.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Configure outbound spam filtering</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_3-1617347525464.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269002i4A526736C95EBBCC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_3-1617347525464.png" alt="ang31a_3-1617347525464.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 2. 
Alert Management</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_4-1617352382707.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269038iBFCA42369766723C/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_4-1617352382707.png" alt="ang31a_4-1617352382707.png" /></span>&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">Managing Alerts: Alert policies in the Security &amp; Compliance Center</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;<A title="Managing alerts in Microsoft Defender for Office 365" href="#" target="_self">Managing alerts in Microsoft Defender for Office 365</A></FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_44-1617353129245.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269078i41506C6B333A3D13/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_44-1617353129245.png" alt="ang31a_44-1617353129245.png" /></span><FONT size="4"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385?search-action-id=282055803311&amp;search-result-uid=1696385" target="_blank" rel="noopener">&nbsp;Announcing Priority Account Protection in Defender for Office 365</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;<A title="Protect your most visible and most targeted user with Microsoft Defender for 365" href="#" target="_self">Protect your most visible and most targeted user with Microsoft Defender for 365</A></FONT></LI> </UL> <P><FONT size="4">&nbsp;</FONT><STRONG style="font-family: inherit;"><FONT size="5">Module 3. Mail flow</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_5-1617352399419.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269039i59CF018D5A9F9047/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_5-1617352399419.png" alt="ang31a_5-1617352399419.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">Outbound spam protection in Exchange Online Protection</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_6-1617352403539.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269040i174921297577B3B7/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_6-1617352403539.png" alt="ang31a_6-1617352403539.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">Mail flow insights in the Security &amp; Compliance Center</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_7-1617352408443.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269041i20DA0965444FE80E/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_7-1617352408443.png" alt="ang31a_7-1617352408443.png" /></span>&nbsp;<SPAN style="font-size: 
large;"><A href="#" target="_blank" rel="noopener">Mail flow rules (transport rules) in standalone Exchange Online Protection</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_8-1617352412484.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269042iB0C7AB3E4F8B98D8/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_8-1617352412484.png" alt="ang31a_8-1617352412484.png" /></span><SPAN style="font-size: large;">&nbsp;<A href="#" target="_blank" rel="noopener">Message trace in the Security &amp; Compliance Center&nbsp;</A></SPAN></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 4. Zero-Hour Auto Purge</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_9-1617352416167.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269043i629E6656573AE1D9/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_9-1617352416167.png" alt="ang31a_9-1617352416167.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">Zero-Hour Auto Purge (ZAP) in Exchange Online</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_0-1629413531248.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/304558i2F0CBDD46F6F461F/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_0-1629413531248.png" alt="CTang885_0-1629413531248.png" /></span>&nbsp;<A title="Zero-Hour Auto Purge (ZAP in Microsoft Defender for Office 365" href="#" target="_self"><FONT size="4">Zero-Hour Auto Purge (ZAP) in Microsoft Defender for Office 365</FONT></A></LI> </UL> <P><EM style="font-family: inherit;"><FONT size="5">(Investigation &amp; Hunting)&nbsp;</FONT></EM></P> <P data-unlink="true"><STRONG><FONT 
size="5">Module 5. Investigating Alerts</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_43-1617353081231.png" style="width: 0px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269077i3084C61CDA7DE625/image-size/small?v=v2&amp;px=200" width="0" height="0" role="button" title="ang31a_43-1617353081231.png" alt="ang31a_43-1617353081231.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">Get more out of Microsoft Defender for Office 365 with Microsoft 365 Defender</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_40-1617353042194.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269074i4038DC2DC9C4E094/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_40-1617353042194.png" alt="ang31a_40-1617353042194.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/investigating-alerts-in-defender-for-office-365/ba-p/1824188?search-action-id=282057530248&amp;search-result-uid=1824188" target="_blank" rel="noopener">Investigating alerts</A>&nbsp;</SPAN></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;<A title="Incident correlation with Microsoft Defender for Office 365" href="#" target="_self">Incident correlation with Microsoft Defender for Office 365</A></FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_41-1617353045041.png" style="width: 200px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269075iB3DD1576480FFC45/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_41-1617353045041.png" alt="ang31a_41-1617353045041.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-defender-for-office-365-investigation-improvements/ba-p/1947236" target="_blank" rel="noopener">Microsoft Defender for Office 365 investigation improvements coming soon</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_42-1617353046508.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269076i76CC5F15F77BFCB4/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_42-1617353046508.png" alt="ang31a_42-1617353046508.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">Investigate malicious email that was delivered in Office 365</A>&nbsp;</SPAN></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 6. 
Advanced Hunting (overview)</FONT></STRONG></P> <UL> <LI><SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener"><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;Microsoft&nbsp;</FONT>Defender for Office 365 gets even better with Incidents and Advanced Hunting</A>&nbsp;</SPAN></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span><A href="#" target="_blank" rel="noopener">&nbsp;Hunting in&nbsp;Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 7. 
Automated Investigation and Remediation</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_10-1617352434958.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269044iCD4EF22A6758541D/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_10-1617352434958.png" alt="ang31a_10-1617352434958.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">AIR Overview: Automated investigation and response (AIR) in Microsoft Defender for Office 365</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_11-1617352453634.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269045i08F79AF368A17685/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_11-1617352453634.png" alt="ang31a_11-1617352453634.png" /></span><SPAN style="font-size: large;">&nbsp;<A href="#" target="_blank" rel="noopener">How automated investigation and response works in Microsoft Defender for Office 365</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_12-1617352459908.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269046iAD58E7F826A75BF1/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_12-1617352459908.png" alt="ang31a_12-1617352459908.png" /></span><SPAN style="font-size: large;">&nbsp;<A href="#" target="_blank" rel="noopener">Details and results of an automated investigation in Microsoft 365</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_35-1617352848058.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269069i532E47321979637C/image-size/small?v=v2&amp;px=200" role="button" 
title="ang31a_35-1617352848058.png" alt="ang31a_35-1617352848058.png" /></span><FONT size="4" style="font-family: inherit;">&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/self-healing-in-microsoft-365-defender/ba-p/1729527?search-action-id=282057530248&amp;search-result-uid=1729527" target="_blank" rel="noopener">Self-healing in Microsoft 365 Defende</A></FONT><SPAN style="font-family: inherit;"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/self-healing-in-microsoft-365-defender/ba-p/1729527?search-action-id=282057530248&amp;search-result-uid=1729527" target="_self">r</A>&nbsp;</SPAN></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 8. Threat Insights</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_13-1617352470499.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269047i51529C47303BDB28/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_13-1617352470499.png" alt="ang31a_13-1617352470499.png" /></span><SPAN style="font-size: large;">&nbsp;<A href="#" target="_blank" rel="noopener">Walkthrough - Spoof intelligence insight in Microsoft Defender for Office 365</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_34-1617352818480.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269068i7F006F75D01E189D/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_34-1617352818480.png" alt="ang31a_34-1617352818480.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900" target="_blank" rel="noopener">Business Email: Uncompromised – Part One</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="ang31a_33-1617352816062.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269067i42E792817A3021EC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_33-1617352816062.png" alt="ang31a_33-1617352816062.png" /></span><SPAN style="font-size: large;">&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-two/ba-p/2167246" target="_blank" rel="noopener">Business Email: Uncompromised – Part Two</A>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_32-1617352813895.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269066i1461776923B099F4/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_32-1617352813895.png" alt="ang31a_32-1617352813895.png" /></span><FONT size="4">&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-three/ba-p/2247693" target="_blank" rel="noopener">Business Email: Uncompromised – Part Three</A>&nbsp;</FONT></LI> <LI><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How to prevent business email compromise using Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> </UL> <P data-unlink="true"><EM><FONT size="5">(Response &amp; Remediation)&nbsp;</FONT></EM></P> <P data-unlink="true"><STRONG><FONT size="5">Module 9. 
Alert handling</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_14-1617352485633.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269048i0AEB0674BA95259E/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_14-1617352485633.png" alt="ang31a_14-1617352485633.png" /></span><SPAN style="font-family: inherit;">&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">Remediation actions in Microsoft Defender for Office 365</A>&nbsp;</FONT></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_15-1617352489083.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269049i9E00058097FF8917/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_15-1617352489083.png" alt="ang31a_15-1617352489083.png" /></span><FONT size="4"><SPAN style="font-family: inherit;">&nbsp;<A href="#" target="_blank" rel="noopener">Review and manage remediation actions in Office 365</A></SPAN></FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span><FONT size="4">&nbsp;<A href="#" target="_blank" rel="noopener">Quickly identify compromised users and sophisticated campaigns</A></FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;<FONT 
size="4"><A title="Campaign Views in Microsoft Defender for Office 365" href="#" target="_self">Campaign Views in Microsoft Defender for Office 365</A></FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617657164976.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269673i20A1D997793930A9/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617657164976.png" alt="ang31a_0-1617657164976.png" /></span>&nbsp;<FONT size="4"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/announcing-ga-of-o365-atp-campaign-views-and-compromised-user/ba-p/1186245" target="_blank" rel="noopener">Announcing Campaign Views and Compromised User Detection and Response</A></FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">Detect and respond to compromise in Microsoft Defender for Office 365</A>&nbsp;</FONT></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 10. 
Manage quarantined messages</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_16-1617352498150.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269050iA2E630224587D983/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_16-1617352498150.png" alt="ang31a_16-1617352498150.png" /></span><FONT size="4"><SPAN style="font-family: inherit;">&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">Manage quarantined messages and files as an administrator</A>&nbsp;</FONT></SPAN></FONT></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">Managing the user quarantine in Microsoft Defender for Office 365</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">Manage the admin quarantine in Microsoft Defender for Office 365&nbsp;</A> &nbsp; &nbsp; &nbsp;&nbsp;</LI> </UL> <P>&nbsp;&nbsp;</P> <P><EM style="font-size: x-large; font-family: inherit;">(Reporting)&nbsp;</EM></P> <P data-unlink="true"><STRONG><FONT size="5">Module 11. 
Reports / Custom Reporting</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_21-1617352539972.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269055iD55FF30496007CC5/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_21-1617352539972.png" alt="ang31a_21-1617352539972.png" /></span><SPAN style="font-family: inherit;">&nbsp;<FONT size="4">&nbsp;<A href="#" target="_blank" rel="noopener">Smart reports and insights in the Security &amp; Compliance Center</A></FONT></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_22-1617352545083.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269056iE8AFF6BDA65DD051/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_22-1617352545083.png" alt="ang31a_22-1617352545083.png" /></span>&nbsp;&nbsp;<FONT size="4"><A href="#" target="_blank" rel="noopener">View Defender for Office 365 reports in the Reports dashboard in the Security &amp; Compliance Center</A></FONT></LI> </UL> <P data-unlink="true">&nbsp;</P> <P><FONT size="5"><STRONG>&gt;Ready for the&nbsp;</STRONG><A href="#" target="_blank" rel="noopener">Intermediate Knowledge Check?</A></FONT></P> <P data-unlink="true">&nbsp;____________________________________________________________________________________________</P> <P data-unlink="true"><FONT size="6"><STRONG>Security Operations - Advanced</STRONG></FONT></P> <P data-unlink="true"><EM><FONT size="5">(SOC Flows)&nbsp;</FONT></EM></P> <P data-unlink="true"><STRONG><FONT size="5">Module 1. 
SIEM Integration &amp; APIs</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_31-1617352731401.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269065i4009A21628B4B44A/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_31-1617352731401.png" alt="ang31a_31-1617352731401.png" /></span>&nbsp;<SPAN style="font-family: inherit;"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/say-hello-to-the-new-microsoft-threat-protection-apis/ba-p/1669234" target="_blank" rel="noopener">Say hello to the new Microsoft Threat Protection APIs!</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_30-1617352727795.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269064iED308881F1F0D677/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_30-1617352727795.png" alt="ang31a_30-1617352727795.png" /></span>&nbsp;<SPAN style="font-family: inherit;"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2102893" target="_blank" rel="noopener">Best practices for leveraging Microsoft 365 Defender API's - Episode One</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_29-1617352724095.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269063i32E7AA0CF549E51F/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_29-1617352724095.png" alt="ang31a_29-1617352724095.png" /></span><SPAN style="font-family: inherit;">&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2198820" target="_blank" rel="noopener">Best practices for leveraging Microsoft 
365 Defender API's - Episode Two</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_28-1617352718962.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269062i62C35B8A471F76E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_28-1617352718962.png" alt="ang31a_28-1617352718962.png" /></span><SPAN style="font-family: inherit;">&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/improve-the-effectiveness-of-your-soc-with-office-365-atp-and/ba-p/1525185" target="_blank" rel="noopener">Improve the Effectiveness of your SOC with Office 365 ATP and the O365 Management API</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_17-1617352507370.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269051i9C97A720E0D17972/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_17-1617352507370.png" alt="ang31a_17-1617352507370.png" /></span><SPAN style="font-family: inherit;">&nbsp;<A href="#" target="_blank" rel="noopener">Custom or third-party reporting solutions for Microsoft Defender for Office 365</A></SPAN></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 2. 
False Positive / False Negative Management Flows</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_18-1617352512593.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269052i1E5E2B18979E5907/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_18-1617352512593.png" alt="ang31a_18-1617352512593.png" /></span><SPAN style="font-family: inherit;">&nbsp;<A href="#" target="_blank" rel="noopener">Manually submit messages to Microsoft for analysis (FP/FN submission)</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_19-1617352519515.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269053i139626BC0B33985E/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_19-1617352519515.png" alt="ang31a_19-1617352519515.png" /></span><SPAN style="font-family: inherit;">&nbsp;<A href="#" target="_blank" rel="noopener">Handle FPs/FNs: How to report false positives/negatives in automated investigation and response capabilities</A>&nbsp;</SPAN></LI> </UL> <P data-unlink="true"><STRONG><FONT size="5">Module 3. Automation</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_0-1617347525460.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268999iC147F6009B3969E3/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_0-1617347525460.png" alt="ang31a_0-1617347525460.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Use Office Advanced Threat Protection automation for efficient IR</A>&nbsp;</LI> </UL> <P data-unlink="true"><EM><FONT size="5">(Investigation &amp; Hunting)&nbsp;</FONT></EM></P> <P data-unlink="true"><STRONG><FONT size="5">Module 4. 
Advanced Hunting (Kusto training)</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_38-1617352909333.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269072i498BBF6E83FBC036/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_38-1617352909333.png" alt="ang31a_38-1617352909333.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">KQL part 1 of 3:&nbsp;Learn the KQL you need (part of Azure Sentinel webinar series)</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_37-1617352908467.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269071iABCACA7D7B12CC16/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_37-1617352908467.png" alt="ang31a_37-1617352908467.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">KQL part 2 of 3:&nbsp;KQL hands-on lab exercises (part of Azure Sentinel webinar series)</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_36-1617352906859.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269070iEB7901DAFA4293BC/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_36-1617352906859.png" alt="ang31a_36-1617352906859.png" /></span>&nbsp;<SPAN style="font-size: large;"><A href="#" target="_blank" rel="noopener">KQL part 3 of 3: Optimizing KQL queries (part of Azure Sentinel webinar series)</A> </SPAN></LI> <LI><FONT size="4"><SPAN>⤴&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Pluralsight KQL training</A>&nbsp;</FONT></LI> </UL> <P data-unlink="true"><FONT size="5"><EM>(Training)&nbsp;</EM></FONT></P> <P data-unlink="true"><STRONG><FONT size="5">Module 5. 
Attack Simulation Training</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_25-1617352654998.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269059iC7140F749EF0A70C/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_25-1617352654998.png" alt="ang31a_25-1617352654998.png" /></span>&nbsp;<SPAN style="font-family: inherit;"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/attack-simulation-training-in-microsoft-defender-for-office-365/ba-p/2037291?search-action-id=282058475525&amp;search-result-uid=2037291" target="_blank" rel="noopener">Attack simulation training in Microsoft Defender for Office 365 now Generally Available</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_20-1617352531871.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269054i7F8495B5917819F6/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_20-1617352531871.png" alt="ang31a_20-1617352531871.png" /></span><SPAN style="font-family: inherit;">&nbsp;<A href="#" target="_blank" rel="noopener">Get started using Attack Simulation Training in Microsoft Defender for Office 365</A></SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_0-1631571444072.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310167i867DE1595AA9E740/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_0-1631571444072.png" alt="CTang885_0-1631571444072.png" /></span><A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/setting-up-a-new-phish-simulation-program-part-one/ba-p/2412854" target="_blank" rel="noopener">&nbsp;Setting up a New Phish Simulation Program - Part One</A></LI> <LI><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CTang885_1-1631571642488.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310168i0B596A2A0BB913FB/image-size/small?v=v2&amp;px=200" role="button" title="CTang885_1-1631571642488.png" alt="CTang885_1-1631571642488.png" /></span><A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/setting-up-a-new-phish-simulation-program-part-two/ba-p/2432167" target="_self">&nbsp;Setting up a New Phish Simulation Program - Part Two</A></LI> </UL> <P>&nbsp;</P> <P><FONT size="5"><STRONG>&gt;Ready for the&nbsp;</STRONG><A href="#" target="_blank" rel="noopener">Experts Knowledge Check?</A></FONT></P> <P>&nbsp;____________________________________________________________________________________________</P> <P data-unlink="true"><STRONG><FONT size="5">Supplemental Content</FONT></STRONG></P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_24-1617352597049.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269058iAA93AB5AEC792884/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_24-1617352597049.png" alt="ang31a_24-1617352597049.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/bg-p/MicrosoftDefenderforOffice365Blog#footerContent" target="_blank" rel="noopener"><SPAN style="font-family: inherit;">Microsoft Defender for Office 365 - Microsoft Tech Community</SPAN></A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ang31a_23-1617352593341.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269057iF91D8C51FD464308/image-size/small?v=v2&amp;px=200" role="button" title="ang31a_23-1617352593341.png" alt="ang31a_23-1617352593341.png" /></span>&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/bg-p/MicrosoftSecurityandCompliance" target="_blank" rel="noopener"><SPAN style="font-family: inherit;">Microsoft Security and Compliance - Microsoft Tech Community</SPAN></A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for Office 365 - Homepage</A></LI> </UL> <P>&nbsp;</P> <P>Once you’ve finished the training and the knowledge checks, please&nbsp;<STRONG><A href="#" target="_blank" rel="noopener">click here</A>&nbsp;to request your certificate. </STRONG>You'll see it in your inbox within 3-5 business days.</P> <P>&nbsp;</P> <P><STRONG><FONT color="#003366">Please let us know what you think about this training here:&nbsp;</FONT><A href="#" target="_blank" rel="noopener">https://aka.ms/MDONinjasurvey</A></STRONG></P> <P>&nbsp;</P> <P><STRONG>Interested in other ninja trainings? There are also ninja trainings for:&nbsp;</STRONG></P> <P><STRONG>Microsoft Defender for Endpoint (MDE) -&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/become-a-microsoft-defender-for-endpoint-ninja/ba-p/1515647#_Toc45281245" target="_self">http://aka.ms/mdeninja</A>&nbsp;</STRONG></P> <P><STRONG>Microsoft Cloud App Security (MCAS) -&nbsp;<A href="#" target="_blank" rel="noopener">http://aka.ms/mcasninja</A>&nbsp;</STRONG></P> <P><STRONG>Microsoft Defender for Identity (MDI) - <A href="#" target="_blank" rel="noopener noreferrer">http://aka.ms/mdininja</A></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P data-unlink="true">Follow us on LinkedIn as #DefenderForOffice365. Bookmark the <A href="#" target="_blank" rel="noopener nofollow noreferrer">Security blog</A> to keep up with expert coverage on security matters. 
Also, follow <A href="#" target="_blank" rel="noopener nofollow noreferrer">@MSFTSecurity</A>&nbsp;on Twitter and&nbsp;<A href="#" target="_blank" rel="noopener nofollow noreferrer">Microsoft Security</A>&nbsp;on LinkedIn for the latest news and updates on cybersecurity.&nbsp;</P> </DIV> </DIV> </DIV> Mon, 13 Sep 2021 23:00:23 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/become-a-microsoft-defender-for-office-365-ninja/ba-p/2187392 ang31a 2021-09-13T23:00:23Z Business Email: Uncompromised - Part Three https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-three/ba-p/2247693 <P><EM>This blog is part three of a three-part series focused on business email compromise.</EM></P> <P>&nbsp;</P> <P>In the previous two blogs in this series, we detailed the evolution of business email compromise attacks and how Microsoft Defender for Office 365 employs multiple native capabilities to help customers prevent these attacks. In <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900" target="_blank" rel="noopener">Part One</A>, we covered some of the most common tactics used in business email compromise attacks, and in <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-two/ba-p/2167246" target="_blank" rel="noopener">Part Two</A>, we dove a little deeper into the more advanced attacks. The BEC protections offered by Microsoft Defender for Office 365, as referenced in the previous two blogs, have been helping keep Defender for Office 365 customers secure across a number of different dimensions. 
However, to fully appreciate and understand the unique capabilities Microsoft offers, we need to take a step back.</P> <P>&nbsp;</P> <H2>Unparalleled scale</H2> <P>When we talk to customers about Microsoft Defender for Office 365, we always mention not only the size of our service, but the volume of data points we generate and collect throughout Microsoft. These things together help us <A href="#" target="_blank" rel="noopener">responsibly</A> build industry-leading AI and automation. Here are a few datapoints that can help put this into perspective:</P> <UL> <LI>Every month, our detonation systems detect close to 2 million <EM>distinct</EM> URL-based payloads that attackers create to orchestrate credential phishing campaigns. Each month, our systems block over 100 million phishing emails that contain these malicious URLs.</LI> <LI>Every month, we detect and block close to 40 million emails that attempt to leverage domain spoofing, user impersonation, or domain impersonation – techniques that are widely utilized in business email compromise attacks.</LI> <LI>Clicking further into domain spoofing data, we observe that the <EM>majority</EM> of domains that send mail into Office 365 do not have a valid DMARC enforcement. That leaves them open to spoofing and that is why the Spoof Intelligence capability (as discussed in <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900" target="_blank" rel="noopener">Part One</A>) adds such a strong defense layer.</LI> <LI>In the last quarter, we rolled out new options in the outbound spam policy that have helped customers disable automated forwarding rules across 90% of Office 365 email accounts to further disrupt BEC attack chains.</LI> <LI>Additionally, our compromise detection systems are now flagging <EM>thousands</EM> of potentially compromised accounts and suspicious forwarding events. 
As we covered in our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-two/ba-p/2167246" target="_blank" rel="noopener">second blog</A>, account compromise is a tactic used frequently in multi-stage BEC attacks. <A href="#" target="_blank" rel="noopener">Learn more</A> about how Defender for Office 365 automatically investigates compromised user accounts.</LI> <LI>Just in the last quarter, we have seen many customers implement “first-contact safety tips”, which have generated over 100 million phishing awareness moments. <A href="#" target="_blank" rel="noopener">Learn more</A> about first-contact safety tips.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BEC3_1.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268723i8A45A9C61517B04C/image-size/large?v=v2&amp;px=999" role="button" title="BEC3_1.png" alt="Figure 1: BEC by the numbers" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: BEC by the numbers</span></span></P> <P>&nbsp;</P> <H2>Artificial intelligence meets human intelligence</H2> <P>At Microsoft, we’re deeply focused on simplifying security for our customers, and we heed our own advice. We build security automation solutions that eliminate the noise and allow security teams to focus on the more important things. Our detection systems are being constantly updated through automated intelligence harnessed through trillions of signals, and this helps us focus our human intelligence on diving deep into the things that help improve customer protection. 
Our Microsoft 365 Defender Threat Research team leverages these signals to track <A href="#" target="_blank" rel="noopener">actors</A>, <A href="#" target="_blank" rel="noopener">infrastructure</A>, and <A href="#" target="_blank" rel="noopener">techniques</A> used in phishing and BEC attacks to ensure Defender for Office 365 stays ahead of current and future threats.</P> <P>&nbsp;</P> <H2>Leading the fight against cybercrime</H2> <P>Outside of the product, we also partner closely with the Digital Crimes Unit at Microsoft to take the fight to criminal networks. Microsoft’s Digital Crimes Unit (DCU) is recognized for its global leadership in using legal and technical measures to disrupt cybercrime, <A href="#" target="_blank" rel="noopener">including attacks like BEC.</A> By targeting the malicious technical infrastructure used to launch cyberattacks, DCU diminishes the capability of cybercriminals to engage in nefarious activity. In 2020, DCU directed the removal of 744,980 phishing URLs and recovered 6,633 phish kits which resulted in the closure of 3,546 malicious email accounts used to collect stolen customer credentials obtained through successful phishing attacks.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BEC3_2.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268722i2EC234A14EA896C8/image-size/large?v=v2&amp;px=999" role="button" title="BEC3_2.png" alt="Figure 2: DCU by the numbers" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: DCU by the numbers</span></span></P> <P>&nbsp;</P> <P>To disrupt cybercriminals taking advantage of the COVID-19 pandemic to deceive victims, in mid-2020, the Digital Crimes Unit took legal action in partnership with law enforcement to help stop phishing campaigns using COVID-19 lures. 
Additionally, with the help of our unique civil case against COVID-19-themed attacks, DCU obtained a court order that proactively disabled malicious domains owned by criminals. Read more about this <A href="#" target="_self">here</A>.&nbsp;</P> <P>&nbsp;</P> <P>The DCU continues to leverage its expertise and unique view into online criminal networks to uncover evidence that informs criminal referrals to appropriate law enforcement agencies around the world who are prioritizing BEC because it is one of the costliest cybercrime attacks in the world today. In fact, since launching this blog series, the FBI <A href="#" target="_blank" rel="noopener">released their 2020 Internet Crimes Report</A>, which contains updated statistics on BEC related losses.</P> <P>&nbsp;</P> <P>To learn more about DCU, take a look at a <A href="#" target="_self">collection of articles here</A>. You can also check out a <A href="#" target="_blank" rel="noopener">recent episode</A> of our Security Unlocked podcast where Peter Anaman, a Director and Principal Investigator for DCU, discusses what it’s like to investigate these BEC attacks.</P> <P>&nbsp;</P> <H2>Reducing the threat of business email compromise</H2> <P>We’ve covered quite a bit of content in this series and it feels only appropriate that we summarize the most important things that you can do to prevent BEC attacks in your environment. We’ve compiled these recommendations from a variety of sources, including industry analysts. 
The good news is that with Microsoft Defender for Office 365, you can now have <STRONG>one</STRONG> integrated solution that helps you easily adopt these recommendations.</P> <P>&nbsp;</P> <H3>Upgrade to an email security solution that provides advanced phishing protection, business email compromise detection, internal email protection, and account compromise detection</H3> <P>In the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-two/ba-p/2167246" target="_blank" rel="noopener">second blog in this series</A> we covered the new ways in which attackers are orchestrating these dangerous attacks that <EM>are becoming increasingly difficult to detect with</EM> <EM>legacy email gateways or point solutions</EM>. Defender for Office 365 provides a modern, end-to-end, compliant protection stack that combines advanced credential phishing protection, business email compromise detection, internal email filtering, suspicious forwarding detection, and account compromise detection. With Microsoft Defender for Office 365, you can detect these threats in your Office 365 environment without sending data out of your tenant, making it one of the simplest and most compliant ways to protect Office 365.</P> <P>&nbsp;</P> <H3>Complement email security with user awareness &amp; training</H3> <P>With attacks evolving every day, it’s critical that we not only build tools to prevent attacks, but also that we train users to spot suspicious messages or indicators of malicious intent. The most effective way to train your users is to emulate real threats with intelligent simulations and engage employees in defending the organization through targeted training. With Defender for Office 365 we now provide rich, native, user awareness and training tools for your entire organization. 
Learn more about <A href="#" target="_blank" rel="noopener">Attack simulation training</A> in Defender for Office 365.</P> <P>&nbsp;</P> <H3>Implement MFA to prevent account takeover and disable legacy authentication</H3> <P>Multi-factor authentication (MFA) is one of the most effective steps you can take towards preventing account compromise. As we discussed previously, new BEC attacks often rely on compromising email accounts to propagate the attack. By <A href="#" target="_blank" rel="noopener">Setting up multi-factor authentication in Microsoft 365</A> and implementing <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414" target="_blank" rel="noopener">security defaults</A> you can eliminate 99.9% of account compromise attempts.</P> <P>&nbsp;</P> <H3>Review your protections against domain spoofing</H3> <P>As we shared earlier, the majority of domains that send email to Office 365 have not properly configured DMARC. Leverage <A href="#" target="_blank" rel="noopener">Spoof Intelligence</A> in Defender for Office 365 to protect your users from threats that spoof domains that haven’t configured DMARC. Additionally, take the necessary steps to make sure your own domains are properly configured so that they aren’t spoofed. You can implement DMARC gradually without impacting the rest of your mail flow. <A href="#" target="_blank" rel="noopener">Configure DMARC in Microsoft 365</A>.</P> <P>&nbsp;</P> <H3>Implement procedures to authenticate requests for financial or data transactions and move high-risk transactions to more authenticated systems</H3> <P>We use email and collaboration tools to perform a wide variety of tasks, and sharing financial data doesn’t need to be one of them. 
To minimize the risk of accidental sharing of sensitive information like routing numbers or credit card information, consider using <A href="#" target="_blank" rel="noopener">Data Loss Prevention</A> policies in Office 365. Additionally, consider establishing a process that moves these transactions to a different system – one designed specifically for this purpose.</P> <H2>&nbsp;</H2> <H2>Closing thoughts</H2> <P>At Microsoft, we embrace our responsibility to create a safer world that enables organizations to digitally transform. We’ve put this blog series together with the goal of reminding customers not only of the significance of BEC, but the wide variety of prevention mechanisms available to them. If you’re looking for a comprehensive solution to protect your organization against costly BEC attacks, look no further than Microsoft Defender for Office 365.</P> <P>&nbsp;</P> <P>Day in and day out, we relentlessly strive to enhance our security protections to stop evolving threats. We are committed to getting our customers secure – and helping them stay secure.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum.</A></P> <P>&nbsp;</P> Thu, 12 Aug 2021 18:04:15 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-three/ba-p/2247693 Giulian Garruba 2021-08-12T18:04:15Z New Home for Microsoft Defender for Office 365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/new-home-for-microsoft-defender-for-office-365/ba-p/2176179 <P>At Ignite in September we <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/office-365-atp-is-now-microsoft-defender-for-office-365/ba-p/1696529" target="_blank" rel="noopener">announced</A> Microsoft 365 Defender, a unified XDR security solution for identities, endpoints, cloud apps, email and collaboration. Since then, we’ve seen tremendous results, with customers taking advantage of deep integrations that modernize security operations and prioritize actionable insights across their enterprise assets. In fact, in one case we saw consolidation from 1,000 alerts to just 40 high-priority incidents. Built-in self-healing technology has fully automated remediation tasks more than 70% of the time, helping defenders focus on other tasks that better leverage their knowledge and expertise.</P> <P>&nbsp;</P> <H2>Announcing public preview of the unified security portal</H2> <P>We’re incredibly excited about this unified approach to threat protection, and today we <A href="#" target="_blank" rel="noopener">announced</A> the public preview of the new Microsoft 365 Defender and the unified security portal, which now includes Microsoft Defender for Office 365. This is an important milestone in our journey to provide consolidated security tools that deliver intelligent and integrated security across domains. 
</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="figure1.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259433iB06559F76890F076/image-size/large?v=v2&amp;px=999" role="button" title="figure1.png" alt="Figure 1: The new Microsoft 365 Defender portal" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: The new Microsoft 365 Defender portal</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Customers are now able to use the unified portal to manage security operations across Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. This new portal is available at <A href="https://gorovian.000webhostapp.com/?exam=security.microsoft.com" target="_blank" rel="noopener">security.microsoft.com</A>, and it contains all the Defender for Office 365 capabilities you use today, with the addition of some new features as well.</P> <H2>&nbsp;</H2> <H2>What's new in the Security portal?</H2> <P>In the new converged portal, we are surfacing the same great experiences you know from Defender for Office 365 and incorporating new experiences for cross-workload detection and response to security incidents. These new capabilities can only be found in the new Microsoft 365 Defender portal, and they allow security teams to investigate and hunt in one centralized location, harnessing the power of correlation of signals across products.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Microsoft 365 Defender and the unified portal introduce new and exciting capabilities such as:</P> <UL> <LI><STRONG>Incidents</STRONG> – a unified investigation page that correlates multiple alerts into a single incident, including details on triggering alerts, impacted assets, and deep-dive details across your endpoints, identities, cloud apps, and Office 365 environment. 
Learn more about incidents in Microsoft 365 Defender <A href="#" target="_blank" rel="noopener">here</A>.</LI> <LI><STRONG>Threat Analytics</STRONG> – detailed in-product threat intelligence reports providing in-depth analysis and context around the real-world threats tracked by Microsoft experts. Each report shows where and how your organization may be affected through incidents and alerts and provides recommendations to mitigate and prevent these threats. Learn more about Threat analytics in Microsoft 365 Defender <A href="#" target="_blank" rel="noopener">here</A>.</LI> <LI><STRONG>Email investigation page</STRONG> – A comprehensive view that surfaces a variety of insights and contextual data for each email, helping security teams investigate emails from a single view. Learn more about the email entity page in Microsoft 365 Defender <A href="#" target="_blank" rel="noopener">here</A>. &nbsp;&nbsp;</LI> <LI><STRONG>Learning Hub</STRONG> - a collection of educational resources to help you get started, including things like blogs, how-to videos, interactive guides, and official product documentation.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture2.png" style="width: 644px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259434i9AA438CFCE14C49F/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Figure 2: The new email investigation page in the Microsoft 365 security center" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: The new email investigation page in the Microsoft 365 security center</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>In addition, the new security portal provides advanced tools for post-breach investigation, like:</P> <UL> <LI>Unified alerts queue and a new alert details page – a new look for alerts that 
provides a simple-to-use experience for alert analysis, surfaces more details on each alert, and provides a drill down to continue with a detailed investigation in Threat Explorer</LI> <LI>Advanced Hunting – a tool for examination of data using custom queries</LI> <LI>Automated Incident Remediation - capabilities that save SecOps teams valuable time by leveraging AI-powered automatic remediation capabilities to ensure all impacted assets related to an incident are automatically remediated where possible</LI> <LI>Action Center – A centralized view of actions pending approval</LI> </UL> <P>&nbsp;</P> <H2>What about the existing capabilities?</H2> <P>While the portal has changed from <A href="#" target="_blank" rel="noopener">protection.office.com</A> to <A href="#" target="_blank" rel="noopener">security.microsoft.com</A>, what has not changed is our mission to offer customers comprehensive protection of Office 365 against advanced threats.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture3.png" style="width: 435px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259435i1C53120B542122B6/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Figure 3: Our comprehensive approach to securing Office 365" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 3: Our comprehensive approach to securing Office 365</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The new security portal also contains all the capabilities and dashboards your security teams use today in Defender for Office 365. These features have moved into the new security center and can be found in the Email &amp; collaboration section of the navigation pane. 
Capabilities like Threat Explorer, Submissions, Quarantine, Reports, and policy creation and setting options have all been ported over. Customers will see the features that correspond to their Defender for Office 365 or E5 subscription.</P> <P>&nbsp;</P> <P>If you have questions regarding the transition, check out <A href="#" target="_blank" rel="noopener">our documentation</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Next steps</H2> <P>We’re incredibly excited about this update, and hope you’ll take the time to familiarize yourself with the new security home, learn all about the new capabilities, and locate your previously used tools. You can update your workflows to use the new unified portal at <A href="https://gorovian.000webhostapp.com/?exam=security.microsoft.com" target="_blank" rel="noopener">security.microsoft.com</A>. As we move forward towards general availability, the protection.office.com portal will be phased out.</P> <P>&nbsp;</P> <P>Check out <A href="#" target="_blank" rel="noopener">this video</A> for a quick summary of some of the new capabilities for Defender for Office 365 customers.</P> <P>&nbsp;</P> <P>Are you a Microsoft Defender for Endpoint customer? Learn more about how this transition affects Defender for Endpoint <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/delivering-world-class-secops-experiences/ba-p/2170092" target="_self">here</A>.</P> <P>&nbsp;</P> <H2>Get involved!</H2> <P>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> <P>&nbsp;</P> Thu, 12 Aug 2021 18:04:40 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/new-home-for-microsoft-defender-for-office-365/ba-p/2176179 Giulian Garruba 2021-08-12T18:04:40Z Business Email: Uncompromised – Part Two https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-two/ba-p/2167246 <P><EM>This blog is part two of a three-part series focused on business email compromise.</EM></P> <P>&nbsp;</P> <P data-unlink="true">In the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900" target="_blank" rel="noopener">previous blog</A>&nbsp;in this series, we described the components of a classic (or single stage) BEC attack and showed how Microsoft Defender for Office 365 helps you protect against them. In this post, we will look at how BEC attacks have evolved and how new capabilities in Defender for Office 365 provide additional security layers to keep your organizations safe against these evolving patterns.</P> <P>&nbsp;</P> <H2>Understanding Evolving BEC Attack Patterns</H2> <P>In recent years, we have seen BEC attacks grow more complex and now involve multiple stages. Here is how they work:</P> <OL> <LI>Once the attacker has identified the target organization, they attempt to compromise the email account of the victim through techniques like credential phishing or reusing previously leaked passwords.</LI> <LI>The attacker subsequently sets up a forwarding rule on the victim’s email account. 
This enables the attacker to conduct reconnaissance on the target and monitor new emails from partners or vendors, typically those that involve a financial exchange.</LI> <LI>Once a transaction of interest is identified, the attacker inserts themselves in the middle of an active email conversation through the tactics we described in our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900" target="_blank" rel="noopener">previous blog</A>: using either user or domain impersonation, or a domain spoofing attack. The idea is to dupe the victim into trusting the attacker (who’s posing as the trusted vendor) and taking specific actions. The attacker can carry out multiple parallel conversations posing as one entity to another.</LI> <LI>Finally, the attacker modifies the wire transfer or financial transaction details, leading the victim to process a fake invoice.</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258169iCBFEECD7D8BF73B9/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Figure 1: The stages of multi-stage BEC attacks" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: The stages of multi-stage BEC attacks</span></span></P> <P>&nbsp;</P> <P>In recent months, we have updated Defender for Office 365 in multiple ways to help customers secure themselves against each stage of these evolving attack patterns.</P> <P>&nbsp;</P> <H2>Preventing Credential Phishing &amp; Account Compromise</H2> <P>In the stages we discussed above, the first step is typically account compromise using a tactic like credential phishing. 
To block credential phishing mails, Defender for Office 365 is constantly updating its multi-layered email filtering stack which includes capabilities such as Safe Links, Safe Attachments and multiple machine learning models that scan and sandbox emails, files, and URLs to detect credential harvesting sites and block them. Additionally, Safe Links provides time-of-click protection for links in emails and is integrated into Office apps like Word, Excel and PowerPoint, to block exposure to malicious sites. Safe Links capabilities are available for both mails that come from outside your organization and internal mails within your organization. Defender for Office 365 is the only solution that can provide internal email protection within the compliance boundary of Office 365. No need to journal mails to external systems or grant mailbox access to external services.</P> <P>&nbsp;</P> <P>We have also recently updated our machine learning models that detect anomalous account behavior and trigger alerts. You can <A href="#" target="_blank" rel="noopener">learn more</A> about how Defender for Office 365 identifies, automatically investigates, and remediates compromised user accounts.</P> <P>&nbsp;</P> <P>Office 365 customers that leverage Azure Active Directory for identity access management can configure <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414" target="_blank" rel="noopener">security defaults</A> that enable Multi-Factor Authentication and disable legacy authentication for your Office 365 environment. This eliminates risk of password spray and account compromise in more than 99.9% of cases.</P> <P>&nbsp;</P> <H2>External Email Forwarding in Office 365 Now Disabled by Default</H2> <P>As we move to the next step in the typical multi-stage attack, we must turn our attention to external forwarding. 
External forwarding allows attackers to establish persistence and learn more about their victims. We have rolled out a new option in the outbound spam policy that disables external forwarding by default. Additionally, to help our customers get to a secure posture, this policy has been retroactively applied to existing Office 365 mailboxes. This has helped disrupt any existing compromised accounts and BEC activities.</P> <P>&nbsp;</P> <P>For legitimate scenarios that require email forwarding, administrators can create custom policies and enable forwarding for select mailboxes, while keeping it disabled for the rest of their users. You can learn more about controlling external forwarding in Defender for Office 365 <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258170i08F186DA69AC7172/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Figure 2: Configure automatic forwarding in the outbound spam policy" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: Configure automatic forwarding in the outbound spam policy</span></span></P> <H2>&nbsp;</H2> <H2>New and Improved Suspicious Forwarding Alerts</H2> <P>In addition to disabling external forwarding by default, Defender for Office 365 has introduced a new alert that detects suspicious forwarding related activity. 
The alert can warn administrators when suspicious forwarding activity is detected and enables them to conduct further investigation, remediate the account, and prevent any suspicious wire transfer activities.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258171i77955D5334C65552/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Figure 3: Suspicious email forwarding activity alerts" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 3: Suspicious email forwarding activity alerts</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Tools to Improve User Awareness</H2> <P>Employees are an organization’s greatest asset, but they are also susceptible to falling prey to these evolving attacks. An important way to strengthen your defenses against all cyber threats is through user awareness.</P> <P>&nbsp;</P> <P>For awareness programs to be successful, they must offer intuitive learning moments for your employees. What differentiates Microsoft from all other email security vendors is our ability to natively integrate security features into products like Outlook and Office 365 apps. This integration provides both protection and awareness for your users.</P> <P>&nbsp;</P> <H3>New Safety Tips Options</H3> <P>Defender for Office 365 already provides various <A href="#" target="_blank" rel="noopener">safety tips</A> that are shown to end users of an email to enhance user awareness. 
We recently launched a new safety tip that enables email users to self-detect suspicious emails based on a signal related to first time contact between a sender and recipient(s).</P> <P>&nbsp;</P> <P>If you receive an email from a sender for the first time or do not often get emails from this sender, you will see a safety tip displayed in your Outlook client as shown below to warn you that this email might be suspicious.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture4.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258173i5BBBD72A107A540C/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.png" alt="Figure 4: First contact safety tip warns users of suspicious email" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 4: First contact safety tip warns users of suspicious email</span></span></P> <P>&nbsp;</P> <P>Imagine being in the middle of an email chain with your business partner or vendor and receiving this warning message. That is a strong indicator of a potential business email compromise attempt. This capability adds an extra layer of security protection and creates awareness for users against such attacks.</P> <P>&nbsp;</P> <P>You can <A href="#" target="_blank" rel="noopener">learn more</A> about configuring first contact safety tips in your Office 365 tenant.</P> <P>&nbsp;</P> <H3>Native Link Rendering</H3> <P>Phishing trainings usually educate users to verify links in email apps by hovering over these links to reveal their destination. Many email security products rewrite these URLs, making it difficult for users to decipher the destination URL and reducing the value of the training. 
&nbsp;Safe Links in Defender for Office 365 goes beyond rewriting URLs and natively integrates with Outlook and Office 365 apps. Native link rendering allows users to see the destination URL when they hover over the link, but still protects them from malicious links by evaluating these links at time-of-click. This capability is unique to Defender for Office 365, and its native integrations with Office apps preserve your investments in phishing and user awareness training.</P> <P>&nbsp;</P> <H3>Attack Simulation &amp; Training</H3> <P>It's critical that your end users are trained to spot suspicious messages and the indicators we’ve discussed so far, and the most effective way to train your users is to emulate real threats with intelligent simulations. In January we announced the general availability of Attack simulation training in Microsoft Defender for Office 365. Rebuilt from the ground up, Attack simulation training enables customers to train their employees to recognize red flags that might indicate a business email compromise attack. Industry-leading training from Terranova Security caters to diverse learning styles, engaging employees in defending the organization. 
You can learn more about these new capabilities <A href="#" target="_blank" rel="noopener">here</A>.</P> <DIV id="tinyMceEditorGiulian Garruba_4" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture5.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258175i8D346F0DDD7EFAA4/image-size/large?v=v2&amp;px=999" role="button" title="Picture5.png" alt="Figure 5: Attack simulation training engages employees in defending the organization" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 5: Attack simulation training engages employees in defending the organization</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Coming up in Part 3….</H2> <P>In this blog we covered several ways that Microsoft Defender for Office 365 has been updated to help prevent evolving business email compromise attacks. We encourage readers to review these new capabilities and enable them in their environments.</P> <P>&nbsp;</P> <P>In the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-three/ba-p/2247693" target="_self">next post in this series</A>, we will look at the impact of these protections and the work we are doing outside the product in partnership with other security teams at Microsoft to further secure our customers. We’ll wrap up the series with best practice recommendations to ensure your organization stays protected against business email compromise attacks. Stay tuned!</P> <P>&nbsp;</P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> <P>&nbsp;</P> Thu, 12 Aug 2021 18:05:01 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-two/ba-p/2167246 Giulian Garruba 2021-08-12T18:05:01Z Business Email: Uncompromised – Part One https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900 <P><EM>This blog is part one of a three-part series focused on business email compromise.</EM></P> <P>&nbsp;</P> <P>Business email compromise (BEC) is a type of phishing attack that targets organizations, with the goal of stealing money or critical information. BEC has become a top-of-mind concern for CISOs – according to the Federal Bureau of Investigation, in 2019, BEC was the costliest type of cybercrime, accounting for 50% of all losses worldwide. Since 2016, BEC has accounted for more than 26 billion dollars in losses. Organizations of every size, from large corporations to small businesses, have fallen victim to these attacks.</P> <P>&nbsp;</P> <P>At Microsoft <A href="#" target="_blank" rel="noopener">we have been actively working</A> to block these attacks and to disrupt attacker networks that look to propagate such crime. Microsoft Defender for Office 365 provides industry-leading capabilities to protect against these sorts of attacks.</P> <P>&nbsp;</P> <P>So how do these attacks work? How can organizations best protect themselves? 
In this blog series, we will explore the evolution of BEC attack tactics, provide a refresher on existing and new capabilities in Defender for Office 365 that help detect these attacks, and best practices that customers should follow to secure themselves against BEC attacks.</P> <P>&nbsp;</P> <H2>Anatomy of Business Email Compromise Attacks</H2> <P>The classic form of business email compromise involves targeting a set of employees through emails that seem to come from an email address that <STRONG><EM>visually looks like</EM></STRONG> someone the employee should trust. Once the trust is established, unsuspecting employees can be asked to execute fraudulent wire transfers or asked to reply with critical information. Unlike other email-based threats, these attacks do not rely on malicious files or links and instead rely on deception of trust and can be highly effective.</P> <P>&nbsp;</P> <P>Here’s an example of a BEC attack we have observed recently.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="figure1.png" style="width: 535px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257139i87305984027057FC/image-size/large?v=v2&amp;px=999" role="button" title="figure1.png" alt="Figure 1: A real-world BEC attack" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: A real-world BEC attack</span></span></P> <P>At first glance, the email appears to come from the CEO to her employee and looks like a legitimate business email request for a payment. But upon further examination we detect that the sender is not the real CEO. The attackers use different techniques to make the email address look convincing.</P> <P>&nbsp;</P> <H3>Display name or From address look-alike (user impersonation)</H3> <P>Email clients use email properties like “Display Name” and “From Address” to show the sender of the email. 
Attackers forge these properties to make the message <EM>visually look like</EM> it comes from a real sender. When we take a closer look at the example below, we see the mail came from a look-alike email address with a slightly different spelling.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture2.png" style="width: 362px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257140i184210521DE31500/image-size/medium?v=v2&amp;px=400" role="button" title="Picture2.png" alt="Figure 2: User impersonation using a look-alike email address" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: User impersonation using a look-alike email address</span></span></P> <P>&nbsp;</P> <P>Attackers often use spelling tricks or special characters to make the email name look convincing, and detecting the large number of possible combinations with the naked eye or basic regular expressions (regex) can be quite challenging.</P> <P>&nbsp;</P> <H3>Domain address look-alike (domain impersonation)</H3> <P>In this technique, the attacker forges an email domain that visually looks like the domain of the victim’s organization or like the domain of one of their business partners. 
In the example below, the email seems to come from a domain that looks like <STRONG>contoso.com</STRONG> but is spelled with a “zero” instead of an “o”.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture3.png" style="width: 363px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257141iA0B5A1C70070D8F0/image-size/medium?v=v2&amp;px=400" role="button" title="Picture3.png" alt="Figure 3: Domain impersonation using a look-alike domain" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 3: Domain impersonation using a look-alike domain</span></span></P> <P>&nbsp;</P> <H3>Exact Domain Spoofing</H3> <P>In this technique, the attacker forges the domain to look <EM>exactly</EM> like the domain of the victim’s organization or like the domain of one of their business partners. Since the two are exactly the same, they make for a more convincing attack. Email protocols rely on email authentication standards such as SPF, DKIM, and DMARC to enable domain owners to “authenticate” their mails. If a domain owner does not configure these settings, the domain can be <EM>spoofed</EM> by an attacker: the email looks legitimate but actually comes from the attacker’s email server. 
In the example below, when we inspect the mail, the domain that the victim sees is <STRONG>contoso.com</STRONG>, but the actual sender is different.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture4.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257142iFF49DB61558D251E/image-size/medium?v=v2&amp;px=400" role="button" title="Picture4.png" alt="Figure 4: Domain spoofing achieved through forgery" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 4: Domain spoofing achieved through forgery</span></span></P> <P>&nbsp;</P> <P>We refer to these classic attacks as single stage attacks. We see attackers leverage one or more of the above techniques to impersonate/spoof executives, business partners, IT/HR staff and more. The email content can contain a basic <A href="#" target="_blank" rel="noopener">request to purchase gift cards</A>, request HR or financial data, or request to process an invoice with updated payment details.</P> <DIV id="tinyMceEditorGiulian Garruba_4" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture5.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257143i7D47A1CC5385330B/image-size/large?v=v2&amp;px=999" role="button" title="Picture5.png" alt="Figure 5: Single stage BEC attacks" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 5: Single stage BEC attacks</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Now that we have reviewed the attack techniques, let’s take a closer look at how we can protect against them.</P> <P>&nbsp;</P> <H2>User &amp; Domain Impersonation Protection in Defender for Office 365</H2> <P>Detecting user and domain impersonation <EM>at scale</EM> and in a <EM>fast-evolving</EM> attack landscape requires systems that 
can quickly understand relationships between senders and recipients, detect anomalies in those relationships and detect “visual similarity” across many possible combinations.</P> <P>&nbsp;</P> <H3>Configuring AI-powered and policy-based protections</H3> <P>Microsoft Defender for Office 365 does this by employing a capability called Mailbox Intelligence, an AI-powered technology that builds a communication graph of every user. Once enabled, this system continuously learns about a user’s email patterns and their communication graph. When a BEC email is received, the system automatically detects an anomaly against the user’s graph. It then runs a powerful multi-pass algorithm to detect “visual similarity” across a large combination of user and domain names.</P> <P>&nbsp;</P> <P>Security administrators can configure user, domain, and mailbox intelligence-based protection settings in the Anti-Phishing Policy within the Security Center. Once configured, these capabilities protect <EM><U>all</U></EM> users in the organization from attacks looking to impersonate <EM>any</EM> of their communication contacts. 
In an environment where anyone in an organization can be targeted by impersonation attacks, organizations need this capability to protect all users in the organization.</P> <DIV id="tinyMceEditorGiulian Garruba_5" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture6.2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257213i7E2F69C52892F98E/image-size/large?v=v2&amp;px=999" role="button" title="Picture6.2.png" alt="Figure 6: Mailbox Intelligence uses AI to build a communication graph for every user" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 6: Mailbox Intelligence uses AI to build a communication graph for every user</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>We introduced these capabilities in Defender for Office 365 in 2018 and we are constantly updating them based on the latest threat patterns.</P> <P>&nbsp;</P> <H3>Hunting for BEC Attacks (Coming Soon!)</H3> <P>Given the targeted nature of BEC attacks, security analysts are looking for additional ways to analyze and hunt for information about these attacks in their environment.</P> <P>&nbsp;</P> <P>To further increase the efficiency of the response of SecOps teams to impersonation-based attacks, <STRONG>we are rolling out new pivots</STRONG> in Threat Explorer to enable your security analysts to hunt for user and domain impersonation attempts in your organization. Threat Explorer helps security teams investigate and respond to threats efficiently, and these new capabilities allow analysts to dive deeper into potential BEC attacks. 
The new pivots will help security analysts answer questions like “Who is impersonating my CEO?”, “who is being targeted?”, “is a protected domain of my organization being impersonated?” and “are we seeing any false positives?” Admins can also configure alerts to be notified and Threat Tracker queries to quickly discover new attacks.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture7.png" style="width: 644px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257215i796B3D1B11E4A9FE/image-size/large?v=v2&amp;px=999" role="button" title="Picture7.png" alt="Figure 7: Use Threat Explorer to hunt for impersonated users" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 7: Use Threat Explorer to hunt for impersonated users</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Domain Spoofing Protection &amp; Email Authentication Checks in Defender for Office 365</H2> <P>&nbsp;</P> <H3>Preventing spoofing with email authentication standards</H3> <P>To identify spoofing attempts, email standards like SPF, DKIM, and DMARC are evaluated on every incoming message. Office 365 honors these standards for domains that have properly configured these settings. Emails that fail DMARC checks will be sent to quarantine or routed to junk mail. You can learn more about email authentication in Office 365, and its implications on spoofing <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <H3>Spoof Intelligence to prevent spoofing attacks</H3> <P>While DMARC is a useful tool in the email ecosystem, <EM>our service-wide telemetry indicates that a large number of the domains that send email into your organization have not implemented DMARC or may not enforce it</EM>. This leaves your organization vulnerable, as these domains can still be spoofed, leaving the door open to business email compromise. 
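</P> <P>The enforcement gap described here can be measured from the DMARC records that sending domains publish. The Python below is an added example, not code from Microsoft or from the original post: it classifies DMARC TXT records by enforcement level, performs no DNS lookups, and uses constructed partner domains and records.</P>

```python
"""Classify DMARC TXT records by enforcement level (added example)."""

ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING | {"none"}


def parse_tags(record):
    """Split a DMARC record into tag=value pairs (RFC 7489 tag-list syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        # Keep the first occurrence if a tag is repeated.
        tags.setdefault(name.strip().lower(), value.strip())
    return tags


def is_dmarc(record):
    """A DMARC record must begin with the tag v=DMARC1 (case-sensitive value)."""
    try:
        tags = parse_tags(record)
    except ValueError:
        return False
    return next(iter(tags), None) == "v" and tags["v"] == "DMARC1"


def classify(txt_records):
    """Return (status, detail) for the TXT records found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if is_dmarc(r)]
    if not dmarc:
        return "missing", "no DMARC record published"
    if len(dmarc) > 1:
        return "invalid", "multiple DMARC records; receivers apply none"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Simplification: RFC 7489 lets a receiver fall back to p=none when a
        # rua tag is present. Either way the domain is not enforcing.
        return "invalid", "missing or unknown p= tag"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", "pct is not a number"
    if not 0 <= pct <= 100:
        return "invalid", "pct out of range"
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "none":
        return "monitor-only", "p=none: failures are reported, not acted on"
    if pct < 100:
        return "partial", "policy applied to %d%% of failing mail" % pct
    if sub_policy not in ENFORCING:
        return "partial", "subdomains not enforced (sp=%s)" % sub_policy
    return "enforced", "p=%s" % policy


def not_enforced(records_by_domain):
    """Sorted list of domains whose DMARC posture is anything but enforced."""
    return sorted(domain for domain, records in records_by_domain.items()
                  if classify(records)[0] != "enforced")


# Constructed sample data: placeholder partner domains and the TXT records a
# lookup of _dmarc.<domain> is assumed to have returned.
SAMPLE = {
    "partner-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@partner-a.example"],
    "partner-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@partner-b.example"],
    "partner-c.example": [],
    "partner-d.example": ["v=DMARC1; p=quarantine; pct=25;"],
    "partner-e.example": ["v=DMARC1; p=reject; sp=none"],
    "partner-f.example": ["some-verification-token", "v=DMARC1; pct=100"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        status, detail = classify(records)
        print("%-20s %-13s %s" % (domain, status, detail))
```

<P>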
<EM>This is important – If your partners and vendors have not enforced DMARC on their domains, their domains can be spoofed by attackers in deceptive emails to your users.</EM></P> <P>&nbsp;</P> <P>To address this challenge, Defender for Office 365 and Exchange Online Protection (EOP) use an industry-first technology called Spoof Intelligence. It uses advanced algorithms to learn about a domain’s email sending patterns and can flag anomalies. And most importantly, through this approach using Spoof Intelligence, Defender for Office 365 and EOP also extend spoofing protections to domains that might not have implemented DMARC yet.</P> <P>&nbsp;</P> <P>Both spoof protection capabilities are enabled by default and are being constantly updated to learn from latest attacks.</P> <P>&nbsp;</P> <H2>Coming up in Part 2….</H2> <P>BEC attacks can be fairly complex and look extremely convincing. And they can result in a lot of damage to organizations that don’t have the appropriate protection. In this blog, we’ve looked at one flavor of BEC attacks – single stage attacks. We have also seen how capabilities in Defender for Office 365, described above, prevent the core components of business email compromise. In the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-two/ba-p/2167246" target="_self">next blog post</A>, we’ll dive into more advanced flavors of BEC attacks, and talk about the different capabilities in Microsoft Defender for Office 365 that help you prevent, detect, and respond to multi-stage BEC attacks. Stay tuned!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the <A href="#" target="_blank" rel="noopener">Defender for Office 365 forum</A>.</P> Thu, 12 Aug 2021 18:05:28 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900 Giulian Garruba 2021-08-12T18:05:28Z Investigating Alerts in Defender for Office 365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/investigating-alerts-in-defender-for-office-365/ba-p/1824188 <P>The extensive use of collaboration tools during the COVID-19 remote work era is putting many organizations at even higher risk for phishing attacks: via business emails or video conferencing solutions. This may be a good opportunity to refresh your workflows in investigating Microsoft Defender for Office 365 alerts, which can assist in catching cyberattacks in early stages.</P> <P>&nbsp;</P> <H3><FONT size="4">What is an alert?</FONT></H3> <P>In Microsoft Defender for Office 365, we create billions of <STRONG>signals </STRONG>daily, for every phishing email we defuse. If the email was automatically blocked, deleted or neutralized in other methods – we do not create an alert for it, as no additional action is required from the security team. You can review the blocked phish or malware events in the <A href="#" target="_blank" rel="noopener">Threat Explorer</A>.</P> <P>&nbsp;</P> <P>If we detect a suspicious activity, which was not blocked before delivery due to various reasons, and we think it requires your attention, we generate an <STRONG>alert </STRONG>for it. The common reasons that malicious activities are not blocked include a misconfiguration of the product, a delayed threat intelligence signal like Zero-hour Auto Purge (ZAP), user reported phishing emails, URLs weaponized at time-of-click and more. 
All of these cases trigger alerts when a suspicious activity is detected, and these alerts require an investigation by the security operations team.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alerts_blog_1.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/229580iBB24CE7F9E13E84D/image-size/large?v=v2&amp;px=999" role="button" title="alerts_blog_1.jpg" alt="alerts_blog_1.jpg" /></span></P> <H3>&nbsp;</H3> <H3><SPAN>Alert policies</SPAN></H3> <P>Every alert is created because of an <STRONG>alert policy</STRONG>, which helps you to determine what suspicious activities you want to be notified of. For this purpose, we have created many out of the box alert policies, which generate alerts. You can enable or disable these policies, update recipients, update category, severity level and other parameters that will help your SOC with day-to-day operations while working with the alerts. For more information, see our <A href="#" target="_blank" rel="noopener">docs article</A> on alert policies.</P> <P>&nbsp;</P> <P>Customers that are interested in investigating more granular alerts can create <STRONG>custom alert policies</STRONG>, that trigger custom alerts. A custom policy can be configured to trigger for a specific attachment type, a ZAP operation, or when a specific audited operation occurs in Office 365.&nbsp; For more information on managing alerts, see <A href="#" target="_blank" rel="noopener">managing alerts</A> on docs.</P> <P>&nbsp;</P> <H3>Manual alerts investigation by the Security Operations team</H3> <P>Since every alert is a call-for-investigation by the security operations team, these teams need to determine the next step required to mitigate the threat of malicious content, or dismiss the alert. 
Such an investigation usually follows one of these workflows:</P> <P>&nbsp;</P> <H5>Analyze the alerts queue</H5> <P>The alerts queue allows security teams to investigate each alert, by drilling down in Threat Explorer or in Advanced Hunting, or to follow the relevant playbooks for remediation. The Microsoft 365 Defender alerts queue will provide a prioritized view of all alerts from multiple Microsoft security products: Defender for Office 365, Defender for Endpoint, Defender for Identity and Microsoft Cloud App Security. For more information on alerts in Microsoft 365 Defender, see our <A href="https://gorovian.000webhostapp.com/?exam=t5/video-hub/leverage-automated-incident-correlation-to-make-microsoft/m-p/1698838" target="_blank" rel="noopener">Ignite session</A> on leveraging automated incident correlation to make Defender for Office 365 even more efficient.</P> <P>&nbsp;</P> <P>If you are using a custom reporting or SIEM solution, you can also look to ingest information about Alerts surfaced through the <A href="#" target="_blank" rel="noopener">Office 365 Management API</A> to construct your own experience, and correlate it with additional data within your solutions.</P> <P>&nbsp;</P> <H5>Analyze incidents</H5> <P>Incidents are a set of correlated alerts from various Microsoft security products. Microsoft Research creates correlation across alerts and events, taking care of the heavy lifting for the SOC team and helping them understand the overall impact of the attack on the organization across its digital estate and assets. Incidents help customers manage fewer items in their queue. 
On average, customers report an 80% reduction in Office 365 cases as a result of correlation during the first month alone.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alerts_blog_2.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/229581i7711937A74E07058/image-size/large?v=v2&amp;px=999" role="button" title="alerts_blog_2.jpg" alt="alerts_blog_2.jpg" /></span></P> <P>&nbsp;</P> <P>The unified portal of Microsoft 365 Defender shows the entire incident overview, based on MITRE ATT&amp;CK tactics: initial access, execution, lateral movement, and exfiltration. It also shows the timeline of the event, to provide a better understanding of the attack flow. This cross-product investigation fits into one unified view, like an email issue becoming an endpoint issue, or identity compromise resulting in cloud app resources utilization. Surfacing these incidents in a central place helps many organizations save time tackling the same attack that spreads via multiple tactics, triggering suspicious alerts by multiple products. You can learn more about Incidents in Microsoft 365 Defender in the <A href="https://gorovian.000webhostapp.com/?exam=t5/video-hub/leverage-automated-incident-correlation-to-make-microsoft/m-p/1698838" target="_blank" rel="noopener">Ignite session</A>.</P> <P><SPAN>You can also look to ingest incidents within your custom solutions through the </SPAN><A href="#" target="_blank" rel="noopener">MTP Incident API</A> <SPAN>(currently in Public preview).</SPAN></P> <P>&nbsp;</P> <H3>The prioritization challenge</H3> <P>In both of the scenarios above, most organizations still have a very high volume of alerts to analyze. Many customers choose to prioritize the alerts that involve their most visible and most targeted users. 
With Priority Account Protection in Defender for Office 365, security teams can prioritize alerts for Priority Accounts, and ensure that these threats are addressed, even when alert volumes are high. <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385" target="_blank" rel="noopener">Learn more about Priority Account Protection</A> to ensure these priority accounts are always protected.</P> <P>Additional prioritization methods may be based on threat Intelligence or focus on the latest or most common threats. And finally, we allow customers to add custom alerts, to identify specific threats that are relevant to the organization.</P> <P>&nbsp;</P> <H3>Automated investigation of alerts</H3> <P>Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations teams time and effort. Instead of reviewing, prioritizing, and responding to the continuous flood of incoming alerts, you can automate some of this to increase efficiency. An automated investigation can trigger a <A href="#" target="_blank" rel="noopener">security playbook</A>, depending on the incident type. Another option is for the security analyst to <A href="#" target="_blank" rel="noopener">start an automated investigation</A> using <A href="#" target="_blank" rel="noopener">Threat Explorer</A>.</P> <P>Customers that investigate alerts using a third-party SIEM solution can use the <A href="#" target="_blank" rel="noopener">Office 365 Management Activity APIs</A> for the investigation. 
You can follow a detailed example of an organization that uses this integration for alert investigation in a <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/improve-the-effectiveness-of-your-soc-with-office-365-atp-and/ba-p/1525185" target="_blank" rel="noopener">recent blog post</A> on improving the effectiveness of your SOC with Defender for Office 365 and the O365 Management API. For additional information about the public APIs, see <A href="#" target="_blank" rel="noopener">our documentation</A>.</P> <P>&nbsp;</P> <H3>Malicious activity or false alarm?</H3> <P>For each alert, we provide additional information to help the security team determine whether this is indeed malicious activity. We also provide governance actions to Resolve, Suppress and Notify users upon this alert, for further investigation. The decision regarding the appropriate governance action can be made after additional review of the alert details and context information in Threat Explorer or in Advanced Hunting.</P> <P>&nbsp;</P> <H3>Investigating suspicious alerts, more relevant than ever</H3> <P>At a time when many organizations are seeing historic rates of remote work, many customers experience an abundance of alerts that indicate suspicious activity. This can put pressure on the Security Operations teams to be more effective than ever in analyzing alerts created by Defender for Office 365. This is a good time to refresh the workflows around alerts investigation, to make sure the alerts are handled according to their real priority in the eyes of the organization. 
Moreover, it is a good opportunity to revise your use of the Automatic Investigation and Response (AIR) tools, to automate workflows that can reduce the manual investigation time by the Security Operations teams, and to reduce the number of alerts that require investigation by fully resolving some of these alerts automatically.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Defender for Office 365 forum</A><SPAN>.</SPAN></P> <P>&nbsp;</P> Thu, 12 Aug 2021 18:08:13 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/investigating-alerts-in-defender-for-office-365/ba-p/1824188 Marina_Kidron 2021-08-12T18:08:13Z Enhanced Filtering for Connectors: Supporting hybrid mail routing configurations in Office 365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/enhanced-filtering-for-connectors-supporting-hybrid-mail-routing/ba-p/1750045 <H2>When it comes to mail routing, every organization has different needs</H2> <P>Across Office 365, we see various mail routing configurations, and we know that one size does not fit all. Many customers still route email through their on-premises environment before sending it to Office 365, and others leverage a third-party solution as their first hop. This can be for a variety of reasons, like compliance regulations, or to support legacy on-premises infrastructure. We understand the need to create hybrid mail routing configurations, and regardless of where these messages have been when they arrive at Office 365, our fundamental goal is to ensure that your organization and your users stay secure.</P> <P>&nbsp;</P> <H2>Introducing Enhanced Filtering for Connectors</H2> <P>Based on feedback from our customers, we’ve introduced capabilities to support additional configurations for mail flow. 
Enhanced Filtering for Connectors is designed to be used in routing scenarios where your MX record does not point to Office 365.</P> <P>&nbsp;</P> <P>Both Exchange Online Protection and Microsoft Defender for Office 365 provide capabilities that protect your users from impersonation attacks while ensuring that legitimate senders don’t get caught in our spam or phishing filters. Enhanced Filtering preserves authentication signals that were previously lost, which improves the accuracy of our filtering stack, including our heuristic clustering, anti-spoofing, and anti-phishing machine learning models, when used in complex or hybrid routing scenarios. These capabilities make the detection of business email compromise attacks more effective, and equip your security teams with more information to hunt and investigate threats more effectively.&nbsp;&nbsp;</P> <P>&nbsp;</P> <H2>Take advantage of additional capabilities today</H2> <P>Getting started with Enhanced Filtering for Connectors is easy and only takes a couple of clicks in the Security and Compliance Center. Once enabled, you’ll be able to get the most out of the included Anti-Phish and Anti-Spam protection, while reducing false positives caused by authentication failures, and taking advantage of signals that were previously lost while your organization is running in a hybrid mail routing flow. We’ve documented more details to help you get started with enhanced filtering <A href="#" target="_blank" rel="noopener">here</A>. Once configured, you can measure effectiveness by checking out the Threat Protection Status report or the Spam Detections report in the Security &amp; Compliance center in Office 365.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Why is email authentication important?</H2> <P>When email is forwarded to Office 365 via a connector from a third-party, Office 365 sees that the third-party filter is the source of the message. 
This breaks explicit authentication signals such as SPF, DKIM, and DMARC, which allow Office 365 to verify the reputation of the sending domain. Without explicit authentication, Office 365 relies on implicit authentication to protect customers from spoofing. This isn’t a limitation of Office 365; it’s simply how SMTP works. You can learn more about explicit and implicit email authentication <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/schooling-a-sea-of-phish-part-2-enhanced-anti-spoofing/ba-p/176209" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>As shown here in Figure 1, the email message adopts the sending IP of the third-party filter, arriving at Office 365 with a different sending IP address than the one it had when it arrived at the third-party filter.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="figure1.png" style="width: 551px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/224467iAAE37A02000A3252/image-size/large?v=v2&amp;px=999" role="button" title="figure1.png" alt="Figure 1: Mailflow with third-party filtering" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: Mailflow with third-party filtering</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;<SPAN style="font-family: inherit;">As shown here in Figure 2, with Enhanced Filtering enabled, Office 365 can “see” the original sending IP address, through a process sometimes referred to as “skip listing”.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="figure2.png" style="width: 551px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/224470i8E032C0661B43436/image-size/large?v=v2&amp;px=999" role="button" title="figure2.png" alt="Figure 2: Mailflow with Enhanced Filtering" 
/><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2: Mailflow with Enhanced Filtering</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Enable Enhanced Filtering for Connectors today to get the most out of Office 365 security!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Defender for Office 365 forum</A><SPAN>.</SPAN></P> Thu, 12 Aug 2021 18:08:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/enhanced-filtering-for-connectors-supporting-hybrid-mail-routing/ba-p/1750045 Giulian Garruba 2021-08-12T18:08:35Z Office 365 ATP is now Microsoft Defender for Office 365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/office-365-atp-is-now-microsoft-defender-for-office-365/ba-p/1696529 <P>&nbsp;</P> <P>This morning, at Ignite, we <A href="#" target="_blank" rel="noopener">announced</A> Microsoft 365 Defender which brings the threat protection service portfolio across Microsoft 365 together under a unified brand. Microsoft 365 Defender offers powerful prevention, detection, hunting and response capabilities to threats across identities, endpoints, cloud apps, email, and documents.</P> <P>&nbsp;</P> <P>This new unified branding is a testament to our continued endeavor to integrate the different threat protection focused services across Microsoft. We’re continuing to focus on amplifying the protection for organizations and offering differentiated experiences that greatly enhance security teams’ effectiveness and efficiency.</P> <P>&nbsp;</P> <P>As part of this announcement, several products have been brought together under the Defender brand. 
Office 365 Advanced Threat Protection is now Microsoft Defender for Office 365.</P> <P>&nbsp;</P> <P>While the name has changed, what has not changed is Microsoft’s continued commitment to offer best-of-breed protection against attacks targeting Office 365. Our strategy to offer customers unparalleled protection on Office 365, grounded on three foundational differentiators, has not changed.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Girish_Chander_2-1600734109406.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220659i79BDDA9545741E4A/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_2-1600734109406.png" alt="Girish_Chander_2-1600734109406.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Our commitment to taking a holistic view to protecting customers on Office 365 has also not changed. Each of the categories below is a critical peg to ensuring that organizations are protected across Office 365.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Girish_Chander_3-1600734109415.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220660i6EB2DC6304706405/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_3-1600734109415.png" alt="Girish_Chander_3-1600734109415.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>We will continue to innovate and offer the best protection, experiences and value to our customers. In fact, today we’re also announcing new capabilities in Defender for Office 365. 
Read <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/announcing-public-preview-of-priority-account-protection-in/ba-p/1696385" target="_blank" rel="noopener">my other post</A>&nbsp;this morning, introducing Priority Account Protection, to learn more about the latest enhancements to Microsoft Defender for Office 365.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Defender for Office 365 forum</A><SPAN>.</SPAN></P> Thu, 12 Aug 2021 18:08:56 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/office-365-atp-is-now-microsoft-defender-for-office-365/ba-p/1696529 Girish_Chander 2021-08-12T18:08:56Z Announcing Priority Account Protection in Microsoft Defender for Office 365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385 <P>Today I am incredibly excited to announce the public preview of a critical new feature in the Microsoft Defender for Office 365 portfolio - Priority Account Protection. 
This capability is extremely valuable in helping security teams prioritize focus on critical individuals within the organization, offer them differentiated protection and thwart costly breaches in the process.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_0-1600732327389.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220609i9E529628E2127243/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_0-1600732327389.png" alt="Girish_Chander_0-1600732327389.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Before I dive in further, I want to make sure that you did not miss the other piece of exciting news we announced today – the rebranding of Office 365 Advanced Threat Protection to Microsoft Defender for Office 365. Read more about the new Microsoft 365 Defender suite <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/office-365-advanced-threat-protection-is-now-microsoft-defender/ba-p/1696529" target="_blank" rel="noopener">here</A>.</P> <P>Now back to Priority Account Protection and why we’re so excited about it.</P> <P>&nbsp;</P> <H2>The challenge for security teams</H2> <P>It is unfortunately not surprising anymore to learn that cyberattacks are on the rise or that phishing campaigns are a preferred tool in attacker’s toolkits. Over the past few years, attackers have increasingly moved from targeting infrastructure or devices to targeting users and duping them to give up credentials or sensitive data directly. And, with over 90% of attacks originating over email, it is clear that this old collaboration staple has remained a favorite vector to target users with.</P> <P>&nbsp;</P> <P>What is interesting, however, is the increasing level of user-targeting and sophistication in these attacks. 
Attackers make use of well-researched information about the intended victim to make the emails look even more compelling and convincing, thereby increasing the chances of duping the target. As an example, Business Email Compromise (BEC) attacks, one flavor of very targeted attacks, have increased significantly in recent times. Last year, the FBI reported that global losses due to BEC attacks totaled $26 billion over the preceding three fiscal years, with a 100% increase in the final year. Other types of targeted phishing attacks can be equally devastating.</P> <P>&nbsp;</P> <P>Obviously, the more visible the user, the easier it is to get information about them to target them with. And the more privileged the user, the more valuable the information they have access to---making them prime, not to mention, lucrative targets for attacks.</P> <P>&nbsp;</P> <H2>Protecting the most visible and targeted users</H2> <P>In response to the changed realities of this increasingly sophisticated and targeted threat landscape, organizations need differentiated protection for their most visible and targeted employees. This is often the members of the C-suite who routinely deal with sensitive and secret information and have the added advantage (from the attacker’s point of view) of being extremely visible and research-able. However, individuals in the C-suite are not the only ones that can be targeted. Very often, users lower down in the organization hierarchy have access to critical tools and information. And these users make prime targets as well. We frequently see such examples of attacks in the news - a user with access to critical administrative tools being a victim of a targeted attack that winds up making a larger scale attack embarrassingly possible.</P> <P>&nbsp;</P> <P>These most visible and most targeted accounts - these “priority accounts” - demand more protection and more attention from security teams. 
From the point-of-view of security teams, monitoring these priority accounts closely can yield early warning signals and important threat intelligence signals to protect the organization better.</P> <P>&nbsp;</P> <P>And security teams are actively looking for mechanisms to do this easily.</P> <P>&nbsp;</P> <H2>Introducing Priority Account Protection</H2> <P>Having deeply internalized the need to adapt to the threat attack patterns referenced above, a lot of security teams we work with want to put in place workflows and systems to better protect Priority Accounts.</P> <P>&nbsp;</P> <P>With Priority Account Protection in Defender for Office 365, security teams can now realize these workflows using the experiences in Office 365. Let’s review a few of them.</P> <H2>&nbsp;</H2> <H3>Prioritizing alerts involving Priority Accounts</H3> <P>The focus of security teams is often dictated by the Alert queue. With Priority Account Protection, all alerts involving any of these Priority Accounts are automatically tagged as such. 
This allows security teams to prioritize their focus on these alerts first – especially when alert volumes are high.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_1-1600732327415.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220608i885AD47D56937B16/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_1-1600732327415.png" alt="Girish_Chander_1-1600732327415.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_2-1600732327445.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220606i14D9B41363837D8E/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_2-1600732327445.png" alt="Girish_Chander_2-1600732327445.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Some customers we work with even have dedicated sub-teams to investigate and respond to alerts targeting their C-suite. Now, they can choose to direct these ‘Priority Account’ alerts to these specific sub-teams.</P> <P>&nbsp;</P> <H3>Priority Accounts and Threat Investigation</H3> <P>As security teams investigate alerts, emails, or attacks using the Threat Explorer feature (shown below) within Defender for Office 365, it will now be noticeably clear which of these attacks impacted Priority Accounts. This will allow teams to automatically prioritize certain investigations higher. 
Additionally, they can actively filter on Priority Accounts to further help optimize their focus.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_3-1600732327460.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220611i8283B16D257E9E70/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_3-1600732327460.png" alt="Girish_Chander_3-1600732327460.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Identifying campaigns targeting Priority Accounts</H3> <P>Priority Account integration with Campaign Views (shown below) within Defender for Office 365, allows security teams to quickly identify campaigns that impact an organization's most visible or targeted users.</P> <P>&nbsp;</P> <P>With the support for Priority Accounts, SecOps teams investigating a campaign will be able to determine if any Priority Account users were impacted and actively search for campaigns involving Priority Accounts.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_4-1600732327472.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220612i711B12C6E3F69AFC/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_4-1600732327472.png" alt="Girish_Chander_4-1600732327472.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_5-1600732327490.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220614i15587A2E61A8E9DA/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_5-1600732327490.png" alt="Girish_Chander_5-1600732327490.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Prioritizing submissions reported by Priority Accounts</H3> <P>Optics into what users are reporting as attacks 
landing in their inbox can serve as a strong signal for Security teams to gear into action and thwart campaigns before the breach proves costly. The Report message add-in and the submissions explorer experiences within Defender for Office 365 are tightly integrated to help give security teams this early warning signal.</P> <P>&nbsp;</P> <P>Over the next few months, Priority Accounts will be integrated with Submission explorer. With this upcoming work, submissions from any of the Priority Accounts will be explicitly tagged, and filterable, allowing security teams to first focus on these submissions over others.</P> <P>&nbsp;</P> <H3>Proactively investigating attacks targeting Priority Accounts</H3> <P>A lot of organizations we work with have a dedicated team of security hunters who are looking to scrutinize attacks targeting their C-suite - to learn about attack patterns and attackers themselves.</P> <P>Within Defender for O365 all malicious emails are automatically quarantined allowing security teams to review these emails in the quarantine experience within the portal.</P> <P>&nbsp;</P> <P>Over the next few months, Priority Account protection will be integrated with quarantine experience within Defender for Office 365. With this upcoming integration, any email targeted at one of these accounts will be tagged as such. 
What’s more, it will be extremely easy to filter the view to only look at malicious emails that were targeted at Priority Accounts.</P> <P>&nbsp;</P> <P>As always, any further exploration of the emails will be possible in Threat Explorer as called out above.</P> <P>&nbsp;</P> <H3>Assessing trends of malicious emails targeting Priority Accounts</H3> <P>Filtering capabilities are now available for the Threat protection status report for a more granular assessment of malicious email messages going to the most targeted individuals in the organization.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_0-1600735138204.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220691i7737C786EB7CD231/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_0-1600735138204.png" alt="Girish_Chander_0-1600735138204.png" /></span></P> <P>&nbsp;</P> <H2>Customizing workflows</H2> <P>Priority Accounts as described above greatly enhance the ability for security teams to optimize their focus and improve their efficiency.</P> <P>&nbsp;</P> <P>But, as we often do, we went one step further.</P> <P>&nbsp;</P> <P>Priority Account Protection is built on a powerful underlying capability called ‘Tags’. Users identified as Priority Accounts are effectively <EM>tagged</EM> as such. But with the way we’ve built this, security teams can define their own attributes or Tags. 
For example, security teams can choose to define a tag called ‘susceptible users’ to describe those users who have an increased propensity to fall prey to attacks.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Girish_Chander_1-1600734479379.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220672i4F5BF530CDA0AC44/image-size/large?v=v2&amp;px=999" role="button" title="Girish_Chander_1-1600734479379.png" alt="Girish_Chander_1-1600734479379.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Once defined, these tags will be infused into security workflows as called out above – in alerts, Threat Explorer, Campaign Views, and more. For example, custom alert policies scoped to specific tags can be created, following which alerts on a particular mail recipient will be enriched with the tags that are assigned to that recipient.</P> <P>&nbsp;</P> <H2>Go on…give it a try!</H2> <P>This feature is rolling out into public preview starting today. So, you will start seeing it light up in your tenants over the next few weeks.</P> <P>&nbsp;</P> <P>Priority Account Protection will be available to customers with Defender for Office 365 Plan 2, including those with Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 Security.</P> <P>&nbsp;</P> <P>We’ve been partnering very closely with a number of customers to learn about their challenges and their desires to shape our thinking and the evolution of this feature. Customers that have seen early previews of this capability love it so far.&nbsp;We’re very excited for you to try this out as well. And we hope you’ll love it too!</P> <P>&nbsp;</P> <P>Tune in to our <A href="#" target="_self">on demand session at Ignite</A> this week to learn more.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Do you have questions or feedback about Microsoft Defender for Office 365? 
Engage with the community and Microsoft experts in the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Defender for Office 365 forum</A><SPAN>.</SPAN></P> Thu, 12 Aug 2021 18:09:47 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385 Girish_Chander 2021-08-12T18:09:47Z