This blog is part one of a multi-part series focused on the new and improved incident response capabilities within Microsoft Defender for Office 365.
Security operations (SecOps) teams frequently need to investigate security alerts associated with emails and online interaction. Critical to this is ensuring that malicious emails associated with a likely attack are fully removed from all mailboxes – plus verifying that no users or mailboxes have been compromised through interaction with any delivered emails. These days, the attack methods used by malicious actors, along with the high volume of email they send out, ensure that SecOps teams are always busy with this task.
Earlier in May 2021, we announced that Microsoft is positioned as a leader in The Forrester Wave™: Email Security, Q2 2021, receiving the highest possible score in the incident response category. This represents the latest validation of our relentless effort, strategy, and focus on offering our customers industry-leading protection against threats orchestrated over email and collaboration tools – and of course industry-leading incident response capabilities.
Microsoft Defender for Office 365 is now rolling out three email investigation improvements that will drive additional SecOps efficiencies. The following changes will directly reduce the volume of automated investigations that require SecOps approval and prioritize the most malicious ones:
Previously, automated investigations in Defender for Office 365 leveraged ‘original delivery information’ to identify emails that needed cleanup. This provided a view of emails that were initially visible to end users, with recommendations on emails that should be removed. With this change, we are now pivoting the investigation email clustering analysis to the ‘latest delivery location’ information. As a result, investigations for things like Zero-hour auto purge (ZAP) or user submissions will show malicious emails that are still present in inbox or junk folders at the time of the investigation and still need removal. The email location information for emails and email clusters will clearly show the latest delivery location and the number of emails ‘in mailbox’, ‘not in mailbox’ (i.e. blocked or remediated), and ‘on-premise/external’ (inaccessible to Defender for Office 365’s remediation). Most importantly, to reduce SecOps work, the email analysis will now only trigger pending email actions when the emails are considered malicious and at least one email is still in a cloud ‘mailbox’.
The latest delivery location and action changes that are currently rolling out apply to both the original emails that triggered the alerts as well as identified email clusters for similar emails and malicious URLs and files. The net effect of these changes is that you’ll see more current location information with fewer email actions required, particularly for ZAP alert investigations. After this change, if you see pending email actions for ZAP investigations, you should review and approve those actions to remove any residual email threats that remain.
The Defender for Office 365 team is also improving investigations to re-analyze the email status after the investigation has completed. Until an investigation’s actions are approved or rejected, the investigation will periodically re-evaluate its email findings and actions against the latest delivery locations and then update the remediation status. This updates the investigation’s findings and the pending actions based on the latest remediations from ZAP, manual admin actions, and other approved automated investigation actions. If all malicious emails with pending actions have been removed from the mailboxes, the actions will cancel, with the incident and action center showing the emails as remediated (with updated location information). If all the investigation’s email actions have been completed by other remediations, then the investigation will change to ‘remediated’, and the original alerts will close.
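The two rules above (act only on a malicious cluster with at least one email still in a cloud mailbox, and cancel the pending action once later remediations such as ZAP have emptied the mailboxes) can be modelled as a small decision routine. This is an added illustration written for this post, not Defender for Office 365's own code; the `Email`, `Location` and `ClusterStatus` types and the sample cluster are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Location(Enum):
    """Latest delivery location buckets as described in the post."""
    IN_MAILBOX = "in mailbox"                   # cloud inbox/junk: remediable
    NOT_IN_MAILBOX = "not in mailbox"           # already blocked or remediated
    ON_PREM_EXTERNAL = "on-premise/external"    # outside Defender's remediation reach


@dataclass
class Email:
    message_id: str
    latest_location: Location


@dataclass
class ClusterStatus:
    counts: dict          # per-location counts shown on the cluster
    pending_action: bool  # True when SecOps approval is still needed
    status: str


def evaluate_cluster(emails, cluster_malicious):
    """Create a pending action only when the cluster is malicious AND at least
    one email is still sitting in a cloud mailbox; otherwise nothing to approve."""
    counts = {loc.value: 0 for loc in Location}
    for e in emails:
        counts[e.latest_location.value] += 1
    still_in_mailbox = counts[Location.IN_MAILBOX.value] > 0
    if cluster_malicious and still_in_mailbox:
        return ClusterStatus(counts, True, "pending approval")
    if cluster_malicious:
        return ClusterStatus(counts, False, "remediated")
    return ClusterStatus(counts, False, "no action")


def reevaluate(emails, cluster_malicious, removed_ids):
    """Periodic re-check while an action is unapproved: fold in later remediations
    (ZAP, admin, other investigations) by moving removed ids to 'not in mailbox'
    and re-run the decision; the pending action cancels once nothing is left."""
    updated = [Email(e.message_id,
                     Location.NOT_IN_MAILBOX if e.message_id in removed_ids
                     else e.latest_location)
               for e in emails]
    return evaluate_cluster(updated, cluster_malicious)


# Constructed sample cluster: one remediable copy, one already purged, one on-prem.
SAMPLE_CLUSTER = [Email("msg-1", Location.IN_MAILBOX),
                  Email("msg-2", Location.NOT_IN_MAILBOX),
                  Email("msg-3", Location.ON_PREM_EXTERNAL)]
```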
Investigations are also being updated to surface to SecOps personnel the most relevant threats, helping ensure they are given sufficient attention and that actions are driving critical containment activities.
In this blog, we talked about the new email analysis improvements in Defender for Office 365 investigations and how they will improve SecOps efficiencies. The new threat types, latest delivery locations, and updates after investigation completion ensure that SecOps teams get clearer threat data, more accurate and recent location information, plus fewer and more focused actions. In the next blog post, we will hear from some of our closest partners leveraging these capabilities in Microsoft Defender for Office 365 to help efficiently and effectively detect and respond to threats. Stay tuned!
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.