Office 365’s adoption is growing at the speed of light, and that means that it is also growing as an attack vector. Combining this with the growth in email-based malware and phishing attacks we need Microsoft to step up to the plate and protect us, and of course, they have!
In a previous article, I wrote about Windows Defender Advanced Threat Protection and said that we would look at the Office 365 version next. APT features two power plays that almost no one else can offer.
O365 ATP makes up the third side of the protection triangle that started by detecting an on-premises attack with ATA, it then covered an attack on the device with Windows Defender ATP, and now we are stopping an attack vector through email with a very similar technology.
O365 ATP has a detonation chamber for attachments and can rewrite unsafe links preventing both attacks reaching the end user. Office 365 ATP is made up of two components
Let’s explore them a little more…
Safe attachments begin with a policy that deals with what to do with attachments sent to a user via O365. The actions range from;
Once we decide what we are going to do with an attachment we can then decide whom this applies to. A simple default policy could likely;
· Dynamically deliver the mail (with a notice that an attachment is being scanned and will be delivered shortly, if safe)
· Apply this at the enterprise level
This policy would inspect all attachments company-wide. A short delay would be experienced by all users of around 2-8 minutes.With safe attachments, we have a number of options we can take, but the most useful are to apply a company policy to deliver the body of an email and send all attachments to the detonation chamber. After a short delay, the email attachments gets delivered (or not) to the original email if it’s safe. With this policy we know the email got there ok, we can read the mail and wait for the attachment to be cleared.
Phishing attacks in email send an internet link that often looks legitimate but leads the end user to a nefarious location. Safe Links scans the URL and then cross references it with known attack locations.
Just like Safe Attachments, Safe Links is configured as a policy online. There are fewer options in Safe Links than Safe Attachments, and it’s a very easy policy to configure. The policy settings allow us to do;
Safe links verification happens in near real time and does not have the same delay as Safe Attachments does.
As with all these articles there I have recorded a youtube video that explains the process.
We started off this journey with the usual “Sky is Falling” internet security panic, but that is really just to set the stage. The point is that is the sky is falling from a security perspective, but Microsoft offers you real tools to keep your users, endpoints, and data safe.