How to block phishing with Defender for Office 365

04/14/2024

This technical and educational article guides security analysts, IT administrators, and systems engineers in configuring and optimizing Microsoft Defender for Office 365 (MDO) to block phishing attacks effectively. Phishing remains one of the most prevalent and dangerous cyber threats: it aims to steal credentials, install malware, or trick victims into divulging confidential information. MDO offers a robust suite of anti-phishing features that go beyond the baseline protection of Exchange Online Protection (EOP), providing advanced defenses against sophisticated attacks [1].

Introduction

Phishing attacks have evolved from generic emails to highly targeted and convincing campaigns known as spear-phishing, whaling and business email compromise (BEC). These tactics exploit human trust and can bypass traditional defenses. Microsoft Defender for Office 365 is designed to combat these advanced threats by using artificial intelligence, machine learning, and behavior analysis to detect and block malicious emails before they reach users' inboxes [2].

This practical guide will cover configuring anti-phishing policies in MDO, including spoofing protection, mailbox intelligence, impersonation protection, and secure links and attachments. Step-by-step instructions, configuration examples, and validation methods will be provided so that the reader can strengthen their organization's defense against phishing attacks and educate users on best practices.

Why is Defender for Office 365 essential against phishing?

  • Advanced Protection: Goes beyond EOP, offering detection of zero-day threats and polymorphic attacks.
  • Threat Intelligence: Utilizes Microsoft's vast threat intelligence to identify emerging attack vectors and patterns.
  • Behavioral Analysis: Analyzes the behavior of emails and URLs to identify anomalies that indicate phishing.
  • Impersonation Protection: Defends against emails that attempt to impersonate trusted executives, brands, or partners.
  • Secure Links and Attachments: Scans URLs and attachments in real time at the time of click or opening, protecting against malicious content.
  • Visibility and Reporting: Provides detailed reporting and investigation tools to understand and respond to phishing attacks.

Prerequisites

To configure and optimize anti-phishing policies in Microsoft Defender for Office 365, you will need the following items:

  1. Licensing: A license that includes Microsoft Defender for Office 365 Plan 1 or Plan 2. This is usually part of packages such as Microsoft 365 E5 Security, Microsoft 365 E5, Office 365 E5, or can be purchased as an add-on [3].
  2. Administrative Access: An account with Security Administrator or Compliance Administrator permissions in the Microsoft 365 Defender portal (https://security.microsoft.com).
  3. Verified Domains: Your email domains must be configured and verified in Microsoft 365.
  4. Email DNS Records: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) must be configured correctly for your domains. This is critical for protection against spoofing and impersonation.
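A quick prerequisite check for item 4, as an added example that is not part of the original article: it resolves the SPF and DMARC TXT records for a domain and asks Exchange Online whether DKIM signing is enabled. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName) and an Exchange Online session; the function name and the domain yourcompany.com are placeholders.

```powershell
function Test-MdoDnsPrerequisites {
    # Hypothetical helper: reports whether SPF, DMARC and DKIM are in the state MDO spoof protection needs.
    param([Parameter(Mandatory)][string]$Domain)
    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one TXT record starting with v=spf1, ending in a fail mechanism (-all or ~all)
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } |
           ForEach-Object { $_.Strings -join '' }      # long records arrive split into chunks
    $spf = @($txt | Where-Object { $_ -match '^v=spf1\b' })
    $result.SpfRecordCount = $spf.Count              # more than one record makes SPF permanently fail
    $result.SpfFailMode = if ($spf.Count -eq 1 -and $spf[0] -match '([-~?+]all)\s*$') { $Matches[1] } else { 'none' }

    # DMARC: TXT record at _dmarc.<domain>; only p=quarantine or p=reject stops spoofed mail
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } |
             ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    $result.DmarcPolicy = if ($dmarc -and $dmarc -match '\bp=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }

    # DKIM: Exchange Online must be signing outbound mail for the domain (needs Connect-ExchangeOnline)
    $dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    $result.DkimSigningEnabled = [bool]($dkim -and $dkim.Enabled)

    $result.Ready = ($result.SpfRecordCount -eq 1 -and
                     $result.SpfFailMode -in @('-all', '~all') -and
                     $result.DmarcPolicy -in @('quarantine', 'reject') -and
                     $result.DkimSigningEnabled)
    [pscustomobject]$result
}

Connect-ExchangeOnline
Test-MdoDnsPrerequisites -Domain 'yourcompany.com' | Format-List
```

A domain that reports Ready = False will still accept the policies below, but unauthenticated spoofing cannot be judged reliably until all three records are in place.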

Step by Step: Configuring Anti-Phishing Policies in MDO

Let's configure a custom anti-phishing policy to protect your users.

1. Accessing the Microsoft 365 Defender Portal

  1. Open your browser and navigate to https://security.microsoft.com.
  2. Log in with an account that has the necessary permissions.

2. Creating a Custom Anti-Phishing Policy

Although MDO has a default anti-phishing policy, it is highly recommended to create custom policies for specific user groups (e.g. executives, high-risk users) and to adjust protection settings.

  1. In the left navigation pane, select Email & Collaboration > Policies & Rules > Threat Policies.
  2. In the Policies section, click Anti-phishing.
  3. Click Create to launch the new policy wizard.

Step 1: Name the Policy

  1. Name: Custom Anti-Phishing Policy - Executives (or a descriptive name for your target group).
  2. Description: Advanced phishing protection for executives and high-risk users.
  3. Click Next.

Step 2: Users, Groups and Domains

  1. Users, groups or domains: Select the users or groups to which this policy will apply. For this example, select a security group that contains your executives.
    • Tip: Start with a small test group before applying to the entire organization.
  2. Exclude these users, groups and domains: (Optional) Add any entities that should be excluded from this policy.
  3. Click Next.

Step 3: Phishing Threshold & Impersonation Threshold

This section allows you to configure the level of protection against phishing and impersonation.

  1. Phishing Threshold: It is recommended to set a value of 3 or 4 (default is 1). Higher values offer more protection, but may increase false positives.
  2. Enable Users to Protect: Click Add User and add the email addresses of the executives or key people you want to protect from impersonation (e.g. CEO, CFO). MDO will actively monitor emails that attempt to impersonate these people.
  3. Enable domains to protect: Click Add Domain and add your own domains (e.g. yourcompany.com). This protects against internal and external domain spoofing.
  4. Actions: Set actions for messages detected as impersonation:
    • If message is detected as user impersonation: Quarantine message or Move message to recipient's Junk Email folder.
    • If the message is detected as domain impersonation: Quarantine the message.
    • Tip: Start with Move message to recipient's Junk Email folder or Quarantine the message, rather than a delete action, to avoid losing legitimate emails.
  5. Mailbox Intelligence: Make sure it is On. This allows MDO to use machine learning intelligence to determine normal communication patterns for each user and detect anomalies.
  6. Spoofing Protection: Make sure it is On and set the action for unauthenticated spoofing messages to Move message to recipient's Junk Email folder or Quarantine the message.
  7. Click Next.

Step 4: Review

  1. Review all policy settings.
  2. Click Create.

3. Configuring Safe Attachments

Safe Attachments protects against zero-day malware by opening attachments in a virtualized environment (sandbox) before delivering them to users.

  1. In the left navigation pane, select Email & Collaboration > Policies & Rules > Threat Policies.
  2. In the Policies section, click Safe Attachments.
  3. Click Create.
  4. Name: Safe Attachments Policy.
  5. Description: Scans email attachments in a sandbox to protect against zero-day malware.
  6. Safe Attachments unknown malware response: Select Block.
  7. Redirect detected attachments: (Optional) You can redirect attachments to a security mailbox for further analysis.
  8. Apply to: Select Users, Groups or Domains and add your relevant users or groups.
  9. Click Create.

4. Configuring Safe Links

Safe Links rewrites URLs in emails and documents and checks their reputation at the time of click, protecting against links that turn malicious after delivery.

  1. In the left navigation pane, select Email & Collaboration > Policies & Rules > Threat Policies.
  2. In the Policies section, click Safe Links.
  3. Click Create.
  4. Name: Safe Links Policy.
  5. Description: Protects against malicious URLs in emails and documents.
  6. Apply Safe Links to email messages: Make sure this is Enabled.
  7. Apply Safe Links to content in Office 365 apps: Make sure this is Enabled.
  8. Actions: Configure actions for blocked URLs (e.g. Block malicious URLs).
  9. Do not rewrite the following URLs: (Optional) Add internal or trusted URLs that should not be rewritten.
  10. Apply to: Select Users, Groups or Domains and add your relevant users or groups.
  11. Click Create.
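The three policies from sections 2, 3 and 4 created with Exchange Online PowerShell instead of the portal wizard, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module; the group name Executives, the domain yourcompany.com, the protected users, the security mailbox and the intranet URL are placeholders.

```powershell
# Placeholders: replace the group, domain, addresses and URL with your own values.
Connect-ExchangeOnline

# Anti-phishing policy (wizard Step 3): threshold 3, impersonation, mailbox intelligence, spoof protection
New-AntiPhishPolicy -Name 'Custom Anti-Phishing Policy - Executives' `
    -AdminDisplayName 'Advanced phishing protection for executives and high-risk users' `
    -PhishThresholdLevel 3 `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'Jane Doe;ceo@yourcompany.com', 'John Roe;cfo@yourcompany.com' `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect 'yourcompany.com' `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true -AuthenticationFailAction MoveToJmf
# The rule scopes the policy to the pilot group (wizard Step 2)
New-AntiPhishRule -Name 'Custom Anti-Phishing Rule - Executives' `
    -AntiPhishPolicy 'Custom Anti-Phishing Policy - Executives' -SentToMemberOf 'Executives'

# Safe Attachments: Block verdict, with detected attachments redirected to a security mailbox
New-SafeAttachmentPolicy -Name 'Safe Attachments Policy' `
    -AdminDisplayName 'Scans email attachments in a sandbox to protect against zero-day malware' `
    -Enable $true -Action Block -Redirect $true -RedirectAddress 'secops@yourcompany.com'
New-SafeAttachmentRule -Name 'Safe Attachments Rule' `
    -SafeAttachmentPolicy 'Safe Attachments Policy' -SentToMemberOf 'Executives'

# Safe Links: rewrite and time-of-click scanning in mail, Teams and Office apps; no click-through
New-SafeLinksPolicy -Name 'Safe Links Policy' `
    -AdminDisplayName 'Protects against malicious URLs in emails and documents' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForOffice $true -EnableSafeLinksForTeams $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false `
    -DoNotRewriteUrls 'https://intranet.yourcompany.com/*'
New-SafeLinksRule -Name 'Safe Links Rule' -SafeLinksPolicy 'Safe Links Policy' -SentToMemberOf 'Executives'

# Read the settings back (the equivalent of the wizard's Review step)
Get-AntiPhishPolicy -Identity 'Custom Anti-Phishing Policy - Executives' |
    Select-Object PhishThresholdLevel, EnableMailboxIntelligence, EnableSpoofIntelligence, AuthenticationFailAction
Get-SafeAttachmentPolicy -Identity 'Safe Attachments Policy' | Select-Object Enable, Action, Redirect
Get-SafeLinksPolicy -Identity 'Safe Links Policy' | Select-Object EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
```

Keeping the pilot group small in the three rules matches the tip above; widen the scope with Set-AntiPhishRule, Set-SafeAttachmentRule and Set-SafeLinksRule once false positives have been reviewed.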

Validation and Testing

Validating the effectiveness of anti-phishing policies is crucial to ensure protection is working as expected.

1. Using Attack Simulation Training

MDO includes a phishing attack simulation tool that allows you to test user resilience and the effectiveness of your policies.

  1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Attack simulation training.
  2. Click Start a simulation.
  3. Follow the wizard to create and launch a simulated phishing campaign to a group of test users.
  4. Monitor the results to see how many users were compromised and whether MDO policies intercepted the simulated phishing emails.

2. Checking Protection Logs

  1. In the Microsoft 365 Defender portal, go to Email & collaboration > Explorer.
  2. Use filters to look for emails with Phishing, Spoof or Malware verdicts to see if the policies are detecting malicious emails.

3. Testing Secure Links and Attachments

Send a test email with a known malicious link (e.g. from a secure phishing test site) or a malware test file (e.g. EICAR) to a protected user and check whether MDO rewrites the link or blocks the attachment.

Security Tips and Best Practices

  • User Education: The most important line of defense. Regularly train users to recognize and report phishing emails. Use Attack simulation training to reinforce learning.
  • Set up SPF, DKIM, and DMARC: These DNS records are crucial for email authentication and spoofing protection. Ensure they are configured correctly for all of your domains.
  • Granular Policies: Create personalized anti-phishing policies for different user groups, especially for those at high risk (e.g. executives, finance).
  • Increase Phishing Threshold: Consider raising the phishing threshold to 3 or 4 in custom policies for greater protection, while monitoring for false positives.
  • Monitor Reports: Regularly review threat protection reports in MDO to identify trends, targeted attacks, and areas where protection can be improved.
  • Integrate with Defender for Endpoint: Email protection and endpoint protection work together for layered defense. If a user clicks a malicious link, Defender for Endpoint can help detect and remediate the threat on the device.

Common Troubleshooting

  • Real phishing emails getting through: Check your anti-phishing policy settings, especially the phishing threshold and the actions for impersonation and spoofing. Make sure SPF, DKIM, and DMARC are configured correctly. Review the logs in Threat Explorer.
  • False positives (legitimate emails blocked): Adjust phishing thresholds to a lower value. Check impersonation and spoofing settings. Add trusted senders or domains to the exceptions list (if necessary, with caution).
  • Unrewritten links or unscanned attachments: Verify that the Safe Links and Safe Attachments policies are enabled and assigned to the correct users. Confirm that the email is being routed through MDO.
  • Attack simulation training issues: Verify that test users are included in the correct groups and that no policies are blocking simulation emails before they reach users.

Conclusion

Microsoft Defender for Office 365 is a powerful and indispensable tool in the fight against phishing. By configuring and optimizing anti-phishing, Safe Attachments, and Safe Links policies, organizations can establish a robust defense against a wide range of malicious email attacks. Combining advanced technology with ongoing user education creates a layered security strategy that effectively protects company identities, data, and reputation. Constant vigilance and policy adaptation are essential to remain effective against ever-evolving phishing tactics.


References:

[1] Microsoft Learn. Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/defender-for-office365/microsoft-defender-for-office-365?view=o365-worldwide
[2] Microsoft Learn. Anti-phishing policies in Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/defender-office-365/anti-phishing-policies-about
[3] Microsoft Learn. Microsoft Defender for Office 365 licensing requirements. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/defender-for-office365/mdo-faq?view=o365-worldwide#what-are-the-licensing-requirements-for-microsoft-defender-for-office-365