Configuring Microsoft Defender for Office 365 for Advanced Threat Protection


01/12/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring and optimizing Microsoft Defender for Office 365 (MDO), a robust solution for advanced protection against email and collaboration threats. In a scenario where email remains the main vector for cyber attacks such as phishing, malware and spam, MDO offers essential layers of defense to protect users and the organization [1].

Introduction

Email is an indispensable communication tool, but also a frequent entry point for cyber threats. Phishing attacks, ransomware delivered via malicious attachments, business email compromise (BEC), and spoofing are common tactics that aim to exploit user trust and bypass traditional defenses. Microsoft Defender for Office 365 (formerly known as Office 365 Advanced Threat Protection - ATP) is a cloud-based security suite designed to protect against these advanced threats, offering features such as Safe Attachments, Safe Links, anti-phishing, anti-spoofing, and anti-malware protection [2].

This practical guide will cover step-by-step configuration of MDO's key features, including creating policies for Safe Attachments, Safe Links, anti-phishing, and anti-malware. Detailed instructions, practical examples, and actual commands (when applicable) will be provided so that the reader can implement, test, and validate the effectiveness of these protections. Additionally, security tips, compliance checks and best practices will be discussed to ensure your organization is protected against the latest threats, autonomously, professionally and reliably.

Why is Microsoft Defender for Office 365 crucial?

  • Advanced Threat Protection: Defends against sophisticated attacks like targeted phishing, ransomware, zero-day malware, and business email compromise (BEC) that traditional defenses may not detect.
  • Safe Attachments: Opens email attachments in a virtual sandbox environment to check whether they are malicious before delivering them to users, protecting against unknown malware.
  • Safe Links: Rewrites URLs in emails and documents to verify their security at the time of click, protecting users from malicious links, even if the original URL was safe at the time of delivery.
  • Anti-Phishing and Anti-Spoofing Protection: Uses machine intelligence and advanced heuristics to identify and block phishing emails and spoofing attempts.
  • Reporting and Analytics: Provides detailed visibility into detected threats, enabling security teams to investigate incidents and adjust policies as needed.
  • Microsoft 365 Integration: Natively integrates with Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams, providing comprehensive protection across the entire collaboration ecosystem.

Prerequisites

To configure Microsoft Defender for Office 365, you will need the following items:

  1. Licensing: MDO is included in licenses such as Microsoft 365 E5, Office 365 E5, Microsoft 365 E5 Security, or can be purchased as an add-on to other Microsoft 365/Office 365 subscriptions [3].
  2. Administrative Access: An account with the role of Global Administrator or Security Administrator in the Microsoft 365 Defender portal (https://security.microsoft.com).
  3. Configured Domains: Your domains must be configured and validated in Microsoft 365, with the MX records pointing to Exchange Online Protection (EOP).

Step by Step: Configuring Microsoft Defender for Office 365

Let's configure advanced protection policies in MDO.

1. Accessing the Microsoft 365 Defender Portal

All MDO settings are managed from the unified Microsoft 365 Defender portal.

  1. Open your browser and navigate to the Microsoft 365 Defender portal: https://security.microsoft.com.
  2. Log in with an account that has the necessary permissions.
  3. In the left navigation pane, select Email & Collaboration > Policies and Rules > Threat Policies.

2. Configuring the Safe Attachments Policy

Safe Attachments policies protect against zero-day malware in email attachments.

  1. On the Threat Policies page, select Safe Attachments.
  2. Click +Create to launch the new Safe Attachments policy wizard.
  3. Policy name: Give it a meaningful name (e.g. Global Safe Attachments Policy).
  4. Description: Provide a clear description (e.g. Protection against malicious attachments for all users).
  5. Click Next.

  6. Users, groups and domains:

    • Under Users and groups, select All users or add specific users/groups. For comprehensive protection, All Users is recommended.
    • Under Domains, select All Domains or specific domains.
  7. Click Next.

  8. Settings:

    • Safe Attachments Malware Response Action: Select Block.
      • Explanation: This is the safest action as it blocks emails with detected malicious attachments.
    • Redirect detected attachments: Optionally, redirect detected malicious attachments to a dedicated security mailbox for analysis.
    • Priority: Leave the default value, or set a priority if you have multiple policies.
  9. Click Next.

  10. Review: Review the settings and click Submit to create the policy.
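As an added example (not part of the article and not Microsoft's own documentation), the same Safe Attachments policy created with the Exchange Online PowerShell module, which is the route you would take to script or audit the settings across several tenants. The admin account, domain and redirect mailbox are placeholders; the module must be installed with Install-Module ExchangeOnlineManagement beforehand.

```powershell
# Added example: Safe Attachments policy via Exchange Online PowerShell.
# Placeholders: admin@contoso.onmicrosoft.com, contoso.com, secops-quarantine@contoso.com
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Global Safe Attachments Policy'

# The *policy* holds the settings. Action Block = do not deliver messages whose
# attachments are detonated as malware; Redirect sends a copy to an analysis mailbox.
New-SafeAttachmentPolicy -Name $policyName `
    -AdminDisplayName 'Protection against malicious attachments for all users' `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress 'secops-quarantine@contoso.com'

# The *rule* decides who the policy applies to. Priority 0 is evaluated first;
# use SentTo / SentToMemberOf instead of RecipientDomainIs for narrower scopes.
New-SafeAttachmentRule -Name $policyName `
    -SafeAttachmentPolicy $policyName `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# Check: Enable must be True and Action must be Block, and the rule must be Enabled.
Get-SafeAttachmentPolicy -Identity $policyName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity $policyName |
    Format-List Name, State, Priority, RecipientDomainIs
```

A policy with no rule attached does nothing, which is a common reason a scripted deployment looks correct in Get-SafeAttachmentPolicy output but never blocks anything; always create both objects and confirm the rule's State is Enabled.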

3. Configuring the Safe Links Policy

Safe Links policies protect against malicious URLs in emails and other Microsoft 365 apps.

  1. On the Threat Policies page, select Safe Links.
  2. Click +Create to launch the new Safe Links policy wizard.
  3. Policy name: Give a meaningful name (ex: Global Safe Links Policy).
  4. Description: Provide a clear description (e.g. Protection against malicious URLs for all users).
  5. Click Next.

  6. Users, groups and domains:

    • Under Users and groups, select All users or add specific users/groups.
    • Under Domains, select All Domains or specific domains.
  7. Click Next.

  8. URL and Click Protection Settings:

    • Select action for potentially malicious URLs: Select Enable Safe Links in email.
    • Apply Safe Links to email messages sent within the organization: Check this option to protect internal links.
    • Apply Safe Links to URLs in supported Office 365 clients: Check this option to secure links in applications such as Teams, Word, Excel and PowerPoint.
    • Do not rewrite URLs, do checks via Safe Links API only: Leave this option unchecked, as rewriting is crucial for protection.
    • Block users from clicking on original URLs: Check this option so that users cannot bypass verification.
    • Do not rewrite the following URLs: Optionally, add trusted URLs that should not be rewritten or verified (e.g. your organization's internal URLs).
  9. Click Next.

  10. Review: Review the settings and click Submit to create the policy.
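As an added example (not from the article or from Microsoft), the same Safe Links policy built with New-SafeLinksPolicy, using splatting so each wizard option maps to a named parameter. The admin account, domain and the intranet exception are placeholders.

```powershell
# Added example: Safe Links policy via Exchange Online PowerShell.
# Placeholders: admin@contoso.onmicrosoft.com, contoso.com, intranet.contoso.com
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Global Safe Links Policy'

$safeLinks = @{
    Name                     = $policyName
    AdminDisplayName         = 'Protection against malicious URLs for all users'
    EnableSafeLinksForEmail  = $true    # "Enable Safe Links in email"
    EnableForInternalSenders = $true    # also messages sent within the organization
    EnableSafeLinksForOffice = $true    # Word, Excel, PowerPoint, ...
    EnableSafeLinksForTeams  = $true
    ScanUrls                 = $true    # scan links in messages at delivery time
    DeliverMessageAfterScan  = $true    # hold the message until the scan completes
    DisableUrlRewrite        = $false   # keep rewriting on (API-only checks are off)
    AllowClickThrough        = $false   # "Block users from clicking on original URLs"
    TrackClicks              = $true    # required to see click details in Threat Explorer
    DoNotRewriteUrls         = @('intranet.contoso.com')   # placeholder exception list
}
New-SafeLinksPolicy @safeLinks

# Scope the policy to recipients via a rule (priority 0 = evaluated first).
New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Check the two settings that most often turn Safe Links into a no-op:
# DisableUrlRewrite must be False and AllowClickThrough must be False.
Get-SafeLinksPolicy -Identity $policyName |
    Format-List Name, EnableSafeLinksForEmail, EnableForInternalSenders,
                DisableUrlRewrite, AllowClickThrough, TrackClicks, DoNotRewriteUrls
```

Review the DoNotRewriteUrls list whenever you audit the policy: every entry is a URL that is neither rewritten nor checked at click time, so it should contain only hosts you control.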

4. Configuring Anti-Phishing Policy

Anti-phishing policies protect against spoofing and other phishing attacks.

  1. On the Threat Policies page, select Anti-phishing.
  2. Click +Create to launch the new Anti-Phishing policy wizard.
  3. Policy name: Give it a meaningful name (e.g. Global Anti-Phishing Policy).
  4. Description: Provide a clear description (e.g. Phishing and spoofing protection for all users).
  5. Click Next.

  6. Users, groups and domains:

    • Under Users, Groups and Domains, select All Users, All Groups and All Domains respectively. You can also exclude some users or groups if necessary.
  7. Click Next.

  8. Phishing Threshold and Impersonation Protection:

    • Phishing threshold: Set the level of aggressiveness of the protection. Standard or Aggressive is recommended for most organizations.
    • Enable Impersonation Intelligence: Keep Enabled.
    • Enable Mailbox Intelligence: Keep On.
    • Enable user impersonation protection: Click +Add User to protect executive or high-value users.
    • Enable domain impersonation protection: Click +Add Domain to protect your own and partner domains.
  9. Click Next.

  10. Actions:

    • Messages detected as spoofing: Select Move message to Junk Email or Quarantine message.
    • Messages detected as user impersonation: Select Quarantine the message.
    • Messages detected as domain impersonation: Select Quarantine the message.
    • Messages detected as phishing: Select Quarantine the message.
  11. Click Next.

  12. Review: Review the settings and click Submit to create the policy.
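As an added example (not from the article or from Microsoft), the anti-phishing policy created with New-AntiPhishPolicy. The threshold, impersonation and action settings mirror the wizard pages above; the admin account, the protected executive, the partner domain and the tenant domain are placeholders.

```powershell
# Added example: anti-phishing policy via Exchange Online PowerShell.
# Placeholders: admin@contoso.onmicrosoft.com, contoso.com, ceo@contoso.com, partner.example
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Global Anti-Phishing Policy'

$antiPhish = @{
    Name                                = $policyName
    AdminDisplayName                    = 'Phishing and spoofing protection for all users'
    Enabled                             = $true
    # Phishing threshold: 1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive
    PhishThresholdLevel                 = 2
    # Spoof intelligence and the action for messages detected as spoofing
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'   # or 'MoveToJmf' for Junk Email
    # Mailbox intelligence and its impersonation action
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    # User impersonation: "DisplayName;email" entries for executives / high-value users
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Chief Executive;ceo@contoso.com')   # placeholder
    TargetedUserProtectionAction        = 'Quarantine'
    # Domain impersonation: your own accepted domains plus partner domains
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('partner.example')   # placeholder
    TargetedDomainProtectionAction      = 'Quarantine'
    # Safety tips shown to users on impersonation / first-contact messages
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
New-AntiPhishPolicy @antiPhish

New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Check: threshold, spoof/impersonation actions and the protected lists.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, Enabled, PhishThresholdLevel, AuthenticationFailAction,
                TargetedUsersToProtect, TargetedUserProtectionAction,
                TargetedDomainsToProtect, TargetedDomainProtectionAction
```

Keep the TargetedUsersToProtect list short and current: every entry is matched against display names and addresses of inbound mail, so stale entries for people who have left the organization only add noise to the impersonation detections you have to triage.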

5. Configuring Anti-Malware Policy

Anti-malware policies protect against malicious software in emails.

  1. On the Threat Policies page, select Anti-Malware.
  2. You will see a default policy (Default) that applies to all recipients. For customizations, you can create a new policy or edit the default one.
  3. Click + Create (or select the Default policy and click Edit Protection).
  4. Policy name: Give it a name (ex: Custom Anti-Malware Policy).
  5. Description: Provide a description.
  6. Click Next.

  7. Users, groups and domains:

    • Select All Recipients or add specific users/groups/domains.
  8. Click Next.

  9. Protection Settings:

    • Protection section: Keep the Enable common attachment filter and Enable automatic zero-hour discard for malware options enabled.
    • Quarantine section: Define how long malware messages should be kept in quarantine (e.g. 30 days).
    • Notification section: Configure notifications for administrators and senders/recipients when malware is detected.
  10. Click Next.

  11. Review: Review the settings and click Submit to create/update the policy.
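As an added example (not from the article or from Microsoft), a custom anti-malware policy created with New-MalwareFilterPolicy. The common attachment filter, zero-hour auto purge and admin notifications correspond to the Protection and Notification sections above; the admin account, domain and notification mailbox are placeholders. The built-in AdminOnlyAccessPolicy quarantine policy keeps malware quarantine visible to administrators only.

```powershell
# Added example: anti-malware policy via Exchange Online PowerShell.
# Placeholders: admin@contoso.onmicrosoft.com, contoso.com, secops@contoso.com
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Custom Anti-Malware Policy'

$malware = @{
    Name                                   = $policyName
    AdminDisplayName                       = 'Custom anti-malware policy for all recipients'
    EnableFileFilter                       = $true      # common attachment filter (default type list)
    FileTypeAction                         = 'Reject'   # 'Reject' (NDR to sender) or 'Quarantine'
    ZapEnabled                             = $true      # zero-hour auto purge of already-delivered malware
    QuarantineTag                          = 'AdminOnlyAccessPolicy'
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = 'secops@contoso.com'   # placeholder
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = 'secops@contoso.com'   # placeholder
}
New-MalwareFilterPolicy @malware

New-MalwareFilterRule -Name $policyName -MalwareFilterPolicy $policyName `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Check the filter state and list which extensions the common attachment filter rejects.
Get-MalwareFilterPolicy -Identity $policyName |
    Format-List Name, EnableFileFilter, FileTypeAction, ZapEnabled, QuarantineTag
(Get-MalwareFilterPolicy -Identity $policyName).FileTypes -join ', '
```

If you pass your own FileTypes list it replaces the default list rather than extending it, so export the default list first (the last line above) and append to it rather than typing a shorter list from memory.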

Validation and Testing

It is critical to test the effectiveness of configured policies to ensure they work as expected.

1. Testing Safe Attachments

  1. Scenario: Send an email from an external address to an internal user with a harmless test file that simulates malware (e.g. an EICAR file, the standard antivirus test pattern). EICAR test files are available from various security websites.
  2. Expected Action: The email with the EICAR file should be blocked or moved to quarantine, and the attachment should not be delivered to the user.
  3. Verification:
    • In the Microsoft 365 Defender portal, navigate to Email & Collaboration > Explorer (or Message Tracking).
    • Search for the test email. You should see that it has been detected and blocked by the Safe Attachments policy.

2. Testing Safe Links

  1. Scenario: Send an email from an external address to an internal user containing a link to a phishing test site (e.g. http://www.phishtest.com or a link to a malware test site). Make sure the link does not point to a real malicious website that could cause harm.
  2. Expected Action: When the user clicks the link, they should be redirected to a Safe Links warning page, informing them that the site is malicious or suspicious, and access should be blocked.
  3. Verification:
    • In the Microsoft 365 Defender portal, navigate to Email & Collaboration > Explorer.
    • Search for the test email. You should see click details for the link and that it was blocked by Safe Links.

3. Testing Anti-Phishing and Anti-Spoofing

  1. Scenario:
    • Spoofing: Send an email from an external address that spoofs your organization's domain (e.g. [email protected] from an unauthorized email server).
    • Impersonation Phishing: Send an email from an external address that looks like the address of an executive protected by the impersonation policy (e.g. [email protected]).
  2. Expected Action: Emails should be moved to the quarantine or junk folder as configured in the anti-phishing policy.
  3. Verification:
    • Check the user's quarantine or junk folder.
    • In the Microsoft 365 Defender portal, navigate to Email & Collaboration > Explorer.
    • Search for test emails. You should see that they have been detected and handled by anti-phishing/anti-spoofing policies.
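As an added example (not from the article or from Microsoft), a PowerShell check that complements the portal verification for all three tests: a message trace shows what EOP/MDO did with each test message, and a quarantine query confirms the EICAR message arrived as Malware and the spoof/impersonation messages as Phish. The recipient address and subject tag are placeholders; the function returns objects so the output can be piped or compared in a script.

```powershell
# Added example: verify test messages with a message trace and a quarantine query.
# Placeholders: admin@contoso.onmicrosoft.com, alice@contoso.com, subject tag "[MDO-TEST]"
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

function Get-TestMessageOutcome {
    param(
        [Parameter(Mandatory)] [string] $Recipient,
        [string] $SubjectContains = '[MDO-TEST]',
        [int]    $LookbackHours   = 24
    )
    $end   = Get-Date
    $start = $end.AddHours(-$LookbackHours)

    Get-MessageTrace -RecipientAddress $Recipient -StartDate $start -EndDate $end |
        Where-Object { $_.Subject -like "*$SubjectContains*" } |
        ForEach-Object {
            [pscustomobject]@{
                Received  = $_.Received
                Sender    = $_.SenderAddress
                Subject   = $_.Subject
                # Expected: Quarantined for EICAR, spoof and impersonation tests;
                # FilteredAsSpam if the policy moves spoof to Junk Email;
                # Delivered means the policy did not fire - investigate in Explorer.
                Status    = $_.Status
                MessageId = $_.MessageId
            }
        }
}

Get-TestMessageOutcome -Recipient 'alice@contoso.com' | Format-Table -AutoSize

# Quarantine view: Type should read Malware for the EICAR message and Phish for the
# spoof / impersonation messages. PolicyName tells you which policy acted.
Get-QuarantineMessage -RecipientAddress 'alice@contoso.com' `
    -StartReceivedDate (Get-Date).AddDays(-1) |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, PolicyName, Released |
    Format-Table -AutoSize
```

Put a fixed tag such as [MDO-TEST] in every test subject so the trace filter stays reliable, and run the check from an account that holds only the read-only roles it needs; neither cmdlet requires Global Administrator.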

Security Tips and Best Practices

  • Predefined Security Policies: Consider using the predefined security policies (Standard and Strict) in MDO. They apply settings recommended by Microsoft for fast and effective protection [4].
  • User Education: Technology is only part of the solution. Train your users regularly on how to identify and report phishing emails and other threats. Microsoft Attack Simulation Training can be a valuable tool for this.
  • Continuous Monitoring: Monitor reports and Threat Explorer in the Microsoft 365 Defender portal regularly to identify attack trends, high-risk users, and adjust policies as needed.
  • Exceptions with Caution: Use exceptions (e.g. Do not check the following URLs in Safe Links) with extreme caution and only for domains that are proven to be safe and necessary.
  • Policy Priority: Understand how policy priority works. More specific policies must have a higher priority (smaller number) to be applied before more general policies.
  • Integration with Microsoft Sentinel: Send MDO logs and alerts to Microsoft Sentinel for a centralized view of security and incident response automation.
  • Collaboration Protection: Remember that MDO protects not just emails, but also files in SharePoint, OneDrive, and messages in Teams. Make sure these protections are enabled and configured.

Common Troubleshooting

  • Malicious emails are not being blocked:
    • Ensure policies are Enabled and applied to the correct users/groups/domains.
    • Check the priority of your policies. A less aggressive policy with a higher priority (lower number) may be applied first.
    • Use Message Tracking in the Exchange Admin Center (EAC) or Threat Explorer in the Microsoft 365 Defender portal to see how a specific email was processed.
    • Check that there are no exceptions or allow lists that are allowing delivery.
  • False positives (legitimate emails blocked):
    • Investigate the email in Threat Explorer to understand why it was blocked.
    • Adjust policy sensitivity (e.g. less aggressive phishing threshold).
    • Whitelist trusted senders or domains, but do so with caution.
    • Submit the email for Microsoft review to improve detection.
  • Links are not being rewritten by Safe Links:
    • Check that the Safe Links policy is On and applied to the correct users/groups/domains.
    • Make sure Do not rewrite URLs, do checks via Safe Links API only is unchecked (unless intended for specific scenarios).
    • Make sure the link is not on the Do not rewrite the following URLs list.
  • Malicious attachments are not being detected:
    • Make sure the Safe Attachments policy is Enabled and set to Block.
    • Check the file type. Safe Attachments focuses on file types that may contain executable content or scripts.
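As an added example (not from the article or from Microsoft), a read-only diagnostic that walks the troubleshooting checklist above in one pass: rule order per policy type, Safe Links settings that silently disable rewriting or allow bypass, Safe Attachments policies that are not blocking, and the allow lists that can let a message through regardless of policy. It only needs the admin account placeholder; nothing is changed.

```powershell
# Added example: read-only MDO policy diagnostic for the troubleshooting checklist.
# Placeholder: admin@contoso.onmicrosoft.com
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Rule evaluation order. The lowest Priority number wins, so a broad, lenient rule
#    at priority 0 shadows a stricter rule at priority 1 for the same recipients.
foreach ($cmd in 'Get-SafeAttachmentRule', 'Get-SafeLinksRule', 'Get-AntiPhishRule', 'Get-MalwareFilterRule') {
    "== $cmd =="
    & $cmd | Sort-Object Priority |
        Format-Table Priority, Name, State, RecipientDomainIs, SentToMemberOf, ExceptIfSentTo -AutoSize
}

# 2. Safe Links: links are not rewritten when DisableUrlRewrite is True or the URL is
#    on the do-not-rewrite list; AllowClickThrough True lets users bypass the warning.
'== Safe Links policies =='
Get-SafeLinksPolicy |
    Format-Table Name, EnableSafeLinksForEmail, DisableUrlRewrite, AllowClickThrough,
                 @{ n = 'DoNotRewriteUrls'; e = { $_.DoNotRewriteUrls -join ', ' } } -AutoSize

# 3. Safe Attachments: flag policies that are disabled or whose action is not Block.
'== Safe Attachments policies not blocking =='
Get-SafeAttachmentPolicy |
    Where-Object { -not $_.Enable -or $_.Action -ne 'Block' } |
    Format-Table Name, Enable, Action -AutoSize

# 4. Allow lists that override filtering: anti-spam policy allowed senders/domains and
#    the Tenant Allow/Block List allow entries (sender and URL).
'== Anti-spam allowed senders / domains =='
Get-HostedContentFilterPolicy |
    Format-Table Name, AllowedSenders, AllowedSenderDomains -AutoSize
'== Tenant Allow/Block List: allow entries =='
Get-TenantAllowBlockListItems -ListType Sender -Allow | Format-Table Value, ExpirationDate, Notes -AutoSize
Get-TenantAllowBlockListItems -ListType Url -Allow    | Format-Table Value, ExpirationDate, Notes -AutoSize
```

Run this before touching the portal when a test message was delivered unexpectedly: in practice the cause is usually one of the four sections above rather than a detection gap, and the allow-list section in particular catches entries that were added "temporarily" and never removed.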

Conclusion

Microsoft Defender for Office 365 is a powerful and essential tool for protecting organizations against the ever-evolving landscape of email and collaboration-based threats. By carefully implementing and optimizing Safe Attachments, Safe Links, Anti-phishing, and Anti-malware policies, security teams can build a robust defense that protects users against sophisticated attacks. The combination of advanced detection, automated remediation, and in-depth investigation tools allows organizations to maintain productivity while mitigating significant risks. With this practical guide, security professionals will be well-equipped to configure, validate, and manage Microsoft Defender for Office 365, ensuring a more secure and resilient communication and collaboration environment for their organizations.


References:

[1] Microsoft Learn. Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/defender-office-365/
[2] Microsoft Learn. Overview of the protection stack in Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/defender-office-365/protection-stack-microsoft-defender-for-office365
[3] Microsoft Learn. Licensing of Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/defender-office-365/mdo-licensing
[4] Microsoft Learn. Recommended settings for EOP and Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/defender-office-365/recommended-settings-for-eop-and-office365
[5] Microsoft Learn. Configure Safe Attachments policies in Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/defender-office-365/safe-attachments-policies-configure
[6] Microsoft Learn. Configure Safe Links policies in Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/defender-office-365/safe-links-policies-configure
[7] Microsoft Learn. Anti-phishing policies in Microsoft Defender for Office 365. Available at: https://learn.microsoft.com/pt-br/defender-office-365/anti-phishing-policies-mdo
[8] Microsoft Learn. Configure anti-malware policies in EOP. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide