Announcing Priority Account Protection in Microsoft Defender for Office 365

Published 09-22-2020 08:00 AM 11.6K Views
Microsoft

Today I am incredibly excited to announce the public preview of a critical new feature in the Microsoft Defender for Office 365 portfolio - Priority Account Protection. This capability is extremely valuable in helping security teams prioritize focus on critical individuals within the organization, offer them differentiated protection and thwart costly breaches in the process.

 

Girish_Chander_0-1600732327389.png

 

 

Before I dive in further, I want to make sure that you did not miss the other piece of exciting news we announced today – the rebranding of Office 365 Advanced Threat Protection to Microsoft Defender for Office 365. Read more about the new Microsoft 365 Defender suite here.

Now back to Priority Account Protection and why we’re so excited about it.

 

The challenge for security teams

It is unfortunately not surprising anymore to learn that cyberattacks are on the rise or that phishing campaigns are a preferred tool in attacker’s toolkits. Over the past few years, attackers have increasingly moved from targeting infrastructure or devices to targeting users and duping them to give up credentials or sensitive data directly. And, with over 90% of attacks originating over email, it is clear that this old collaboration staple has remained a favorite vector to target users with.

 

What is interesting, however, is the increasing level of user-targeting and sophistication in these attacks. Attackers make use of well-researched information about the intended victim to make the emails look even more compelling and convincing, thereby increasing the chances of duping the target. As an example, Business Email Compromise (BEC) attacks, one flavor of very targeted attacks, have increased significantly in recent times. Last year, the FBI reported that global losses due to BEC attacks totaled $26 billion over the preceding three fiscal years, with a 100% increase in the final year. Other types of targeted phishing attacks can be equally devastating.

 

Obviously, the more visible the user, the easier it is to get information about them to target them with. And the more privileged the user, the more valuable the information they have access to---making them prime, not to mention, lucrative targets for attacks.

 

Protecting the most visible and targeted users

In response to the changed realities of this increasingly sophisticated and targeted threat landscape, organizations need differentiated protection for their most visible and targeted employees. This is often the members of the C-suite who routinely deal with sensitive and secret information and have the added advantage (from the attacker’s point of view) of being extremely visible and research-able. However, individuals in the C-suite are not the only ones that can be targeted. Very often, users lower down in the organization hierarchy have access to critical tools and information. And these users make prime targets as well. We frequently see such examples of attacks in the news - a user with access to critical administrative tools being a victim of a targeted attack that winds up making a larger scale attack embarrassingly possible.

 

These most visible and most targeted accounts - these “priority accounts” - demand more protection and more attention from security teams. From the point-of-view of security teams, monitoring these priority accounts closely can yield early warning signals and important threat intelligence signals to protect the organization better.

 

And security teams are actively looking for mechanisms to do this easily.

 

Introducing Priority Account Protection

Having deeply internalized the need to adapt to the threat attack patterns referenced above, a lot of security teams we work with want to put in place workflows and systems to better protect Priority Accounts.

 

With Priority Account Protection in Defender for Office 365, security teams can now realize these workflows using the experiences in Office 365. Let’s review a few of them.

 

Prioritizing alerts involving Priority Accounts

The focus of security teams is often dictated by the Alert queue. With Priority Account Protection, all alerts involving any of these Priority Accounts are automatically tagged as such. This allows security teams to prioritize their focus on these alerts first – especially when alert volumes are high.

 

Girish_Chander_1-1600732327415.png

 

 

Girish_Chander_2-1600732327445.png

 

 

Some customers we work with even have dedicated sub-teams to investigate and respond to alerts targeting their C-suite. Now, they can choose to direct these ‘Priority Account’ alerts to these specific sub-teams.

 

Priority Accounts and Threat Investigation

As security teams investigate alerts, emails, or attacks using the Threat Explorer feature (shown below) within Defender for Office 365, it will now be noticeably clear which of these attacks impacted Priority Accounts. This will allow teams to automatically prioritize certain investigations higher. Additionally, they can actively filter on Priority Accounts to further help optimize their focus.

 

Girish_Chander_3-1600732327460.png

 

 

Identifying campaigns targeting Priority Accounts

Priority Account integration with Campaign Views (shown below) within Defender for Office 365, allows security teams to quickly identify campaigns that impact an organization's most visible or targeted users.

 

With the support for Priority Accounts, SecOps teams investigating a campaign will be able to determine if any Priority Account users were impacted and actively search for campaigns involving Priority Accounts.

 

Girish_Chander_4-1600732327472.png

 

 

Girish_Chander_5-1600732327490.png

 

 

Prioritizing submissions reported by Priority Accounts

Optics into what users are reporting as attacks landing in their inbox can serve as a strong signal for Security teams to gear into action and thwart campaigns before the breach proves costly. The Report message add-in and the submissions explorer experiences within Defender for Office 365 are tightly integrated to help give security teams this early warning signal.

 

Over the next few months, Priority Accounts will be integrated with Submission explorer. With this upcoming work, submissions from any of the Priority Accounts will be explicitly tagged, and filterable, allowing security teams to first focus on these submissions over others.

 

Proactively investigating attacks targeting Priority Accounts

A lot of organizations we work with have a dedicated team of security hunters who are looking to scrutinize attacks targeting their C-suite - to learn about attack patterns and attackers themselves.

Within Defender for O365 all malicious emails are automatically quarantined allowing security teams to review these emails in the quarantine experience within the portal.

 

Over the next few months, Priority Account protection will be integrated with quarantine experience within Defender for Office 365. With this upcoming integration, any email targeted at one of these accounts will be tagged as such. What’s more, it will be extremely easy to filter the view to only look at malicious emails that were targeted at Priority Accounts.

 

As always, any further exploration of the emails will possible in Threat Explorer as called out above.

 

Assessing trends of malicious emails targeting Priority Accounts

Filtering capabilities are now available for the Threat protection status report for a more granular assessment of malicious email messages going to the most targeted individuals in the organization.

 

Girish_Chander_0-1600735138204.png

 

Customizing workflows

Priority Accounts as described above greatly enhance the ability for security teams to optimize their focus and improve their efficiency.

 

But, as we often do, we went one step further.

 

Priority Account Protection is built on a powerful underlying capability called ‘Tags’. Users identified as Priority Accounts are effectively tagged as such. But with the way we’ve built this, security teams can define their own attributes or Tags. For example, security teams can choose to define a tag called ‘susceptible users’ to describe those users who have an increased propensity to fall prey to attacks.

 

 

Girish_Chander_1-1600734479379.png

 

 

Once defined, these tags will be infused into security workflows as called out above – in alerts, Threat Explorer, Campaign Views, and more. For example, custom alert policies scoped to specific tags can be created, following which alerts on a particular mail recipient will be enriched with the tags that are assigned to that recipient.

 

Go on…give it a try!

This feature is rolling out into public preview starting today. So, you will start seeing it light up in your tenants over the next few weeks.

 

Priority Account Protection will be available to customers with Defender for Office 365 Plan 2, including those with Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 Security.

 

We’ve been partnering very closely with a number of customers to learn about their challenges and their desires to shape our thinking and the evolution of this feature. Customers that have seen early previews of this capability love it so far. We’re very excited for you to try this out as well. And we hope you’ll love it too!

 

Tune in to our on demand session at Ignite this week to learn more.

4 Comments
Senior Member

Hi,

 

nice & good feature but why "Priority Account Protection" is available only for tenant with 10.000 licences. -> Under 10.000 licences, do you think that companies do not need to be protected? ...  


note : "At least 10,000 licenses" -> https://docs.microsoft.com/fr-fr/microsoft-365/admin/setup/priority-accounts?view=o365-worldwide 

Regular Visitor

@Ols_75 asks an interesting question. Why is there a requirement to need at least 10,000 licenses?

Occasional Contributor

we have M365 E5 and I still do not see the ability to add Priority Tags.  What am I missing?

Microsoft

@JamesRV - Do you not see Priority Accounts under Settings > Users, in the Microsoft security dashboard?

Version history
Last update:
‎Sep 22 2020 08:00 AM
Updated by: