Today we’re thrilled to announce general availability of differentiated protection for priority accounts. In every organization, there are people that are critical, like executives, leaders, managers, or other users who have access to sensitive, proprietary, or high priority information. We previously announced the ability to tag these users within Microsoft Defender for Office 365 as priority accounts, allowing security teams to prioritize their focus on these critical individuals. With this release, users tagged as priority accounts will receive a higher level of protection against threats.
Differentiated protection for priority accounts
We know that priority accounts are a high-value target for attackers and are generally under a higher rate of attack with ever more sophisticated techniques. By focusing on these specific user sets and the attacks targeting them, we were able to enhance machine learning models to provide a higher level of protection. We were also able to adjust other aspects of the protection stack such as how messages are handled in our detonation chambers, again increasing the protection provided to these accounts.
This differentiation in learning and message handling allowed us to provide the highest level of protection for these accounts from the specific types of attacks that they are targeted with. We have also ensured that we maintain the same false positive rate for these users as a high rate of false positives can also have a negative impact for these users.
Configuring Priority account protection
Priority account protection will be automatically enabled by default for applicable tenants, but Security Administrators can toggle this functionality by going to Settings > Email & collaboration > Priority account protection in the Microsoft 365 Defender portal. However, we don’t recommend disabling this setting.
Figure 1: Priority account protection will be automatically enabled by default for applicable tenants
Reviewing differentiated protection in Threat Explorer and the email entity page
Figure 2: You can filter Threat Explorer views by selecting Priority account protection in the context dropdown.
Figure 3: Priority account protection is now listed under Threat detection details in the Email entity page.
In addition, the threat protection status report will have a new filter that will allow admins to filter for those emails that were detected as bad due to the extra layer of protection that was applied by Priority account protection.
In addition to Priority account protection, we are excited to share additional features that have recently gone live to make priority accounts and custom tags more effective across Microsoft Defender for Office 365:
User tags can be added as conditions to custom alert policies
A custom alert policy is a set of conditions that define user, admin, or email activity that will generate an alert. Email sender and recipient tags, as well as user tags, can now be added as conditions on custom alert policies to receive alerts following the defined activities. For more information, see Microsoft 365 alert policies on Microsoft Docs
Proactively investigate attacks targeting priority accounts within quarantine
Priority account tags are now integrated with the quarantine experience within Microsoft Defender for Office 365. Any email targeted at one of the priority accounts will be tagged as such and filtered within the quarantine experience, making it easy to filter the view to only look at malicious emails that targeted these critical accounts.
Prioritize submissions from priority accounts and other tagged users
User tags and priority accounts are now integrated with the new unified Submissions experience new submissions experience. As users report attacks landing in their inboxes, security teams can take these signals and thwart campaigns before breaches become costly. Now, submissions from priority accounts and tagged users are explicitly tagged and filtered so that security teams can prioritize focus on these submissions over others.
Target user tags in Attack simulation training
Targeting priority accounts and other custom user tags are now possible in attack simulation and can be done within the Simulation Creation experience. You can now use this capability to run targeted simulations against pre-defined user tags and even set up simulation automations targeting these groups at specific frequency. For more information, see our recent blog post on User tags based targeting in Attack simulation training and more details on Microsoft Docs.
Priority accounts within the Compromised users report
The priority account tag is now integrated with the Compromised users reporting experience so that compromised users from priority accounts are explicitly tagged and filtered. This report shows the number of accounts that were marked as Suspicious or Restricted within the last 7 days. This allows security teams to filter the Compromised users report to these key users within an organization and closely monitor any spikes or trends within priority accounts.
Microsoft is partnering very closely with several customers to learn about their challenges and their desires to shape the thinking and the evolution of this feature. Customers that have seen early previews of this capability love it so far, and we hope you’ll love it too!
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.