For those of you using Microsoft Defender for Office 365 automated investigations, we have several new investigation improvements rolling out this month to improve your experience in the security center. These new features improve the clarity of Office 365 investigations, as well as improve Defender for Office 365 integration with SecOps tools in the security center.
Manually triggered investigations – Office 365 has supported investigations triggered manually by security administrators from Explorer since the Office 365 automated investigation features were released. This capability allows security teams to trigger ‘email investigations’ to see if anything in an email is bad, identify any unusual Office 365 behaviors for the recipient, and queue remediation actions for anything malicious or suspicious. With the addition of a new alert for admin-triggered email investigations from explorer, SecOps teams can now see alert notifications for these investigations in their alert queues – as well as view these investigations in the Microsoft 365 security center. The alert and investigations from these admin-triggered email investigations will be correlated in incidents, which further expands the signal provided by the admin action to show the full relevant scope of the suspected attack or malicious activity. In addition, this enables use of other Microsoft 365 Defender capabilities for these investigations, including the unified investigation page, the display of investigation actions in action center, and the alerts/entities within advanced hunting.
Mailbox configuration entities – Defender for Office 365 identifies suspicious configurations like external forwarding rules and suspicious delegation rules – which are key methods that attackers can setup malicious persistence in their attack on businesses. Microsoft 365 Defender incident view has shown such findings under the mailbox tab. Since these configuration findings will have actions to disable them, we have added a new entity type called ‘Mailbox configuration’. These new entities help you will clearly see these suspicious mailbox configuration findings in the incident and investigation evidence tabs, so that you can more easily review these suspicious mailbox configurations associated with the pending actions.
Outbound email clusters for user compromise investigations— Microsoft Defender for Office 365’s user compromise investigations analyze users in scenarios where the user has been blocked for sending out too many suspicious or malicious emails. To extend these investigations and provide better understanding of the potential impact of compromised mailboxes, we have added new email clusters to show recent email being sent from the mailbox. The three new email clusters show the ‘suspicious’ spam email, the ‘malicious’ malware/phish email, and the ‘clean’ email sent from the account in the last week. This information aids security operations teams in assessing:
Whether the mailbox account was compromised
What problems may have been created through malicious/suspicious use of the account
Whether there was any potential data exfiltration through email
Which outbound emails are legitimate (differentiate good email use from abuse/misuse)
These new email clusters will augment the existing email clusters in the user compromise investigation, which find emails similar to the malicious/suspicious messages that triggered the compromise-related mailbox alerts.
Deprecation of block URL investigation action – We are removing the redundant ‘block URL’ action from our current investigations. In these current investigations, this action appears when the investigation finds a malicious URL. Since the Office 365 protection stack will be blocking the URL at the time of delivery and from Safe Links protected clicks, the investigation action is no longer needed. There will be future action uses from advanced hunting and explorer for false positive and false negative related admin remediation actions.
There is no impact to your current incident and automated investigation use. These new features add new fields you can use to find items easier. The main thing to note is that the new manually triggered email investigation alert will be seen in the security center, will generate alert email notifications, and will be available alongside other alerts in the Office 365 Management Activity API.