Enhancements to the Office 365 ATP admin experience
Published Jul 24 2018 02:48 PM 29K Views
Microsoft

Over the last several months, we have made many advancements to Office 365 Advanced Threat Protection (ATP). Because our malware catch rate has been highly effective, threat actors have shifted their methods to bypass those capabilities, leading to an increase in phishing campaigns. In response, we have enhanced our anti-phish capabilities. We also recently improved the admin experience in Office 365. Now we are combining the anti-phish advancements with the improved admin experience to deliver powerful new tools that further strengthen our ability to mitigate phishing campaigns.

 

Enhancements to the Office 365 ATP anti-phishing policy

Office 365 ATP customers will now benefit from a default anti-phishing policy that provides visibility into the advanced anti-phishing features enabled for the organization. We're excited to deliver this, as customers often ask for a single view where they can fine-tune the anti-phishing protections applied across all users in the organization. Admins can also continue to create new, or use existing, custom anti-phishing policies configured for specific users, groups, or domains within the organization. Custom policies take precedence over the default policy for the users they are scoped to.

 

Customer feedback also led us to increase coverage of our anti-impersonation rule to 60 users and we simplified the spoof protection configurations within the ATP anti-phishing policy.

Figure 1 - ATP anti-phishing default policy settings

Figure 2 - ATP anti-phishing impersonation settings

 

Empowering admins with anti-phishing insights

We recently added a set of in-depth insights to the Security & Compliance Center and now we are excited to announce a new set of anti-phishing insights. These insights provide real-time detections for spoofing, domain and user impersonation, capabilities to manage true and false positives, and include what-if scenarios for fine-tuning and improving protection from these features.

 

  • Spoof Intelligence insights allow admins to review senders spoofing external domains, providing rich information about the sender and inline management of the spoof safe sender list. If spoof protection is not enabled, admins can review spoofed messages that would have been detected if protection was turned on (what-if analysis), turn on the protection, and manage the spoof safe sender list proactively.
  • Domain and User Impersonation insights allow admins to review senders attempting to impersonate domains that you own, your custom protected domains, and protected users within your organization. You can also review impersonation messages that would have been detected if protection was turned on (what-if analysis), turn on impersonation protection, and proactively manage the safe domain and safe sender list before enforcing any action.
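As an added illustration, the following Python model shows the kind of checks the user and domain impersonation insights describe above, together with a what-if mode that records what would have been quarantined without acting. It is not Microsoft's code and does not reproduce the service's actual algorithm; the protected users, owned domains, safe sender and safe domain lists, and the sample From headers are all constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy for this example; every name and domain is a placeholder.
PROTECTED_USERS = {
    "Jane Doe": "jane.doe@contoso.example",
    "Robert Woods": "robert.woods@contoso.example",
}
OWNED_DOMAINS = {"contoso.example"}
SAFE_SENDERS = {"news@partner.example"}   # safe sender list (exact addresses)
SAFE_DOMAINS = {"fabrikam.example"}       # safe domain list


@dataclass
class Verdict:
    threat: str   # "none", "user_impersonation" or "domain_impersonation"
    action: str   # "deliver", "quarantine" or "would_quarantine" (what-if mode)
    reason: str


def normalize_name(name: str) -> str:
    """Lower-case and collapse punctuation/whitespace so 'Jane  DOE' equals 'jane doe'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def normalize_domain(domain: str) -> str:
    """Fold common digit-for-letter substitutions (0->o, 1->l, 3->e) used in lookalike domains."""
    return domain.lower().translate(str.maketrans("013", "ole"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str) -> Optional[str]:
    """Return the owned domain this sender domain imitates, or None if it is not a lookalike."""
    sd = sender_domain.lower()
    if sd in OWNED_DOMAINS or sd in SAFE_DOMAINS:
        return None
    folded = normalize_domain(sd)
    for owned in OWNED_DOMAINS:
        if folded == owned or edit_distance(sd, owned) <= 2:
            return owned
    return None


def parse_from(header: str):
    """Split a From header such as 'Jane Doe <jane@x.example>' into (display name, address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()   # bare address, no display name


def classify(from_header: str, enforce: bool = True) -> Verdict:
    """Apply safe lists, then user impersonation, then domain impersonation checks."""
    display, address = parse_from(from_header)
    domain = address.rsplit("@", 1)[-1]
    # In what-if mode the verdict is recorded but the message is not acted on.
    block = "quarantine" if enforce else "would_quarantine"

    if address in SAFE_SENDERS or domain in SAFE_DOMAINS:
        return Verdict("none", "deliver", "sender on safe list")

    # User impersonation: display name of a protected user, but mail not from that user's address.
    for name, real_address in PROTECTED_USERS.items():
        if normalize_name(display) == normalize_name(name) and address != real_address:
            return Verdict("user_impersonation", block, f"display name matches protected user {name}")

    owned = lookalike_domain(domain)
    if owned:
        return Verdict("domain_impersonation", block, f"{domain} resembles owned domain {owned}")

    return Verdict("none", "deliver", "no impersonation indicators")


# Constructed sample From headers covering each branch above.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@contoso.example>",     # genuine protected user
    "Jane DOE <jane.doe@mailfree.example>",    # display-name impersonation
    "Billing <invoices@c0ntoso.example>",      # lookalike of an owned domain
    "Partner News <news@partner.example>",     # safe sender, always delivered
    "ai-noreply@monitoring.example",           # bare address, unrelated domain
]


def what_if_report(headers, enforce: bool = False):
    """Evaluate headers without enforcing, as the what-if analysis does."""
    return [(h, classify(h, enforce)) for h in headers]


if __name__ == "__main__":
    for h, v in what_if_report(SAMPLE_FROM_HEADERS):
        print(f"{v.action:16} {v.threat:22} {h}  ({v.reason})")
```

Running the block prints one line per sample header with the what-if action. The safe lists are consulted first, which is why adding a sender there suppresses both impersonation checks; the edit-distance threshold of 2 is deliberately loose for short domains and is the kind of setting the what-if view lets an admin tune against real mail before turning enforcement on.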

Figure 3 - Spoof Intelligence insight widget

 

Explorer, Real-time reports and Office 365 management API will now include phish and URL detections

Earlier this year, we released real-time reports for malware, phish and user-reported messages for Office 365 ATP custo.... We are now extending the email phishing views in Real-time reports and Explorer to include additional phishing detection details, including the detection technology that produced the phish verdict. These views are also enriched with URL details: the URLs contained in messages, filtering by URL information, URL information in the graph/pivot, and Safe Links time-of-click data on allowed and blocked clicks from messages. Threat Intelligence customers will also get URL data in the 'all email' view, enabling analysis of URLs in delivered mail to support investigations of missed phish, data loss, and other security incidents. We have also enriched phish detection events in the Office 365 management API: the schema now includes email phish and URL click events. We believe these enhanced views are critical to powering security investigation and remediation across advanced phishing attack vectors.

 

Figure 5 - URL domain and URL clicks view

Figure 6 - Phish detection technology and URL click verdicts

Send Your Feedback

We hope you try these new features and provide feedback. Your feedback enables us to keep improving and adding features that make ATP the premier advanced security service for Office 365. If you have not tried Office 365 Advanced Threat Protection, you can begin a free Office 365 E5 trial today and start securing your organization against today's threat landscape.

20 Comments
Copper Contributor

Do these features require an ATP license for all users or are they available to Office 365 clients as default security options?

Microsoft

@Brian Lee - these features do require ATP licenses

Deleted
Not applicable

Hi,

 

This is Very Good Indeed!

 

We have E3 with Threat Intelligence as an add-on. Will this work, or is E5 needed?

 

If E5 is required, then how many licenses should we buy? Currently, we have 9k E3.

 

Thanks,

Shantanu

 

 

Copper Contributor

We're loving ATP so far. Anxious for the in-depth insights to hit our tenant.

Steel Contributor

@David Fantham I can add up to 60 users for impersonation protection now, but I cannot add the same amount of users for trusted senders and domains. If each of my users has only 1 alias to whitelist, then I am unable to complete that task. My users tend to have multiple aliases to whitelist. How can I accomplish this?

Brass Contributor

So Explorer is seeing all sorts of messages listed under the View: Phish. Most of these messages are being delivered. What can I do to have those be quarantined or blocked? I do have an anti-phishing policy, but really it's more of an anti-spoofing policy..? @David Fantham

Microsoft

@Robert Woods - the new Anti-Phishing Impersonation mailbox intelligence feature will take care of this for you based on the Microsoft Intelligence Security Graph. You can read more about that protection here

 

@Jordan Moore - this means that you may not be taking action on specific protection components within the Anti-Phishing policy. Navigate to the Security & Compliance Center, Threat Management, Policy, ATP Anti-Phishing and you should be able to investigate. 

Brass Contributor

@David Fantham How can I see how aggressive I need to be in setting my phishing thresholds to stop these emails from being delivered? I.e. do I have a way to review the phishing confidence level, as that relates to the aggressiveness of the policy?

Steel Contributor

@David Fantham I actually figured out a way to add more than 20 to the exceptions list, but only after they have been caught in quarantine 1x. In the impersonations over the past 7 days report it gives me an option to allow impersonation for the blocked user which bypasses the 20 user limit in the GUI.

 


Brass Contributor

@Robert Woods Under your Explorer > View > Phish, are all emails identified as phish going to a quarantine?

I've got an anti-phishing policy, but all the emails identified as phish under explorer are still being delivered.

Steel Contributor

@Jordan Moore

Yes, the messages land here: Capture.PNG

 

This is the setting in my policy that causes this: Capture1.PNG

Brass Contributor

@Robert Woods

Thanks! What is your phishing threshold set to?

Steel Contributor

@Jordan Moore

2 - Aggressive

Deleted
Not applicable

@Jordan Moore

Not sure why, but emails from ai-noreply@applicationinsights.io (the address used by Azure Application Insights) trigger "Domain impersonation" and get blocked.

 

Info from one of the emails:

Time received: Oct 31, 2018 8:21:30 AM
Return path: ai-noreply@applicationinsights.io
Sender (From): ai-noreply@applicationinsights.io
Sender name: Application Insights
Original IP: 207.46.200.16
Threats/Detection technology: Phish/Domain impersonation
Delivery status: Blocked
Protection policy/action: DIMP-b7cc8738-8704-4a93-a632-16711aae9452/Send to quarantine
Internet Message ID: <4e009d43-6664-476b-9594-b4a2e43577ee@CH1GMEHUB12.gme.gbl>
Network Message ID: 945ce975-a34e-49ce-d47b-08d63f017838

 

Could you provide me with any hint what's going on?

Deleted
Not applicable

@Jordan Moore

Emails from MS Teams noreply@email.teams.microsoft.com are treated as phishing:

NOREPLY@EMAIL.TEAMS.MICROSOFT.COM appears similar to someone who previously sent you email, but may not be that person.

 

 

Microsoft

@Deleted - the best way for you to get a timely and thorough response to your questions is to submit a support ticket through the Microsoft 365 Admin Center. You can file a service request under the 'Support' or 'Need help?' sections. Be sure to attach either the messages in question, or the headers, in order to get a detailed response. 

Copper Contributor

A new option called "Enable mailbox intelligence based impersonation protection" is now available in the Mailbox Intelligence > Impersonation Policy settings.

 

Additionally, there is a new setting within Mailbox Intelligence to apply an action "If email is sent by an impersonated user".

 

Can you share some details about these new features, and how this action relates to the already existing "If email is sent by an impersonated user" setting in the Actions section?

 

It seems these policy settings are similar; it would be good to understand the precedence of each and what circumstances would trigger these actions to apply.

 

Also posed the question in the Feedback section of https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-anti-phishing-policies#phishpol..., which directed me to this page.

 


Brass Contributor

Is the "60 users to protect" a per tenant limitation or a per policy limitation? 

 

Our observation is that if you have multiple policies with 60 in each, only the policy with the highest priority works.  The Users defined in the "users to protect" section for the other policies are not working.  

Iron Contributor

Any update or thoughts on how Microsoft is going to help with sender name spoofing?  These tools allow these to sail right through - even when the display name is the same as one of our internal users, including a user that is in the users to protect list.  This needs to get smarter to include:

 

- All users

- display name spoofing (coming from a valid, often consumer email service)

- name variation support (e.g. Robert & Bob, Dan & Daniel, etc)

Copper Contributor

I've never paid much attention to the rules used in filtering phishing, scams and so forth.

 

However, recently, I realized that my colleague's emails were all going to my Junk Folder in Outlook.

 

The warning I get with her emails is (after I anonymize her email details):

 

First.Last@domain.com    appears similar to someone who previously sent you email, but may not be that person. Learn why this could be a risk

 

I sent her this warning message to dig further, and found out that her domain (company) asked her to change her login email address to conform with a company-wide policy. So, her email used to be:

 

FirstMiddle.Last@domain.com

 

which was changed by company policy to:

 

First.Last@domain.com

 

This change has seemingly resulted in the junk mail filtering.

 

This is not ideal. I understand that there are ways to bypass this filtering through whitelisting.

But I am more curious about the method and the effects of this method on legitimate email addresses.

Version history: last updated May 11 2021 03:43 PM