One of the frequent requests we hear from Office 365 customers is the ability for security teams to easily report suspicious email messages or content to Microsoft and get feedback. Today I’m super excited to announce that we’re rolling out this capability to customers world-wide. This builds on a powerful capability Office 365 already supports - the ability for end users to report suspicious emails to their security teams and Microsoft. With the feature set we’re announcing today, security teams that want to defer reporting issues to Microsoft until after they have reviewed the messages themselves can now do so. What’s more - security teams can get immediate feedback on these submissions within the Office 365 Security and Compliance Center, dramatically reducing the time to investigate and response to issues and take corrective actions.
One of Microsoft Threat Protection's most important elements is the ability to secure emails and collaboration services with Office 365 Advanced Threat Protection (ATP). Office 365 ATP's strength of signal offers comprehensive and best-in-class protection against sophisticated, targeted and zero-day phishing and malware attacks. To give you a sense of the scale that we deal with, in the course of 1 year in 2018, Office 365 ATP blocked 5 billion phish emails and analyzed 300k phish campaigns, protecting 4 million unique users from advanced threats. Analyzing such a huge amount of data helps continuously improve the machine learning algorithms, leading to the highest accuracy and effectiveness in the industry.
Phish email statistics from Office 365 from January 2018 to September 2018.
The impact to end users in 2018 from the enhanced anti-phish capabilities in Office 365
As proud as we are about the effectiveness offered by Office 365 ATP, we also know that no solution is 100% effective. For this reason, we also offer powerful feedback loops through which suspicious emails can be reported by end users to Microsoft to feed into the overall intelligence and continually improve the service to better protect customers.
End users can report suspicious messages they see in their inbox to Microsoft using the Report Message plug-in in Outlook and Outlook Web Access. Organizations’ security teams can also review these user-reported messages in the Office 365 Security and Compliance Center to better understand the attacks users are seeing and update their security policies.
Real-time report showing all user-submitted emails
From the SecOps perspective, these submissions form an important source of intelligence and can trigger investigation and remediation workflows to significantly reduce the time to detect and respond to an attack and therefore limit the scope of impact of an attack within the organization.
The Report Message plug-in is therefore an invaluable tool for users to flag suspicious content to not only their security teams, but directly to Microsoft as well. But some organizations don’t want their users to submit emails directly to Microsoft, as they may contain sensitive information. They want these submissions to first be reviewed by their security teams before being submitted to Microsoft.
Today we’re excited to announce that the email submission experience will now be available to security teams and admins from the same place where they review user-reported messages within the Office 365 Security and Compliance Center.
With this new capability, admins can easily submit emails and content, provide more details, and receive immediate feedback. The feedback provided by Microsoft will also offers valuable insights into configurations that may have caused a false positive or a false negative, reducing the time to investigate issues and improving the overall effectiveness.
With this new submission process, admins can:
Submit suspicious emails, files, and URLs to Microsoft for analysis
Receive immediate feedback on their submissions
Find and remove rules allowing malicious content into the tenant
Find and remove rules blocking good content into the tenant
Here’s a quick run through of the experience. You can also learn more about it in our technical docs.
Step 1 – Log in to the Security and Compliance Center or the M365 Admin Center as Global Admin, Security Admin, or Security Reader. Click on the ‘Submissions’ node under ‘Threat Management’. You will see all the end user reported messages here. Under the ‘User Reported’ tab. To create a new admin submission from the portal, click the ‘New Admin Submission’ on the top left.
Step 2 – Enter all the details related to the submission such as submission type, recipients, reason for submission and submit.
Step 3 – Review the status of your submission. You can see the progress of the submission after it is submitted. You can also drill down into specific submissions and see what was submitted, what it was submitted as, and reason for submission, as well as what verdict was issued.
Step 4 – Take actions to fix the suggested configuration.
This can be a great tool to manage false positives and help fix configurations issues that may result in EOP/Office 365 ATP not performing optimally. In the future we’ll not only present the config-related issues but also automatically fix them.
To whom is it available?
All Office 365 customers will be able to use this feature. However, customers using Office 365 ATP will benefit most from it. Customers using third-party reporting tools can also use this capability.
As you look to implement this solution, it’s important to know it provides valuable data for more than Office 365 ATP. Microsoft Threat Protection services in general can leverage it to fine tune the machine learning algorithms and better protect, detect, and respond to threats across different threat vectors. Get started with an MTP trial if you want to experience the comprehensive and integrated protection Microsoft Threat Protection provides. Learn more about Microsoft Threat Protection by following our monthly blog series.