Introducing campaign views in Office 365 Advanced Threat Protection
It’s no secret that most cyberattacks begin with an email. But it’s rarely just one email: it’s typically a swarm of email designed to maximize the impact of the attack. Attackers pick a carefully crafted attack pattern or template and send email in waves, introducing slight variances in each wave to thwart defenses and dupe users. The common pattern or template across these waves defines their attack ‘campaign’, and attackers are getting better and better at morphing attacks quickly to evade detection and prevention. Being able to see the forest rather than the trees, in this case the entire email campaign rather than individual messages, is critical to comprehensive protection for the organization and its users: it lets security teams spot weaknesses in defenses sooner, identify vulnerable users and take remediation steps faster, and harvest attacker intelligence to track and thwart future attacks.
Figure 1: Example campaign seen in Office 365 ATP
Today, I’m thrilled to announce the public preview of campaign views in Office 365 Advanced Threat Protection. The additional context and visibility available in these campaign views provide the full story of how attackers targeted the organization and its users and how their defenses held up (or not).
Security teams can quickly:
- See summary details about the campaign, including when the campaign started, the sending pattern and timeline, how big the campaign was and how many users fell prey to it.
- See the list of IP addresses and senders used to orchestrate the attack.
- Assess which messages were blocked, ZAPped, delivered to junk or quarantine, or allowed into the inbox.
- See all the URLs that appeared in the attack.
- Learn whether any users fell prey to the attack and clicked on the phish URL.
Armed with the information above, security teams can more effectively and efficiently:
- Remediate compromised or vulnerable users.
- Improve security posture by eliminating the configuration flaws the campaign exposed.
- Investigate related campaigns that use the same indicators of compromise.
- Hunt and track threats that use the same indicators of compromise.
The feedback we’ve received from customers who have been using this in early previews is extremely positive. One large customer we’ve worked with was able to identify multiple configuration flaws in their tenant after using campaign views for only a short time. In one instance, 34% of the phishing messages detected by ATP were rescued and delivered into user inboxes because of a configuration control (a domain allow list) that the attacker exploited.
Another customer we worked with has been extremely excited about being able to see variances in how the campaign proliferated through the organization and being able to harvest attacker indicators of compromise for additional hunting.
One pleasant surprise from these conversations with customers is that almost all of them told us campaign views also help security teams demonstrate to the CISO and business peers the protection value the security team brings to the organization. They do this by enumerating the campaigns blocked, describing the key campaigns, and showing the improvements made to the defenses and the users remediated.
We’re so excited about the value these campaign views can bring to your organizations and security teams, we cannot wait for you to try it out.
But let me give you a tour of the capability first and set some context.
Email Campaigns demystified
To better appreciate the importance of understanding email campaigns, it’s worthwhile to think about how attackers target organizations and users. Attackers are usually after financial gain, and to maximize that gain they apply a great deal of sophistication to get around defense systems. One way they achieve this is by setting up ‘factories’ where they create templates and introduce variances to evade detection, rapidly and at scale.
Figure 2: How attackers generate campaigns
Within a single campaign, attackers may change the sending infrastructure, sending IPs, sending domains, sender names and addresses, URLs, and even the hosting infrastructure for these attack sites. They use these changes or ‘morphs’ to try and get around defenses.
If defense systems learn of and block a known bad URL, sending IP address, or sending domain, those defenses can be rendered useless by the morphs in the campaign achieved by changing the IP address, the sender that the attack is launched from, or simply the URL in the email template.
Thwarting attacks with Office 365 ATP
To thwart these well-orchestrated attacks, Office 365 Advanced Threat Protection leverages a multi-layered defense system that uses a combination of machine learning, advanced heuristics, rich detonation capabilities, targeted capabilities to spot business email compromise, and massive security intelligence sources that come together during mail-flow as well as after email delivery.
Figure 3: Office 365 ATP email protection stack
Along with an intense focus on pre-breach capabilities, Office 365 ATP also comes with powerful tools and automation to help security teams more comprehensively and effectively investigate and remediate issues, to limit the scope of any potential breaches in the organization.
If you haven’t had a chance to look at the richness of the Office 365 ATP stack, I encourage you to read our recent blog post to learn more, including some of the recent innovations we announced at the Microsoft Ignite conference.
Campaign views amplify protection value
It’s critically important that the defenses and built-in protections in mail flow, the detections and the alerts they generate are powerful and durable enough to act on individual email messages. It is equally important for the solution to correlate information from across the attack into a campaign view so security teams can assess how well their organization is protected.
This is why I’m excited to present the campaign views and related workflows we’re starting to roll out today, to help security teams better protect their organizations with a well-rounded view of the attacks targeting their users.
Figure 4: Another campaign view example (some details obfuscated on purpose)
Campaign views present security teams with an all-encompassing view of the entire email campaign that targeted their organization. As called out above, with a single view, security teams can easily:
- See summary details about the entire campaign, including when the campaign started, the sending pattern and timeline, how big the campaign was and how many users fell prey to it.
- See the list of IP addresses and senders used to orchestrate the attack.
- Assess which messages were blocked, ZAPped, delivered to junk or quarantine, or allowed into the inbox.
- See all the URLs that appeared in the attack.
- Learn whether any users fell prey to the attack and clicked on the phish URL.
They can quickly explore the specifics of the entire campaign in Office 365 ATP Threat Explorer. And they can apply the usual filters and pivots to slice the campaign in a variety of ways.
Using the power of campaigns to secure the organization better
In the campaign above, a few things stand out as worthy of immediate focus and action. These suggested actions and workflows are what make the campaign views so useful:
- Remediation of compromised or vulnerable users
- Improving security posture by eliminating configuration flaws that affect the organization
- Investigating related campaigns using indicators of compromise
- Hunting and tracking threats using indicators of compromise
Remediation:
The first thing for security teams to focus on when reviewing campaigns is to ensure that compromised or vulnerable users are secured to limit the scope of a potential breach.
Figure 5: Easy to spot that there were user clicks and overrides.
In the above campaign, you can see that some of the URLs were clicked by users. In some cases the clicks were blocked by Safe Links, but in other cases the block was overridden by the user. There is a high chance that these users fell prey to the attack hosted on the target site, either revealing their credentials to the fake site or succumbing to some sort of drive-by malware.
Figure 6: User and URL details.
To limit the scope of the possible compromise, it’s important to ensure that the user’s identity and devices are secure. To be safe, reset the user’s credentials and ensure that the user is enabled for multi-factor authentication (MFA). Also, ensure that the user’s devices are not exhibiting anomalous alerts.
Secure posture:
Campaigns make it easy to see how poor security configurations are helping attackers beat your organization’s defenses.
When looking at the campaign above, it’s clear that there are several configuration issues that need to be addressed:
- As seen earlier, some users were allowed to override the Safe Links block.
- Tenant allows: a large portion of the campaign appears to have been allowed because of a tenant-specific configuration.
Figure 7: Easy to spot that tenant allows in the configuration let phish emails into the inbox.
Exploring the campaign in Threat Explorer reveals which messages were allowed because of a tenant allow setting, so security teams can tighten that policy appropriately.
The Safe Links policy should also be reviewed to prevent user overrides.
Investigating related campaigns:
The campaign view presents a rich and easy to consume view of all the indicators of compromise (IOCs) used by an attacker: URLs, sender IPs, sending domains, sender email addresses, and so on.
Figure 8: URLs in the campaign.
While all these IOCs were used in this campaign, it’s possible that the same IOCs were used in other messages targeting the organization.
Using the All email view in Office 365 ATP Threat Explorer, security teams can easily investigate other messages that used the same IOCs and take remediation actions. This matters because attackers may have reused IOCs (for example, the same malicious URL) in other email campaigns that used a different template to attack users.
Figure 9: Using Threat Explorer to search for other messages with matching IOCs.
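The two ideas above, grouping morphed messages into one campaign by their shared template and then pivoting on an IOC to find messages from other campaigns, are shown below as an added example. It is not Office 365 ATP code; the mail-flow records, field names, and the simple template fingerprint (subject with digits masked plus URL path) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

def rec(subject, ip, sender, url, recipient, verdict, clicked=False):
    return dict(subject=subject, ip=ip, sender=sender, url=url,
                recipient=recipient, verdict=verdict, clicked=clicked)

RECORDS = [  # constructed sample: one morphed campaign plus one unrelated template
    rec("Action required: mailbox 98% full", "203.0.113.10", "it@corp-mail-1.example",
        "https://quota-fix.example/a/login", "alice", "blocked"),
    rec("Action required: mailbox 97% full", "203.0.113.11", "it@corp-mail-2.example",
        "https://quota-fix.example/a/login", "bob", "inbox", clicked=True),
    rec("Action required: mailbox 99% full", "198.51.100.5", "helpdesk@corp-mail-3.example",
        "https://qu0ta-fix.example/a/login", "carol", "inbox"),
    rec("Action required: mailbox 95% full", "198.51.100.6", "helpdesk@corp-mail-4.example",
        "https://qu0ta-fix.example/a/login", "dave", "junk"),
    rec("Invoice 4471 attached", "192.0.2.9", "billing@pay-now.example",
        "https://qu0ta-fix.example/a/login", "erin", "inbox"),
]

def template_key(r):
    """Fingerprint the template: lowercased subject with digits masked, plus URL path."""
    subj = re.sub(r"\d+", "#", r["subject"].lower())
    return f"{subj}|{urlsplit(r['url']).path}"

def build_campaigns(records):
    """Group messages that share a template, whatever IP, sender or URL host they used."""
    camps = defaultdict(list)
    for r in records:
        camps[template_key(r)].append(r)
    return camps

def summarize(msgs):
    """Campaign summary: size, verdict breakdown, IOCs used, and users who clicked."""
    verdicts = defaultdict(int)
    for m in msgs:
        verdicts[m["verdict"]] += 1
    return {"messages": len(msgs), "verdicts": dict(verdicts),
            "ips": sorted({m["ip"] for m in msgs}),
            "senders": sorted({m["sender"] for m in msgs}),
            "urls": sorted({m["url"] for m in msgs}),
            "clicked_users": sorted({m["recipient"] for m in msgs if m["clicked"]})}

def pivot_on_ioc(records, url, campaign_key):
    """IOC pivot: messages outside this campaign that reused one of its URLs."""
    return [r for r in records if r["url"] == url and template_key(r) != campaign_key]
```

Blocking any single IP, sender or URL from the first wave would have left later waves untouched, which is why the summary lists every IOC the campaign used; the pivot then surfaces the unrelated "invoice" message that reused one of those URLs.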
Hunting and tracking future threats:
Security research teams value this rich IOC intelligence because it lets them proactively track attackers. Using Office 365 ATP Threat Trackers, security teams can write queries that fire when new attacks are launched using any of the IOCs from the identified campaign.
Figure 10: Use Threat Tracker to write a tracking query to track and be notified of future attacks
Go on, give it a try!
As you can see, rich campaign analysis paired with powerful tools like Office 365 ATP Threat Explorer and Office 365 ATP Threat Trackers can help organizations comprehensively and effectively improve their security posture, quickly remediate issues, and drive more thorough investigation, hunting, and response.
Campaign views are available for customers with any of the following plans:
- Office 365 Advanced Threat Protection Plan 2
- Office 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 E5
You can learn more about campaign views in Office 365 here.
Campaign views have started rolling out into public preview, so you’ll see them in your tenant over the next few days and weeks. Judging from the testimonials of our private preview customers and the feedback I’ve already shared above, we think you’re going to love them.
Go on, give it a try for yourself! We’d love to hear your feedback.