Microsoft 365 Defender

Learn more about Microsoft Security Communities
In the last five years, Microsoft has increased the emphasis on community programs – specifically within the security, compliance, and management space. These communities fall into two categories: Public and Private (or NDA only). In this blog, we will share a breakdown of each community and how to join.

Blocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community, In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes. We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. Could you provide guidance on how to achieve this? I would greatly appreciate any help or suggestions. Thank you very much!
Juan Rojas

Security Admin Center Tenant Allow/Block List Not Able to Block IPv4?
While using the Security Admin Center Tenant Allow/Block List we have been able to block specific email addresses and IPv6 IP addresses but are unable to block IPv4 IP addresses. We have tried both using the console and the CLI but have turned up unsuccessful both times when it comes to IPv4. A large majority of the phishing attempts that we encounter come from IPv4 addresses but we have been unable to block any of these. Will there ever be functionality for IPv4 within the Tenant Allow/Block list or is the only option to use conditional access policies? Also, why is this enterprise tool only functional with IPv6, without documentation stating that it does not work for IPv4?

Microsoft Security in Action: Zero Trust Deployment Essentials for Digital Security
The Zero Trust framework is widely regarded as a key security model and a commonly referenced standard in modern cybersecurity. Unlike legacy perimeter-based models, Zero Trust assumes that adversaries will sometimes get access to some assets in the organization, and you must build your security strategy, architecture, processes, and skills accordingly. Implementing this framework requires a deliberate approach to deployment, configuration, and integration of tools.

What is Zero Trust?

At its core, Zero Trust operates on three guiding principles:

- Assume Breach (Assume Compromise): Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly.
- Verify Explicitly: Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry.
- Use Least Privileged Access: Limit the access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control.

Implementing a Zero Trust architecture is essential for organizations to enhance security and mitigate risks. Microsoft's Zero Trust framework focuses on six key technological pillars: Identity, Endpoints, Data, Applications, Infrastructure, and Networks. This blog provides a structured approach to deploying each pillar.

1. Identity: Secure Access Starts Here

Ensure secure and authenticated access to resources by verifying and enforcing policies on all user and service identities. Here are some key deployment steps to get started:

- Implement Strong Authentication: Enforce Multi-Factor Authentication (MFA) for all users to add an extra layer of security. Adopt phishing-resistant methods, such as passwordless authentication with biometrics or hardware tokens, to reduce reliance on traditional passwords.
- Leverage Conditional Access Policies: Define policies that grant or deny access based on real-time risk assessments, user roles, and compliance requirements. Restrict access from non-compliant or unmanaged devices to protect sensitive resources.
- Monitor and Protect Identities: Use tools like Microsoft Entra ID Protection to detect and respond to identity-based threats. Regularly review and audit user access rights to ensure adherence to the principle of least privilege. Integrate threat signals from diverse security solutions to enhance detection and response capabilities.

2. Endpoints: Protect the Frontlines

Endpoints are frequent attack targets. A robust endpoint strategy ensures secure, compliant devices across your ecosystem. Here are some key deployment steps to get started:

- Implement Device Enrollment: Deploy Microsoft Intune for comprehensive device management, including policy enforcement and compliance monitoring. Enable self-service registration for BYOD to maintain visibility.
- Enforce Device Compliance Policies: Set and enforce policies requiring devices to meet security standards, such as up-to-date antivirus software and OS patches. Block access from devices that do not comply with established security policies.
- Utilize and Integrate Endpoint Detection and Response (EDR): Deploy Microsoft Defender for Endpoint to detect, investigate, and respond to advanced threats on endpoints, and integrate it with Conditional Access. Enable automated remediation to quickly address identified issues.
- Apply Data Loss Prevention (DLP): Leverage DLP policies alongside Insider Risk Management (IRM) to restrict sensitive data movement, such as copying corporate data to external drives, and address potential insider threats with adaptive protection.

3. Data: Classify, Protect, and Govern

Data security spans classification, access control, and lifecycle management. Here are some key deployment steps to get started:

- Classify and Label Data: Use Microsoft Purview Information Protection to discover and classify sensitive information based on predefined or custom policies. Apply sensitivity labels to data to dictate handling and protection requirements.
- Implement Data Loss Prevention (DLP): Configure DLP policies to prevent unauthorized sharing or transfer of sensitive data. Monitor and control data movement across endpoints, applications, and cloud services.
- Encrypt Data at Rest and in Transit: Ensure sensitive data is encrypted both when stored and during transmission. Use Microsoft Purview Information Protection for data security.

4. Applications: Manage and Secure Application Access

Securing access to applications ensures that only authenticated and authorized users interact with enterprise resources. Here are some key deployment steps to get started:

- Implement Application Access Controls: Use Microsoft Entra ID to manage and secure access to applications, enforcing Conditional Access policies. Integrate SaaS and on-premises applications with Microsoft Entra ID for seamless authentication.
- Monitor Application Usage: Deploy Microsoft Defender for Cloud Apps to gain visibility into application usage and detect risky behaviors. Set up alerts for anomalous activities, such as unusual download patterns or access from unfamiliar locations.
- Ensure Application Compliance: Regularly assess applications for compliance with security policies and regulatory requirements. Implement measures such as Single Sign-On (SSO) and MFA for application access.

5. Infrastructure: Securing the Foundation

It’s vital to protect the assets you have today that provide business-critical services, as well as the ones your organization is creating each day. Cloud and on-premises infrastructure hosts crucial assets that are frequently targeted by attackers. Here are some key deployment steps to get started:

- Implement Security Baselines: Apply secure configurations to VMs, containers, and Azure services using Microsoft Defender for Cloud.
- Monitor and Protect Infrastructure: Deploy Microsoft Defender for Cloud to monitor infrastructure for vulnerabilities and threats. Segment workloads using Network Security Groups (NSGs).
- Enforce Least Privilege Access: Implement Just-In-Time (JIT) access and Privileged Identity Management (PIM). JIT mechanisms grant privileges on demand when required, which reduces the time exposure of privileges that people need but only rarely use. Regularly review access rights to align with current roles and responsibilities.

6. Networks: Safeguard Communication and Limit Lateral Movement

Network segmentation and monitoring are critical to Zero Trust implementation. Here are some key deployment steps to get started:

- Implement Network Segmentation: Use Virtual Networks (VNets) and Network Security Groups (NSGs) to segment and control traffic flow.
- Secure Remote Access: Deploy Azure Virtual Network Gateway and Azure Bastion for secure remote access. Require device and user health verification for VPN access.
- Monitor Network Traffic: Use Microsoft Defender for Endpoint to analyze traffic and detect anomalies.

Taking the First Step Toward Zero Trust

Zero Trust isn’t just a security model—it’s a cultural shift. By implementing the six pillars comprehensively, organizations can potentially enhance their security posture while enabling seamless, secure access for users. Implementing Zero Trust can be complex and may require additional deployment approaches beyond those outlined here. Cybersecurity needs vary widely across organizations and deployment isn’t one-size-fits-all, so these steps might not fully address your organization’s specific requirements. However, this guide is intended to provide a helpful starting point or checklist for planning your Zero Trust deployment. For a more detailed walkthrough and additional resources, visit Microsoft Zero Trust Implementation Guidance.

The Microsoft Security in Action blog series is an evolving collection of posts that explores practical deployment strategies, real-world implementations, and best practices to help organizations secure their digital estate with Microsoft Security solutions. Stay tuned for our next blog on deploying and maximizing your investments in Microsoft Threat Protection solutions.

No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren’t identified as links, which allowed them to evade security scanning.

Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely.

Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What’s the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URLs were identified?

Looking forward to your input and recommendations. Thanks in advance!

Anti-malware policy doesn't block files
Hello Microsoft Community, We have recently found that the Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with cmd/exe/jse/rdp and other files inside of the ics, the email is not blocked and is delivered to users. We did several tests with an external security vendor by sending real malware, ransomware and exploits attached to the ics, and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scan nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.

3 internal obstacles to overcome for comprehensive security
Organizations today face relentless security challenges, fending off an average of 59 data security incidents each year. [1] At an average cost of $15 million, [2] successful exploits can be devastating. To address these risks, organizations need a comprehensive defense, including committed leadership and cutting-edge tools. At Microsoft, safeguarding data, technology, and secure AI adoption is a year-round priority. In fact, Charlie Bell, executive vice president of Microsoft Security, recently underscored Microsoft’s “unique responsibility in safeguarding the future for our customers and community.” As part of meeting this responsibility, Microsoft’s advanced security solutions include Microsoft Defender XDR, a platform designed to provide holistic security against today’s complex threats.

While solutions like Microsoft Defender XDR are invaluable, getting them deployed can sometimes be challenging. Organizations may face internal hurdles—conflicting priorities, resource limitations, even resistance to change—that can slow or stall implementation of essential security tools. In this article, we’ll explore three common hurdles and discuss how, by deploying Microsoft security products, you can help ensure a more secure future at your organization.

3 common internal obstacles to achieving comprehensive security

1. Reluctance to replace individual, legacy solutions

In the past, organizations commonly implemented individual security tools for different, siloed areas of the organization. Today, we know this fragmented approach weakens data security. In fact, according to Microsoft’s 2024 State of Multicloud Security Risk Report, organizations using multiple individual point solutions experience 2.8 times as many data security incidents as those using fewer, integrated tools. Here's a table comparing the performance of individual point solutions vs. Microsoft Defender XDR, the industry-leading unified security platform. [3]

Is sunk cost fallacy to blame?

“Security is an area significantly impacted by behavioral economics." [4] Sunk cost fallacy can lead cybersecurity professionals to resist replacing existing systems, even when evidence suggests it's necessary. According to Forbes: “The biggest risk in viewing cybersecurity as a sunk cost is inaction. In other words, thinking that you are safe because you haven’t yet suffered a major breach. Remember this maxim: Everyone is vulnerable." [5]

To move past sunk-cost fallacy, Forbes says decision-makers need to understand that “the implementation of robust security measures can deliver substantial value beyond just mitigating risks.” By examining ROI and a product’s impact on improving security, reducing complexity, and streamlining operations, “...businesses can start recognizing cybersecurity as a driver of competitive advantage, innovation and operational efficiency,” instead of as simply a cost center. [6] [Emphasis added]

As an example of the potential for ROI, a 2022 Forrester TEI study found that a composite company achieved an ROI of 242% over three years and a net present value (NPV) of $17 million from switching to Microsoft Defender. It's easy to overestimate the value of individual or legacy security solutions, but the clear security advantages and proven ROI of Microsoft Defender XDR demonstrate that replacing legacy systems can be well worth the effort.

2. Concerns about ensuring secure integration

If not managed carefully, integrations involving newly opened communication, authentication, or data transfer channels can introduce vulnerabilities that become attack vectors. Microsoft’s 2024 State of Multicloud Security Risk Report notes that “...misconfigured APIs were one of the leading causes of cloud data breaches in 2023.” As a unified security platform, Microsoft Defender XDR mitigates such risks through a multilayered approach, offering centralized management (including identity access), comprehensive visibility, and stronger security controls to help prevent human error. This approach “help[s] security teams proactively detect and monitor misconfigurations so they can remediate as needed." [7]

Consistent, automated security with Microsoft Defender XDR

Microsoft Defender XDR integrates seamlessly with other Microsoft security tools, Microsoft 365 products, and AI, delivering consistent, automated security across the entire stack. For example:

Microsoft Defender XDR is embedded with Microsoft Sentinel, a cloud-native, AI-powered SIEM solution that aids Microsoft Defender XDR in addressing top cyberthreats like ransomware through:

- Improved visibility across domains: By ingesting data from an organization's infrastructure, devices, users, applications, and cloud environments, Microsoft Sentinel gives security teams a broad view of security threats.
- Enriched data with machine learning: Sentinel employs machine learning to enrich data with Microsoft threat intelligence, powering threat hunting, detection, investigation, and response across an ecosystem.
- Reduced alert fatigue: Filtering billions of signals, correlating them into alerts, and prioritizing incidents helps SOC teams handle alerts more efficiently, minimizing fatigue and enabling focused remediation.

Microsoft Defender integrates with Azure’s Microsoft Defender for Cloud, a cloud-native application protection platform (CNAPP) that secures workloads across Amazon Web Services, Google Cloud Platform, and Azure Cloud Services with constant cyberthreat monitoring at the code level. This capability allows:

- Broad attack investigation: Security teams can investigate threats across cloud resources, devices, and identities.
- Workload-specific protections: Dedicated protections extend to servers, containers, storage, databases, and more.
- Actionable security recommendations: Defender for Cloud provides insights to improve overall security posture and prevent breaches.

3. Resource, staff, and time constraints

Resource constraints, staff shortages, and time limitations are intensifying today’s already challenging cybersecurity landscape and can, understandably, impede deployments of new security products. For example:

- Resource constraints: Many organizations face limited budgets for security tools, technology, and personnel, leading them to continue with patchwork solutions or delay implementing critical security measures, potentially leaving gaps in security.
- Staff shortages: As cyber threats become more sophisticated, global demand for skilled IT and security professionals continues to grow while supply hasn’t been able to keep up. [8] When insufficient staff results in missed security tasks, reduced monitoring, and slower incident responses, organizations can be left vulnerable to risk.
- Limited time: Time constraints are a problem as old as time itself, but for IT teams with already heavy workloads, one more thing to do is more than stressful: it can leave systems vulnerable and increase windows of opportunity for bad actors.

FastTrack resources to help you get Microsoft Defender up and running

For Microsoft 365 customers experiencing any of the issues mentioned above, FastTrack for Microsoft 365 is here to help with accessible resources, automated, prescriptive setup guides, and even one-on-one assistance. Here’s how to start:

1. Visit the Microsoft 365 Setup site

Review openly accessible setup resources at the Microsoft 365 Setup site. Both business and IT leaders will find value in perusing detailed Microsoft Defender setup guides, on-demand videos, and helpful blogs to plan for safe, efficient Microsoft Defender deployment workloads.

2. Sign in to the Microsoft Admin Center (MAC) and start deploying Microsoft Defender using FastTrack’s automated setup guides

When you deploy Microsoft Defender XDR from the MAC using advanced deployment guides, you’re taking the most accurate, efficient, and secure deployment path possible. These automated guides combine detailed documentation with step-by-step instructions tailored specifically for your environment to give you streamlined guidance from beginning to end. Start by setting up the Microsoft Defender Zero Trust security model for your organization.

3. Request assistance from FastTrack for Microsoft 365

Customers with eligible licenses can request remote, one-on-one assistance from FastTrack before, during, or even after deployment of Microsoft Defender.

Take the next step to implement unified protection

Security is too crucial—and the cost of breaches is too high—to let any impediments, real or potential, delay or dissuade you from fully implementing your security investments. When you deploy Microsoft Defender, you’re protecting your organization with a unified security platform that combines multiple security functions—including endpoint, identity, and cloud security—under a single tool.

Start protecting your entire digital estate today: Keep your organization, data, and users safe by implementing the comprehensive power of Microsoft Defender, the industry-leading XDR solution that reduces costs and overhead while helping you keep your organization secure across all domains from costly cybercrime. To learn more about improving your security posture with Microsoft Defender, check out our recent webinar: Supercharging your SOC: Unlock the power of endpoint security in Microsoft Defender XDR.

Footnotes

[1] Microsoft’s 2024 State of Multicloud Security Risk Report
[2] Microsoft’s Global Cybersecurity Outlook Insight Report, 2022
[3] Microsoft Defender was named an XDR leader in The Forrester Wave: XDR Platforms, Q2 2024
[4] 3 Ways Behavioral Economics Obstructs Cybersecurity
[5] Closing the cybersecurity skills gap
[6] Cybersecurity As a Strategic Investment (forbes.com)
[7] 2024-State-of-Multicloud-Security-Risk-Report.pdf (microsoft.com)
[8] Closing the cybersecurity skills gap (microsoft.com)

Ingesting Purview compliance DLP logs to Splunk
We are in the process of enabling Microsoft Purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. I could not find any specific documentation for this. I researched it and found the solutions below, but I am not sure which would fit our requirement:

- The Splunk add-on for Microsoft Security is available: The Splunk Add-on for Microsoft Security is now available - Microsoft Community Hub. But this does not talk about Purview DLP logs.
- This add-on is available for Splunk but only says MIP can be integrated; it does not talk about DLP logs: Microsoft Graph Security API Add-On for Splunk | Splunkbase
- As per a few articles, we can also ingest Defender logs to Azure Event Hub, and then the Event Hub can be connected to Splunk.

The above-mentioned steps do not explain much about ingestion of MIP DLP raw data or incidents. If anyone has done it in the past, I will appreciate any input.

365 developer program reaction
Hi All, as we all know, in 365 we have the developer program. It's really useful. But unfortunately, last year due to family matters I did not use it regularly, so the trial period was not extended and expired. I am trying to reactivate the account. In the dashboard we have "delete profile". Once we click it, it says that after 24 hours you can join and get a 60-day trial again. But if I come back after 24 hours it goes to the registration process. Once that is done, it redirects to the old dashboard page where I have the expired profile. Please help me with reactivating my account. Thanks
Kannan N

Setting up Admin Quarantine
Hi, We are looking to set up admin quarantine as per the instructions here: Protect files with admin quarantine - Microsoft Defender for Cloud Apps | Microsoft Learn

We have followed this step by setting up a location for admin quarantine. However, when editing the 'Malware Detection' rule in Defender we do not get an option for 'Put in admin quarantine', only 'Put in user quarantine'. Does anyone have any idea how to resolve this? Thank you.