While the threat landscape continues to evolve in sophistication and volume, Office 365 Advanced Threat Protection (ATP) has maintained a rapid pace of evolution and continued enhancement to help ensure unparalleled security for emails and documents. Seamless integration with the Microsoft Intelligent Security Graph provides 6.5 trillion signals per day from identities, endpoints, user data, cloud apps, and infrastructure, uniquely positioning Office 365 ATP to offer intelligent protection and detection capabilities. Office 365 ATP provides a foundation for securing the modern workplace with a powerful feature set, detailed reporting, and comprehensive anti-phish capabilities.
Office 365 ATP is the most widely used advanced security service for Office 365, protecting more end users than all other security services from competitors combined while helping Microsoft improve its own security posture. Importantly, partners and customers are also confident with the security from Office ATP. The Oxford Computer Group use Office 365 ATP and are especially excited about the new anti-phish capabilities offered, highlighting the enhanced anti-impersonation, anti-spoof, and sophisticated ‘mailbox intelligence’ capabilities. Another partner ProserveIT shared this story where Office ATP helped them protect against a phishing attack and also describes some of the in-depth features offered in Office ATP, including protecting SharePoint Online, OneDrive for Business, and Teams. Our customer Operandis, also recently shared how they were a target of a socially engineered attack and how Office 365 ATP could have prevented the attack.
As we look forward to Microsoft Ignite 2018 where we will be announcing the latest innovative capabilities for Office 365 ATP, let’s take a look back at the recent enhancements that have enabled our customers and partners to continue maintaining their trust with Office 365 ATP.
As our customer and partner testimonials indicate, phishing is at the top of mind and one of the greatest causes for concern across the industry. The latest Microsoft Security Intelligent Report revealed that phishing was the #1 threat for vector for Office 365 based threats in second half of CY 2017.
To safeguard our customers against phishing attacks, we made the following enhancements in Office 365 ATP:
Impersonation is a commonly used technique in targeted phishing attacks. Attackers may use domain impersonation or user impersonation. The most prevalent scenario of user impersonation is when a threat actor impersonating the CEO or other influential executive emails finance or HR to transfer money. This is an example of a Business Email Compromise attack which can have severe financial impact. To help mitigate these phishing techniques, we made several enhancements.
Choose Action for Impersonated Users or Domains
Enhanced Anti-spoofing technology
Exchange Online Protection (EOP) has been securing Office 365 customers from internal domain spoof for many years. The newest anti-spoof features help protect organizations from external domain spoof, and offer admins greater control over the strength of spoof filters, the action taken when malicious spoof is detected, and the ability to turn safety tips on/off. The newly added anti-phishing insights provide real-time detections for spoofing, domain and user impersonation. You can learn more about anti-spoofing here.
Spoof Intelligence insight widget
Spoof intelligence insight report
Intra-Org Email link scanning and detonation of Phish Lures
When attackers gain access to an internal account, they can use it to launch intra-org phishing campaigns. With Internal Safe Links, Office ATP Safe Links policies can be applied to intra-org emails. Office 365 ATP is the only service not requiring routing of internal emails outside the compliance boundary of Office 365. This is critical in ensuring your organization is compliant with regulations such as GDPR.
Easy setup with an on/off button to execute the feature capability
Emails containing phish lures often lead to a user compromise. Office 365 ATP applies algorithms and heuristics to determine if a link should be detonated during the mail flow and scans the email body and attachments for such links to prevent the payload being executed.
Real Example of Office 365 ATP following suspicious link to the destination a URL points to and scanning that page for potential malware or phish
Earlier this year, we released real-time reports for malware, phish and user-reported messages for Office 365 ATP customers. We are also extending the email phishing views in Real-time reports to include additional phishing detection details including the detection technology that resulted in the phish detection. These views are also enriched with additional details on URLs. This includes URLs included in messages, filtering based on URL information, display of URL information in the graph/pivot, and Safe Links time-of-click data on allowed/blocked clicks from messages. Related, the phish detection events are also now available in the Office 365 management API. The schema includes email phish and is being extended to now include email URL click events. We believe these enhanced admin views are critical to powering security investigation and remediation scenarios across advanced phishing attack vectors.
Enhanced email views with phish detection technology pivots