Introduction:
Microsoft Defender for Office 365 is a robust defense solution when it comes to defending users and other resources in the Office 365 environment. It provides multiple options for granular tuning by using various flexible policies which cover a wide area in every organization’s environment.
Microsoft Defender for Office 365 is reached through the Microsoft 365 Admin Center (https://admin.microsoft.com) by choosing the Security option.
This opens the main page of Microsoft Defender for Office 365, where you follow the path Email & collaboration -> Policies & rules -> Threat policies -> Anti-phishing.
Microsoft Defender for Office 365 offers out-of-the-box policies called “Preset security policies”. Preset security policies allow you to apply protection features to users based on Microsoft recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable and are based on Microsoft observations in the datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions.
The following preset security policies are available:
- Standard
- Strict
- Built-in protection (default policies for Safe Attachments and Safe Links protection in Defender for Office 365)
Another useful feature is the Configuration analyzer. It helps to identify and improve the defences by analysing currently implemented policies and providing recommendations.
Microsoft Defender for Office 365 covers a wide range of security policies, but the scope of this blog post will be recommendations related to anti-phishing policies.
Custom anti-phishing policy recommendations:
The custom anti-phishing policy in Microsoft Defender for Office 365 provides granular tuning of impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds.
The default anti-phishing policy automatically applies to all recipients. For greater granularity and tuning, it is recommended to create custom anti-phishing policies that apply to specific users, groups, or domains in your organization.
When creating a new anti-phishing policy, the important settings for the policy are modified in the “Phishing threshold & protection” section:
The recommended settings for the new anti-phishing policy should look like this:
Phishing threshold:
It is recommended to start with the default value of 1 – Standard and then modify the setting based on the environment. The severity of the action that's taken on the message depends on the degree of confidence that the message is phishing (low, medium, high, or very high confidence).
User impersonation protection:
This setting isn’t selected by default, and it is recommended to turn it on.
User impersonation protection prevents specific internal or external email addresses from being impersonated as message senders.
This setting lets you list specific internal and external senders and protects them through the combination of their display name and email address; the list can be filled in later, once the high-profile users in the organization have been identified.
Domain impersonation protection:
This setting isn’t selected by default, and it is recommended to turn it on.
Domain impersonation protection prevents specific domains in the sender's email address from being impersonated. This can be applied to all domains that you own or specific custom domains (domains you own or partner domains).
Trusted impersonated senders and domains:
This setting is used to specify impersonation protection exceptions for the policy and can be adjusted later.
Mailbox intelligence:
By default, this setting is turned on and it is recommended to leave it selected. This setting helps the AI distinguish between messages from legitimate and impersonated senders.
Mailbox intelligence for impersonations:
By default, this setting is turned off and it is recommended to turn it on. This setting allows mailbox intelligence to take action on messages that are identified as impersonation attempts.
Spoof intelligence:
By default, this setting is turned on and it is recommended to leave it selected. Spoofed messages appear to originate from someone or somewhere other than the actual source.
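The settings recommended above, scripted with Exchange Online PowerShell as an added example that is not part of the original post: it assumes the ExchangeOnlineManagement module is installed and uses the New-AntiPhishPolicy, New-AntiPhishRule and Get-AntiPhishPolicy cmdlets; all names, addresses and domains are placeholders.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module; every name, address and domain below is a placeholder for your tenant.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$policyName = "Custom Anti-Phishing - High-profile users"

$policyParams = @{
    Name                                = $policyName
    # Phishing threshold: 1 = Standard; raise only after observing the environment.
    PhishThresholdLevel                 = 1
    # User impersonation protection (off by default). Entries are "DisplayName;EmailAddress".
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @("Jane Doe;jane.doe@contoso.example")
    TargetedUserProtectionAction        = "Quarantine"
    # Domain impersonation protection (off by default): all owned domains plus partner domains.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @("partner.example")
    TargetedDomainProtectionAction      = "Quarantine"
    # Trusted impersonated senders (policy exceptions); adjust later as needed.
    ExcludedSenders                     = @("newsletter@partner.example")
    # Mailbox intelligence (on by default) and mailbox intelligence for impersonations (off by default).
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "MoveToJmf"
    # Spoof intelligence (on by default).
    EnableSpoofIntelligence             = $true
}
New-AntiPhishPolicy @policyParams

# A policy only takes effect once a rule scopes it to recipients; here a
# placeholder group of high-profile users. Lower Priority = evaluated first.
New-AntiPhishRule -Name "$policyName rule" -AntiPhishPolicy $policyName `
    -SentToMemberOf "executives@contoso.example" -Priority 0

# Verify that the settings the post recommends turning on actually took effect.
$p = Get-AntiPhishPolicy -Identity $policyName
$expected = @{
    EnableTargetedUserProtection        = $true
    EnableTargetedDomainsProtection     = $true
    EnableOrganizationDomainsProtection = $true
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    EnableSpoofIntelligence             = $true
}
foreach ($k in $expected.Keys) {
    if ($p.$k -ne $expected[$k]) { Write-Warning "$k is $($p.$k), expected $($expected[$k])" }
}
```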
Conclusion:
Phishing is one of the biggest challenges that organizations are facing today. This calls for every available and useful control to be implemented to minimize the phishing attack surface, and Microsoft Defender for Office 365 anti-phishing policies provide just that. The other policies have a great number of settings as well and are very useful if implemented correctly, but they are very granular and have to be adjusted individually for each environment. Therefore, it is difficult to provide recommendations for them because this won’t be the “easy fix” solution that addresses all issues.
Microsoft Defender for Office 365 anti-phishing policies offer a good range of impersonation protection (user, domain), AI-enhanced mailbox intelligence and spoof protection. These policies can be combined with other third-party mail security solutions for an even more robust layered defence.
Phishing emails that reach users lead to credential theft, account compromise, potential malware downloads and so on, and the SOC team then has to analyse and remediate each of these incidents. The impact on the organization and the blue teams is huge, so it is vital to implement correctly configured anti-phishing rules.