Office 365 Advanced Threat Protection
There are three ATP policies available for your Office 365 environment in the Security & Compliance portal (https://protection.office.com): anti-phishing, Safe Attachments and Safe Links. I will explain what each policy does and how you set it up. (Office 365 ATP has since been renamed Microsoft Defender for Office 365 and the policies moved to the Microsoft 365 Defender portal, but the three policy types and their settings are the same.)
What is ATP anti-phishing? It checks incoming messages for indicators that the message may be phishing. Each incoming message is evaluated by multiple machine learning models that analyse it, determine whether an anti-phishing policy applies to it, and take the action configured in that policy. ATP also learns how each user communicates with people inside and outside the organization and builds a relationship map; using this map it can detect a message that is trying to impersonate a user in the organization.
How do you set up an anti-phishing policy in your Office 365 environment? On the ATP anti-phishing page, create a new policy; the first step is to name it and choose who the policy applies to. Once the policy exists the remaining settings can be edited, as shown in the picture below. In this example a single user is protected from phishing, but the policy could just as well target a domain. The same user has also been added to the list of users protected from impersonation. Only 60 internal and external users could be protected from impersonation when this was written (Microsoft has since raised the limit to 350), so reserve these slots for the people most worth impersonating, e.g. the CEO or CFO.
Two actions have been configured: when an email is sent by an impersonated user or from an impersonated domain, the message is redirected to another mailbox for review. Safety tips can also be shown to the user when a message contains unusual characters or comes from an impersonated domain or user. Mailbox intelligence is the function that maps each user's normal contacts to determine whether a message is impersonating someone the recipient usually corresponds with. We can also add trusted senders and domains that will never be classified as an impersonation attack. When someone tries to spoof our own domain, the message is moved to the recipient's Junk Email folder; it could be quarantined instead.
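The same anti-phishing policy described in the two paragraphs above, built with Exchange Online PowerShell instead of the portal. This is an added example and not part of the original post; it assumes the ExchangeOnlineManagement module is installed, and the policy name, mailboxes, users and domains (contoso.com, the soc@ mailbox, the partner and newsletter domains) are placeholders.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module; all names, addresses and domains below are placeholders.
Connect-ExchangeOnline

$policyName      = 'AntiPhish-Executives'
$securityMailbox = 'soc@contoso.com'

# Users protected from impersonation, as "DisplayName;EmailAddress" pairs.
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.com',     # CEO
    'John Smith;john.smith@contoso.com'  # CFO
)
# The list was capped at 60 entries when the post was written (now 350);
# fail early instead of letting the cmdlet reject the whole policy.
if ($protectedUsers.Count -gt 60) {
    throw "Too many protected users: $($protectedUsers.Count)"
}

New-AntiPhishPolicy -Name $policyName `
    -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Redirect `
    -TargetedUserActionRecipients $securityMailbox `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'contoso-partner.example' `
    -TargetedDomainProtectionAction Redirect `
    -TargetedDomainActionRecipients $securityMailbox `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -ExcludedSenders 'alerts@monitoring.example' `
    -ExcludedDomains 'newsletter.example' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction MoveToJmf   # spoof of our domain -> Junk; Quarantine is the alternative

# A policy is inert until a rule binds it to recipients. One user here;
# -SentToMemberOf or -RecipientDomainIs scope it to a group or a whole domain.
New-AntiPhishRule -Name "$policyName-Rule" `
    -AntiPhishPolicy $policyName `
    -SentTo 'jane.doe@contoso.com' `
    -Priority 0

# Read back what was actually applied.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, Enabled, TargetedUsersToProtect, TargetedUserProtectionAction,
        TargetedDomainsToProtect, EnableMailboxIntelligenceProtection,
        MailboxIntelligenceProtectionAction, AuthenticationFailAction
Get-AntiPhishRule -Identity "$policyName-Rule" | Format-List Name, SentTo, Priority, State
```

The redirect action sends the impersonation attempt to the security mailbox rather than deleting it, which keeps the evidence for the incident responders; the quarantine action on mailbox-intelligence hits is stricter because those verdicts are probabilistic and a user should be able to release a false positive.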
ATP Safe Attachment
What is ATP Safe Attachment? It protects against malicious attachments by detonating each attachment in a virtual environment (sandbox) before the user receives it; if the attachment is determined to be malicious it is removed from the email. ATP Safe Attachments can also cover files in SharePoint, OneDrive and Microsoft Teams: if a malicious file is uploaded to one of these services and a link to it is shared, the file is blocked from being opened so that other users are not infected by it.
How do you set up a Safe Attachment policy in your Office 365 environment? Start by giving the policy an appropriate name. Then choose an action; in the example below Dynamic Delivery is used, where the message body is delivered immediately without the attachment and the attachment is reattached once the scan completes. We can also redirect attachments to another email address when malware is detected or when scanning times out or fails. As with the other ATP policies we apply it to a specific user here, but it can be applied to a domain or a group. ATP for SharePoint, OneDrive and Microsoft Teams can also be enabled from this policy page.
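The Safe Attachments setup from the paragraph above as an Exchange Online PowerShell script. This is an added example, not code from the original post; the policy name, the recipient and the soc@ mailbox are placeholders. The "if scanning times out or an error occurs" option in the post was the -ActionOnError parameter, which Microsoft has since deprecated (the detection response is now always applied on timeouts), so it is left out.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module; policy name, recipient and mailbox are placeholders.
Connect-ExchangeOnline

$policyName      = 'SafeAttachments-DynamicDelivery'
$securityMailbox = 'soc@contoso.com'

# Actions: Allow (deliver and log), Block, Replace (strip the attachment, deliver
# the body) or DynamicDelivery (deliver the body now, reattach after detonation).
# DynamicDelivery requires an Exchange Online mailbox.
New-SafeAttachmentPolicy -Name $policyName `
    -Enable $true `
    -Action DynamicDelivery `
    -Redirect $true `
    -RedirectAddress $securityMailbox   # copy of malicious attachments for analysis

# Scope the policy to a recipient; -SentToMemberOf or -RecipientDomainIs for groups/domains.
New-SafeAttachmentRule -Name "$policyName-Rule" `
    -SafeAttachmentPolicy $policyName `
    -SentTo 'jane.doe@contoso.com' `
    -Priority 0

# SharePoint, OneDrive and Teams coverage is a tenant-wide switch, not part of the
# per-recipient policy, even though the portal shows it on the same page.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify.
Get-SafeAttachmentPolicy -Identity $policyName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity "$policyName-Rule" | Format-List SentTo, Priority, State
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB
```

Redirecting a copy of every detonated-malicious attachment to a monitored mailbox gives the SOC a sample to hash and hunt for, which the portal's quarantine alone does not make easy.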
ATP Safe Links
What is ATP Safe Links? It protects users from malicious links in email and in Word, Excel, PowerPoint and Visio documents. When a user receives a mail it first passes through Exchange Online Protection, where IP and envelope filters, signature-based malware protection, and anti-spam and anti-malware filters are applied. When the user later clicks a link in the mail, ATP Safe Links checks the URL at that moment, before the website opens, and classifies it as blocked, malicious or safe. Because the check happens at time of click rather than only at delivery, a link whose destination turns malicious after the mail arrived is still caught.
How do you set up a Safe Links policy in your Office 365 environment? The policies are found under Threat management > Policy in the Security & Compliance portal, alongside the other security policies in Office 365. First we define a policy for the entire organisation by editing the default policy. Start by choosing which domains and subdomains to block; in the example below the domain idg.se is blocked for all users.
When a user tries to reach the blocked URL, the message below pops up and stops the user from continuing to the site.
If some users or groups need access to a globally blocked URL, a separate Safe Links policy applied to specific email recipients can be created. In the policy below a single user is allowed to reach the otherwise blocked URL because the policy does not rewrite that URL. A recipient policy also offers more settings than the global policy, which is essentially a blanket block list.
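The Safe Links setup from the three paragraphs above, reproduced in Exchange Online PowerShell: the organisation-wide block of idg.se, then a recipient-scoped policy that leaves idg.se links unrewritten for one user. This is an added example, not code from the original post; idg.se is the domain blocked in the post, while the policy name and the user address are placeholders. The global "block the following URLs" list the post edits was the -BlockUrls parameter of Set-AtpPolicyForO365; Microsoft has since deprecated it in favour of the Tenant Allow/Block List, so the legacy call is shown commented out and the current equivalent is the one that runs.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module; the user address and policy name are placeholders.
Connect-ExchangeOnline

$blockedUrls = @('idg.se', '*.idg.se')   # the domain and its subdomains

# 1. Organisation-wide block. The post's "entire organization" default policy was
#    the deprecated -BlockUrls list:
#    Set-AtpPolicyForO365 -BlockUrls $blockedUrls
#    Its current replacement is a URL block entry in the Tenant Allow/Block List.
New-TenantAllowBlockListItems -ListType Url -Block -Entries $blockedUrls -NoExpiration

# 2. Exception for one user: a recipient-scoped Safe Links policy that does not
#    rewrite idg.se links, so this user can still reach the site.
$policyName = 'SafeLinks-AllowIdg'
New-SafeLinksPolicy -Name $policyName `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForOffice $true `
    -EnableSafeLinksForTeams $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -DoNotRewriteUrls $blockedUrls

New-SafeLinksRule -Name "$policyName-Rule" `
    -SafeLinksPolicy $policyName `
    -SentTo 'jane.doe@contoso.com' `
    -Priority 0

# 3. Verify: the block entry exists, and only the exception policy skips rewriting.
Get-TenantAllowBlockListItems -ListType Url -Block | Format-Table Value, Action, ExpirationDate
Get-SafeLinksPolicy |
    Format-Table Name, DoNotRewriteUrls, AllowClickThrough, TrackClicks
Get-SafeLinksRule -Identity "$policyName-Rule" | Format-List SentTo, Priority, State
```

Keep the exception list in -DoNotRewriteUrls as short as the business case allows: any URL on it is never checked at time of click for those recipients, so the exception policy should be scoped to the named users or a group rather than a whole domain.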