MS-203 Microsoft 365 Messaging – Manage message hygiene using Exchange Online and Office 365 Part 3

6. Managing Protection For Phishing with ATP Anti-Phishing

Let’s now look at Microsoft’s anti phishing capabilities that we’ve got in the Security and Compliance Center. Okay, so here we are on Microsoft 365 Admin Center. This is Portal, Microsoft. com. We’re going to click show. All Then we’re going to click Security. That’s going to bring us into the Security and Compliance Center. All right, we’re now going to drop down the thread management area and we’re going to click on Policy. All right. And you’re going to see you have ATP anti fishing. This is the Advanced Threat Management. Advanced Threat protection? Anti fishing capability.

So I’m going to click that and you’ll notice that it tells you that by default, your Office 365 has some built in features for preventing fishing. You got a default policy that it uses. It doesn’t list that there, but it does have a default policy. You can create custom policy to kind of refine things a little bit. Okay, so I’m going to go ahead and click to Create. So then I just got to give it a name. I’m just going to call this phishing test. We’re going to click next. At that point I can apply a condition. You’ve seen these conditions before. Most likely you can specify the recipient who a specific recipient is.

A recipient that’s a member of a specific group, a recipient member of a specific domain. You can also set accept when recipient is accept when recipient is a member of accept when the recipient is a member of the domain. I’m going to say the recipient is let’s just pick on how about Alex Rogers? We wanted to add more than one recipient or entire group. We could we’re just picking on one person though. I’m just going to click next and I’m going to now go ahead and create the policy. Once the policy is created, I can edit the policy. So all got to do is just click on it. And then down here I can alter these options that I’ve got so I can alter impersonation settings.

So users to protect, protect all domains I own. Protect specific domains. I can click Edit on that. And you can go through and you can select these. So this first option says Add users to protect. This is add up to 60 internal and external users you want to protect from being impersonated by tax. Says we recommend adding users in key roles so, you know, admins all that or managers, they mentioned CEO, CEOs, CFOs, people that might have some extra power. So I could turn that on if I want and then I can add those users. Okay, so I’ve got that and I actually need to edit more than that. I’ve got my domains to protect here. So I can say automatically include the domains I own.

So I could do that if I want. Include custom domains. I wanted to add some custom domains there. I could, I can set some actions to perform if an attacker impersonates the users or domains you specify. We’ll apply the actions you choose here. So if the email is sent by an impersonated user, says don’t apply any action, okay? Redirect the message to other emails, move the message to recipients, quarantine the message, deliver the message and add other addresses to the blind carbon copy line, delete the message, don’t apply any action. I’m going to say Quarantine says if email is sent by an impersonated domain, then I can do the same thing, say quarantine if I want, all right, then I can do mailbox intelligence. They tell you here that the mailbox intelligence is going to analyze your cloud based users mail flow patterns to try and determine which context they communicate with most often. So this is actually using some machine learning capabilities to try to determine if there is a form of phishing going on. So I can enable this if I want. I’ve also got enable mailbox intelligence based impersonation protection, turn that on if I want, all right, so that adds that additional impersonation protection there.

As if an attacker impersonates a user protected by mailbox intelligence will apply these actions. If email is sent by an impersonated user, do the following same thing I do Quarantine if I want, all right? I can also add trusted senders to the list here, trusted domains to the list and at that point I would view my settings and at that point I can save the items that I’ve enabled here. Okay, you’ve also got spoof protection here, so enable anti spoofing. I could edit that if I want. Choose how you want to filter email from senders who are spoofing domains.

All right? I could say enable unauthenticated users. So choose if you want to apply question mark symbol and outlook sender card if the sender fails authentication checks. So in other words, if the person you’re communicating with the sender is not an authenticated user, it has a warning queue for you that it’s going to show, then I can also decide what actions I want to perform.

So if the person spoofing your domain isn’t an allowed sender, we’ll apply the action you choose here if email is sent by someone who’s not allowed to spoof your domain. Okay, I know it’s kind of funny, you think, well, why would anybody want to allow spoofing domains? Remember, in exchange we have the send as and send on behalf and if you’re not careful, sometimes that can be seen as a spoofed domain or spoofed email. So we can choose what to do. Do we want to move it to junk mail? Do we want to quarantine it? I’m going to say quarantine at that point. I’ve got that enabled. You can also do advanced settings, advanced phishing thresholds. I can click edit on that and it shows you here that you can control how aggressive it’s going to be.

All right, you can move this up or down and they tell you that number one is just the standard. If you go to number four, this is going to be the most aggressive. So it’s going to really dig and try to prevent fishing attacks. And the downside of course is you kind of need to find your happy medium because the downside here is if you’re not careful it may end up stopping legitimate mail flow.

So you really want to kind of test this out a little bit. It might be good for you to set up a group and have it test the policy on the group group a little bit, see, make sure it’s not preventing mail flow and then go from there. Okay. But that’s how you can create yourself a nice little anti phishing policy. And again I recommend and of course Microsoft, they recommend the same thing, which is you should definitely test this out on a group of email accounts before you put this out to the production environment.

7. Monitoring Quarantined Items

Let’s look now at where Exchange Online will place its Quarantined email messages. Now this used to be just within the Exchange protection blade, but it’s now moved into the Security and Compliance Center. So here I am in Portal Microsoft. com, also known as Admin Microsoft. com. And I’m going to click on the show all lip symbol and I’m going to click Security. This is going to bring me into the Security and Compliance Center. Okay. All right. And then from there I’m going to go to threat management and there is a review blade here I can click on. And then you’ll see Quarantine right here.

Okay. So this is where you can see your Quarantine messages. I’ll click on that, anything that’s been Quarantined will show up here. You get information on when it was received, the sender the subject Quarantine release, if it was a policy that did it. And so you can basically control the Quarantine items from there. Okay. So all in all, two pretty straightforward.

That’s going to be for Exchange. I can also sort by message ID, sender email address, recipient email address, subject policy name, all that. You can search and type a keyword in here. So like an exact ID or address or subject name. You can also sort by not just emails, but you can sort by files as well. Okay. And of course this is just Microsoft is trying to move everything in Security Compliance Center here just to kind of be your one stop shop for all your security related needs, if you will. Yeah.

• Category: Uncategorized