Defender for O365 overview - aaqibwani/M365 GitHub Wiki
Microsoft Defender for Office 365 (MDO) is a cloud-based security service that protects against threats to email and collaboration tools like Exchange Online, SharePoint, OneDrive, and Microsoft Teams.
Microsoft Defender for Office 365 offers a range of features that build upon the default protections of Exchange Online Protection (EOP). The features are categorized into two plans: Plan 1 and Plan 2, with Plan 2 including all the features of Plan 1 and more.
- Default email protections for cloud mailboxes prevent broad, volume-based, known email attacks.
- Defender for Office 365 Plan 1 protects email and collaboration features from zero-day malware, phishing, and business email compromise (BEC).
- Defender for Office 365 Plan 2 adds phishing simulations, post-breach investigation, hunting, and response, and automation.
How the default email protections for cloud mailboxes work
- Incoming messages in Microsoft 365 initially pass through connection filtering, which checks the sender's reputation. Most spam is rejected at this point. For more information, see Configure connection filtering.
- If malware is found in the message or a message attachment, the message is delivered to quarantine. By default, only admins can view and interact with malware quarantined messages. But, admins can create and use quarantine policies to specify what users are allowed to do to quarantined messages. To learn more about malware protection, see Anti-malware protection.
- Policy filtering evaluates the message against any Exchange mail flow rules (also known as transport rules) configured to act on messages. For example, a rule can notify a manager about messages from a specific sender.
  - In on-premises organizations with Exchange Enterprise CAL with Services licenses, data loss prevention (DLP) checks also happen at this point.
- The message passes through content filtering, which includes anti-spam and anti-phishing filtering:
  - Anti-spam policies identify messages as bulk, spam, high confidence spam, phishing, or high confidence phishing.
    - High confidence phishing messages are always delivered to quarantine. By default, only admins can view and interact with high confidence phishing messages.
  - Anti-phishing policies identify messages as spoofing.
  - You can configure the action to take on the message based on the filtering verdict (for example, quarantine or move to the Junk Email folder), and what users can do to the quarantined messages using quarantine policies. For more information, see Configure anti-spam policies and Configure anti-phishing policies for all cloud mailboxes.
- A message that successfully passes all of these protection layers is delivered to the recipients.
The steps to configure Defender for Office 365 are summarized in the following diagram and described in the steps below:
Step 1: Configure email authentication for your Microsoft 365 domains
- Sender Policy Framework (SPF): The SPF TXT record identifies valid sources of email from senders in the domain.
- DomainKeys Identified Mail (DKIM): DKIM signs outbound messages and stores the signature in the message header that survives message forwarding.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC helps destination email servers decide what to do with messages from the custom domain that fail SPF and DKIM checks. Be sure to include the DMARC policy (p=reject or p=quarantine) and DMARC report destinations (aggregate and forensic reports) in the DMARC records.
- Authenticated Received Chain (ARC): If a non-Microsoft service modifies inbound messages before delivery to Microsoft 365, you can identify the service as a trusted ARC sealer (if the service supports it). Trusted ARC sealers preserve unmodified email information so the modified messages don't automatically fail email authentication checks in Microsoft 365.
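As an added example (not code from the wiki page or from Microsoft), the following Python checks a domain's published SPF and DMARC TXT records against the points above: an enforcing DMARC policy (p=quarantine or p=reject), aggregate (rua) and forensic (ruf) report destinations, and an SPF record that authorizes Microsoft 365 and ends in a fail qualifier. The record strings are passed in directly (for example, copied from a DNS lookup), and the sample values are constructed.

```python
# Added example (not from the wiki page or any Microsoft tool): check a domain's
# SPF and DMARC TXT records against the Step 1 guidance. Records are passed in
# as strings, so the check runs offline; the sample values are constructed.

def parse_dmarc_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list:
    """Findings as (level, message): enforcing p=, rua=/ruf= present, pct=100."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return [("fail", "not a DMARC record (v=DMARC1 missing)")]
    policy = tags.get("p", "")
    if policy in ("quarantine", "reject"):
        findings = [("ok", f"enforcing policy p={policy}")]
    elif policy == "none":
        findings = [("warn", "p=none only monitors; mail failing SPF and DKIM is still delivered")]
    else:
        findings = [("fail", "p= tag missing or invalid")]
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        if tag in tags:
            findings.append(("ok", f"{kind} reports go to {tags[tag]}"))
        else:
            findings.append(("warn", f"no {tag}= tag, so no {kind} reports will arrive"))
    if tags.get("pct", "100") != "100":
        findings.append(("warn", f"pct={tags['pct']}: policy applied to only part of failing mail"))
    return findings

def check_spf(record: str) -> list:
    """Check v=spf1, the Microsoft 365 include, and the qualifier on the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("fail", "not an SPF record (v=spf1 missing)")]
    findings = []
    if "include:spf.protection.outlook.com" not in terms:  # Microsoft 365's SPF include
        findings.append(("warn", "Microsoft 365 is not listed as an authorized source"))
    if terms[-1] == "-all":
        findings.append(("ok", "unlisted sources hard-fail (-all)"))
    elif terms[-1] == "~all":
        findings.append(("warn", "unlisted sources only soft-fail (~all)"))
    else:
        findings.append(("fail", f"record should end in -all or ~all, got {terms[-1]!r}"))
    return findings
```

Running both checks on each custom domain before turning on the Standard or Strict preset is a quick way to catch a monitoring-only p=none or a missing rua= that would otherwise leave DMARC failures unreported.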
Step 2: Configure threat policies
Turn on and use the Standard and/or Strict preset security policies for all recipients. Or, if business needs dictate, create and use custom threat policies instead, but check them periodically using the configuration analyzer.
- Default threat policies: These policies exist from the moment the organization is created. They apply to all recipients in the organization, you can't turn off the policies, and you can't modify who the policies apply to. But you can modify the security settings in the policies just like custom threat policies.
- Preset security policies: Preset security policies are actually profiles that contain most of the available threat policies in Defender for Office 365 with settings that are tailored to specific levels of protection. The preset security policies are:
  - The Strict preset security policy.
  - The Standard preset security policy.
  - Built-in protection.

  The Standard and Strict preset security policies are turned off by default until you turn them on. You specify recipient conditions and exceptions (users, group members, domains, or all recipients) for default email protection features for cloud mailboxes and protection features in Defender for Office 365 within the Standard and Strict preset security policies.

  Built-in protection in Defender for Office 365 is on by default and provides basic Safe Attachments and Safe Links protection for all recipients. You can specify recipient exceptions to identify users who don't get the protection.

  In Standard and Strict preset security policies in Defender for Office 365 organizations, you need to configure entries and optional exceptions for user and domain impersonation protection. All other settings are locked into our recommended standard and strict values (many of which are the same). You can see the Standard and Strict values in the tables in Recommended email and collaboration threat policy settings for cloud organizations, and you can see the differences between Standard and Strict here.

  As new protection capabilities are added to Defender for Office 365 and as the security landscape changes, the settings in preset security policies are automatically updated to our recommended settings.
- Custom threat policies: For most available policies, you can create any number of custom threat policies. You can apply the policies to users using recipient conditions and exceptions (users, group members, or domains) and you can customize the settings.
Order of precedence for threat policies
How threat policies are applied is an important consideration as you decide how to configure security settings for users. The important points to remember are:
- Protection features have an unconfigurable order of processing. For example, incoming messages are always evaluated for malware before spam.
- The threat policies of a specific feature (anti-spam, anti-malware, anti-phishing, etc.) are applied in a specific order of precedence (more on the order of precedence later).
- If a user is intentionally or unintentionally included in multiple policies of a specific feature, the first applicable threat policy for that feature (based on the order of precedence) determines what happens to the item (a message, file, URL, etc.).
- Once the first threat policy is applied to a specific item for a user, policy processing for that feature stops. No more threat policies of that feature are evaluated for that user and that specific item.
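The "first applicable policy wins" rule above, modelled as an added example (not code from the wiki page or from Microsoft) for the policies of one feature such as anti-spam. Policy names, users, groups and domains are constructed, and presets are represented simply as policies with the lowest priority numbers; the page does not spell out the full order of precedence, so that ordering is an assumption.

```python
# Added example (not from the wiki page or any Microsoft tool): a model of the
# "first applicable policy wins" rule for the policies of one feature. Names,
# users, groups and domains are constructed; presets get the lowest priorities.

from dataclasses import dataclass, field

@dataclass
class ThreatPolicy:
    name: str
    priority: int                       # lower number = evaluated earlier
    is_default: bool = False            # default policy: all recipients, no conditions or exceptions
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    except_users: set = field(default_factory=set)
    except_groups: set = field(default_factory=set)
    except_domains: set = field(default_factory=set)

def policy_applies(policy: ThreatPolicy, user: str, groups: set) -> bool:
    """True if the recipient meets a condition and hits no exception."""
    if policy.is_default:
        return True                     # you can't change who the default policy applies to
    domain = user.split("@", 1)[1]
    if user in policy.except_users or domain in policy.except_domains or groups & policy.except_groups:
        return False                    # an exception always beats a matching condition
    return user in policy.users or domain in policy.domains or bool(groups & policy.groups)

def applicable_policy(policies: list, user: str, groups=()) -> str:
    """Name of the one policy that acts on this recipient's items for this feature."""
    user = user.lower()
    groups = {g.lower() for g in groups}
    # evaluation order: preset/custom policies by priority number, default policy last
    for policy in sorted(policies, key=lambda p: (p.is_default, p.priority)):
        if policy_applies(policy, user, groups):
            return policy.name          # processing stops at the first applicable policy
    raise ValueError("no default policy defined")

# constructed tenant: a Strict preset for executives, a custom policy for a domain, the default
SAMPLE_POLICIES = [
    ThreatPolicy("Default", 999, is_default=True),
    ThreatPolicy("Contoso-Domain", 1, domains={"contoso.example"}, except_users={"cfo@contoso.example"}),
    ThreatPolicy("Strict Preset", 0, groups={"executives"}),
]

if __name__ == "__main__":
    for user, groups in [("ceo@contoso.example", {"executives"}), ("cfo@contoso.example", set()),
                         ("dev@contoso.example", set()), ("guest@fabrikam.example", set())]:
        print(user, "->", applicable_policy(SAMPLE_POLICIES, user, groups))
```

Note that the CFO, excepted from the domain policy, does not fall through to a "next best" custom policy but all the way to the default policy, which is exactly the behaviour to check for when a user unexpectedly receives weaker protection.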
Step 3: Assign permissions to admins
When it comes to assigning permissions for tasks in Defender for Office 365, the following options are available:
- Microsoft Entra permissions: These permissions apply to all workloads in Microsoft 365 (Exchange Online, SharePoint, Microsoft Teams, etc.).
- Exchange Online permissions: Most tasks in Defender for Office 365 are available using Exchange Online permissions. Assigning permissions only in Exchange Online prevents administrative access in other Microsoft 365 workloads.
- Email & collaboration permissions in the Microsoft Defender portal: Administration of some security features in Defender for Office 365 is available with Email & collaboration permissions. For example:
  - Configuration analyzer
  - Admin quarantine management and quarantine policies
  - Admin submissions and review of user reported messages
  - User tags

For simplicity, we recommend using the Security Administrator role in Microsoft Entra for others who need to configure settings in Defender for Office 365.
Step 4: Priority accounts and user tags
In Defender for Office 365, priority accounts allow you to tag up to 250 high-value users for ease of identification in reports and investigations. These priority accounts also receive additional heuristics that don't benefit regular employees. In Defender for Office 365 Plan 2, you also have access to create and apply custom user tags to easily identify specific groups of users in reports and investigations. For more information, see User tags in Microsoft Defender for Office 365.
Step 5: Review and configure user reported message settings
Use the built-in Report button in Outlook or a supported non-Microsoft tool so users can report false positives and false negatives in Outlook, and so those reported messages are available to admins on the User-reported tab of the Submissions page in the Defender portal. Configure the organization so reported messages go to a specified reporting mailbox, to Microsoft, or both.
Make sure clients are using one of the following methods so reported messages appear on the User-reported tab of the Submissions page in the Defender portal at https://security.microsoft.com/reportsubmission?viewid=user:
Submitting user reported messages to Microsoft is important to allow our filters to learn and improve.
Step 6: Block and allow entries
You need to become familiar with how to block and (temporarily) allow message senders, files, and URLs at the following locations in the Defender portal:
- The Tenant Allow/Block List at https://security.microsoft.com/tenantAllowBlockList.
- The Submissions page at https://security.microsoft.com/reportsubmission.
- The Spoof intelligence insight page at https://security.microsoft.com/spoofintelligence.

In general, it's easier to create blocks than allows, because unnecessary allow entries expose your organization to malicious email that the system would otherwise filter.
Block:
You can create block entries for domains and email addresses, files, and URLs on the corresponding tabs in the Tenant Allow/Block List and by submitting the items to Microsoft for analysis from the Submissions page. When you submit an item to Microsoft, corresponding block entries are also created in the Tenant Allow/Block List.
Tip
Users in the organization also can't send email to domains or email addresses that are specified in block entries in the Tenant Allow/Block List.
Messages blocked by spoof intelligence are shown on the Spoof intelligence page. If you change an allow entry to a block entry, the sender becomes a manual block entry on the Spoofed senders tab in the Tenant Allow/Block List. You can also proactively create block entries for not yet encountered spoofed senders on the Spoofed senders tab.
Allow:
You can create allow entries for domains and email addresses and URLs on the corresponding tabs in the Tenant Allow/Block List to override the following verdicts:
- Bulk
- Spam
- High confidence spam
- Phishing (not high confidence phishing)

You can't create allow entries directly in the Tenant Allow/Block List for the following items:
- Malware or high confidence phishing verdicts for domains and email addresses or URLs.
- Any verdicts for files.

Instead, you use the Submissions page to report the items to Microsoft. After you select I've confirmed it's clean, you can then select Allow this message, Allow this URL, or Allow this file to create a corresponding temporary allow entry in the Tenant Allow/Block List.
Messages allowed by spoof intelligence are shown on the Spoof intelligence page. If you change a block entry to an allow entry, the sender becomes a manual allow entry on the Spoofed senders tab in the Tenant Allow/Block List. You can also proactively create allow entries for not yet encountered spoofed senders on the Spoofed senders tab.
Step 7: Launch phishing simulations using Attack simulation training
In Defender for Office 365 Plan 2, Attack simulation training allows you to send simulated phishing messages to users and assign training based on how they respond. The following options are available:
- Individual simulations using built-in or custom payloads.
- Simulation automations taken from real-world phishing attacks using multiple payloads and automated scheduling.
- Training-only campaigns where you don't need to launch a campaign and wait for users to click links or download attachments in the simulated phishing messages before trainings are assigned.
Step 8: Investigate and respond
Now that your initial setup is complete, use the information in the Microsoft Defender for Office 365 Security Operations Guide to monitor and investigate threats in the organization.