Utilizing features in Defender for Office 365

February 6, 2023 By Blake Roberts

In today’s world, email-based attacks are becoming increasingly sophisticated and widespread, posing a serious threat to organizations of all sizes. From phishing scams to business email compromise (BEC), the cost of these e-mail attack vectors can be staggering, both in financial losses and in damage to a company’s reputation. The reality is that no organization is immune to these threats. Defender for Office 365 and Exchange Online Protection (EOP) provide tools that let us take proactive steps to secure email communications, reduce the risk of financial losses, protect sensitive information, and safeguard the organization’s reputation.

The basis of Microsoft’s mail security is AI, machine learning, and the analysis of billions of signals across their platform. These make up the foundation that Microsoft 365’s threat policies sit on top of. Within these policies we have access to Impersonation protection, which is configured in the anti-phishing policy. Impersonation protection lets us combat a common attack vector in which attackers register lookalike domains that closely resemble another organization’s, often off by a single character (CONTOSO.COM vs. C0NTOSO.COM) or using .net instead of .com. Because the attacker legitimately owns the lookalike domain, mail from it can pass authentication checks like SPF, so this is a tried-and-true method of getting past filters, and for most users the difference is hard to spot. With Impersonation protection we can specify domains (internal or external) and specific users, such as executives and other critical roles, to protect. False positives are possible with this configuration if certain users or organizations genuinely have similar names, but we can whitelist those specific cases as trusted senders and domains and still maintain a higher overall level of security.
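As an added example (not code from the original post or from Microsoft), the following Exchange Online PowerShell script builds a custom anti-phishing policy with the user and domain impersonation protection described above, scopes it to the tenant, and records the trusted-sender exceptions used for the false-positive cases. The policy name, the contoso.com / fabrikam.com domains, the executive names and addresses, and the excluded sender and domain values are placeholders to replace with your own; it assumes the ExchangeOnlineManagement module is installed and the account holds the Security Administrator role.

```powershell
# Added example: configure impersonation protection in a custom anti-phishing
# policy via Exchange Online PowerShell. All domains and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$policyName = 'Impersonation-Protection'

# Users to protect. The required format is "DisplayName;EmailAddress".
# Executives and finance roles are the usual BEC targets.
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.com',
    'John Smith;john.smith@contoso.com'
)

# External partner domains whose lookalikes should be caught. Your own accepted
# domains are covered separately by EnableOrganizationDomainsProtection.
$protectedDomains = @('fabrikam.com')

New-AntiPhishPolicy -Name $policyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $protectedDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# Apply the policy to every recipient in the tenant domain. A rule can also be
# narrowed with -SentTo or -SentToMemberOf for a pilot group first.
New-AntiPhishRule -Name "$policyName-Rule" `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# False-positive handling: a partner whose sender address or domain legitimately
# resembles a protected user or domain goes on the trusted list rather than
# loosening the policy itself. Placeholder values.
Set-AntiPhishPolicy -Identity $policyName `
    -ExcludedSenders 'jane.doe@fabrikam-partner.example' `
    -ExcludedDomains 'contoso-events.example'

# Verify what landed.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
        EnableTargetedDomainsProtection, TargetedDomainsToProtect,
        ExcludedSenders, ExcludedDomains
```

Quarantine is chosen for the user and domain impersonation actions so that a blocked lookalike message is reviewable rather than silently deleted; mailbox intelligence, which learns each user’s normal correspondents, is left at the softer "move to Junk" action because it produces more false positives than the explicit lists.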

The next tool we have access to within EOP is Zero-hour Auto Purge (ZAP). ZAP protects our users from malicious content within a message. While scanning at delivery is standard for mail protection services, ZAP has the additional capability of remediating retroactively. One way attackers bypass mail security is to include links that are benign when the message is sent and then weaponize them after delivery. ZAP continuously rescans delivered messages for signatures of potentially malicious content and can automatically remove an already-delivered message from a user’s inbox, with no manual remediation, companywide emails, or scrambling security teams required.
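Because ZAP is a per-policy setting, the check a practitioner usually wants is whether it is actually on in every anti-spam and anti-malware policy in the tenant, not just the default one. The following script is an added example (not from the original post or from Microsoft) that audits those switches and re-enables any that have been turned off; it assumes an existing Exchange Online PowerShell session opened with Connect-ExchangeOnline and Security Administrator rights.

```powershell
# Added example: audit and enforce Zero-hour Auto Purge across all EOP policies.
# Assumes Connect-ExchangeOnline has already been run in this session.

$findings = @()

# Anti-spam (hosted content filter) policies carry three ZAP switches:
# a master switch plus separate spam and phishing switches.
foreach ($policy in Get-HostedContentFilterPolicy) {
    $allOn = $policy.ZapEnabled -and $policy.SpamZapEnabled -and $policy.PhishZapEnabled
    $findings += [pscustomobject]@{
        Type   = 'Anti-spam'
        Policy = $policy.Name
        Zap    = $policy.ZapEnabled
        Spam   = $policy.SpamZapEnabled
        Phish  = $policy.PhishZapEnabled
        Status = if ($allOn) { 'OK' } else { 'Fixed' }
    }
    if (-not $allOn) {
        Set-HostedContentFilterPolicy -Identity $policy.Identity `
            -ZapEnabled $true -SpamZapEnabled $true -PhishZapEnabled $true
    }
}

# Anti-malware policies have a single ZAP switch for malware found after delivery.
foreach ($policy in Get-MalwareFilterPolicy) {
    $findings += [pscustomobject]@{
        Type   = 'Anti-malware'
        Policy = $policy.Name
        Zap    = $policy.ZapEnabled
        Spam   = $null
        Phish  = $null
        Status = if ($policy.ZapEnabled) { 'OK' } else { 'Fixed' }
    }
    if (-not $policy.ZapEnabled) {
        Set-MalwareFilterPolicy -Identity $policy.Identity -ZapEnabled $true
    }
}

# Summary table; anything marked 'Fixed' was off before this run and is worth
# a follow-up question about who changed it and why.
$findings | Format-Table -AutoSize
```

Run it read-only first by commenting out the two Set- calls if change control requires a review before enforcement; the summary alone is enough evidence for a configuration audit.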

As security professionals, we have an ever-growing set of strategies to help protect our users, but ultimately there is no substitute for a well-trained user who can identify potentially harmful messages on their own. This is why the last tool we look at is Attack simulation training. This service lives in the security dashboard and is perfect for helping our users identify and report messages that happen to make it through the defenses. The beauty of this service is the low level of effort required to start using it. By default, Microsoft includes a plethora of prebuilt messages designed around real-world situations and techniques, such as a fake Capital One report, or “You have 2 new quarantined messages, please click this pretty big button to view them”. At the time of writing there are over 100 pre-built attacks using the credential harvesting technique alone.

Once we’ve concocted a tricky attack, we can specify the sets of users and the timeframe for the test to run. We can also plan phishing simulations in advance, allowing our security teams to automate campaigns throughout the year, which is particularly helpful for those of us who need to run quarterly campaigns or meet cyber insurance requirements. Once a campaign is launched we receive detailed reporting on how users handled the attack: we can track who reported the message, who deleted it, anyone who clicked the link, and anyone who unfortunately provided credentials. This is all great data for understanding where your organization stands from an e-mail risk perspective, but that’s not all. The service also offers a completely automated training program. Users can be assigned the built-in Microsoft training or custom training materials created by your org, and the training material varies based on whether they clicked the link, provided credentials, or are a repeat offender.

In conclusion, users are a company’s most valuable asset and ultimately its weakest link. Because of this, email-based attacks are more prevalent and pose a significant threat to organizations. Microsoft provides several key features in Defender for Office 365 and Exchange Online Protection (EOP) to secure email communications. Unfortunately, many organizations are unaware of the extent of the security features available to them through Microsoft tools. This is why security professionals need to stay “in the know” and educated about the security features and tools available in the market today.