Microsoft Office 365 – Advanced Threat Protection

Written by Greg Sikorski on 26 October 2018
Protect your organisation from modern cyber attacks with Advanced Threat Protection (ATP) from Microsoft Office 365

As a child my Mum would always praise the virtues of wearing layers. “You’ll catch your death of cold” she’d say, so we’d wear vests, shirts, long johns and coats in the winter.

Without sounding too cheesy, the same can be said for IT security: the more layers you have, the warmer (safer) you’ll be from the cold (data breaches and intrusions).

In the broadest sense you can think of your layers like armour. A single sheet just a few millimetres thick is easily pierced; combine five or six sheets and you have a much greater chance of stopping a bullet.

These layers start from the furthest reaches of your network where an attack can start and extend right down to your own desktop or laptop.

From the outside in, these layers typically consist of:

  • Email Anti-Virus / Anti-Malware
  • Network / Perimeter / Intrusion Detection / Firewall
  • User training
  • Server Anti-Virus / Anti-ransomware
  • Desktop Anti-Virus / Anti-ransomware
  • Backups

Naturally the first line of defence is one of the most important: if you can stop a threat at the door, your other defences never have to be engaged.

92.4% of all malicious software is delivered via email

(Verizon, 2018 Data Breach Investigations Report)

Over the past year we’ve seen an increasing number of reports of “hacked” email accounts from our customers, some of which have led to serious issues such as data loss and fraud.

However, the term “hacked” is misleading in itself. In most cases nothing is broken into; the user hands over their username and password, or has already had them leaked elsewhere, as in one of the following scenarios:

Scenario 1 – Credential harvesting (phishing)

  • A user receives an email (apparently from someone they know) containing a call to action.
  • The user follows the link, or opens the attachment, which typically contains another link.
  • The user is presented with a fake sign-in page; when they enter their username and password, the attacker captures them.
  • Those details are then used, immediately and usually automatically, to sign in to the user’s mailbox and either:
    • Add a hidden forwarding rule to exfiltrate their email to an address the attacker controls
    • Send more malicious emails to everyone in that user’s address book. Those recipients trust the sender, they in turn get ensnared, and the cycle continues.

Scenario 2 – Credential stuffing (leaked credentials)

  • An attacker obtains a user’s credentials from a third-party data breach. There are some 5 billion leaked accounts in total circulating on the Internet, and attackers regularly replay these username and password pairs against email services (often described as “brute forcing”, although no guessing is involved: the attacker simply tries credentials that are already known to be valid somewhere). This can happen to anyone at any time, and is especially likely if they reuse passwords across different sites.
  • Those details are then used to automatically sign in to the user’s mailbox and either:
    • Add a hidden forwarding rule to exfiltrate their email to an address the attacker controls
    • Send more malicious emails to everyone in that user’s address book.
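The hidden forwarding rule that both scenarios end with is also the easiest artefact to hunt for after the fact. The script below is an added example, not part of the original post: it runs in an Exchange Online PowerShell session (an account with at least the View-Only Recipients role) and lists mailbox-level forwarding and inbox rules that forward, redirect or hide mail, treating any domain not returned by Get-AcceptedDomain as external. The cmdlets are standard Exchange Online ones; the output layout and the folder names treated as suspicious are my own choices.

```powershell
# Added example (not from the original post). Run in Exchange Online PowerShell.
# Hunts for the hidden forwarding rule left behind by a mailbox takeover, plus
# mailbox-level forwarding and rules that hide the victim's mail. Uses only the
# standard Exchange Online cmdlets below; output shape and folder heuristics are mine.

# Anything outside our accepted domains counts as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Get-SmtpAddress {
    # Inbox-rule recipients render as '"Name" [SMTP:user@domain]'; mailbox
    # forwarding is stored as 'smtp:user@domain'. Normalise both to user@domain.
    param([string]$Value)
    if ($Value -match 'SMTP:([^\]\s]+)') { return $Matches[1].ToLower() }
    return $Value.Trim().ToLower()
}

function Test-External {
    param([string]$Address)
    $domain = ($Address -split '@')[-1]
    return -not ($internalDomains -contains $domain)
}

function New-Finding {
    param($Mailbox, $Type, $Rule, $Target)
    [pscustomobject]@{ Mailbox = $Mailbox; Type = $Type; Rule = $Rule; Target = $Target }
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $upn = "$($mbx.PrimarySmtpAddress)"

    # 1. Forwarding set on the mailbox itself (Set-Mailbox). This survives rule
    #    clean-up and is invisible to the user in Outlook.
    if ($mbx.ForwardingSmtpAddress) {
        $target = Get-SmtpAddress "$($mbx.ForwardingSmtpAddress)"
        if (Test-External $target) { $findings += New-Finding $upn 'MailboxForwarding' '(n/a)' $target }
    }
    # ForwardingAddress points at an internal recipient, which can itself be a mail
    # contact for an external address, so always list it for review.
    if ($mbx.ForwardingAddress) {
        $findings += New-Finding $upn 'MailboxForwardingToRecipient' '(n/a)' "$($mbx.ForwardingAddress)"
    }

    # 2. Inbox rules that forward or redirect externally, or that hide mail
    #    (attackers delete or bury replies so the fraud goes unnoticed).
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { Get-SmtpAddress "$_" }
        foreach ($t in @($recipients | Where-Object { Test-External $_ })) {
            $findings += New-Finding $upn 'InboxRuleForward' $rule.Name $t
        }
        $hides = $rule.DeleteMessage -or
                 ("$($rule.MoveToFolder)" -match '\\(RSS Feeds|Archive|Junk|Deleted|Conversation History)')
        if ($hides) { $findings += New-Finding $upn 'InboxRuleHidesMail' $rule.Name "$($rule.MoveToFolder)" }
    }
}

$findings | Sort-Object Type, Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-findings.csv -NoTypeInformation
```

When a finding is confirmed, remove the rule (Remove-InboxRule) or clear the forwarding (Set-Mailbox -ForwardingSmtpAddress $null), then reset the password and revoke the user’s existing sessions, because the attacker still holds a valid token. Search-UnifiedAuditLog with -Operations New-InboxRule,Set-InboxRule,Set-Mailbox,UpdateInboxRules shows when each rule appeared and from which IP address, which is usually the quickest way to date the compromise. It is also worth blocking automatic forwarding to external domains at the tenant level (a transport rule, or the outbound spam policy setting in newer tenants) so the technique stops working at all.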

Scenario 3 – Fraud (business email compromise)

  • Having gained access to the user’s mailbox by one of the above methods, the attacker quietly monitors their email, learns who pays whom and when, and plans how to defraud the company.
  • Typically the attacker uses the stolen account to send out fake invoices, or alters the bank account and sort code details on genuine invoices, so that funds are redirected to accounts they control (usually abroad). It is a relatively simple technique, but one that succeeds time and time again.

Fake invoices are the #1 disguise for delivering malware

(Symantec, Internet Security Threat Report (ISTR) 2018)

This is where Microsoft Advanced Threat Protection for Office 365 comes in – the first line of defence for modern Email based attacks.

Most email anti-virus technologies rely on matching file attachments against signatures (“patterns”) of known malware. However, the security landscape is constantly evolving, and today a significant number of successful attacks work exactly like the scenarios above, without ever delivering an infected file.

77% of attacks that successfully compromised organisations in 2017 utilised fileless techniques.

(Ponemon Institute)

So, what exactly does Advanced Threat Protection provide above and beyond normal Email filtering?

Safe Attachments

Rather than relying on signatures, Safe Attachments detonates incoming attachments in an isolated virtual environment (a sandbox) and watches how they behave. If a file is determined to be malicious it is removed and the remainder of the email is delivered. This approach is useful for detecting newly evolving attacks and techniques that traditional anti-virus would not catch. One practical caveat: detonation takes time, so messages with attachments are delayed by a few minutes unless you choose the Dynamic Delivery option, which delivers the message body straight away and attaches the file once it has been cleared.

Safe Links

One of the benefits of using a cloud email service such as Office 365 is shared security intelligence. Microsoft processes hundreds of millions of emails every day, and the intelligence gathered from attacks on other customers is made available to you.

Safe Links protects your users from clicking malicious or phishing links in emails. Links are rewritten on delivery so that each click is checked against Microsoft’s threat intelligence at the moment it happens; if the destination has been classified as malicious, the user is shown a warning page instead of the site.


Besides stopping the user from reaching a malicious site and handing over their credentials, administrators can report on how many users clicked malicious links in the first place and use that to drive more relevant user training. Bear in mind that Safe Links can only block destinations Microsoft has already classified; a phishing site that is only minutes old may not be known at the time of the click, so it is a filter rather than a guarantee.

Safe Attachments for OneDrive, SharePoint and Teams

In addition to email, Advanced Threat Protection can also scan files uploaded to OneDrive, SharePoint and Teams. This runs in the background and uses threat signals and heuristics to decide which files need scanning, so it is not a detonation of every uploaded file. Files identified as malicious are blocked so that they can no longer be opened or shared, except by an administrator; note that users may still be able to download a blocked file unless the SharePoint Online tenant setting that disallows infected file downloads is also switched on.

Spoof Intelligence

Since SMTP was first specified in 1982 it has been trivially easy to fake, or “spoof”, the sender of an email so that it appears to come from someone else.

Spoof Intelligence provides a comprehensive set of reports on senders who are spoofing your domains in mail arriving at your organisation, and lets you authorise the parties who legitimately send as you (marketing platforms, ticketing systems and the like) while blocking the rest.

One of the most common ways attackers gain trust is to spoof an email so that it appears to come from someone you know, so it is important to have controls that identify these messages and, where appropriate, block them.

As well as using Advanced Threat Protection to detect spoofing, make sure your email domain is configured with the standard email authentication technologies: SPF (which servers may send as your domain), DKIM (a signature on your outbound mail) and DMARC (what receivers should do when SPF and DKIM fail, and where to send reports about it).
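To make the SPF and DMARC part of that advice concrete, here is an added example (not from the original post) of a PowerShell check that parses a domain’s SPF and DMARC records and reports the settings that let spoofed mail through. The record strings are constructed samples, one weak and one sound; against a live domain you would feed it the Strings property returned by Resolve-DnsName -Type TXT for the domain and for _dmarc.<domain>.

```powershell
# Added example (not from the original post). Parses SPF and DMARC TXT records and
# reports settings that leave a domain spoofable. The records below are constructed
# samples; for a live domain use
#   (Resolve-DnsName -Name $domain -Type TXT).Strings -join ''
#   (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT).Strings -join ''

function Test-SpfRecord {
    param([string]$Record)
    $issues = @()
    if ($Record -notmatch '^v=spf1(\s|$)') { return ,@('no SPF record (v=spf1) published') }
    $terms = @($Record -split '\s+' | Select-Object -Skip 1)

    # The last "all" term decides what happens to senders that are not listed.
    $all = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    if (-not $all)                  { $issues += 'no "all" term: unlisted senders are not failed' }
    elseif ($all -match '^\+?all$') { $issues += '"+all": anyone may send as this domain' }
    elseif ($all -eq '?all')        { $issues += '"?all" (neutral): spoofed mail is not flagged' }
    # "~all" (softfail) is acceptable while DMARC is enforced; "-all" is preferred.

    # include, a, mx, ptr, exists and redirect each cost a DNS lookup; RFC 7208 caps
    # the total at 10, after which receivers return permerror and ignore SPF entirely.
    $lookups = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include:|a([:/]|$)|mx([:/]|$)|ptr|exists:)|^redirect=' }).Count
    if ($lookups -gt 10) { $issues += "$lookups DNS lookups (limit is 10): SPF will permerror" }
    if ($terms | Where-Object { $_ -match '^[+\-~?]?ptr' }) {
        $issues += '"ptr" mechanism is deprecated; replace it with ip4/ip6 or include'
    }
    return ,$issues
}

function Test-DmarcRecord {
    param([string]$Record)
    if ($Record -notmatch '^v=DMARC1') { return ,@('no DMARC record: spoofed mail is neither rejected nor reported') }
    # DMARC is a semicolon-separated list of tag=value pairs.
    $tags = @{}
    foreach ($kv in ($Record -split ';')) {
        if ($kv.Trim() -match '^(\w+)\s*=\s*(.+)$') { $tags[$Matches[1]] = $Matches[2].Trim() }
    }
    $issues = @()
    $p = $tags['p']
    if ($p -eq 'quarantine')  { $issues += 'p=quarantine: move to p=reject once the aggregate reports are clean' }
    elseif ($p -eq 'none')    { $issues += 'p=none: monitor-only, spoofed mail is still delivered' }
    elseif ($p -ne 'reject')  { $issues += 'missing or invalid "p" tag' }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $issues += "pct=$($tags['pct']): the policy applies to only part of the mail stream"
    }
    if (-not $tags.ContainsKey('rua')) { $issues += 'no rua= address: you will never see who is spoofing you' }
    if ($tags['sp'] -eq 'none')        { $issues += 'sp=none: subdomains can still be spoofed' }
    return ,$issues
}

# Constructed samples: a weak configuration beside a sound one.
$samples = @(
    @{ Domain = 'weak.example';  Spf = 'v=spf1 include:spf.protection.outlook.com ?all'; Dmarc = 'v=DMARC1; p=none' },
    @{ Domain = 'sound.example'; Spf = 'v=spf1 include:spf.protection.outlook.com -all'
       Dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@sound.example; pct=100' }
)

foreach ($s in $samples) {
    $issues = @(Test-SpfRecord $s.Spf) + @(Test-DmarcRecord $s.Dmarc)
    "== $($s.Domain)"
    if ($issues.Count -eq 0) { '  no obvious weaknesses' } else { $issues | ForEach-Object { "  - $_" } }
}
```

For the DKIM part, Office 365 signs for you once the domain is set up: create the signing configuration with New-DkimSigningConfig -DomainName contoso.com -Enabled $false, publish the two selector CNAME records it reports (Selector1CNAME and Selector2CNAME, at selector1._domainkey and selector2._domainkey under your domain), then switch it on with Set-DkimSigningConfig -Identity contoso.com -Enabled $true. Run DMARC at p=none with a rua= address first, fix every legitimate sender that shows up failing in the reports, and only then move to quarantine and reject.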

Anti-phishing

Spear phishing attacks are phishing attacks personalised to an individual. They rely on accurately impersonating someone the target trusts and on sophisticated social engineering to trick the target into handing over credentials or data.

Advanced Threat Protection anti-phishing adds another layer of protection by using machine learning models to identify, and block, emails that are determined to be phishing.

Drawing on each user’s email habits and personal contacts, Advanced Threat Protection learns how every individual communicates with people inside and outside the organisation and builds a map of those relationships (Microsoft calls this mailbox intelligence). That map lets it recognise a message that claims to come from a known contact but does not match how that contact normally sends mail, and flag it as impersonation.

You can also configure a list of “key” users who get special attention from the impersonation checks. Typically these should be your finance, accounts payable, HR and executive roles, which are the primary targets of invoice and payment fraud; the list is limited in size, so choose the accounts an attacker would most want to impersonate rather than everyone.

So, how do you deploy Advanced Threat Protection? If you’re already on Office 365 then it’s simple: purchase and assign an add-on licence for each user, then configure the policies for each of the features above (Safe Attachments, Safe Links, anti-phishing and the SharePoint, OneDrive and Teams setting). As with any cloud solution there is a fair amount of configuration, and nothing is protected until each policy has been created and scoped to your users. To ensure the settings and thresholds meet your business requirements we recommend taking advantage of our Advanced Threat Protection configuration and deployment service.
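As an added example (not the post’s own material, and not a substitute for the deployment service it describes), the following PowerShell creates the policies for each feature covered above and scopes them to every recipient in one domain. It assumes an Exchange Online PowerShell session with the Security Administrator role, the MSOnline module for the licence step and the SharePoint Online module for Set-SPOTenant; contoso.com, the protected users and the secops mailbox are placeholders, and the parameter names are those current at the time of writing (check Get-Help on each cmdlet in your own tenant).

```powershell
# Added example (not from the original post): create and scope the ATP policies for
# the features above. Assumes Exchange Online PowerShell (Security Administrator),
# the MSOnline module for the licence step and the SharePoint Online module for
# Set-SPOTenant. contoso.com, the mailboxes and secops@ are placeholders.

$domain      = 'contoso.com'
$secOpsAlias = "secops@$domain"

# 0. Licence: ATP is an add-on unless the tenant is E5. ATP_ENTERPRISE is the
#    standalone plan's SKU part number; confirm it against Get-MsolAccountSku.
#    Users need a UsageLocation set before a licence can be assigned.
$atpSku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ATP_ENTERPRISE' }).AccountSkuId
foreach ($user in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $atpSku
}

# 1. Safe Attachments: detonate, block the message if malicious, and copy blocked
#    mail to the security mailbox for triage. Use -Action DynamicDelivery instead
#    of Block if the delivery delay is a problem for the business.
New-SafeAttachmentPolicy -Name 'ATP Safe Attachments' -Enable $true -Action Block `
    -ActionOnError $true -Redirect $true -RedirectAddress $secOpsAlias
New-SafeAttachmentRule -Name 'ATP Safe Attachments - all users' `
    -SafeAttachmentPolicy 'ATP Safe Attachments' -RecipientDomainIs $domain

# 2. Safe Links: rewrite URLs and check them at click time, keep click data for the
#    reports, no click-through past the warning page, and cover internal senders too
#    (a colleague's compromised account is exactly the case in Scenario 1).
New-SafeLinksPolicy -Name 'ATP Safe Links' -IsEnabled $true -ScanUrls $true `
    -DeliverMessageAfterScan $true -DoNotAllowClickThrough $true `
    -DoNotTrackUserClicks $false -EnableForInternalSenders $true
New-SafeLinksRule -Name 'ATP Safe Links - all users' `
    -SafeLinksPolicy 'ATP Safe Links' -RecipientDomainIs $domain

# 3. Safe Attachments for SharePoint/OneDrive/Teams and Safe Links in Office clients
#    are tenant-wide switches, not per-user policies.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeLinksForClients $true
# Without this, a user can still download a file that ATP has flagged in SharePoint.
Set-SPOTenant -DisallowInfectedFileDownload $true

# 4. Anti-phishing: impersonation protection for the payment-approving roles and for
#    our own domains, plus mailbox intelligence (the relationship map) for everyone.
#    Protected users are given as "Display Name;address".
$protectedUsers = @(
    "Finance Director;fd@$domain",
    "Accounts Payable;ap@$domain",
    "HR Manager;hr@$domain"
)
New-AntiPhishPolicy -Name 'ATP Anti-Phish' -Enabled $true `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableAntispoofEnforcement $true -AuthenticationFailAction Quarantine
New-AntiPhishRule -Name 'ATP Anti-Phish - all users' `
    -AntiPhishPolicy 'ATP Anti-Phish' -RecipientDomainIs $domain

# 5. Confirm what is now in force.
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action, Redirect
Get-SafeLinksPolicy      | Format-List Name, IsEnabled, ScanUrls, DoNotAllowClickThrough
Get-AntiPhishPolicy      | Format-List Name, Enabled, EnableTargetedUserProtection, TargetedUsersToProtect
```

In practice you would not roll this out to the whole domain in one go: scope each rule to a pilot group first with -SentToMemberOf instead of -RecipientDomainIs, watch the quarantine and the Safe Links click report for a week or two, then widen the scope. Quarantine is the right action for the impersonation and authentication-failure checks on finance mailboxes, but it means someone has to review the quarantine daily, so make sure that job belongs to a real person before enabling it.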

If you have Office 365 Enterprise E5 then you already have the licence, although the policies still need to be created and scoped. Get in touch with us and we’ll be happy to assist in configuring them to meet your requirements.

About the author
Greg Sikorski
Greg, Polymorph's Technical Director, has over 20 years’ experience delivering software and infrastructure projects for the likes of Manchester Airport, Center Parcs, Manchester City Council and the Ministry of Defence.