Microsoft Defender: Getting the Most Out of Office 365 Policies

In this article, I’ll examine the various components of Defender for Office 365. We’ll also look at configuration beyond the default settings to improve the relevance and impact of policies on your tenant. I’ll highlight key areas to consider when making configuration changes and the reasons to consider each option.

*See documentation for feature availability under your current subscription.

Where do I start?

There are so many configurable options in Defender for Office 365 that it can be difficult to know where to start. To help you understand, I’ll break them down into the following broad sections:

  • Anti-Phishing
  • Anti-Spam
  • Anti-Malware
  • Secure links and attachments

Throughout, I’ll assume you have already applied Microsoft’s Standard protection recommendations through Configuration Analyzer.

Anti-Phishing

By default, the anti-phishing policy contains no tenant-specific information (protected users and domains), so it cannot recognise the people and partners an attacker is most likely to impersonate. Let’s look at some useful settings to improve this situation.

Anti-Phishing Policy: Users and domains to protect (impersonation protection)

Whaling is a practice in which the attacker conducts a highly targeted phishing attack. The attacker impersonates a high-level individual, such as the CEO or CFO of an organization. This makes the phishing attempt appear urgent, which encourages the recipient to accept it at face value. For example, an email appearing to come from the CFO and requesting an urgent payment may prompt recipients to act before examining its validity.

Using the “Users and domains to protect” setting, you specify which users and domains impersonation protection should watch for. If you protect the user Bruce.Wayne@contoso.com, an email from Bruce.Wayne@fabrikam.com (same display name or local part, different domain) is much more likely to be flagged as user impersonation.

It is important to note that this list does not control who the policy applies to; recipients are set in the policy’s regular assignment section (“Users, groups and domains”).

Similarly, if you protect the domain “contoso.com,” emails from a look-alike domain such as “contosoo.com” are more likely to be flagged as domain impersonation. This method can obviously cause problems if it is extended to every contact, internal and external, because the false positive rate grows with the list. However, it is a very effective way to protect important identities such as the CEO of a partner organization. The Standard recommendations in Configuration Analyzer already protect your accepted domains (“Include domains I own”); it is worth adding any critical partner or vendor domains on top of that.

Once impersonation protection is active for these users and domains, you can define the action to be taken in the actions section, as shown in Figure 2:

Anti-Phishing Policy: Enable mailbox intelligence for impersonation protection

Mailbox intelligence in Defender for Office 365 uses machine learning to learn each user’s normal email contacts, building a “sender map” for that user. Defender then uses this map to inform decisions about potential impersonation attempts. Mailbox intelligence itself is on by default; however, the option to act on it (“Enable intelligence for impersonation protection”) is not.

This setting extends mailbox intelligence to the impersonation protection described above, which improves the reliability of the verdicts. For example, Bruce.Wayne@contoso.com is a protected user, and a user in our organization frequently communicates with Bruce.Wayne@fabrikam.com. Mailbox intelligence records that relationship and raises the confidence that mail from Bruce.Wayne@fabrikam.com is legitimate, reducing the chance of that sender being flagged as a false positive.

Note: For Mailbox Intelligence to work, recipient mailboxes must be in Exchange Online.

Anti-Phishing Policy: First Contact Safety Tip

The first contact safety tip is a relatively new addition to Defender for Office 365. It doesn’t appear to be present in Configuration Analyzer at this time. When enabled, this setting shows the user a tip when they receive an email from an address they have not received mail from before, as shown below. This is particularly useful for keeping users vigilant:

I expect this setting to eventually become the default. But it’s worth manually enabling it in the meantime to help users detect potential phishing attempts. This setting is available in the “Actions” section of the anti-phishing policy.

Anti-Phishing Policy: Phishing Threshold

Suspected phishing attempts are assigned a confidence level by Defender. This confidence level can be “low,” “medium,” “high,” or “very high.” Messages are then treated differently depending on the assigned confidence level.

With the Standard recommendations applied, the phishing threshold is 2 (Aggressive). At this level, messages identified as phishing with “high” confidence are treated as though they were “very high” confidence, while “low” and “medium” confidence messages are handled according to their own verdict.

The value defined here depends heavily on the organization, industry, and associated risk. This is something to monitor and adjust as needed.

If phishing attempts keep getting through, raising this threshold is one way to strengthen protection. Conversely, if you are receiving too many false positives, it may be worth considering a lower threshold. Whatever you choose, take into account the actions assigned to Phishing and High confidence phishing in the anti-spam policy, because those are the actions the threshold feeds into.
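The anti-phishing settings covered above (protected users and domains, mailbox intelligence, the first contact safety tip and the phishing threshold) can all be applied with Exchange Online PowerShell. The following is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, that you hold a role allowed to edit threat policies, and that the policy name, the protected user, the domains and the recipient group are placeholders to replace with your own.

```powershell
# Added example: apply the anti-phishing settings discussed above with
# Exchange Online PowerShell. All names (policy, Bruce Wayne, contoso.com,
# fabrikam.com, All-Staff group) are placeholders for your tenant.
Connect-ExchangeOnline -ShowBanner:$false

$policyName = 'VIP Impersonation Protection'

# Create the custom policy on first run; later runs just update it.
if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy -Name $policyName | Out-Null
}

$settings = @{
    Identity = $policyName

    # Users and domains to protect: VIPs are "DisplayName;SMTP address" pairs;
    # our own accepted domains plus key partner domains are protected as domains.
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Bruce Wayne;Bruce.Wayne@contoso.com')
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('fabrikam.com')
    TargetedDomainProtectionAction      = 'Quarantine'

    # Mailbox intelligence: build the sender map AND act on it.
    # Moving to Junk is a gentler first step than quarantine while the map is young.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'

    # Safety tips: first contact plus the impersonation tips.
    EnableFirstContactSafetyTips      = $true
    EnableSimilarUsersSafetyTips      = $true
    EnableSimilarDomainsSafetyTips    = $true
    EnableUnusualCharactersSafetyTips = $true

    # Phishing threshold: 1 Standard, 2 Aggressive, 3 More aggressive, 4 Most aggressive.
    PhishThresholdLevel = 2
}
Set-AntiPhishPolicy @settings

# Who the policy applies to is set on the rule, not on the policy.
$ruleName = "$policyName Rule"
$scope = @{ SentToMemberOf = 'All-Staff@contoso.com'; Priority = 0 }
if (Get-AntiPhishRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-AntiPhishRule -Identity $ruleName @scope
} else {
    New-AntiPhishRule -Name $ruleName -AntiPhishPolicy $policyName @scope
}

# Read back what was applied, so a mistyped value is caught now rather than later.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, PhishThresholdLevel, TargetedUsersToProtect, TargetedDomainsToProtect,
                  EnableOrganizationDomainsProtection, EnableMailboxIntelligenceProtection,
                  MailboxIntelligenceProtectionAction, EnableFirstContactSafetyTips |
    Format-List
```

Splatting keeps the comments next to the settings they explain, which a long backtick-continued command does not allow. The rule is created with priority 0 so it wins over the default policy for the group it targets; everyone else continues to get the default policy.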

Microsoft Defender: Anti-Spam

In the anti-spam policy, the “Spam properties” section contains the Advanced Spam Filter (ASF) settings. You will notice that Configuration Analyzer does not configure them. This is because the ASF settings in anti-spam policies are being deprecated, and the current recommendation is not to use them in new configurations.

Microsoft Defender: Anti-Malware

Anti-malware policies address malicious content in files and emails. There aren’t many configurable options in the anti-malware settings. However, there are a few settings you’ll want to review that aren’t covered by default.

Anti-Malware Policy: Common Attachment Filter

The common attachment filter blocks a default list of file types, identified by extension, that covers the most commonly abused formats, and you can extend it with any of the other types Microsoft offers. So, with a few exceptions, most of the extensions listed in the common attachment filter can be blocked.

This covers a wide range of unwanted file types. I recommend reviewing the list provided by Microsoft, adding the types your organization never expects to receive by email, and handling the trusted senders who genuinely need to send a blocked type with a narrow allow list rather than removing the type for everyone.


Anti-Malware Policy: Configure Notifications

Multiple notifications can be configured for the anti-malware policy to inform different parties. I don’t recommend notifying an external sender when something is blocked, as you could potentially expose information about your configuration unnecessarily.

Notifying internal senders when items are quarantined is a good practice. But the most important configuration is to notify admins when emails contain malware. Configuring the options:

  • “Notify an administrator of undelivered messages from internal senders” and
  • “Notify an administrator of undelivered messages from external senders”

to forward reports to a monitored security mailbox will allow administrators to track malware blocking with a notification similar to the one shown below:
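The common attachment filter and the administrator notifications described above map onto a handful of parameters of Set-MalwareFilterPolicy. The block below is an added example rather than code from the original article; it assumes the ExchangeOnlineManagement module, targets the tenant’s built-in policy named “Default”, and uses secops@contoso.com and the extra extensions as placeholders. The one thing it is careful about is that -FileTypes replaces the whole list, so it reads the current list first and appends to it.

```powershell
# Added example: extend the common attachment filter and route admin
# notifications to a monitored mailbox. 'Default' is the tenant's built-in
# anti-malware policy; secops@contoso.com and the extra extensions are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

$policyName = 'Default'
$policy     = Get-MalwareFilterPolicy -Identity $policyName

# -FileTypes REPLACES the list, so start from what is already there and append.
# Disk images, script hosts and shortcuts rarely have a business reason to arrive by mail.
$extraTypes = @('iso', 'img', 'vhd', 'vhdx', 'wsf', 'jse', 'vbe', 'lnk')
$fileTypes  = @(@($policy.FileTypes) + $extraTypes |
                ForEach-Object { $_.ToString().ToLower() } |
                Select-Object -Unique)

$settings = @{
    Identity         = $policyName
    EnableFileFilter = $true
    FileTypes        = $fileTypes
    FileTypeAction   = 'Quarantine'   # 'Reject' would bounce the message to the sender instead
    ZapEnabled       = $true          # zero-hour auto purge for mail that was already delivered

    # Admin notifications for undelivered (blocked) mail, whoever sent it.
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = 'secops@contoso.com'
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = 'secops@contoso.com'
}
Set-MalwareFilterPolicy @settings

# Show what the policy now blocks and where the notifications go.
Get-MalwareFilterPolicy -Identity $policyName |
    Select-Object Name, EnableFileFilter, FileTypeAction,
                  @{ n = 'FileTypeCount'; e = { @($_.FileTypes).Count } },
                  @{ n = 'AddedTypes';    e = { $extraTypes -join ', ' } },
                  InternalSenderAdminAddress, ExternalSenderAdminAddress |
    Format-List
```

Notice that the block sets only the administrator notifications; it deliberately leaves external sender notifications alone, in line with the advice above not to tell outside senders what was blocked.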


Microsoft Defender: Safe Links and Attachments

If there are no safe attachment policies, safe attachments will not appear in Configuration Analyzer. This can make it appear as though everything is perfectly compliant when it may not be. Creating the initial policies will bring them into the analyzer’s scope. Once the default settings are in place and appear in Configuration Analyzer, there are a few other settings to monitor.

Global Attachment Security Setting

In the “Global settings” of Safe Attachments, you can turn the feature on for SharePoint, OneDrive, and Microsoft Teams. This extends the protection applied to email attachments to files stored in those services, which is especially useful when external users share files into your tenant.

With this setting in place, a file uploaded to SharePoint that Safe Attachments detects as malicious is locked, and users cannot open or otherwise interact with it. By default, however, downloading the file is still possible. You can disable that by running the following in the SharePoint Online Management Shell (replace contoso with your tenant name):

Connect-SPOService -Url https://contoso-admin.sharepoint.com
Set-SPOTenant -DisallowInfectedFileDownload $true

Global Safe Attachments Setting: Safe Documents

The Safe Documents feature for Office clients runs a Microsoft Defender for Endpoint scan on a file before the user can leave Protected View. Unfortunately, Safe Documents requires a Microsoft 365 E5 license.

When this feature is enabled, files opened in Protected View are scanned before the user can edit them. If the file is detected as malicious, the user does not see the “Enable Editing” option. Instead, they see a message similar to the following:


There is an option to “Allow people to click through Protected View even if Safe Documents has identified the file as malicious.” However, I recommend never enabling this option outside of testing.

Attachment Security Policy: Enable dynamic delivery for non-hybrid environments

If not all mailboxes are in Exchange Online, Safe Attachments has to hold each message while it scans, using an action such as Block for messages found to contain malware. Any of these hold-and-scan actions delays mail flow while Defender examines the attachments.

In an environment where all mailboxes are in Exchange Online, dynamic delivery can be enabled. Ultimately, this setting allows email to be delivered immediately, without attachments. Attachments are then scanned and included in the email after delivery by Defender. This allows the scanning process to have minimal impact on end-user productivity.

Attachment Security Policy: Apply the detection response when scanning fails

Sometimes scanning cannot be performed on a particular file due to encryption, for example. Therefore, I recommend enabling the option “Apply safe attachment detection response if scanning cannot be performed.” This ensures that these errors do not allow unscanned attachments to reach end users.
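The global settings (SharePoint, OneDrive and Teams protection, Safe Documents) and the per-policy settings (dynamic delivery versus Block, and the response when scanning fails) discussed in this section can be scripted together. The block below is an added example, not code from the original article. It assumes the ExchangeOnlineManagement module, uses placeholder policy and rule names, and scopes the rule to every accepted domain so that a policy exists and Configuration Analyzer has something to assess; flip $allMailboxesInExo to $false in a hybrid tenant. The SharePoint download block from the earlier section stays in the SharePoint Online shell and is not repeated here.

```powershell
# Added example: global Safe Attachments settings plus a tenant-wide Safe
# Attachments policy. Policy/rule names are placeholders; set
# $allMailboxesInExo to $false in a hybrid tenant (no dynamic delivery there).
Connect-ExchangeOnline -ShowBanner:$false

# Global settings: extend protection to SharePoint, OneDrive and Teams, turn on
# Safe Documents, and do not let users click through a file flagged as malicious.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true `
                     -EnableSafeDocs $true `
                     -AllowSafeDocsOpen $false

$policyName        = 'Safe Attachments - All Users'
$allMailboxesInExo = $true

# Dynamic delivery only works when every recipient mailbox is in Exchange Online;
# otherwise hold the message and block it when malware is found.
$action = if ($allMailboxesInExo) { 'DynamicDelivery' } else { 'Block' }

$policySettings = @{
    Enable        = $true     # $false would mean "Off": nothing gets scanned regardless of Action
    Action        = $action
    ActionOnError = $true     # treat "could not scan" (e.g. encrypted archive) like a detection
}

if (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-SafeAttachmentPolicy -Identity $policyName @policySettings
} else {
    New-SafeAttachmentPolicy -Name $policyName @policySettings | Out-Null
}

# Scope the rule to all accepted domains so the policy applies tenant-wide.
$domains  = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
$ruleName = "$policyName Rule"
if (Get-SafeAttachmentRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-SafeAttachmentRule -Identity $ruleName -RecipientDomainIs $domains
} else {
    New-SafeAttachmentRule -Name $ruleName -SafeAttachmentPolicy $policyName -RecipientDomainIs $domains
}

# Verify both layers.
Get-AtpPolicyForO365 |
    Select-Object EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen | Format-List
Get-SafeAttachmentPolicy -Identity $policyName |
    Select-Object Name, Enable, Action, ActionOnError | Format-List
```

The Enable flag is the easy thing to forget: a Safe Attachments policy whose Enable is $false corresponds to the “Off” response in the portal, so the Action you chose is never applied.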

Conclusion

The default settings are a fantastic way to configure Defender for Office 365 quickly, but they don’t get you all the way there. There are still things to consider and adapt for your organization. The items I’ve listed here are just a subset of what’s available; combined with the defaults, they’ll take your Defender implementation to the next level.
