MS-203 Microsoft 365 Messaging – Manage message hygiene using Exchange Online and Office 365

1. Advanced Threat Protection (ATP) Safe Attachments and Safe Links

Is ATP advanced Threat Protection. So this is a feature that is tied to your organizational assets in Microsoft 365 that is going to be monitoring your email, monitoring for malicious links, monitoring for malicious documents, and it’s going to use various different systems to do that. One of the things that’s going to use obviously, is Policies. Policies is sort of in a goto technology that we’ve used throughout the Microsoft 365 environment.

You’ve seen that numerous times throughout our previous lessons, lectures, and it provides us with a way to implement different rules, restrictions that are put in place that we are wanting to use to analyze the types of things users are utilizing in their environment. Whatever documents they’re opening, maybe they’re being attached to email or they’re trying to share these documents with users, they’re clicking links and going to different websites and all that maybe we want to try to police.

So Policies is going to provide us a way in Microsoft 365 to do that. We can implement ATP policies that are going to analyze the places people are going, the things they’re opening, the links they’re clicking via email, or documents they’re looking at via email. And it generates a nice report for us to see what’s going on and try to investigate a little bit of the things that are happening in our environment. Of course, that the reports goes right along with investigative tools we’ll talk about a little bit later involving being able to find what it is that people are doing.

One of the really nice things about this is this also works in conjunction with Exchange Online as well. And so it provides a way for us to not only deal with things like SharePoint and One drive, our Office 365, but also email. If you think about it, one of the most common ways that malicious code gets into our environment is via email. People clicking links, being fished by phishing links, receiving attachment files that they’re opening that have malware on it.

And with Exchange Online exchange Online has this thing called EOP exchange Online protection. And Exchange Online Protection is monitoring for certain aspects of email. It is going the process of going through the process of scanning and looking at all that and looking for keywords and things like that. However, this ATP advanced Threat protection really goes the extra mile. The two primary things that you get with it is safe attachments and safe links. So with safe attachments, the ATP Advanced Threat Protection is going to, when an email comes in, for example, that’s got an attachment to it, it’s going to actually open it in a virtual container environment and it’s going to analyze the actual attachment to see what it’s trying to do.

It looks at things like if the attachment is trying to modify DLL files, if the attachment is trying to access system specific files, drivers, it looks to see if possibly it’s a rootkit. A rootkit is a type of malware that tries to gain admin privileges and it analyzes what it does. It’s almost like a little explosive chamber, this virtual container that it uses. So this piece of malware could explode and try to take over. But it’s in a virtual sandbox, essentially. It’s quarantine so it can’t really do any damage. And this is a really great way for our enterprise to watch out for what is known as a zero day threat.

A zero day threat involves new types of malware that our virus scanners have never heard of, or maybe our operating systems don’t have patches for yet. And so ATP can try and execute those attachments to make sure that they’re not going to damage the user’s operating system. Another thing we have is ATP safe links. Safe links is another feature that works along the same lines of safe attachment. When an email comes in that has a link associated with it, that link can be analyzed, it can be executed in a virtual container using a browser, and it looks to see where it’s going. It looks for known phishing websites. If the website tries to execute some code, it’ll execute the code and see what happens in that little virtual container before the email can be sent.

The other thing that’s great about both of these safe attachments and safe links is that if it does find something, there’s a couple of things it can do. One thing it can do is obviously it can go ahead and send an email and say, hey, this attachment is a malware and you can’t run it, or this link connects to malware and you can’t run it. You can also have a copy of that email sent to an administrator who could then further investigate it. This is good, especially in a situation where maybe you’re afraid ATP could flag something as malware when it’s actually something legitimate. You could have it go to an inbox where an administrator could further test things and that’ll go for both the attachment as well as safe links. So it gives us some control. If we want to moderate things a little bit, we have the ability to moderate things and test all of this out.

Another thing that can happen is we can have a safe link that displays a message that says, hey, this is possibly an infected link, go there at your own, basically proceed with caution, or we flat out don’t have to allow that if we don’t want to. We can just completely block that if we’d rather just block it. So we definitely have a measure of control when we implement ATP safe links. And again, it works really well with Microsoft’s Exchange online. Now, this is not only for email, this works in conjunction with SharePoint, it works with OneDrive, it works with teams, your office, 365 applications and all that. As you’re dealing with things out in the cloud, your ATP policies can take effect all right? And this is a huge step forward for anti phishing, okay? Phishing being one of the number one ways that users are getting tricked into doing things and opening things in your environment. Now another thing you get is you get some investigative tools.

One of the really nifty little tools that they give you access to is called threat explorer. Threat explorer gives you a real time look at the different threats that have been detected throughout the environment. So it kind of breaks it down into different types of malware. It tells you the IP addresses that have access to that or tried to open that. You can look at your users and see who your risky users are in your environment that are opening these. You can see what email addresses are being attacked through exchange. Maybe there’s a lot of malware coming in through a certain email account or email address. This is a great way for us to kind of hone in on our troublemakers in our environment, or maybe the people that are targeted in our environment more often than others.

Now we also have the ATP attack simulator. This is a really awesome tool that Microsoft gives us access to that lets us try out doing phishing attacks against our users. And so, as you can see, you could draft your own email there and you can send emails to your users and see who are the ones that are clicking those emails, opening those emails. I was talking to a guy one time, he was telling me that he had implemented this in his company. And he said in the beginning, lots of people were clicking the links and opening up the infected malware, which really wasn’t infected, it was really just a test to see who was opening it. And he was saying that in the beginning, lots of people were doing it. And then what his company did is they implemented a policy called mandatory weekend training.

So basically their employees would have to go to mandatory training on the weekend if they clicked the link. He said that as soon as they implemented that policy, immediately people stopped clicking those links links, because nobody wants to go to mandatory weekend training, right? So anyway, you can implement ATP attack simulator and send out these emails and get a good idea of, again, who your troublemakers are, who the people are that are actually opening up these attachments, or clicking these links and all that fun stuff.

2. Configuring ATP Safe Attachments and Safe Links

In this demonstration, I’m going to step you through the process of looking at ATP. We’re going to talk about advanced threat protection policies. We’ll take a glimpse of the safe links policy, safe attachments, all that good stuff. So to start with here we’re on Admin, Microsoft. com. I’m going to click Show All and we’re going to go to the Security Compliance Center.

So we’re going to click on security, load up the Security Compliance Center. Now in this case we’re going to be under threat management here. So we’re going to drop down this little threat management area and we’re going to click on policies. Notice some of the stuff I was mentioning in my slide presentation earlier, tax Simulator, Explorer, all that good stuff. But here we are in the policy area for threat management. And a couple of things here stand right out at you, the safe attachments and safe links. We’ll take a look at the safe attachments policy right now.

So here’s safe attachments. And if I wanted to turn this on for SharePoint OneDrive teams, I could check this box here, okay? Right here it says help people stay protected or stay safe when trusting a file. Open outside protected view and Office, you could turn that on as well. This is an E Five licensed base feature though. Now down here it says Protect email attachments. I’m going to click the little plus sign here and I could give it a name, give it a description. All right. From there you’re going to get a warning option. Here it says monitor, replace and block actions may cause significant delay to email delivery.

Now that’s something I did want to clarify. Anytime you implement ATP, it can slow things down, okay? Because obviously the email is having to be checked. And as I mentioned in my introduction to this, I talked about how this is going to open in a virtual container and of course that is going to slow things down. It’s got to test it, it’s got to check it against the operating system. It’s got to make sure there’s not going to be any damage done. So this virtual container is going to slow things down a bit. So you do kind of have to know that going into this.

Okay, so look at your options. Here. You have monitor. So Monitor is going to go ahead and continue deliver the message. Even if it detects malware, it’s just going to send an alert. It’ll show up as a message for us admins to look at. Obviously this is not a popular option in most cases, but it is good if you’re worried about things getting stopped that are legitimate. Now blocking, that’s a pretty obvious one. I’m just going to flat out block it. If it’s got some sort of malware, it’s detected to be malicious, it’s just going to get blocked. You have replace.

So this is going to replace the attachment so it’ll go ahead and continue to deliver it, but it’s going to basically replace that attachment and display a message that says, hey, the attachment has been replaced and you can have it replaced with a PDF file that says something like this file was infected. So you can’t open it and if you want to further investigate it, please email this administrator. You could put a document in place for that and then you have dynamic delivery. Dynamic delivery is going to deliver the message without the attachment.

This is a really great feature because it means that the user will get the email and it’ll basically say, hey, here’s the email. But then your email has an attachment and currently it’s going through the process of scanning it. So it doesn’t actually allow the person to access the attachment until it’s done scanning it and checking it and all that. Okay, so that’s a great feature because at least the email gets delivered very quickly. This option here is redirect attachments on detection.

This is great. If you want to have a catch all inbox for an admin who is going to get a copy of all of these attachments, you can go ahead and set that up here. You can specify an email address for an admin that’s going to do that. So maybe I want to get a copy of all these malicious attachments so that I can further investigate. That’s a great way to do that. So this is how you would set up a safe attachment. Let’s take a look at safe links now.

So we’re going to go back over to policy. Click on ATP Safe Links. This is what I want to focus my hands on activity on. Now we’ve got a default policy here that represents the entire organization. Although if we wanted to we can create a policy and tie it to specific users. Okay, I’m going to go ahead and edit the default policy because my policy, I want it to affect the entire organization. So I’m going to click this little pencil symbol here and then at that point I’m going to put in the URLs that I want to look for. Now keep in mind that you can use Wildcards for this.

So perhaps, maybe I am looking for a link that’s from a site called we are going to hack you. I could put a star in front of that which is basically going to say everything that’s got we are going to hack you. com on the end of it. I could, even if I wanted to I could do we are going to hack you star. That means just anything that has we are going to hack you in it anywhere. Okay, I could add that if I want or if I wanted to be explicit. Now this is something I like to say.

Let’s say it was a type of scenario that you got on the exam. You would want to do it exactly like they tell you to if they don’t tell you to put stars, you wouldn’t put stars, you wouldn’t put wild cards. So if they were to tell you, hey, we just want you to block the URL called, we are going to hack you, then that’s what you would do. You put that in, you would click the plus sign. And now you’ve added that as a link that you want to block something.

You definitely just want to flat out block it. You’re not going to allow it. It’s not going to be scanned, it’s just going to get blocked immediately if there is a link tied to that domain name. Okay, so pretty straightforward idea there. You’re just putting in a domain name there, URL, whatever that you want to block, you can use wild cards. Pretty straightforward. So right here, so settings that apply to content accept email, these settings don’t apply to email messages. If you want to apply them for email, create a safe links policy for email recipients. So right here it says, use Safe links in Office 365. Applications for these applications selected above do not track when users click safe links.

Okay? So anything that’s safe, it’s not going to actually track those, but anything that’s not safe, they click on. Obviously it’s going to keep track of those. Then it says do not let users click through safe links to original URLs. So what happens there is if a link pops up that a user wants to open, we can prevent them entirely from being able to click through because what will happen is they’ll get a warning message and it is possible for them to pass through and open that link anyway. So if we don’t want to allow that, we can select that checkbox.

Okay, now going back to this though, where it says these settings don’t apply to email messages. If you want to apply them for email, create a safe links policy. So where we’re going with that is if we set our block policy up here, you’ve also got down here policies that apply to specific users. So if you wanted to apply a set of policies to a specific group of users or whatever, you could do that here. All right, specify the name of the safes link policy here, apply it to the URLs that you want right here, and then you can specify who this is going to go to.

Okay, so that’s where they’re going in regards to safe links policy, another thing you can do in that regard, when you set your URLs up, if you come down here, it’ll say applied to if you wanted it to go to specific group, specific recipients, you’ll notice this is an if statement. So I can drop this down and I can say the recipient is and I could specify a specific recipient, I could do a recipient domain, or I could say the recipient is a member of and I could specify a specific group.

Okay, now, in my case, the only thing I wanted to do in this hands on activity is I wanted to add the policy right here for the entire organization. I wanted to add this domain name. And again, as far as an exam goes, you want to do exactly what they tell you to do. They tell you to add a URL, one URL, for the entire organization. That’s all you got to do.

They are not telling you to go and add policy specific users, then don’t add it to specific users. Again, you want to stick to what it is that they tell you to stick to on this, okay? And at that point, we’ve added our safelinks policy, and we’ve completed this task.

• Category: Uncategorized