Have you purchased or are you thinking of purchasing Office 365’s Advanced Threat Protection (ATP) for your Office 365 tenant? In Part 1 of this article series, I’m going to show you how to take your first steps into making your mailboxes more secure by reducing the amount of phishing e-mails sent to your users with ATP anti-phishing policies.
In this scenario, I’m assuming you have an Office 365 tenant with Exchange Online, and you’ve already purchased ATP licenses and have assigned them to your users.
ATP anti-phishing works by checking incoming messages for indicators that the message may be phishing. Messages are evaluated by multiple learning models that analyze the message. Office 365 administrators can define policies that protect users from phishing attacks that include impersonation of other users or domains. These policies also define what kind of action should be taken when a phishing message is detected. If you’d like to read more on how ATP anti-phishing works, Microsoft has written a good article here.
Office 365 does have a default anti-phishing policy configured out-of-the-box; however, it offers basic protection against phishing and none of the more advanced protection features to protect your users from impersonation and spoofing attacks.
Creating Your First ATP Anti-Phishing Policy
Instead of modifying the default policy, I’d recommend creating a new anti-phishing policy and apply it to a test user or pilot group. In this article, we’ll be configuring a policy that:
- Protects all users in the organization under our primary e-mail domain
- Protects users from impersonated emails
- Send phishing emails to the quarantine
You can find all three of the ATP policies in Office 365’s Security & Compliance Center under Threat Management and then under Policy.
At the ATP anti-phishing policy page, click on the “Create” button to create a new anti-phishing policy. Give the policy a name and a brief description, and click Next.
At the next screen, you’ll need to define who this policy will apply to. This can be a recipient, a group of recipients, or an entire domain in your organization. In this example, we’ll be applying this policy to an entire domain.
At the next screen, review your settings, and click “Create this policy”.
We’re not quite done yet. We’ll need to edit this policy to turn on the impersonation and anti-spoofing features. This policy will: - Protect users from impersonated emails from our CEO and other C level executives.
- Protect imaginet.com mail domain.
- Emails that impersonate users or domains will be sent to the quarantine
- Enabled safety tips to notify users that an e-mail may contain
- Advanced phishing threshold set to standard level
How Does This Impact My Users and Exchange Online Environment?
This goes without saying, I would recommend testing this policy by applying it to a test user or group first before applying it to the whole organization. As soon as this policy is enabled, it is active. When you go and apply these policies, the whole process is transparent to your users, their Outlook clients and mobile devices will continue to receive and send mail. However, anything detected as a phishing e-mail will be sent to the quarantine since this is what we set the policy to do.
ATP’s anti-phishing engine is quite good at discerning what’s “good” mail and what could be a phishing email, but once in awhile, the occasional e-mail may get flagged as a false positive. This is where you may need to adjust your policy and add trusted senders or trusted domains. I find services that use e-mail notifications tend to trigger false positives more often. For example, our Imaginet incident management system allows me to email users directly from its interface; however, the email uses my name and helpdesk@imaginet.com as the send address, which triggers ATP to think this is a spoof attempt. Adding our incident management system’s mail address as a trusted sender solves this problem.
Threat Management Dashboard is Your Friend
The policy we created is general and could be tweaked further, but wouldn’t it be nice to get some insight into who in your organization is being targeted?
After you’ve enabled your first ATP anti-phishing policy, the Threat Management Dashboard will become a useful tool at your disposal to help you fine tune your policies or implement more policies to help you protect specific user groups or departments in your organization.
With the threat management dashboard, you’ll be able to get insights like users in your organization who have been targeted with the most phishing e-mails, where are the emails originating from, domains that have been spoofed, and users who have been impersonated.
With this kind of information, you’ll be able to stay one step ahead of the bad guys of the internet. I recommend after making your first ATP anti-phishing policy to monitor the dashboard over a few business days, and you’ll be able to determine if you need to implement more policies to cover specific users or groups without worrying about impacting the entire organization with stricter anti-phishing policies.
Reviewing Detected Phishing Messages
I’ve mentioned that users may report the occasional false positive flagged by ATP’s anti-phishing engine. If you do find yourself being notified about false positives or want to review the amount of phishing e-mails detected, you’ll want to head over to the Threat Explorer page under Threat Management.
Here you’ll be able to view malware threats and phishing threats with handy details like the time it was received and how many recipients received the same e-mail. All of this is displayed in a nice bar graph for you to review.
Under the pretty bar graph, you’ll find the more detailed report of phishing mail detected by ATP. Here you can view time it was received, subject, recipient, sender, sender IP, and status.
This is where you can apply actions like move to junk, to deleted items, or to a user’s inbox in case it’s a false positive.
Coming Up Next
Next, in Part 2 of this Office 365 Advanced Threat Protection 101 article series, we will explore Office 365’s ATP Safe Attachment Policies that check to see if email attachments or files are malicious and helps to protect your organization. And as always, if you need help with your Office 365 environment but not sure where to start, Imaginet is here to help. Our Imaginet certified Office 365 experts can help you get started with any of your Office 365 initiatives. To find out more, schedule your free consultation call with Imaginet today.
=====
Imaginet is your trusted technology partner who turns your business innovation ideas into reality. 20+ years | 1200+ satisfied customers | 2500+ successful engagements. Primary services include Web Application Development, Mobile App Development, and SharePoint consulting services, with additional specialties in Power BI & Business Intelligence, Office 365, Azure, Visual Studio, TFS, & VSTS, Skype for Business, and more. Located in the United States (Dallas, TX) and Canada (Winnipeg, MB) with services offered worldwide. Contact us today at info@imaginet.com or 1-800-989-6022.