Real World Advanced Threat Protection Brian Reid Microsoft Office Servers and Services MVP Exchange Server Microsoft Certified Master brian@nbconsult.co | @BrianReidC7

Classifying Advanced Threats General Spam and Malware / Viruses = Threats Zero-Day, Phishing, Spoofing, Unsafe Links = Advanced Threats This, for the purpose of this presentation, is everything that classic Antivirus cannot detect! We will look at zero-day attacks, spoofing and other threats that we need to protect against

Email Malware Threats The most common source for all threats to enter a company Threats are typically not the same variant of the virus repeated time and again (as that is easy to spot) but variations and tweaks on the malware so it continually evolves and is typically always “zero-day” Use sandboxing, attachment blocking and quarantine tools A quick demo of Office 365 Advanced Threat Protection Safe Attachments

Email Link Threats Links to suspect content in email needs to be protected against Corporate proxies used to (still do) hold this role, but with the rise of mobile devices need something that can filter from anywhere Links in email, links to executable content, and links in Office documents A quick demo of Office 365 Advanced Threat Protection Safe Links

Advanced Threat Analytics Microsoft’s offering (there are others) which is licenced as part of Enterprise Mobility + Security (and standalone) Detection of the behaviours of the threat, rather than the threat itself as well as detection of advanced attacks and security risks For example, creds being passed around when this would not be expected; session enumeration; privilege escalation

Windows Defender ATP Not Office ATP Part of Microsoft 365 Licence (Windows E5 product), previously called Secure Productive Enterprise Requires Windows 10 Creators Edition or later Reports on activity, sources and impacts from “code” running on Windows devices, and utilises the Security Graph of learned info from across the globe

Spoofing Threats We will take a look at a sample, and then look at the protection of the end user Spoofing and phishing can start with a compromised account, but it can also have nothing to do with a company account – though it looks like it does! Are you pawned? And have you ever phished your users intentionally?

SPF, DKIM and DMARC (Sender Policy Framework) is a list of allowed email server sender SPF (DomainKeys Identified Mail) is encrypted headers done by authorized email server DKIM (Domain Message Authentication Reporting & Conformance) is reporting and telling receivers what your email quarantine policy is DMARC Why should I care and what can I do about implementing SPF and DMARC? And how easy is it to implement? That is the next session…

Safety Tips in Office 365 Notifications that are written into the email (rather than the client) Admin portal for spoof rules and reports Get-PhishFilterPolicy to export 30 days of spoof info or the Protection UI

Failed Sender Authentication Warnings Arriving now to Outlook Web App / Outlook.com Emails that fail authentication do not display the user photo or auto determined initials Implement SPF and/or DKIM to ensure your emails are authenticated

Call To Action Spin up a demo Office 365 E5 tenant and enable Office 365 ATP A few 2000 and 10,000 seat deployments turned it on without issue Its not just part of Office 365 E5 – it is also available as a standalone licence Requires Exchange Online Protection (EOP) as your email gateway