Microsoft Defender For Office 365
Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
Integrated threat protection for all of Office 365
Help prevent a wide variety of volume-based and targeted attacks, including business email compromise, credential phishing, ransomware, and advanced malware with a robust filtering stack.
Detect malicious and suspicious content like links and files across Office 365—all using industry-leading AI.
Investigation and hunting
Track attacks across Office 365 with advanced hunting capabilities that help identify, prioritize, and investigate threats.
Response and remediation
Amplify your security team’s effectiveness and efficiency with extensive incident response and automation capabilities.
Awareness and training
Build user awareness with rich simulation and training capabilities along with integrated experiences within client apps.
Use recommended templates and configuration insights to help your organization get and stay secure.
A holistic view of threat protection
Defender for Office 365 supports organizations throughout the lifecycle of an attack.
Frequently Asked Questions (FAQs)
What is Microsoft Defender for Office 365?
Microsoft Defender for Office 365 is a cloud-based email filtering service, layered on top of Exchange Online Protection (EOP), that protects against advanced threats such as phishing and malware in email and in collaboration tools (Teams, SharePoint and OneDrive).
Microsoft Defender for Business vs Microsoft Defender for Endpoint vs Microsoft Defender for Office 365

| Feature | Microsoft Defender for Business | Microsoft Defender for Endpoint | Microsoft Defender for Office 365 |
|---|---|---|---|
| Protects | Endpoints (devices) in organizations of up to 300 users | Endpoints (devices) and servers | Email, links and collaboration tools (Teams, SharePoint, OneDrive) |
| Advanced threat defense | Yes | Yes | Yes |
| Integration with Azure | Yes | Yes | Yes |
| License requirements | Microsoft 365 Business Premium (or standalone) | Microsoft 365 E3 (Plan 1) or Microsoft 365 E5 (Plan 2) | Microsoft 365 Business Premium (Plan 1) or Microsoft 365 E5 (Plan 2) |
Can Microsoft Defender for Office 365 be used with other email services?
Not directly. Microsoft Defender for Office 365 filters mail that flows through Exchange Online Protection (EOP). Mailboxes hosted on-premises or with another provider are covered only when the domain's MX record routes inbound mail through EOP before it is handed on, which is how a standalone EOP subscription with Defender for Office 365 is used in hybrid deployments.
Is Microsoft Defender for Office 365 suitable for businesses of all sizes?
Yes, Microsoft Defender for Office 365 is suitable for businesses of all sizes, from small businesses to large enterprises. Plan 1 (included in Microsoft 365 Business Premium) provides the protection features; Plan 2 (included in Microsoft 365 E5) adds the investigation, hunting, automated response and attack-simulation capabilities described above.
Can Microsoft Defender for Office 365 be integrated with other security solutions?
Yes, Microsoft Defender for Office 365 integrates with other Microsoft security services, such as Azure Active Directory (now Microsoft Entra ID) and Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps), to provide a comprehensive security solution for Office 365 users.
Microsoft Defender for Office 365 - How does it work?
The Microsoft Defender for Office 365 protection (filtering) stack can be broken into four phases, described below. Generally speaking, incoming mail passes through all of these phases before delivery, but the actual path a message takes depends on the organization's Defender for Office 365 configuration.
Phase 1 – Edge Protection
- Network throttling protects the Office 365 infrastructure and its customers from denial-of-service (DoS) attacks by limiting the number of messages a given set of sending infrastructure can submit.
- IP reputation and throttling blocks messages from connecting IP addresses with a known bad reputation. An IP that sends many messages in a short period is throttled.
- Domain reputation blocks any message sent from a known bad domain.
- Directory-based edge filtering blocks attempts to harvest the organization's directory information over SMTP (for example, probing many candidate recipient addresses to learn which ones the server accepts).
- Backscatter detection prevents the organization from being flooded with invalid non-delivery reports (NDRs): bounces for messages it never sent, generated when a spammer forges one of its addresses as the sender.
- Enhanced filtering for connectors preserves the original connecting IP and authentication information even when traffic passes through another device (a third-party gateway or an on-premises server) before it reaches Office 365. This keeps the filtering stack accurate, including heuristic clustering, anti-spoofing and the anti-phishing machine learning models, in complex or hybrid routing scenarios.
Phase 2 – Sender Intelligence
- Account compromise detection raises alerts when an account shows anomalous behavior consistent with compromise. In some cases the account is blocked from sending further email until the organization's security operations team resolves the issue.
- Email authentication combines methods the customer configures in DNS with checks performed in the cloud to establish that a sender is authorized to use the domain it claims. These methods resist spoofing.
  - SPF lets the receiving server reject mail based on a DNS TXT record that lists the IP addresses and hosts allowed to send mail on the domain's behalf.
  - DKIM adds a cryptographic signature to the message header, produced with the sending domain's private key and verified against a public key published in DNS. It authenticates the signing domain and detects tampering with the signed headers and body; it does not encrypt the message.
  - DMARC lets a domain owner publish a policy (none, quarantine or reject) for messages that fail authentication, and requires that the domain that passed SPF or DKIM is aligned with the domain in the visible From: header.
  - ARC preserves authentication results across forwarding and mailing lists, where SPF and DKIM would otherwise break, by recording a signed chain of the results each intermediary observed.
- Spoof intelligence separates senders who are allowed to 'spoof' (that is, send mail on behalf of another account, or forward for a mailing list) from malicious senders who imitate organizational or known external domains. It distinguishes legitimate 'on behalf of' mail from senders who spoof to deliver spam and phishing messages.
- Intra-org spoof intelligence detects and blocks spoof attempts from a domain within the organization.
- Cross-domain spoof intelligence detects and blocks spoof attempts from a domain outside of the organization.
- Bulk filtering lets admins set a threshold on the bulk complaint level (BCL), a score indicating how likely a message is to have come from a bulk sender. Administrators use the bulk email threshold (the bulk slider) in the anti-spam policy to decide what level of bulk mail to treat as spam.
- Mailbox intelligence learns from standard user email behaviors. It leverages a user’s communication graph to detect when a sender only appears to be someone the user usually communicates with, but is actually malicious. This method detects impersonation.
- Mailbox intelligence impersonation enables or disables enhanced impersonation results based on each user’s individual sender map. When enabled, this feature helps to identify impersonation.
- User impersonation lets an admin list high-value users likely to be impersonated. If a message arrives whose sender only appears to have the same name or address as a protected user, the message is marked or tagged. (For example, trαcye@contoso.com for tracye@contoso.com, where the α is a Greek alpha rather than a Latin a.)
- Domain impersonation detects sender domains that are similar to the recipient's domain, or to a protected domain, and that attempt to look like an internal domain. For example, tracye@liwαre.com for tracye@litware.com.
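The two Phase 2 mechanisms just described, DMARC alignment and user/domain impersonation detection, as an added worked example. This is illustrative Python written for this page, not Microsoft's implementation; the small confusables table, the two-label rule for the organizational domain, the edit-distance threshold of 1, and every address and DNS record in it are assumptions constructed for the demo.

```python
"""Added example, not Microsoft's code: a miniature of two Phase 2 checks,
DMARC alignment and user/domain impersonation (lookalike) detection.
All inputs are constructed; contoso.com and litware.com are the placeholder
domains used in the text above."""
import unicodedata
from typing import Optional

def org_domain(domain: str) -> str:
    """Registrable domain, approximated as the last two labels. Assumption: a
    real filter uses the Public Suffix List (else a.co.uk and b.co.uk align)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts any host under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r"),
            "adkim": tags.get("adkim", "r")}

def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (passed, action). DMARC passes when SPF *or* DKIM passed with an
    aligned identifier; otherwise the published policy applies. A forwarded
    message typically fails here (SPF domain is the forwarder, DKIM broken by
    modification), which is the gap ARC exists to close."""
    rec = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    return (True, "none") if (spf_ok or dkim_ok) else (False, rec["p"])

# A few visually confusable characters (real products use the full Unicode
# confusables table). Keys are written as escapes to make the code points explicit.
CONFUSABLES = {
    "\u03b1": "a",  # Greek alpha, the α in the trαcye example above
    "\u03bf": "o",  # Greek omicron
    "\u0435": "e",  # Cyrillic ie
    "\u0456": "i",  # Cyrillic i
    "\u0455": "s",  # Cyrillic dze
    "0": "o", "1": "l", "rn": "m", "vv": "w",
}

def skeleton(s: str) -> str:
    """Fold a string to the form lookalike detection compares on."""
    s = unicodedata.normalize("NFKC", s).lower()
    for look, real in CONFUSABLES.items():
        s = s.replace(look, real)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so O(len(a) * len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like(a: str, b: str) -> bool:
    # One confusable swap or one dropped/added character away (liwαre vs litware).
    return edit_distance(skeleton(a), skeleton(b)) <= 1

def impersonation_hits(display_name, from_addr, protected_users, protected_domains):
    """Flag a sender that resembles a protected user (by address or display
    name) or a protected domain without being it. An exact match is not
    impersonation; whether it is spoofed is what dmarc_verdict decides."""
    hits = []
    sender_domain = from_addr.rpartition("@")[2]
    for name, addr in protected_users:
        if from_addr.lower() != addr.lower() and (
                looks_like(from_addr, addr) or looks_like(display_name, name)):
            hits.append(("user", addr))
    for dom in protected_domains:
        if sender_domain.lower() != dom.lower() and looks_like(sender_domain, dom):
            hits.append(("domain", dom))
    return hits

if __name__ == "__main__":
    # Constructed spoof: From contoso.com, SPF passed only for the connecting
    # host's own domain, no DKIM, and contoso.com publishes p=reject.
    print(dmarc_verdict("contoso.com", "pass", "mailer.example.net", "none", None,
                        "v=DMARC1; p=reject"))
    print(impersonation_hits("Tracye Smith", "tracye@liw\u03b1re.com",
                             [("Tracye Smith", "tracye@contoso.com")],
                             ["contoso.com", "litware.com"]))
```

The two checks are deliberately separate: an exact-domain spoof (a real contoso.com address used from an unauthorized host) is caught by DMARC alignment, while a lookalike (trαcye, liwαre) passes DMARC for the attacker's own domain and is only caught by comparing skeletons against the protected lists. A threshold of one edit is a trade-off; it will also flag a legitimately different colleague whose address is one character away, which is why the product marks or tags rather than silently drops.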
Phase 3 – Content Filtering
- Mail flow rules (also known as transport rules or Exchange transport rules) let an admin take a wide range of actions when an equally wide range of conditions match a message. Every message that flows through the organization is evaluated against the enabled mail flow rules.
- Microsoft Defender Antivirus and a third-party antivirus engine are used to detect known malware in attachments.
- The antivirus (AV) engines are also used to true-type supported attachments, that is, to identify the real file type from its content rather than its name or extension, which allows type blocking to correctly block the file types specified by admins.
- Whenever Microsoft Defender for Office 365 detects a malicious attachment, the file's hash, and a hash of its active content, are added to Exchange Online Protection (EOP) reputation. Attachment reputation blocking then blocks that file across all of Office 365, and on endpoints, through Microsoft Defender Antivirus (MSAV) cloud calls.
- Heuristic clustering can determine that a file is suspicious based on delivery heuristics. When a suspicious attachment is found, the entire campaign pauses, and the file is sandboxed. If the file is found to be malicious, the entire campaign is blocked.
- Machine learning models act on the header, body content, and URLs of a message to detect phishing attempts.
- URL reputation blocking uses reputation derived from Microsoft's own URL sandboxing and from third-party URL reputation feeds to block any message containing a known malicious URL.
- Content heuristics can detect suspicious messages based on structure and word frequency within the body of the message, using machine learning models.
- Safe Attachments sandboxes every attachment for Defender for Office 365 customers, using dynamic analysis to detect never-before-seen threats.
- Linked content detonation treats every URL linking to a file in an email as an attachment, asynchronously sandboxing the file at the time of delivery.
- URL Detonation happens when upstream anti-phishing technology finds a message or URL to be suspicious. URL detonation sandboxes the URLs in the message at the time of delivery.
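The content-filtering steps above (true-typing an attachment from its bytes, blocking on the detected type rather than the filename, and checking the file hash and active-content hash against a reputation list) as an added Python example written for this page, not Microsoft's engine. The magic-byte table, the block list, the choice of the Office VBA project as the "active content", and all sample files are assumptions constructed for the demo.

```python
"""Added example, not Microsoft's code: three Phase 3 steps in miniature.
An attachment is true-typed from its bytes, type blocking is applied to the
detected type rather than the filename, and the file hash plus the hash of its
active content (here, an Office VBA project) are checked against a reputation
list. All sample files below are constructed in memory."""
import hashlib
import io
import zipfile

# Leading bytes ("magic") for a handful of formats. Office Open XML files are
# ZIP containers, so a ZIP needs a second look at its member names.
MAGIC = [
    (b"MZ", "exe"),                                # PE: .exe/.dll/.scr
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),
]
OFFICE_ROOTS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}
MACRO_TYPES = {"docx": "docm", "xlsx": "xlsm", "pptx": "pptm"}
BLOCKED_TYPES = {"exe", "elf", "docm", "xlsm", "pptm"}  # assumption: admin's type-block list

def true_type(data: bytes):
    """Return (type, active_content): active_content is the VBA project bytes
    for a macro-enabled Office file and None otherwise."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return _zip_type(data) if kind == "zip" else (kind, None)
    return ("unknown", None)

def _zip_type(data: bytes):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for root, kind in OFFICE_ROOTS.items():
                if any(n.startswith(root) for n in names):
                    vba = root + "vbaProject.bin"
                    if vba in names:
                        return (MACRO_TYPES[kind], zf.read(vba))
                    return (kind, None)
    except zipfile.BadZipFile:
        pass
    return ("zip", None)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verdict(filename: str, data: bytes, bad_hashes: set):
    """Decide allow/block for one attachment. Reputation is checked first
    (cheapest, highest confidence), then type blocking on the *true* type."""
    kind, active = true_type(data)
    if sha256(data) in bad_hashes:
        return ("block", "known-bad file hash", kind)
    if active is not None and sha256(active) in bad_hashes:
        return ("block", "known-bad active content (macro) hash", kind)
    if kind in BLOCKED_TYPES:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return ("block", f"true type {kind} is blocked (declared .{ext})", kind)
    return ("allow", "", kind)

def make_office(kind: str, macro: bytes = None) -> bytes:
    """Build a minimal (constructed, not Word-valid) Office container."""
    root = {v: k for k, v in OFFICE_ROOTS.items()}[kind]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(root + "document.xml", "<document/>")
        if macro is not None:
            zf.writestr(root + "vbaProject.bin", macro)
    return buf.getvalue()

# Constructed samples: a fake PE header, a minimal PDF, and a VBA stub that
# will be placed inside a document whose filename claims it is a plain .docx.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n%%EOF\n"
SAMPLE_MACRO = b"Attribute VB_Name = \"ThisDocument\"\nSub AutoOpen()\nEnd Sub\n"

if __name__ == "__main__":
    print(verdict("invoice.pdf", SAMPLE_PE, set()))                       # PE renamed to .pdf
    print(verdict("report.docx", make_office("docx", SAMPLE_MACRO), set()))  # macro doc named .docx
    print(verdict("report.docx", make_office("docx"), set()))
    print(verdict("quarterly.pdf", SAMPLE_PDF, {sha256(SAMPLE_PDF)}))    # hash reputation hit
```

The point of true-typing is visible in the first two calls: an executable renamed to invoice.pdf and a macro-enabled document named report.docx are both blocked because the decision uses the detected type, not the extension. Hashing the active content separately means the same macro dropped into a freshly built document (different file hash) is still recognized.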
Phase 4 – Post-Delivery Protection
- Safe Links is Defender for Office 365’s time-of-click protection. Every URL in every message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked it’s checked against the latest reputation, before the user is redirected to the target site. The URL is asynchronously sandboxed to update its reputation.
- Zero-hour auto purge (ZAP) for phishing retroactively detects and neutralizes phishing messages that have already been delivered to Exchange Online mailboxes.
- ZAP for malware retroactively detects and neutralizes messages carrying malware that have already been delivered to Exchange Online mailboxes.
- ZAP for spam retroactively detects and neutralizes spam messages that have already been delivered to Exchange Online mailboxes.
- Campaign Views let administrators see the big picture of an attack faster and more completely than a team could without automation. Microsoft uses the anti-phishing, anti-spam and anti-malware data from across the entire service to identify campaigns, and then lets admins investigate each campaign from start to end, including its targets, impact and mail flows. The same information is available as a downloadable campaign write-up.
- The Report Message add-ins enable people to easily report false positives (good email, mistakenly marked as bad) or false negatives (bad email marked as good) to Microsoft for further analysis.
- Safe Links for Office clients offers the same Safe Links time-of-click protection, natively, inside supported Office apps like Word, PowerPoint, and Excel.
- Protection for OneDrive, SharePoint, and Teams offers the same Safe Attachments protection against malicious files, natively, inside of OneDrive, SharePoint, and Microsoft Teams.
- When a user selects a URL that points to a file after delivery, linked content detonation shows a warning page until sandboxing of the file completes and the URL is found to be safe.
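A toy time-of-click redirector modelled on the Safe Links behaviour described above, as an added example written for this page (not Microsoft's Safe Links code). The redirector hostname, the HMAC key, the block-list representation and the message body are all assumptions; the point it demonstrates is that the reputation check happens when the link is clicked, not when the message was delivered.

```python
"""Added example, not Microsoft's code: a toy time-of-click redirector in the
style of Safe Links. At delivery every URL in the body is rewritten to point at
a redirector, carrying the original URL and an HMAC over it. At click time the
redirector verifies the HMAC, then consults the reputation list *as it is now*,
so a URL that was clean at delivery but has since been classified is still
stopped. Hostname, key and message body are constructed for the demo."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECTOR = "https://safelinks.example.net/click"  # assumption: our own endpoint
KEY = b"constructed-per-tenant-secret"               # assumption: kept server-side
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def _tag(url: str) -> str:
    """HMAC over the original URL. Without it the redirector would be an open
    redirect that attackers could use to make any link look like ours."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def wrap_url(url: str) -> str:
    if url.startswith(REDIRECTOR):
        return url  # already wrapped, e.g. a forwarded message
    return REDIRECTOR + "?" + urlencode({"url": url, "sig": _tag(url)})

def wrap_body(body: str) -> str:
    """Delivery-time step: rewrite every URL in the message text."""
    return URL_RE.sub(lambda m: wrap_url(m.group(0)), body)

def on_click(wrapped: str, reputation: set):
    """Click-time step. Returns one of:
    ('reject', None)    signature missing or invalid: tampered or forged link
    ('block', url)      host or exact URL is on the *current* block list
    ('redirect', url)   clean right now, send the browser on."""
    q = parse_qs(urlparse(wrapped).query)
    url = q.get("url", [""])[0]
    sig = q.get("sig", [""])[0]
    if not url or not hmac.compare_digest(sig, _tag(url)):
        return ("reject", None)
    host = (urlparse(url).hostname or "").lower()
    if host in reputation or url in reputation:
        return ("block", url)
    return ("redirect", url)

# Constructed message body with one benign link and one phishing link.
SAMPLE_BODY = ("Your report is at https://contoso.example/reports/q3\n"
               "Sign in again here: http://login-contoso.example/verify")

if __name__ == "__main__":
    delivered = wrap_body(SAMPLE_BODY)   # what lands in the mailbox
    links = URL_RE.findall(delivered)
    print(on_click(links[0], set()))
    # The phishing host is classified only after delivery; the click still fails.
    print(on_click(links[1], {"login-contoso.example"}))
```

Two practitioner notes on the design. The signature is what keeps a rewriting redirector from becoming an open redirect: anyone who can forge `?url=` on a trusted domain has a phishing lure that passes a casual hover check, so the MAC must cover the exact URL and be verified in constant time. And because the visible link now points at the redirector, users cannot read the real destination from the rewritten URL; Safe Links in Office clients and the warning pages exist partly to compensate for that.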