Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks

Welcome to Office Mechanics. Coming up on today’s show, if you’re not satisfied with your current spam filter and looking to harden your email environment, we’ll show you what you can do with the latest in advanced threat protection. We’ll also take a look at new capabilities in Office 365 and Exchange Online to consistently protect you against phishing attacks with new features such as Safe Attachments and Safe Links, plus more to safeguard you against malware and bulk spamming. On Office Mechanics I’m joined by Shobhit Sahay, Office 365 security expert. So what’s behind these enhancements?

Thanks Jeremy, great to be here. So we have had protection in place for a while now with Exchange Online Protection, and it continues to be an area of constant evolution, but as attackers around the globe are getting smarter, finding new ways to create sophisticated attacks, we have to provide proactive defenses against such attacks whether they are known or unknown.

Right, now let’s take a look at this through some common attack vectors, because there are lots of things that we can do in terms of getting malware to different users, and what I want to start with is really opening up my attack surface itself in terms of sending bulk spam email. I’ve got something here that will do that right now. If I go into a folder here that contains all my script files, I’ve actually got a CSV file; I’ve been going through Contoso Bank ATP’s user accounts and I’ve got a nice list here, about 150 people I’m going to try to hit spam with, and I’m going to use this spamusers.ps1 PowerShell script that will basically send all of these different users this spam email. So what happens there? Can you protect those users against this attack?

Yes we can, but depending on the content of the email you might actually get through the first time, but once we know that you’re a known spammer we now have more advanced ways of blocking you, like with enhanced bulk mail protection.

Couldn’t I just change the sender’s email address every time I send an email?

Well, it’s actually more sophisticated than that. We don’t just block your email address, we block you at the IP address level. The other thing to realize is not every bulk email is bad; some things you want to keep, and people subscribe to their favorite service all the time. What you do care about is deceitful email from the bulk offenders, and to help you with that Microsoft actually works behind the scenes to evaluate bulk email messages and rates the reputation of the sender.

How do these ratings work?

Via machine learning, where we take inputs on different things such as IP addresses and the bulk reputation for the sender; we also look at the frequency of the mailing, and at the same time we’re also looking at other things like whether somebody has marked that document or email as junk, and based on this the system then figures out a classification level on a scale of 1 to 9 for the bulk messages that are coming through.

Okay, so how do I take advantage of this as an Office 365 admin?

Well, as an admin you can set up a bulk classification level. Let me show you how. So on my screen here I have a default content filtering policy, and if I open that I can walk into spam and bulk email settings, and now what you will notice is we have something called bulk email, and here is where we can specify the threshold for our organization. By default seven is our threshold, and you can go up or higher, or you can go down and make our default rating 3. The key thing here is that the higher the threshold, the more bulk spam can come through; the lower the threshold, the less bulk spam can get in.

Okay, so we’ve covered off spam now, but what if I then go to the next level and I say I’m just going to attack people one by one, or individually? Do you have anything that can protect me better there?

Yes. First, at a connection filtering level, we can block your IP address. So here in my Office 365 administrative console I have a default policy where I’ve specified certain IPs that I’ve already blocked. Now these are IPs that I know are bad and I’ve definitely, easily blocked them using this control, but I can’t subscribe to every single bad IP, I can’t manage them, so what Microsoft provides me is a safe list, and this is a list of thousands of IPs that we have collected over the course of time. There are 1.7 million such IPs, and it’s a growing list that continues to grow even further.

One other thing here is, even on the first example, I was a malicious sender trying to get bulk email out, but a lot of these emails are coming through unintentional senders of bad mail: maybe they’ve downloaded some files, maybe they’ve looked at some links, and they want to forward those on to other people. I’ve actually got a couple of things here set up, but what can you do in terms of helping me out there to protect unintentional senders of bad mail?

Well, that’s why we have malware filtering. So here in my malware filter I have a default policy that I’ve changed slightly for my organization, so here I can specify how I want to treat such messages. If a message contains malware I can easily delete the entire message, or I can take some more granular controls: I can say, you know what, let’s delete the attachment but still send the custom message back to the sender and the recipient, and I can also notify the administrator of the company by specifying their email address and providing a custom notification for them.

Okay, now I’ve got some mails actually prepared here that have malware in them; I’ll go ahead and send you one. So the first one here is the bank opening form .doc file. Now what’s going to happen there is it’s going to go through, and the first thing that we’ll see is it will actually, as the sender, inform me that this message was automatically picked up by the malware filter, it’s got something bad in it, so I then know that I’ve got something bad I’ve sent to you.

Right, and it’s not just you who knows that something bad has come in. I received that same email in my inbox, and here I’m logged in with my account on Outlook, and I can clearly see that I see a message that has come from you, but instead of the same attachment that you sent across I now have a different attachment, and if I try to open that I see that exact same notification that my administrator placed for this, because we found malware in this particular message and we blocked it.

This is all great for known malware, but as a lot of people know, anti-virus programs in general have to actually know about that malware in advance to be able to write signature files to know that it’s there. But what happens if I’ve got a brand new piece of malware that’s never been detected before?

Well, that’s where advanced threat protection comes in, because it even protects you against the unknown threats. The first new capability is called Safe Attachments, and here is how it works. Now every single message in Office 365 goes through multiple different spam filters and it also goes through two different anti-virus engines, but for any message that contains suspicious attachments we now have a sandbox environment where each such suspicious attachment goes through a detonation chamber, and within the detonation chamber we are doing behavior analysis to find out whether the attachment is malicious. We’re looking for machine learning things and patterns such as: is this attachment running an executable? Is it requesting access privileges? Is it calling any other registry keys? And based on our analysis we can block your message, because we can say this message or this attachment is definitely suspicious, and you can easily set up a policy for your company using Safe Attachments. You can find that from the administrative console; we have a new filter altogether called advanced threats, and within the advanced threat protection you can see the safe attachment policy. I’ve set up a policy for my organization here by default where I can specify that any such suspicious attachments must be blocked, so I’ve done that, and at the same time any such attachments which are getting blocked I can redirect back to the administrator so he can go back and find out what exactly was blocked in that message.

Right, I just so happen to have an email here prepared that has some brand new malware that’s never been released yet. What I want to do is send you that just to see what happens after you created this policy using advanced threat protection. So unlike the other message, I’m not actually going to see a sender notice that I’ve sent something bad, but you can detect that on your end, right?

That’s right. What’s happening behind the scenes right now is that particular attachment is going to a detonation chamber, and on average it takes about seven to eight minutes for us to figure out if that attachment is bad, and our SLA is about 30 minutes. What you’ve done previously, because it’s taking some time, we already have a notification that has come in from one of the previous emails that you sent me, and you can clearly see here the email is coming from Exchange Online advanced threat protection, so the administrator is aware that yes, this is a malicious attachment, it does not have a known signature, and at the same time I can also see exactly what the message was. So if I try and open this particular message I can see that you sent me an email and there were a couple of attachment files, and all of them apparently contained the unknown malware.

So even going beyond this, I know a lot of people are thinking, okay, well that’s malware that’s detected through the actual transport of email, but a lot of viruses, a lot of malware, comes in through the browser. So what happens if I send you links to something, maybe that’s going to try to phish your credentials or do something else to get you to load that malware itself from the browser?

Well, that’s where we have another new capability. It’s called Safe Links. So here in my administrative console again I have a Safe Links policy that is set up for my organization, and what the Safe Links policy allows me to do is set up a policy for each individual click in my organization, and I can track those clicks as well, so I can later find out who exactly in my organization is getting targeted, and I can also protect them in real time, because when they try to click their link it’ll open up in a protective shell, and we’ll see that shown.

All right, so I’ve actually got a mail here that’s got a bunch of bad links and a couple of good ones, so I’m going to go ahead and send that out to you. Go ahead and continue writing, click send. There we go. Now it’s already out of my inbox, it’s on its way back to Shobhit.

Great, and I’ve logged in to my demo account here in Outlook and I can see that your email just came in. So let me try and open up that email. I can clearly see that there are a couple of links in this email; on first sight they look pretty non-suspicious, it’s saying Contoso Tax. Let me go ahead and click on that link. Now, the thing here to note is that this link actually was malicious; the attacker did, behind the scenes, change that link, and what I’m presented with is a new protective shell, and within the shell it specifically calls out that this is a redirected link, it’s pointing to a spam link, and it’s recommending me to not continue. I can if I want to, but as an administrator I can also block that action.

So this is a completely isolated browser environment, right? So I can’t actually do any harm with where that’s rendering?

That’s correct, we can’t do anything. But there are other links in that message which might have been nice, so for example I can see you also like using Bing, so for example if I click on that I can clearly see that I can get to Bing.com without getting the protective shell, because we’re looking only for the suspicious links. So at the time of click we evaluate all of those scenarios and then based on that we provide the right set of tools for you.

So there is some similar functionality with Exchange Online Protection; what’s different here?

Yes, what EOP provides is time-of-delivery protection, where we are scanning each individual message for any suspicious links. What Safe Links is extending is providing time-of-click protection, because attackers will frequently go back and switch the destination of the link. And also on the administrative side we have another set of new capabilities. So for example, I mentioned I can see exactly who in my company is getting targeted; I can do that from the admin console. So if I go back to my mail flow and come here, I’ll see a new tab called URL trace. Now people in our company, people on Office 365, are generally already familiar with message trace, but now with the URL trace I can track individual clicks in my company. So let’s say for example we are trying to find data for the last 24 hours or last 48 hours, and I know the email was sent back to me, so let me add my email here, so let’s choose Shobhit, let’s add that, and let’s try to run the click trace. And what you notice here is all the clicks that I have done in the past 48 hours are showing up on the screen now, so I can see that I clicked on that bad link and it was blocked automatically. I also clicked on a good link and it was not blocked. Another key thing here is that I can double-click on each of those individual clicks and that’ll lead me to exactly the same message trace that will provide the details on the message that came through. And it’s not just click trace that we’re extending; we also have reporting available for the types of attachments that have come in, so already in my protective environment I can see that some of the emails that came through were of different types and what actions were applied to them, and at the same time you also have the malicious types called out, so I can see there were some documents which were PDFs, some of them were Word documents and so on. So it’s a really great tool for the admins to find out and discover information.

So a very comprehensive set of solutions. So the system can now be set up to proactively detect and block suspicious attachments, links, bulk email and really go beyond basic filtering for known malware.

That’s right, and simultaneously we are working on some new capabilities such as post-delivery removal of malicious messages and also the rescue of misclassified good emails.

So when is all this coming to Office 365 tenants?

Well, the advanced threat protection capabilities are currently in a private preview with our selected customers, and it all goes to public availability in the third quarter of 2015.

Thanks Shobhit. Of course all this information and more can be found on the Office blogs and on Wednesdays, and when news hits, on Office Mechanics. Thank you for watching and goodbye for now.

Office.com/Mechanics
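The admin-console settings walked through in the demo (bulk threshold, malware filter, Safe Attachments, Safe Links), expressed as an added Exchange Online PowerShell example; this is not code from the video or from Microsoft. It assumes an existing Exchange Online PowerShell session in a tenant where the ATP cmdlets are available; the domain, policy names and admin address are placeholders.

```powershell
# Added example, not from the video. Assumes an open Exchange Online PowerShell
# session with the ATP (Safe Attachments / Safe Links) cmdlets available.
$domain = "contoso.example"          # placeholder tenant domain
$admin  = "secops@$domain"           # placeholder admin mailbox for notifications

# 1. Bulk email: the 1-9 bulk classification threshold from the demo.
#    Default is 7; lower values let less bulk mail in, higher values let more through.
Set-HostedContentFilterPolicy -Identity "Default" -BulkThreshold 7

# 2. Malware filter: delete only the attachment, deliver a custom notice to
#    sender and recipient, and alert the admin when an internal sender is the source.
Set-MalwareFilterPolicy -Identity "Default" `
    -Action DeleteAttachmentAndUseCustomAlertText `
    -CustomAlertText "An attachment was removed because it contained malware." `
    -EnableInternalSenderNotifications $true `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress $admin

# 3. Safe Attachments: detonate suspicious attachments, block on a bad verdict,
#    and redirect blocked attachments to the admin for review (the demo's setting).
New-SafeAttachmentPolicy -Name "ATP Safe Attachments" -Enable $true `
    -Action Block -Redirect $true -RedirectAddress $admin
New-SafeAttachmentRule -Name "ATP Safe Attachments" `
    -SafeAttachmentPolicy "ATP Safe Attachments" -RecipientDomainIs $domain

# 4. Safe Links: time-of-click evaluation, click tracking so URL trace has data,
#    and no click-through past the warning page (the "block that action" option).
New-SafeLinksPolicy -Name "ATP Safe Links" -IsEnabled $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "ATP Safe Links" `
    -SafeLinksPolicy "ATP Safe Links" -RecipientDomainIs $domain

# 5. Read back what was applied.
Get-HostedContentFilterPolicy -Identity "Default" | Select-Object BulkThreshold
Get-MalwareFilterPolicy -Identity "Default" | Select-Object Action, InternalSenderAdminAddress
Get-SafeAttachmentPolicy | Select-Object Name, Action, Redirect, RedirectAddress
Get-SafeLinksPolicy | Select-Object Name, IsEnabled, TrackClicks, AllowClickThrough
```

Run step 5 first against an existing tenant to record the current values before changing them, since the rules bind by recipient domain and overlap with any policies already in place.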

3 Replies to “Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks”

  1. Business competitors can report my IP addresses/domain names to Microsoft in order to block my bulk emails while whitelisting their own?  Doesn't sound fair.  If they have a lot more users, then isn't that going to disadvantage small competitors and start-ups?

  2. We'd been on Office 365 for about 24 hours when it let a .scr screensaver file straight through and a user got infected. What kind of protection doesn't block .scr attachments out of the box? How many people are emailing legitimate screensavers to each other these days?!? Plus don't get me started on why Microsoft Security Essentials didn't warn the user that it was highly likely a screensaver was a virus and block it!

  3. Why isn't advanced threat protection part of the standard offering?  I have Office 365 E3 for my organization and your virus/spam protection is sketchy at best.  At this point, I'm going to need to spend additional money to purchase a secondary service from Cisco or MXLogic to do what your product should already be doing for me.
