The phishing problem has been around for a long time, and it isn’t going to go away anytime soon. Phishing attacks are getting exponentially more sophisticated and getting better at delivering ransomware, causing companies significant damage.
Fortunately, the cybersecurity industry is also changing, constantly researching new ways to combat ever-evolving cybersecurity risks, including phishing. One of the most popular products that many companies are implementing is Microsoft Defender, an endpoint detection and response (EDR) product that aims to be an “all-in-one” tool.
Formerly known as Advanced Threat Protection (ATP), Microsoft Defender has come a long way since its early days. It is now a central place for handling security threats in the M365 environment, with tools such as Microsoft Defender AV, Microsoft Defender for Endpoint (MDE), Microsoft Defender for Identity (MDI), Microsoft Defender for Office (MDO), etc., all under one umbrella.
While having all these tools in one product has many obvious benefits, it has a major drawback: It is often hard to find a specific policy that might be hidden deep in the platform. Additionally, Microsoft constantly evolves Microsoft Defender UI, often changing the location or the interface of its many functionalities. In this article, we will shed some light on anti-phishing policies in Microsoft Defender, including their roles, locations, and configuration possibilities.
The table below lists six different anti-phishing policies and features that can be found and configured in Microsoft Defender.
| Anti-phishing feature | Description |
|---|---|
|
Anti-phishing policy |
This policy allows you to configure or instruct Microsoft Defender when, on top of its usual checks, to consider an email malicious. This can be the check for unusual characters or whether DMARC is honored or not, to only mention a few. |
| Anti-spam policy | In this policy, you can specify whether an inbound or outbound email should be categorized as spam based on certain thresholds. |
| Anti-malware policy | Configure what kinds of attachments are explicitly blocked or allowed. |
| Safe links | Scan email links in real time before allowing them to reach the mailbox. |
| Safe attachments | Scan email attachments in real time before allowing them to reach the mailbox. |
| Phishing simulation and security awareness training (SAT) | Improve phishing protection by conducting phishing simulations and complementing them with SAT. |
In this article, we will explore in detail the six anti-phishing features in M365 that can help your company increase its phishing defense and configure how to handle malicious emails. Five of these features can be found at the same place, under Email & collaboration → Policies & rules:
Microsoft Defender: anti-phishing policies
“The” anti-phishing policy, as the name states, is one of the main anti-phishing security mechanisms in Microsoft Defender. It provides many configuration possibilities to control how emails are handled, and what exactly should be considered or labeled as phishing based on the company’s risk appetite:
Microsoft Defender: anti-phishing policy
Let’s look at each of these elements:
Microsoft Defender: Honor DMARC feature configuration (source)
The anti-spam policy is one of the most complex policies in Microsoft Defender and is divided into three sub-policies.
Given the sophistication of modern emails and robust phishing defenses, it's possible for some safe emails to be mistakenly identified as spam or blocked. If such emails come from specific email servers, you can use this policy to establish a whitelist of IP addresses of sending email servers to stop emails from these IPs from being blocked. Additionally, this policy gives you the ability to block the IPs of malicious servers that are known to send phishing campaigns or to be abused by hackers:
Microsoft Defender: connection filter policy
Use this policy to configure what constitutes a spam email based on the number of emails from the same sender (default: 5 emails) or other email elements:
Microsoft Defender: anti-spam inbound policy
While we usually expect spam campaigns to originate from bad actors outside the company (domain), but companies can unknowingly or accidentally send spam or spam-like campaigns themselves. This might happen with marketing activities such as the distribution of a newsletter or by sending a large amount of emails in a short period of time (e.g., in an hour). This is important since it might affect the company’s domain reputation, leading to other normal business emails being dropped or blocked due to poor domain reputation.
Microsoft Defender: anti-spam outbound policy
Phishing emails with attachments are the second most common type of phishing email after URL phishing. That is why Microsoft Defender has a dedicated anti-phishing policy to protect against emails with malicious attachments:
Microsoft Defender: anti-malware policy
If the default built-in policy provided by Microsoft is not enough, you can create a custom policy and configure the following elements:
Phishing emails often use malicious URLs, and Microsoft addresses this with the “Safe Links” feature. This policy, once enabled, rewrites URLs in emails to include the original URL as a parameter in a new link. When a recipient clicks on this link, Microsoft performs real-time analysis, using Microsoft SmartScreen and threat intelligence resources, to evaluate the URL's safety at the time of the click. This process recognizes that URLs and domains can change in reputation over time. Additionally, this mechanism allows Microsoft to track URL clicks in emails and generate alerts for suspicious links.
Microsoft Defender: safe links policy
As can be seen in the screenshot above, you can use the built-in policy provided by Microsoft or create your own policy and configure it based on your needs:
Safe Attachments is a feature/policy in Microsoft Defender; it scans attachments in Sharepoint, Outlook, OneDrive, Teams, and more before they reach the recipient. When activated, recipients initially get the email with the attachment stripped and replaced with a notice of ongoing scanning. Microsoft Defender assesses the attachment in a separate virtual environment. If deemed safe, the original email is re-sent with the attachment included.
Conversely, if an attachment is flagged as risky or not compliant with your company’s attachment policies, Microsoft Defender attaches a TXT file to the email, detailing the original attachment's name and size, noting its removal for security reasons. This mode of operation is called "dynamic delivery," and its process minimizes email delivery delays while ensuring thorough scanning.
Microsoft Defender: safe attachments email policy
It is also important to note that Microsoft also provides a default policy for safe attachments that will be operational if you activate it (no configuration needed). If the built-in protection is not what you are looking for, you can create a policy by clicking on the “Create” button and configure it to fit your needs. The main items to configure are:
Phishing simulation and SAT, while not direct anti-phishing policies, play a crucial role in mitigating phishing risks. They educate employees about phishing tactics and test their knowledge through simulations. Microsoft Defender offers these capabilities under "Email & collaboration → Attack simulation training," with several tabs for different functions:
Microsoft Defender: Phishing Simulation and SAT
Each of the tabs has a different purpose:
Due to the number of features and configuration possibilities, we will cover each of these tabs in a separate article.
Navigating the extensive and intricate Microsoft 365 suite can be challenging. This article has detailed six key anti-phishing features within Microsoft Defender, outlining their roles and configuration processes. While these tools can enhance your company's security, it's vital to configure them carefully and monitor them regularly to prevent potential disruptions in email delivery and business operations.