Getting started with Defender for Office 365: Part 1
Microsoft Defender for Office 365 (MDO) is one of the modules within Microsoft Defender, Microsoft's Extended Detection and Response (XDR) platform, and it protects the email and collaboration elements of their services such as Exchange, Teams, SharePoint and OneDrive.
In this post I am going to explore MDO and provide some of the configuration settings I use as part of a standard baseline: a starting point for an organisation looking to deploy it, if you will. But first things first, licensing.
MDO has two licensing variants, Plan 1 and Plan 2. Plan 1 is included in Microsoft 365 Business Premium, which is fantastic, but the M365 E3 SKU does not include it (although I think it should; read more about my thoughts on that here). The next Microsoft 365 license to include MDO is M365 E5, only this time it's Plan 2. In between those you'll be looking to include it as an add-on to licenses such as Microsoft 365 Business Basic or Standard.
The cost for the plans at time of writing on the new NCE annual pricing is £1.51 for Plan 1 and £3.80 for Plan 2.
Thanks to Aaron Dinnage's https://m365maps.com/ we can clearly see the features included in each plan, shown below.
So without further ado, let's jump into 365 and take a look at how to configure MDO. You'll want to head to https://security.microsoft.com/ to get started.
It should be noted that I am using a Microsoft 365 E5 licensed tenant so am using Defender for Office 365 Plan 2.
From there you can then head over to Policies and Rules within the Email and Collaboration dropdown.
The first thing we may need to do before we can create or change policies in Exchange Online is to enable organisation customisation, which must be done using PowerShell, so go ahead and do the following.
Open PowerShell as Administrator.
If you don't already have it, install the Exchange Online Management Module: PowerShell Gallery | ExchangeOnlineManagement 2.0.5
Connect to Exchange Online by running the command below and signing into your tenant as a global admin.
Once connected you can check if you need to update the setting by running the following.
Get-OrganizationConfig | FL isDehydrated
If you see True in the output then you must follow the PowerShell steps below.
Run the following command.
Once that has been completed we can now create custom policies in Exchange Online.
We will start by configuring the required Quarantine Policies. These policies define what level of access your users will have to items quarantined by a given policy type. For example, you could have a quarantine policy that allows users to view and release emails flagged as impersonated user, but only allow them to view those flagged as impersonated domain, or not see them at all. The new quarantine policies allow granular control over each policy setting to define how users may interact with emails caught in quarantine.
From here you'll see the default quarantine policies. If these will suffice for your requirements then I would advise using them; in our case we are going to create a new custom policy.
Keep in mind these new quarantine policies replace the end-user spam notifications, so if you had those configured beforehand you may see an additional default policy in the above list. You can find out more here: Quarantine policies - Office 365 | Microsoft Docs
Create your policy and give it a name.
When creating the policy you'll get the choice of two options, Limited Access and Specific Access (Advanced). Specific Access allows you to define more granular end-user controls, including whether users can request that messages be released.
If you require these additional controls, go ahead and create your policy with them. For my use case we will use the Limited Access settings, which allow end users to preview messages, request message release, delete messages and block senders, but not release messages themselves.
Choose whether you want to enable notifications on quarantined items; enabling this means users are informed when items are sent to their quarantine.
Review your policy and submit the changes to save the policy.
While here go ahead and update the Global settings.
Update the settings appropriately for your requirements. Keep in mind that if you fill in the top two text boxes and then add a new language from the default, it will clear what you've entered. In this case we want our end users to receive their quarantine notifications daily, so we'll set the notification frequency to 1 day. If you want to provide your company logo you must make sure you have added it to the tenant following the steps here: Customize the theme for your organization - Microsoft 365 admin | Microsoft Docs
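The PowerShell prerequisite steps and the quarantine policy and global notification settings above, done from the shell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed; the admin UPN and policy name are placeholders.

```powershell
# Added example (not from the original post): hydrate the tenant for custom
# policies, create a Limited Access quarantine policy and set daily
# notifications. Admin UPN and policy name are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# A "dehydrated" tenant cannot hold custom policies yet; hydrate it once.
if ((Get-OrganizationConfig).IsDehydrated) {
    Enable-OrganizationCustomization
}

# End-user quarantine permissions are a bit mask. Limited Access as described
# in the post is Block sender (16) + Request release (8) + Preview (2) +
# Delete (1) = 27; Release (4) is deliberately left out so users cannot
# release messages themselves.
$limitedAccess = 16 + 8 + 2 + 1

New-QuarantinePolicy -Name 'Baseline-LimitedAccess' `
    -EndUserQuarantinePermissionsValue $limitedAccess `
    -ESNEnabled $true

# Check the decoded permissions before referencing the policy elsewhere.
Get-QuarantinePolicy -Identity 'Baseline-LimitedAccess' |
    Select-Object Name, ESNEnabled, EndUserQuarantinePermissions

# Global settings: notify users about newly quarantined items once a day.
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy |
    Set-QuarantinePolicy -EndUserSpamNotificationFrequency '1.00:00:00'
```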
That's the quarantine policies done, now onto the good stuff, head back to the Threat policies section to take a look at our options.
Now, if you want a 'quick and dirty' setup within MDO, you can opt to use the Preset Security Policies section, which will automatically create baseline protection profiles for anti-spam, phishing and malware threats; you can choose between Standard protection and Strict protection. For the purpose of this article however, we will be creating the policies ourselves, so let's start with the Anti-phishing policy.
You'll notice there is a policy in here already. This is the default one provided and it has pretty much everything disabled, so go ahead and create a new policy, providing a name and description.
Next you'll choose who to target the policy to, in this case we want to ensure everyone in the tenant is included so we will choose to target the primary domain name.
Next you are going to configure the threshold and protection options. The threshold level you go with will depend on your organisation and your tolerance for potential phishing emails; I would normally recommend starting with the Standard level of protection and then slowly increasing it after a period of time in order to fine-tune the threshold.
The Impersonation element of the policy needs to be enabled in order to use it and, as it states, can be applied to up to 350 users; this includes internal and external email addresses that you want to protect against impersonation attempts. Tick the box to enable it and then select Manage 0 sender(s) to choose the users you want to protect. The feature itself is very useful and will look for emails sent from addresses that look similar to those specified. As I'm sure you are already aware, many phishing and impersonation campaigns use different letter types, fonts or similar-looking domain names to fool those less trained to spot these deceptive tactics; for example, an impersonation of contoso.com would be cóntoso.com. It will also look for similar top-level domains, such as .co.uk, .biz, etc. You can read more about this feature here: Anti-phishing policies - Office 365 | Microsoft Docs. Although this is a great feature, it's also very easy to end up with false positives, so you should review it periodically and make sure the appropriate user quarantine policies are applied, which will help you administer this. I'm going to go ahead and add my one internal user and also an external user that I do regular business with, one I also regularly exchange confidential information with, so I want to make sure we have some level of protection against impersonation attempts on their private address. I am also going to protect my internal domain and the domain of the external party. I would start by leaving the trusted senders and domains empty until you've run your baseline configuration for a while; you may need to come back in here and add users or domains in time.
I would also suggest enabling mailbox intelligence and intelligence for impersonation protection, which will help ensure there are fewer false positives when you enable the policy. A detailed explanation of the feature can be found here: Anti-phishing policies - Office 365 | Microsoft Docs.
Enable Spoof intelligence. This is especially important if you have a legitimate case for spoofing of either internal or external domains, such as using a third-party service to send bulk emails; you will want to configure the Tenant Allow/Block list for this. Unless you are certain of the domains you may need to add here, I would normally leave this blank until you have seen some spoofing activity, after which you can review and amend appropriately. You can read more about the feature here: Spoof intelligence insight - Office 365 | Microsoft Docs.
By this point your policy should look something like the below.
Now we are going to configure the actions we want to take on the messages, this is also where our Quarantine policies will come into play.
Your mileage may vary based on requirements, but I usually find the below settings to be a good starting point, enabling all of the Safety tips and indicators is great for end user awareness.
Once completed, go ahead and submit to create the policy.
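The Anti-phishing policy walked through above, created with the ExchangeOnlineManagement module, as an added example that is not from the original post. Domains, addresses and policy names are placeholders, and the action chosen per detection is my assumption, since the post shows its own choices only as a screenshot.

```powershell
# Added example (not from the original post): baseline anti-phishing policy.
# Placeholders: domains, addresses, policy names; actions are assumptions.
$domain  = 'contoso.example'          # tenant primary domain
$partner = 'fabrikam.example'         # external partner domain to protect
$qtag    = 'Baseline-LimitedAccess'   # quarantine policy created earlier

$antiPhish = @{
    Name                                = 'Baseline-AntiPhish'
    AdminDisplayName                    = 'Baseline anti-phishing policy'
    Enabled                             = $true
    PhishThresholdLevel                 = 1        # 1 = Standard; raise later
    # Impersonation: up to 350 users, each as "DisplayName;Address"
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Jane Doe;jane.doe@contoso.example',
                                            'Partner Contact;contact@fabrikam.example')
    EnableOrganizationDomainsProtection = $true    # all accepted domains
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @($partner)
    # Trusted senders/domains intentionally left empty for the baseline period
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    EnableSpoofIntelligence             = $true
    # Actions, and which quarantine policy governs each quarantined item
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedUserQuarantineTag           = $qtag
    TargetedDomainProtectionAction      = 'Quarantine'
    TargetedDomainQuarantineTag         = $qtag
    MailboxIntelligenceProtectionAction = 'MoveToJmf'   # Junk Email folder
    AuthenticationFailAction            = 'MoveToJmf'   # spoof detections
    # Safety tips and indicators: all on for end-user awareness
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    EnableUnauthenticatedSender         = $true
    EnableViaTag                        = $true
}
New-AntiPhishPolicy @antiPhish

# The rule decides who the policy covers: everyone in the primary domain.
New-AntiPhishRule -Name 'Baseline-AntiPhish' -AntiPhishPolicy 'Baseline-AntiPhish' `
    -RecipientDomainIs $domain -Priority 0
```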
Next, we'll move onto creating an Anti-spam policy, so head back to the Threat policies dashboard and select that.
In here you'll see the default policies as provided by Microsoft. My recommendation is to leave these as they are and create new ones if you need to override any of the settings. Keep in mind that the default outbound policy, unless already updated by an admin, will have the Automatic forwarding feature set to 'Automatic - System-controlled', which means that any automatic forwarding rules are disabled; I highly recommend leaving it like this. If you need to allow external forwarding, you can do so by creating a new policy and targeting it to specific users or groups. For now, go ahead and create a new inbound policy.
Go ahead and give the policy a name and description, apply it to your users, groups or domains and then configure your threshold and spam properties. As with the previous policy I would advise keeping the recommended default bulk email threshold for the policy to start with, and I usually leave all other settings off initially; these can be fine-tuned later on.
For the policy actions I usually recommend the below settings to start with.
Zero-hour auto purge (ZAP) is a great feature that will retroactively remove spam, phishing or malware messages from your mailboxes if they are identified after delivery. Keep in mind, however, that if you are required by law, say for regulatory reasons, to retain messages, then you may need to untick this option, as it will remove emails from mailboxes.
Next is the allow and block list. This should ideally be empty as well, and almost certainly will be if this is the first time setting this up. Here is where you would add any exclusions from the policy or, on the flip side, block senders or domains to ensure they are always marked as spam.
Go ahead and create your spam policy to enable it, then move onto Anti-malware.
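The inbound Anti-spam policy described above, plus a check of the outbound automatic forwarding setting, as an added example that is not from the original post. Names and the specific action per verdict are placeholders and assumptions.

```powershell
# Added example (not from the original post): baseline inbound anti-spam
# policy and a check of the default outbound policy's forwarding mode.
# Placeholders: domain and policy names; per-verdict actions are assumptions.
$domain = 'contoso.example'
$qtag   = 'Baseline-LimitedAccess'     # quarantine policy created earlier

$antiSpam = @{
    Name                             = 'Baseline-AntiSpam'
    BulkThreshold                    = 7             # recommended default to start
    SpamAction                       = 'MoveToJmf'   # Junk Email folder
    HighConfidenceSpamAction         = 'Quarantine'
    PhishSpamAction                  = 'Quarantine'
    HighConfidencePhishAction        = 'Quarantine'
    BulkSpamAction                   = 'MoveToJmf'
    HighConfidenceSpamQuarantineTag  = $qtag
    PhishQuarantineTag               = $qtag
    HighConfidencePhishQuarantineTag = $qtag
    QuarantineRetentionPeriod        = 30
    # ZAP: untick only if retention obligations forbid removing delivered mail
    SpamZapEnabled                   = $true
    PhishZapEnabled                  = $true
    InlineSafetyTipsEnabled          = $true
    # Allowed/blocked sender and domain lists intentionally left empty
}
New-HostedContentFilterPolicy @antiSpam
New-HostedContentFilterRule -Name 'Baseline-AntiSpam' `
    -HostedContentFilterPolicy 'Baseline-AntiSpam' -RecipientDomainIs $domain

# Outbound: confirm automatic forwarding on the default policy is still
# system-controlled ('Automatic' here is 'Automatic - System-controlled' in
# the portal) rather than 'On', which would permit forwarding rules.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode
```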
Anti-malware policies will help protect your organisation against potential viruses, spyware and ransomware and are a great first line of defence, you can find out more about Anti-malware policies here: Anti-malware protection - Office 365 | Microsoft Docs.
As with the other policies, go ahead and create one, provide a name, description and target your users, groups or domains.
When we get to the protection settings you'll notice the common attachment filter is enabled, in order to edit the file types that are included in this filter, select Customise file types underneath.
Here is where you'll want a mixture of common sense and experience in dealing with the types of files your organisation typically sends, receives and stores. There are a lot of different file types in this list so review it carefully, tick the box for those that should be blocked and untick any you know should be allowed through.
Enable ZAP as recommended and configure your quarantine policy. Keep in mind that here we are protecting users from potentially serious outside threats, and sometimes it's better to keep those kinds of messages out of sight of your end users, so the AdminOnly policy may be best for this scenario. Go ahead and configure your notification settings. I usually do not enable the option to notify external senders when messages are quarantined; if a genuine malware attack has been received, you may not want the sender to know it's been quarantined. It should also be noted that recipient notifications are now configured in the quarantine policy. Because we are using the AdminOnly policy, which has notifications disabled, recipients will not receive notifications for messages caught by the Anti-malware policy, so we will leave that option disabled. You may want to give users the ability to see these, but I would not advise allowing them to release these emails themselves!
Go ahead and create the policy to enable it.
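The Anti-malware policy described above, created with the ExchangeOnlineManagement module, as an added example that is not from the original post. The domain and policy name are placeholders and the file type adjustments are constructed examples; the real list comes from your own review, as the post says.

```powershell
# Added example (not from the original post): baseline anti-malware policy.
# Placeholders: domain and policy name; file type tweaks are constructed.
$domain = 'contoso.example'

# Start from the built-in common attachment filter list instead of retyping it.
$defaultTypes       = @((Get-MalwareFilterPolicy -Identity Default).FileTypes)
$extraBlocked       = @('iso', 'img')   # example additions after review
$allowedAfterReview = @()               # types your business legitimately exchanges
$fileTypes = ($defaultTypes + $extraBlocked) |
    Where-Object { $_ -notin $allowedAfterReview } | Select-Object -Unique

$antiMalware = @{
    Name                              = 'Baseline-AntiMalware'
    EnableFileFilter                  = $true
    FileTypes                         = $fileTypes
    ZapEnabled                        = $true
    # Keep malware out of users' sight. AdminOnlyAccessPolicy has recipient
    # notifications disabled, so there is no separate recipient notice here.
    QuarantineTag                     = 'AdminOnlyAccessPolicy'
    # Don't confirm to an external sender that their message was caught.
    EnableExternalSenderNotifications = $false
    EnableInternalSenderNotifications = $false
}
New-MalwareFilterPolicy @antiMalware
New-MalwareFilterRule -Name 'Baseline-AntiMalware' `
    -MalwareFilterPolicy 'Baseline-AntiMalware' -RecipientDomainIs $domain

# Review exactly which extensions the new policy blocks.
(Get-MalwareFilterPolicy -Identity 'Baseline-AntiMalware').FileTypes | Sort-Object
```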
Defender for Office 365 is a large part of the XDR stack and has some fantastic features for helping secure your organisation. In part 2 of this series I will explain how to best configure Safe Attachments and Safe Links policies for a good baseline configuration, use the Configuration analyzer to determine if there can be improvements made to your policies and then jump into how to run your own Attack simulation training in your tenant to test your policies and provide some end user awareness.