Email Security

New Office 365 Feature Provides Detailed Information on Email Attack Campaigns

Microsoft this week announced a new feature in Office 365 Advanced Threat Protection (ATP) meant to provide more visibility into cyber-attacks targeting organizations via email.

Such assaults usually employ a large number of messages carefully tailored not only to trick the intended victims, but also to bypass defenses. These waves of emails, however, typically feature a common pattern or template — with only slight modifications — which defines the specific campaign.

With the newly introduced public preview of campaign views in Office 365 ATP, Microsoft aims to provide customers with increased visibility and additional context when looking to defend their environments, by identifying individual emails that belong to the same campaign.

The capabilities will provide security teams with summary details about the campaign, including point of origin, pattern and timeline, size, and the number of victims. Additionally, it shows a list of IP addresses and senders, and data on messages that were blocked, ZAPped (removed after delivery by Zero-hour Auto Purge), sent to junk or quarantine, or allowed into the inbox. Campaign views will also include data on the URLs used in the attack.
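As an added illustration (not Microsoft's code, and not how ATP itself correlates messages), the following Python models the idea described above: per-message records are grouped by a normalised template key, and each group is summarised with the same fields a campaign view shows (origin IPs and senders, timeline, size, recipients, per-action counts, delivered recipients). The record layout, the template heuristic and the sample messages are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of per-message records (not real ATP telemetry):
# (timestamp, sender, sender IP, recipient, subject, URL, final action)
MESSAGES = [
    ("2019-12-02T08:01:00", "billing@acme-invoice.example", "198.51.100.7", "alice@corp.example",
     "Invoice #48213 overdue", "http://acme-pay.example/v/48213", "blocked"),
    ("2019-12-02T08:03:00", "billing@acme-invoice.example", "198.51.100.7", "bob@corp.example",
     "Invoice #48977 overdue", "http://acme-pay.example/v/48977", "quarantine"),
    ("2019-12-02T09:10:00", "accounts@acme-billing.example", "203.0.113.22", "carol@corp.example",
     "Invoice #50102 overdue", "http://acme-pay.example/v/50102", "inbox"),
    ("2019-12-02T09:12:00", "accounts@acme-billing.example", "203.0.113.22", "dave@corp.example",
     "Invoice #50231 overdue", "http://acme-pay.example/v/50231", "zapped"),
    ("2019-12-02T11:40:00", "hr@corp.example", "192.0.2.5", "alice@corp.example",
     "Team lunch Friday", "", "inbox"),
]

def template_key(subject, url):
    """Collapse the parts attackers rotate between messages (digits, per-victim
    tokens, URL path) so that messages built from one template share a key.
    This heuristic is an assumption for the example, not ATP's algorithm."""
    subj = re.sub(r"\d+", "<n>", subject.lower())
    host = re.sub(r"^https?://([^/]+).*$", r"\1", url) if url else ""
    return (subj, host)

def build_campaign_views(messages):
    """Group messages by template and summarise each group the way a campaign
    view does: origin (IPs, senders), timeline, size, recipients, action counts.
    'delivered' lists recipients whose copy reached the inbox: the users to
    secure first (credential reset, MFA check) before wider hunting."""
    views = {}
    for ts, sender, ip, rcpt, subject, url, action in messages:
        v = views.setdefault(template_key(subject, url), {
            "messages": 0, "senders": set(), "ips": set(), "recipients": set(),
            "urls": set(), "delivered": set(), "actions": defaultdict(int),
            "first": None, "last": None})
        when = datetime.fromisoformat(ts)
        v["messages"] += 1
        v["senders"].add(sender)
        v["ips"].add(ip)
        v["recipients"].add(rcpt)
        if url:
            v["urls"].add(url)
        if action == "inbox":
            v["delivered"].add(rcpt)
        v["actions"][action] += 1
        v["first"] = when if v["first"] is None else min(v["first"], when)
        v["last"] = when if v["last"] is None else max(v["last"], when)
    return views
```

Run on the sample, the four invoice lures collapse into one campaign spanning two sender addresses and two IPs, while the legitimate internal message stays separate.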

This information, Microsoft says, should help organizations more easily secure affected or vulnerable users, improve their security posture by eliminating configuration flaws, investigate related campaigns, and hunt and track threats that use the same indicators of compromise (IOC).

Email campaigns aren’t always easy to stop, especially since the attackers can easily change the sending infrastructure, IPs, domains, names and addresses, and URLs, and even the hosting infrastructure.

“It’s critically important that the defenses and built-in protections in mail flow, the detections and the alerts they generate are powerful and durable enough to act on individual email messages. It is equally important for the solution to correlate information from across the attack into a campaign view so security teams can assess how well their organization is protected,” Microsoft says.

Campaign views also help with the remediation process, which should start with ensuring that compromised or vulnerable users have been secured, Microsoft says.

In some cases, even if users click on URLs, Safe Links may block the attacks, but in others the user may override the block. These users, the tech company points out, might have already revealed their login credentials to the attackers.

Thus, security teams should first limit the compromise by resetting users’ credentials and ensuring that multi-factor authentication is enabled. They should also check the users’ devices for anomalous alerts.

An "All email" view option in Office 365 ATP Threat Explorer allows security teams to investigate other messages sharing the same IOCs and take remediation actions.

Microsoft has made campaign views available for customers on Office 365 Advanced Threat Protection Plan 2, Office 365 E5, Microsoft 365 E5 Security, and Microsoft 365 E5. The capability is rolling out in public preview and should become available to customers within days or weeks, the company says.

Related: Microsoft Announces New Security Capabilities Across Platforms

Related: Microsoft Makes Automated Incident Response in Office 365 ATP Generally Available

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
