Microsoft this week announced a new feature in Office 365 Advanced Threat Protection (ATP) meant to provide more visibility into cyber-attacks targeting organizations via email.
Such assaults usually employ a large number of messages carefully tailored not only to trick the intended victims, but also to bypass defenses. These waves of emails, however, typically feature a common pattern or template — with only slight modifications — which defines the specific campaign.
With the newly introduced public preview of campaign views in Office 365 ATP, Microsoft aims to provide customers with increased visibility and additional context when looking to defend their environments, by identifying individual emails that belong to the same campaign.
The capabilities will provide security teams with summary details about the campaign, including point of origin, pattern and timeline, size, and the number of victims. Additionally, they show a list of IP addresses and senders, and data on messages that were blocked, ZAPped (removed by zero-hour auto purge), sent to junk or quarantine, or allowed into the inbox. Campaign views will also include data on the URLs used in the attack.
This information, Microsoft says, should help organizations more easily secure affected or vulnerable users, improve their security posture by eliminating configuration flaws, investigate related campaigns, and hunt and track threats that use the same indicators of compromise (IOCs).
Email campaigns aren’t always easy to stop, especially since the attackers can easily change the sending infrastructure, IPs, domains, names and addresses, and URLs, and even the hosting infrastructure.
“It’s critically important that the defenses and built-in protections in mail flow, the detections and the alerts they generate are powerful and durable enough to act on individual email messages. It is equally important for the solution to correlate information from across the attack into a campaign view so security teams can assess how well their organization is protected,” Microsoft says.
Campaign views also help with the remediation process, which should start with ensuring that compromised or vulnerable users have been secured, Microsoft says.
In some cases, even if users click on URLs, Safe Links may block the attacks, but in others the user may override the block. These users, the tech company points out, might have already revealed their login credentials to the attackers.
Thus, security teams should first limit the compromise by resetting users’ credentials and ensuring that multi-factor authentication is enabled. They should also check the users’ devices for anomalous alerts.
An "All email" view option in Office 365 ATP Threat Explorer allows security teams to investigate other messages sharing the same IOCs and take remediation actions.
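To illustrate the correlation this article describes (messages that share a subject template and lure URL host grouped into one campaign with a delivery-status breakdown, plus an "All email"-style hunt for other messages sharing an IOC), here is an added Python example; it is not Microsoft's code and not part of the original article. The message-trace records, their field names and the grouping rule are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of message-trace style records (not real Office 365 data).
MESSAGES = [
    {"ts": "2019-12-03T08:01Z", "sender": "billing@contoso-pay.example", "ip": "203.0.113.10",
     "subject": "Invoice 48213 is overdue", "url": "https://login-portal.example/a1", "rcpt": "alice", "action": "blocked"},
    {"ts": "2019-12-03T08:04Z", "sender": "billing@contoso-pay.example", "ip": "203.0.113.10",
     "subject": "Invoice 48990 is overdue", "url": "https://login-portal.example/b7", "rcpt": "bob", "action": "zapped"},
    {"ts": "2019-12-03T08:30Z", "sender": "accounts@contoso-bill.example", "ip": "198.51.100.7",
     "subject": "Invoice 51002 is overdue", "url": "https://login-portal.example/c3", "rcpt": "carol", "action": "delivered"},
    {"ts": "2019-12-03T09:12Z", "sender": "hr@example.org", "ip": "192.0.2.5",
     "subject": "Team lunch on Friday", "url": "https://intranet.example.org/menu", "rcpt": "dave", "action": "delivered"},
]

def campaign_key(msg):
    """Template the subject (digits -> '#') and pair it with the lure URL host (assumed grouping rule)."""
    template = re.sub(r"\d+", "#", msg["subject"]).lower()
    return (template, urlsplit(msg["url"]).hostname)

def campaign_views(msgs):
    """Group messages by campaign key and summarise each group like a campaign view."""
    groups = defaultdict(list)
    for m in msgs:
        groups[campaign_key(m)].append(m)
    views = {}
    for key, items in groups.items():
        items.sort(key=lambda m: m["ts"])
        views[key] = {
            "size": len(items),
            "first_seen": items[0]["ts"], "last_seen": items[-1]["ts"],
            "senders": sorted({m["sender"] for m in items}),
            "ips": sorted({m["ip"] for m in items}),
            "actions": dict(Counter(m["action"] for m in items)),
            # Recipients whose copy reached the inbox: secure these users first (reset credentials, MFA).
            "exposed_users": sorted(m["rcpt"] for m in items if m["action"] == "delivered"),
        }
    return views

def hunt_by_ioc(msgs, ioc):
    """Like the 'All email' view: every message sharing a given sender, IP or URL host."""
    return [m for m in msgs if ioc in (m["sender"], m["ip"], urlsplit(m["url"]).hostname)]

if __name__ == "__main__":
    for key, view in campaign_views(MESSAGES).items():
        print(key, view)
```

Changing the sender or IP between waves does not split the campaign here, because the key is built from the lure template and URL host; the per-campaign sender and IP lists then become the IOCs to hunt with.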
Microsoft has made campaign views available for customers on Office 365 Advanced Threat Protection Plan 2, Office 365 E5, Microsoft 365 E5 Security, and Microsoft 365 E5. The capability is rolling out in public preview and should become available to customers within days or weeks, the company says.