SecurityWeek

New Office 365 Feature Provides Detailed Information on Email Attack Campaigns

Microsoft this week announced a new feature in Office 365 Advanced Threat Protection (ATP) meant to provide more visibility into cyber-attacks targeting organizations via email.

Such assaults usually employ a large number of messages carefully tailored not only to trick the intended victims, but also to bypass defenses. These waves of emails, however, typically feature a common pattern or template — with only slight modifications — which defines the specific campaign.

With the newly introduced public preview of campaign views in Office 365 ATP, Microsoft aims to provide customers with increased visibility and additional context when looking to defend their environments, by identifying individual emails that belong to the same campaign.

The capabilities will provide security teams with summary details about the campaign, including point of origin, pattern and timeline, size, and the number of victims. Additionally, they show a list of IP addresses and senders, and data on messages that were blocked, ZAPped, sent to junk or quarantine, or allowed into the inbox. Campaign views will also include data on the URLs used in the attack.

This information, Microsoft says, should help organizations more easily secure affected or vulnerable users, improve their security posture by eliminating configuration flaws, investigate related campaigns, and hunt and track threats that use the same indicators of compromise (IOC).

Email campaigns aren’t always easy to stop, especially since the attackers can easily change the sending infrastructure, IPs, domains, names and addresses, and URLs, and even the hosting infrastructure.

“It’s critically important that the defenses and built-in protections in mail flow, the detections and the alerts they generate are powerful and durable enough to act on individual email messages. It is equally important for the solution to correlate information from across the attack into a campaign view so security teams can assess how well their organization is protected,” Microsoft says.

Campaign views also help with the remediation process, which should start with ensuring that compromised or vulnerable users have been secured, Microsoft says.

In some cases, even if users click on URLs, Safe Links may block the attacks, but in others the user may override the block. These users, the tech company points out, might have already revealed their login credentials to the attackers.

Thus, security teams should first limit the compromise by resetting users’ credentials and ensuring that multi-factor authentication is enabled. They should also check the users’ devices for anomalous alerts.

An All email view option in Office 365 ATP Threat Explorer allows security teams to investigate other messages sharing the same IOCs, and take remediation actions.

Microsoft has made campaign views available for customers on Office 365 Advanced Threat Protection Plan 2, Office 365 E5, Microsoft 365 E5 Security, and Microsoft 365 E5. The capability is rolling out in public preview and should become available to customers within days or weeks, the company says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
