Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

New Office 365 Feature Provides Detailed Information on Email Attack Campaigns

Microsoft this week announced a new feature in Office 365 Advanced Threat Protection (ATP) meant to provide more visibility into cyber-attacks targeting organizations via email.

Microsoft this week announced a new feature in Office 365 Advanced Threat Protection (ATP) meant to provide more visibility into cyber-attacks targeting organizations via email.

Such assaults usually employ a large number of messages carefully tailored not only to trick the intended victims, but also to bypass defenses. These waves of emails, however, typically feature a common pattern or template — with only slight modifications — which defines the specific campaign.

With the newly introduced public preview of campaign views in Office 365 ATP, Microsoft aims to provide customers with increased visibility and additional context when looking to defend their environments, by identifying individual emails that belong to the same campaign.

The capabilities will provide security teams with summary details about the campaign, including point of origin, pattern and timeline, size, and the number of victims. Additionally, it shows a list of IP addresses and senders, and data on messages that were blocked, ZAPped, sent to junk or quarantine, or allowed into the inbox. Campaign views will also include data on the URLs used in the attack.

This information, Microsoft says, should help organizations more easily secure affected or vulnerable users, improve their security posture by eliminating configuration flaws, investigate related campaigns, and hunt and track threats that use the same indicators of compromise (IOC).

Email campaigns aren’t always easy to stop, especially since the attackers can easily change the sending infrastructure, IPs, domains, names and addresses, and URLs, and even the hosting infrastructure.

“It’s critically important that the defenses and built-in protections in mail flow, the detections and the alerts they generate are powerful and durable enough to act on individual email messages. It is equally important for the solution to correlate information from across the attack into a campaign view so security teams can assess how well their organization is protected,” Microsoft says.

Campaign views also help with the remediation process, which should start with ensuring that compromised or vulnerable users have been secured, Microsoft says.

In some cases, even if users click on URLs, Safe Links may block the attacks, but in others the user may override the block. These users, the tech company points out, might have already revealed their login credentials to the attackers.

Thus, security teams should first limit the compromise by resetting users’ credentials and ensuring that multi-factor authentication is enabled. They should also check the users’ devices for anomalous alerts.

An All email view option in Office 365 ATP Threat Explorer allows security teams to investigate other messages sharing the same IOCs, and take remediation actions.

Microsoft has made campaign views available for customers on Office 365 Advanced Threat Protection Plan 2, Office 365 E5, Microsoft 365 E5 Security, and Microsoft 365 E5. The capability is rolling out in public preview and should become available to customers within days or weeks, the company says.

Related: Microsoft Announces New Security Capabilities Across Platforms

Related: Microsoft Makes Automated Incident Response in Office 365 ATP Generally Available

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...