FACE IT, USERS ARE CLICK-HAPPY. WHEN ATTACHMENTS AND LINKS LOOK INTERESTING, THEY’RE GOING TO OPEN THEM.
It’s not always due to cluelessness. The main perpetrators behind these attacks are organized crime syndicates and state-affiliated actors, who put a lot of time into creating clever, legitimate-looking content.
To keep users’ PCs, laptops, smartphones and bank accounts from being compromised by ransomware or phishing attacks, consider turning on Office 365 Advanced Threat Protection. To date, it has been the most widely deployed feature of Office 365’s E5 bundle, because it solves a real problem facing organizations. It is also available a la carte for only $2/user/month.
End users aren’t aware of threats and may unknowingly let viruses or malware onto their machines. A good example of a well-meaning employee eagerly clicking their way into the hurt locker is a salesperson who is sent an email with a Word document attached. The email vaguely mentions an attached purchase order. Conditioned to process POs, the sales rep opens the file, only to realize that they have installed a virus. Or maybe they don’t realize it, and the malware silently installs a keylogger that captures their bank account credentials the next time they type them in. Either way, they’re owned.
Exchange Online Protection does a good job of quarantining or cleaning known viruses and malware from email. But if users are sent new, not-yet-detected malware that looks legitimate enough to open, how can the organization stay protected? Advanced Threat Protection (ATP) protects the user and the organization at the time of the click, not just at the time of delivery.
Advanced Threat Protection uses machine learning and an advanced analysis and cleansing service to protect against unknown malware and viruses, giving email better zero-day protection. All inbound email passes through multiple filters: messages showing characteristics of known exploits are blocked, and messages matching known-safe patterns are delivered. If a message falls somewhere in the middle, it is subjected to the additional filtering of Advanced Threat Protection.
There are three common ways malware gets installed: emails with malicious attachments, websites that serve up a drive-by download with each visit, and a hybrid of the two, emails with links to pages that host drive-by code.
Read on to see how Advanced Threat Protection uses its Safe Attachments and Safe Links capabilities to add another layer of security for users.
Making Attachments Safe
If an attachment is suspicious or unknown, it is sent to a “detonation chamber” sandbox where it is opened and watched for telltale behaviors (dropping executables, touching registry keys, trying to gain privileges, and so on). This takes between 7 and 8 minutes, with a 30-minute SLA to deliver the email. Based on what it has learned from past behavior and on administrator settings, ATP can block or rewrite suspicious attachments and redirect a copy to an administrative mailbox (options shown below).
The impact on end users isn’t crippling. If malware is found and the attachment is stripped or safely replaced, a notification is still sent to both the recipient and the sender. Admins can also see who has clicked on which links, using the settings below.
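For admins who prefer scripting to clicking through the admin center, here is the same Safe Attachments setup done in Exchange Online PowerShell. This is an added example, not code from the original post or from Microsoft; the tenant domain contoso.com, the policy name and the secops@contoso.com mailbox are placeholders, and the -Redirect/-RedirectAddress parameters (the “redirect to an administrative account” option above) have changed across module versions, so check Get-Help New-SafeAttachmentPolicy -Full in your own tenant before relying on them.

```powershell
# Added example: create a Safe Attachments policy and scope it to one domain.
# Assumes the ExchangeOnlineManagement module and an ATP / Defender for Office 365 licence.
# Every name, domain and address below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$policyName = "Sandbox unknown attachments"

# -Action values: Allow (monitor only), Replace (strip the attachment, deliver the body),
# Block (hold the whole message), DynamicDelivery (deliver the body now, the attachment after the scan).
# Replace matches the "attachment is stripped or safely replaced" behaviour described above.
# -Redirect/-RedirectAddress send a copy of a detected message to an admin mailbox for triage
# (assumption: these parameters exist in the module version you are running).
New-SafeAttachmentPolicy -Name $policyName `
    -Enable $true `
    -Action Replace `
    -Redirect $true `
    -RedirectAddress "secops@contoso.com"

# A policy does nothing until a rule says who it applies to.
New-SafeAttachmentRule -Name $policyName `
    -SafeAttachmentPolicy $policyName `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

# Read the effective settings back rather than trusting the create call.
Get-SafeAttachmentPolicy -Identity $policyName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity $policyName |
    Format-List Name, State, RecipientDomainIs, Priority
```

Start with -Action Allow on a pilot group if you want to see what the sandbox would have caught before it starts altering mail; the detection still happens, only the delivery behaviour changes.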
Making Links Safe
Safe Links is a feature in Advanced Threat Protection that helps prevent users from following links in email that point to potentially malicious web sites. When URLs are detected in an email, they are rewritten and checked against machine-learning databases for suspicious characteristics.
When a user hovers over a URL in the email, they will see a safelinks.protection.outlook.com prefix on the URL, which tells them that once clicked, Advanced Threat Protection will evaluate the link before allowing it to open. If the destination is deemed safe, the page opens within seconds. If it is not, the user is sent to a warning page instead of the destination and told that there’s danger ahead (as below).
Sometimes a URL points to a known, safe destination when the message is scanned, but sophisticated attackers go back after delivery and change where the link resolves or what the page serves, so that a scanner that only looked at delivery time never saw the malicious content. With ATP the URL has been rewritten, so when the user clicks the hyperlink, ATP checks the destination at that moment and warns the user away from the bad link.
These are examples of how ATP protects the user at the time of the click, not just at the time of delivery.
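Two things a practitioner will want alongside this: the Safe Links policy itself (including the click-tracking setting the admin reports depend on), and a way to get the real destination back out of a rewritten link when one turns up in a message trace or a user report. The script below is an added example, not code from the original post or from Microsoft. The domain, policy name and the sample rewritten URL are constructed placeholders; the data/sdata values in the sample are not real Safe Links tokens. Parameter names follow the current ExchangeOnlineManagement module (older versions called -EnableSafeLinksForEmail -IsEnabled), and the availability of Get-SafeLinksDetailReport is an assumption to verify in your tenant.

```powershell
# Added example: Safe Links policy with time-of-click checking and click tracking,
# plus a helper that recovers the original destination from a rewritten URL.
# Assumes the ExchangeOnlineManagement module; all names and domains are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$policyName = "Time-of-click URL protection"

# -EnableSafeLinksForEmail : rewrite and check URLs in mail (older modules: -IsEnabled)
# -ScanUrls / -DeliverMessageAfterScan : also scan at delivery, and hold mail until that finishes
# -TrackClicks : record who clicked what, which is what the click reports are built from
# -AllowClickThrough $false : users cannot bypass the warning page
# -EnableForInternalSenders : also cover mail between users of the same tenant
New-SafeLinksPolicy -Name $policyName `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -EnableForInternalSenders $true

New-SafeLinksRule -Name $policyName `
    -SafeLinksPolicy $policyName `
    -RecipientDomainIs "contoso.com"

# Who clicked what over the last week (only populated when TrackClicks is on).
# Assumption: Get-SafeLinksDetailReport is present in your module version.
Get-SafeLinksDetailReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Format-Table -AutoSize

# Helper for analysts: pull the real destination out of a rewritten link.
# The rewritten form is https://<region>.safelinks.protection.outlook.com/?url=<encoded original>&...
# A link can be wrapped more than once (for example when mail is forwarded between
# tenants), so keep unwrapping until the result is no longer a Safe Links URL.
function Get-SafeLinksOriginalUrl {
    param([Parameter(Mandatory)][string]$Url)

    while ($Url -match '^https?://[^/]*safelinks\.protection\.outlook\.com/\?(?<query>.+)$') {
        $urlParam = ($Matches.query -split '&') |
            Where-Object { $_ -like 'url=*' } |
            Select-Object -First 1
        if (-not $urlParam) { break }          # malformed wrapper: stop rather than loop forever
        $Url = [System.Uri]::UnescapeDataString($urlParam.Substring(4))
    }
    return $Url
}

# Constructed sample, not a captured link: the data/sdata values are placeholders.
$wrapped = 'https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Fpo%2F4471.docx&data=PLACEHOLDER&sdata=PLACEHOLDER&reserved=0'
Write-Output (Get-SafeLinksOriginalUrl $wrapped)
```

The unwrapped destination is what you feed to your own reputation lookups or block lists; the Safe Links wrapper is only meaningful to Microsoft’s service, and matching on the wrapper host instead of the real destination is a common mistake in home-grown detections.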
Enabling Technologies are experts in securing productivity applications in the cloud. See one recommendation for getting educated and starting to use security within Office 365, or contact us.
For other Microsoft Security solutions see our main Security page.