11. Threats & Mail Flow

_______________________________

In This Chapter

Introduction

Threat Management

Mail Flow

Quarantine

_______________________________

Introduction

There are no PowerShell cmdlets specific to the Threat Management section of the Security and Compliance Center; the feature is exposed only in the SCC web interface. As such, we will briefly review what we can discern from the website, but we will not dive too deep, since we cannot drive it from PowerShell. If cmdlets are added for these features, we will cover them in a future edition of the book.

The Threat Management portion of the SCC consists of many pieces. Some of these features require an E5 license, and some also rely on Office 365 Advanced Threat Protection (ATP) Plan 1 or 2, so be aware that your tenant may not expose these features if you do not have the correct licensing.

Quick Summary of Threat Management:

Dashboard - Provides a quick overview of the Threat Management feature in the SCC.

Investigations - Brand new feature added to the SCC, in Preview as of this writing. It will be an automated feature to help you respond to well-known threats.

Explorer - An ATP feature that allows you to investigate and respond to threats.

Submissions - Allows tenant admin to submit suspicious items (email, URL or file) for Microsoft to analyze.

Attack Simulator - Lets a customer simulate phishing, brute-force password and password-spray attacks against their own users.

Review - Reporting center for Incidents, Quarantine, Restricted Users and other trends.

Policy - Configuring ATP Anti-Phishing, Safe Attachments, Safe Links, Anti-Spam/Anti-Malware and DKIM.

Threat Tracker - Lets an admin explore some well-known attack campaigns as well as self-submitted ones.

Mail Flow and the Security and Compliance Center

This portion of the SCC provides a review of the current mail flow in your tenant as well as access to a new Message Trace tool that parallels the one in Exchange Online. Similar to Threat Management, Mail Flow provides a dashboard to help the administrator quickly assess facts and findings for email flowing through the tenant. This section of the SCC has recently changed, so we will go over the new look.

Threat Management

Dashboard

Our first exposure to Threat Management is the Dashboard. The Dashboard provides what you would expect from a dashboard: a quick view of important issues relating to threats. We have information on Investigations, ATP threat prevention, malware trends, global views and more. It is a good place to start, and the content here should be reviewed often. Add this page to your daily checklist for reviewing your tenant:

Investigations

This is a new feature that appeared recently in the SCC as of the writing of this book. The feature is in Preview and there isn’t a lot of information about it on Microsoft Docs at the moment either. Look for an update in future editions of the book.

Explorer

The Explorer part of Threat Management is like a mini-dashboard where an administrator can explore items that relate to email: malware, phishing, self-submitted items, all email, as well as malware in content outside of email. There are options to make new submissions for Microsoft to review and to export any of the reports to CSV files.

There is a plethora of filtering options as well to help an admin narrow down the source or target of these email/content issues. We also have the configuration settings for the Windows Defender ATP connection:

Submissions

Submissions is intended for admins to report suspicious email, URLs or files they have found so that Microsoft can analyze them and improve its filtering. This interface is an option under Threat Management as well:

Creating a new submission here is as simple as clicking the button, choosing the type [Email, URL or Attachment], supplying the information required for that submission type and clicking Save.

After a submission is made, it can be tracked on this same page, and submissions can be exported afterwards.

Attack Simulator

Attack Simulator is where Microsoft provides a tenant with tools to run simulated attacks against its own users: phishing, brute-force password and password-spray attacks. These can be initiated straight from this section, as seen on the next page:

Each of the three attack simulations is described above. Note that Attack Simulator requires the admin account launching a simulation to have MFA enabled:

Review

This is another dashboard-like page that is focused on Incidents, Quarantine, blocked users, and trends such as malware, your submissions and user-reported messages.

Policy

Policy is where we can configure the ATP features: Anti-Phishing, Safe Attachments, Safe Links, Anti-Spam, DKIM and Anti-Malware.

Threat Tracker

Lastly we have the Threat Tracker tab. Here is where we can see malware campaigns Microsoft is tracking and their potential impact as well as queries we perform and any trending campaigns.

Mail Flow

Within the Security and Compliance Center, many improvements have been made to the interface for the Mail Flow section. However, there are no cmdlets for the Mail Flow feature in the SCC, so for this section of the book we will briefly look at the Mail Flow page itself. Mail Flow is essentially another dashboard for the Security and Compliance Center that highlights mail flow statistics, top domains and even alerts for your mail flow:

Mail Flow Map

The Mail Flow Map is interactive and we can get further details by clicking it and setting the pull-down to ‘Detail’:

Detailed Mail Flow Map information:

Message Traces

Instead of performing a message trace in the Exchange admin center, we now have access to a similar amount of functionality here. We also have some default, pre-built queries that Microsoft provides for us. The advantage is that we do not need access to the Exchange Online admin page; with the Mail Flow Admin role within the Security and Compliance Center we can perform similar functions.

We can also create our own custom queries and save them as well as download reports for completed or pending ones. To create a new Query, we click on Start a Trace and we get this window below:

We have quite a few options to choose from - To and from, as well as what time range the messages appeared in and then we can also choose a report type for the query.

However, traces that reach further back in time, or that use the enhanced summary or extended report types, are prepared in the background as downloadable reports rather than shown instantly:

We can choose a few options for the reports, like delivered, quarantined and failed, which helps in troubleshooting where an email ended up. If no messages are found, we get this:

Once a query is created, it appears in your search results like so:

We can then export these results to a CSV file for later analysis:

That’s it in a nutshell for the Mail Flow portion of the Security and Compliance Center.

Quarantine

The quarantine message cmdlets help the administrator deal with the back-end handling of quarantined emails. The messages these cmdlets work with are held for numerous reasons. Let's see what we have to work with and then use the cmdlets to remove, release and otherwise manage our quarantined messages.

Get-Command *Quarantine*

We see this provides a list of six cmdlets:

Delete-QuarantineMessage

Export-QuarantineMessage

Get-QuarantineMessage

Get-QuarantineMessageHeader

Preview-QuarantineMessage

Release-QuarantineMessage

These cmdlets are available in the Security and Compliance Center as well as Exchange Online. Microsoft recommends managing quarantine from the SCC, which takes precedence over Exchange Online for this feature.

First, we will start off with a general Get-QuarantineMessage. Sample results:

A really useful feature of these cmdlets is that we can take the results of Get-QuarantineMessage and pipe them to Get-QuarantineMessageHeader, which displays the actual header of the message that was quarantined:

Get-QuarantineMessage | Get-QuarantineMessageHeader

In the first section we can see the path the message took (the Received headers):

In the last section we see the analysis EOP has performed and recorded in the Message Header:

We can see that this email has been determined to be a phish and is therefore held in quarantine. We can delete it manually now, or let the normal quarantine retention remove the message later. We could also release the email if we determine that it is not a phish.
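Triaging the quarantine from those headers, as an added example that is not from the book: the functions below parse the X-Forefront-Antispam-Report and Authentication-Results headers that Get-QuarantineMessageHeader returns into the fields an admin decides on (SCL, verdict category, SPF/DKIM/DMARC results), run that over a window of quarantined phish, and wrap the release-or-delete decision so it can be rehearsed with -WhatIf. A connected Exchange Online or SCC PowerShell session is assumed for the live functions, the -Type values are those documented for Get-QuarantineMessage, and the CSV path is an assumption; the header block at the end is constructed so the parsing can be checked offline.

```powershell
function Get-ReportField {
    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:VALUE pairs,
    # e.g. "CIP:203.0.113.9;CTRY:XX;SCL:6;SFV:SPM;CAT:PHSH;..."
    param([string]$Report, [string]$Key)
    foreach ($pair in ($Report -split ';')) {
        $k, $v = $pair.Trim() -split ':', 2
        if ($k -eq $Key) { return $v }
    }
    return $null
}

function Get-AuthResult {
    # Authentication-Results carries tokens such as spf=pass, dkim=fail, dmarc=none
    param([string]$Auth, [string]$Method)
    $m = [regex]::Match($Auth, "(?i)\b$Method=(\w+)")
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function ConvertFrom-QuarantineHeader {
    # Reduce a raw header block to the fields an admin actually triages on
    param([string]$Header)
    # Unfold RFC 5322 continuation lines so every header sits on one line
    $flat   = ($Header -replace "`r`n", "`n") -replace "`n[ \t]+", ' '
    $report = [regex]::Match($flat, '(?im)^X-Forefront-Antispam-Report:\s*(.+)$').Groups[1].Value
    $auth   = [regex]::Match($flat, '(?im)^Authentication-Results:\s*(.+)$').Groups[1].Value
    [pscustomobject]@{
        SCL   = Get-ReportField $report 'SCL'   # spam confidence level
        CAT   = Get-ReportField $report 'CAT'   # verdict category: SPM, PHSH, HPHSH, MALW ...
        SFV   = Get-ReportField $report 'SFV'   # filter verdict: SPM, NSPM, BLK, SKA ...
        SPF   = Get-AuthResult  $auth 'spf'
        DKIM  = Get-AuthResult  $auth 'dkim'
        DMARC = Get-AuthResult  $auth 'dmarc'
    }
}

function Get-QuarantineTriage {
    param(
        [ValidateSet('Bulk','HighConfPhish','Malware','Phish','Spam','TransportRule')]
        [string[]]$Type = @('Phish','HighConfPhish'),
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($t in $Type) {
        # -Type takes one value per call; -PageSize is capped at 1000, so page
        # through a larger backlog with -Page
        foreach ($m in (Get-QuarantineMessage -Type $t -StartReceivedDate $since -PageSize 1000)) {
            # Out-String gives one multi-line string whatever the cmdlet's output shape
            $hdr    = Get-QuarantineMessageHeader -Identity $m.Identity | Out-String
            $fields = ConvertFrom-QuarantineHeader -Header $hdr
            [pscustomobject]@{
                Received  = $m.ReceivedTime
                Sender    = $m.SenderAddress
                Recipient = ($m.RecipientAddress -join ';')
                Subject   = $m.Subject
                Type      = $m.Type
                SCL = $fields.SCL;  CAT = $fields.CAT;   SFV = $fields.SFV
                SPF = $fields.SPF;  DKIM = $fields.DKIM; DMARC = $fields.DMARC
                Identity  = $m.Identity
            }
        }
    }
}

function Invoke-QuarantineDecision {
    # Release to every original recipient and report the false positive to
    # Microsoft, or delete. Both cmdlets honour -WhatIf, so rehearse first.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Release','Delete')][string]$Action,
        [switch]$WhatIf
    )
    switch ($Action) {
        'Release' { Release-QuarantineMessage -Identity $Identity -ReleaseToAll -ReportFalsePositive -WhatIf:$WhatIf }
        'Delete'  { Delete-QuarantineMessage -Identity $Identity -WhatIf:$WhatIf }
    }
}

# Offline check on a constructed header block (not taken from a real message)
$sampleHeader = @"
Authentication-Results: spf=fail (sender IP is 203.0.113.9)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine header.from=example.com;
X-Forefront-Antispam-Report: CIP:203.0.113.9;CTRY:XX;LANG:en;SCL:6;SRV:;IPV:NLI;
 SFV:SPM;H:mail.example.com;PTR:mail.example.com;CAT:PHSH;SFTY:9.19;
"@
ConvertFrom-QuarantineHeader -Header $sampleHeader

# Against a live tenant (paths and selection are assumptions):
# $triage = Get-QuarantineTriage -Type Phish,HighConfPhish -Days 7
# $triage | Sort-Object SCL -Descending | Format-Table Received, Sender, SCL, CAT, SPF, DKIM, DMARC, Subject -AutoSize
# $triage | Export-Csv -Path "$env:USERPROFILE\quarantine-triage.csv" -NoTypeInformation
# Invoke-QuarantineDecision -Identity $triage[0].Identity -Action Delete -WhatIf
```

The unfolding step matters: EOP wraps both headers across several lines, so a regex run on the raw block sees only the first fragment. Passing authentication results are not by themselves a reason to release a message (a compromised but legitimately configured sender passes SPF, DKIM and DMARC); the table is there to speed the human decision, not to replace it.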

We can also preview the email like so (the Identity used below comes from the Identity property in the earlier Get-QuarantineMessage output):

Preview-QuarantineMessage -Identity 06082c0f-cf03-4b87-5d00-08d796d212a7e2b3bdd4-63f8-197d-1e8c-6426351142e9

We can also take the HTML listed in the Body property, save it to an HTML file and open the email in a web browser. Do this only in an isolated browser with no network access: phishing HTML routinely contains remote images and tracking links that tell the sender the message was opened.

Would you want to do this for every email? No. But you may want to check a sample of emails to determine whether they truly are spam or phish. Notice that there is also an attachment connected to this phish email. In our case the message is clearly malicious, so we delete it with Delete-QuarantineMessage:

Delete-QuarantineMessage -Identity 06082c0f-cf03-4b87-5d00-08d796d212a7e2b3bdd4-63f8-197d-1e8c-6426351142e9

One cmdlet we have not yet tried is Export-QuarantineMessage. What does it do?

Using another email as an example, we can export the entire message as an EML. It is returned in the Eml property shown below:

The entire email message is held in the 'Eml' property, Base64 encoded; decode it to recover the raw .eml file.
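Decoding that Base64 Eml into something an analyst can work with, as an added example that is not from the book: the first function hashes the raw message and pulls sender, subject, attachment names and URLs straight from the MIME headers, so the admin never has to render the HTML body; the second wraps Export-QuarantineMessage and writes the decoded .eml to disk under its SHA-256. A connected Exchange Online or SCC session is assumed for the export wrapper, and the output directory is an assumption; the sample message is constructed and stands in for the Eml property so the decoding path runs offline.

```powershell
function Get-EmlSummary {
    # Pull triage indicators out of a raw RFC 5322 message without rendering it
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $text = [Text.Encoding]::UTF8.GetString($Bytes)
    # Unfold continuation lines so each header (including MIME part headers) is one line
    $flat = ($text -replace "`r`n", "`n") -replace "`n[ \t]+", ' '
    $hdr  = ($flat -split "`n`n", 2)[0]     # top-level headers end at the first blank line
    $sha  = [Security.Cryptography.SHA256]::Create().ComputeHash($Bytes)
    [pscustomobject]@{
        From        = [regex]::Match($hdr, '(?im)^From:\s*(.+)$').Groups[1].Value
        Subject     = [regex]::Match($hdr, '(?im)^Subject:\s*(.+)$').Groups[1].Value
        # name= / filename= on Content-Type and Content-Disposition lines of every MIME part
        Attachments = @([regex]::Matches($flat, '(?im)^Content-(?:Disposition|Type):[^\n]*?\b(?:file)?name="?([^";\n]+)') |
                        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
        # Only sees URLs in parts that are not base64 or quoted-printable encoded;
        # decode those MIME parts first for full coverage
        Urls        = @([regex]::Matches($flat, '(?i)\bhttps?://[^\s"''<>]+') |
                        ForEach-Object { $_.Value } | Sort-Object -Unique)
        Sha256      = ([BitConverter]::ToString($sha) -replace '-', '').ToLower()
    }
}

function Export-QuarantineMessageToDisk {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$OutputDirectory
    )
    $export = Export-QuarantineMessage -Identity $Identity
    # Eml holds the complete RFC 5322 message, Base64 encoded
    $bytes   = [Convert]::FromBase64String($export.Eml)
    $summary = Get-EmlSummary -Bytes $bytes
    # Name the file by hash: the same sample is never written twice and the
    # name is safe to quote in a Submission or hand to a sandbox
    $path = Join-Path $OutputDirectory "$($summary.Sha256).eml"
    [IO.File]::WriteAllBytes($path, $bytes)
    $summary | Add-Member -NotePropertyName Path -NotePropertyValue $path -PassThru
}

# Offline check with a constructed message standing in for $export.Eml
$sampleEml = @"
From: "IT Helpdesk" <helpdesk@example.com>
To: user@contoso.example
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://login.example.net/reset">Reset now</a></body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment;
 filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"@
$fakeExportEml = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleEml))
Get-EmlSummary -Bytes ([Convert]::FromBase64String($fakeExportEml))

# Against a live tenant (Identity comes from Get-QuarantineMessage; the directory is an assumption):
# Export-QuarantineMessageToDisk -Identity '<Identity>' -OutputDirectory "$env:USERPROFILE\quarantine"
```

Writing the bytes rather than a decoded string keeps the .eml byte-for-byte identical to what EOP held, so the SHA-256 matches what a sandbox or the Submissions page will compute. Open the saved .eml in a mail client only on an isolated machine; the summary above is meant to make that unnecessary for most triage.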
