11 Threats & Mail Flow

_______________________________

In This Chapter

Introduction

Threat Management

Mail Flow

_______________________________


Introduction

There are no specific PowerShell cmdlets for the Threat Management section of the Security and Compliance Center. This feature is revealed purely in the web page for the SCC. As such, we will briefly review what we can discern from the website, but we will not dive too deep as we cannot access it via PowerShell. If any cmdlets are added for the features, we’ll add them to a future edition of the book.

Now, the Threat Management portion of the SCC consists of many pieces. Some of these features require an E5 and some also rely on Office 365 Advanced Threat Protection (ATP) Plan 1 or 2. So be aware that your tenant may not have these features exposed if you do not have the correct licensing.

Quick Summary of Threat Management:

Dashboard - Provides a quick overview of the Threat Management feature in the SCC.

Investigations - A brand new feature added to the SCC that is in Preview as of this writing. It will be an automated feature to help you with well-known threats.

Explorer - An ATP feature that allows you to investigate and respond to threats.

Submissions - Allows tenant admin to submit suspicious items (email, URL or file) for Microsoft to analyze.

Attack Simulator - Customer can simulate Phish Attacks, Brute Force and Password Spray attacks.

Review - Reporting center for Incidents, Quarantines, Restricted Users and other trends.

Policy - Configuring ATP Anti-Phish, Safe Attachments, Safe Links, Anti-Spam/Malware and DKIM.

Threat Tracker - Lets an admin explore some well-known attack campaigns as well as self-submitted ones.

Mail Flow and the Security and Compliance Center

This portion of the SCC provides a review of the current Mail Flow in your tenant as well as access to a new Message Trace tool that is in contrast to the one in Exchange Online. Similar to the Threat Management feature, Mail Flow provides a dashboard to help the administrator quickly assess some facts and findings for email flowing through their tenant. This section of the SCC has recently changed so we will go over the new look.

Threat Management

Dashboard

Our first exposure to Threat Management is the Dashboard. The Dashboard provides what you would expect from a Dashboard - a quick view of important issues relating to threats. We have information on Investigations, ATP threat prevention, Malware Trends, Global views and more. It is a good place to start and content here should be reviewed often for your Office 365 tenant. Add this page to your daily checklist for reviewing your tenant:

Investigations

This is a new feature that appeared recently in the SCC as of the writing of this book. The feature is in Preview and there isn’t a lot of information about it on Microsoft Docs at the moment either. Look for an update in future editions of the book.

Explorer

The Explorer part of Threat Management is like a mini-dashboard where an administrator can explore items that relate to email - Malware, Phishing, self-submitted Items, all email issues as well as Malware Content (outside of email). There are options to make new Submissions for Microsoft to review as well as exporting any of the reports to CSV files.

There are a plethora of filtering options as well to help an admin narrow down the source or target of these email/content issues. We also have configuration settings for Windows Defender ATP Connections settings:

Submissions

Submissions is intended for admins to report email, URL or content related issues they have found or are experiencing, in order to help Microsoft keep up with them. We can see this new interface is an option under Threat Management as well:

Creating a new submission here is as simple as clicking on the button, choosing the type [Email, URL or Attachment], supplying the information required for that type of submission and then clicking Save.

After a submission is made, it can be tracked on this same page, and submissions can also be exported after they are made.

Attack Simulator

Attack Simulator is a place where Microsoft provides a tenant with tools to perform some penetration tests, such as Phishing, Brute Force Password and Password Spray attacks. These can be initiated straight from this section as seen on the next page:

Each of the three attack simulations is well described above. Make sure to have MFA enabled as well:

Review

This is another dashboard-like page that is focused on Incidents, Quarantine, blocked users, and some trends like Malware, your submissions and user-reported messages.

Policy

Policy is where we can configure ATP features - Anti-Phishing, Safe Attachments, Safe Links, Anti-Spam, DKIM and Anti-Malware.

Threat Tracker

Lastly we have the Threat Tracker tab. Here is where we can see malware campaigns Microsoft is tracking and their potential impact as well as queries we perform and any trending campaigns.

Mail Flow

Within the Security and Compliance Center, many improvements have been made to the interface for the Mail Flow section. However, there are no real cmdlets for the Mail Flow feature in the SCC. So for this section of the book we will briefly look at the Mail Flow page for the SCC. Mail Flow is essentially another dashboard for the Security and Compliance Center that highlights Mail Flow stats, top domains and even alerts for your Mail Flow:

Mail Flow Map

The Mail Flow Map is interactive and we can get further details by clicking it and setting the pull-down to ‘Detail’:

Detailed Mail Flow Map information:

Message Traces

Instead of performing a message trace in Exchange, we now have access to a similar amount of functionality. We do have some default, pre-built queries that Microsoft provides for us. The advantage of this is that we do not need access to the Exchange Online Admin page, but we can perform similar functions with the Mail Flow Admin role, within the Security and Compliance Center.

We can also create our own custom queries and save them as well as download reports for completed or pending ones. To create a new Query, we click on Start a Trace and we get this window below:

We have quite a few options to choose from - To and from, as well as what time range the messages appeared in and then we can also choose a report type for the query.

However, certain output will be restricted to reports that are not available instantly:

We can choose a few options for the reports, like delivered, quarantined and failed which could help in troubleshooting where an email went to. If no messages are found, we get this:

Once a query is created, it appears in your search results like so:

We can then export these results to a CSV file for later analysis:
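The trace just described (To/From filters, a time range, a status filter of delivered, quarantined or failed, and an export to CSV) has a scripted counterpart in Exchange Online PowerShell, which is useful when the same trace needs to be repeated or scheduled. The following is an added example and is not code from the book; it uses the Get-MessageTrace cmdlet from the ExchangeOnlineManagement module rather than anything in the SCC itself, assumes Connect-ExchangeOnline has already been run, and the sender and recipient addresses are placeholders.

```powershell
# Added example (not from the book): scripted equivalent of the SCC "Start a Trace"
# form, using the Exchange Online cmdlet Get-MessageTrace.
# Assumes an existing Connect-ExchangeOnline session.

$senderAddress    = 'user@contoso.com'        # placeholder for the "From" filter
$recipientAddress = 'someone@fabrikam.com'    # placeholder for the "To" filter
$startDate        = (Get-Date).AddDays(-7)    # time range: the last 7 days
$endDate          = Get-Date

# Get-MessageTrace returns at most 5000 results per page, so page through them.
$allMessages = @()
$page = 1
do {
    $batch = Get-MessageTrace -SenderAddress $senderAddress `
                              -RecipientAddress $recipientAddress `
                              -StartDate $startDate -EndDate $endDate `
                              -PageSize 5000 -Page $page
    $allMessages += $batch
    $page++
} while ($batch.Count -eq 5000)

if (-not $allMessages) {
    # Same outcome as the SCC page reporting that no messages were found.
    Write-Host 'No messages found for the chosen filters and time range.'
    return
}

# The status filter the SCC report offers: Delivered, Quarantined or Failed.
$interesting = $allMessages | Where-Object { $_.Status -in 'Delivered', 'Quarantined', 'Failed' }

# Quick summary by status for troubleshooting where an email went.
$interesting | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Export the detail to CSV for later analysis, as the SCC page does.
$interesting |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, MessageId, FromIP, ToIP |
    Export-Csv -Path ".\MessageTrace-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation
```

Get-MessageTrace only covers recent messages (roughly the last ten days); older ranges are served by the historical search cmdlets, which, like the SCC reports that are not available instantly, run as a queued report rather than returning immediately.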

That’s it in a nutshell for the Mail Flow portion of the Security and Compliance Center.
