If you would like to read the first part in this article series please go to Implementing Exchange Online Advanced Threat Protection (Part 1).
Introduction
In the first part of this short series on Microsoft’s add-on to Exchange Online Protection – Advanced Threat Protection, we examined how this functionality will solve problems our example organization faces, then walked through the decisions we need to make before implementing the feature. In the final part of this series we’ll walk through the implementation steps and look briefly at the reporting functionality available.
Defining Safe Links Policies
With the decisions made it is time to create a safe links policy. Navigate to the Exchange Admin Center, and then choose the Advanced Threats section of the EAC. Click the Safe Links tab to examine all existing Safe Links policies:
Figure 1: Navigating to Safe Links in our Exchange Admin Center
After navigating to the Safe Links policy page, choose the Add button (+) to create a new policy. The New Safe Links Policy window opens.
In the resulting window we’ll be presented with the options available for creating our new Safe Links policy. As you’ll see this maps to the questions we answered in the previous section of this article:
Figure 2: Creating the basic Safe Links policy
In Name enter an appropriate, unique, name that describes this policy. In the description enter some text that provides a little more detail for anyone trying to make sense of the options selected here.
Next we’ll choose the action to take for URLs. We can leave this Off, if for example we are creating a policy to exclude a group of users that would otherwise be affected by another Safe Links policy.
The checkbox Do not track user click can be selected if you do not wish to use the reporting functionality available at a later date. This is a key feature when understanding which users clicked a link that was later found to be a threat, so be careful about choosing to disable user click tracking.
Our final check box provides options for click-through if a link is found to be dangerous. In some circumstances you may trust users to click through links, or they may request the ability to do so. In most circumstances you will not want a user to click through to the malicious link.
Some URLs, such as those for internal addresses or even trusted partners, may not require re-writing. Enter these URLs here.
Finally, we will select the scope for the rule under the Applied to section.
Using similar conditions to transport rules we can select who this rule applies to including:
- Individual recipients
- Recipient domains
- Members of distribution groups
The same conditions can be used for exceptions. When you have configured your rule, choose Save.
Figure 3: Viewing the list of Safe Links policies including the new one
After saving the new Safe Links rule it will be shown in the EAC list. Just like Transport Rules, you can use the Enabled column to enable or disable the Safe Links policy.
If you have multiple Safe Links policies, you can also re-order the policies to define which takes precedence.
As you might expect the Safe Links policy also includes a comprehensive set of PowerShell cmdlets available.
To make use of these commands, we must first connect to Exchange Online PowerShell. To perform this step, use the following three lines of PowerShell to enter the credentials of an Exchange Administrator, then create a new PowerShell session and finally import the cmdlets received into the local environment.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
You’ll see this in action in the example below:
Figure 4: Connecting to Exchange Online Powershell
After connecting to Exchange Online, we can use the New-SafeLinksPolicy and New-SafeLinksRule cmdlets to create a new policy and then associate it with an appropriate rule. The policies created either by PowerShell or the EAC have a one-to-one relationship with the rules. You cannot have a single policy and then associate multiple rules with it.
In the example below we’ll create a new Safe Links policy with AllowClickThrough set to False, TrackClicks set to True and a list of WhiteListedUrls. Next we create a Safe Links rule and associate it with the same policy. We’ll use the SentTo parameter to specify a number of recipients:
New-SafeLinksPolicy -Name 'LJD Safe Links' -AdminDisplayName $null -IsEnabled:$true -AllowClickThrough:$false -TrackClicks:$true -WhiteListedUrls 'http://www.lisajanedesigns.co.uk'
New-SafeLinksRule -Name 'LJD Safe Links' -SafeLinksPolicy 'LJD Safe Links' -SentTo @('[email protected]','[email protected]')
You’ll see this in action below:
Figure 5: Creating a new Safe Links policy and rule using Powershell
If instead we wanted to apply this policy to domains, rather than specific recipients, we can use the RecipientDomainIs parameter to specify one or more domains, as shown below.
New-SafeLinksRule -Name 'LJD Safe Links' -SafeLinksPolicy 'LJD Safe Links' -RecipientDomainIs @('goodmanuk.com','stevieg.org','theucarchitects.com')
Defining Safe Attachments Policies
The overall theory of Safe Attachments policies is similar to Safe Links policies. In the next few steps we’ll walk through the equivalent process. To begin, navigate to the Safe Attachments tab. You’ll see a list of any existing policies and a toolbar providing similar options to Safe Links. Choose Add (+) to create a new policy:
Figure 6: Navigating to Safe Attachment policies in the Exchange Admin Center
The New Safe Attachments Policy window opens:
Figure 7: Creating a Safe Attachment policy
Referring back to the previous part of this series we’ll go through each of the options and select the options that correspond to the decisions we made.
We’ll first define the name and description. Under the Safe attachments unknown malware response option we’ll select the appropriate action to take with an attachment caught by this rule.
Under the Redirect attachment on detection option we can specify the appropriate email address to redirect the message to if it has an unsafe attachment. This is likely to be your security team or potentially a mailbox used for temporary quarantine.
Finally within this section we’ll select what should happen if there is an error or time-out when scanning a message. By default, the option to treat the message as if it is unsafe is selected.
Choose Save to create the new policy with the options chosen.
We can of course create Safe Attachment policies using Exchange Online Powershell as we’ve been able to with Safe Link policies above. This time we’ll use the New-SafeAttachmentPolicy and New-SafeAttachmentRule cmdlets.
In the example below we will create a policy that applies to a single recipient and replaces any unusual attachments that are discovered:
New-SafeAttachmentPolicy -Name 'Safe Attachments' -AdminDisplayName $null -Action 'Replace' -ActionOnError:$true -Redirect:$false -Enable:$true
New-SafeAttachmentRule -Name 'Safe Attachments' -SafeAttachmentPolicy 'Safe Attachments' -SentTo @('[email protected]')
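Because each policy only does anything when it is enabled and bound to exactly one rule, it is worth checking the result of both the Safe Links and the Safe Attachments steps above in one pass. The script below is an added example, not code from the article or from Microsoft. It assumes you have already run the Import-PSSession step, that the Get-SafeLinksPolicy, Get-SafeLinksRule, Get-SafeAttachmentPolicy and Get-SafeAttachmentRule cmdlets are present in the session, and that the objects expose properties named after the parameters used to create them (IsEnabled, TrackClicks, AllowClickThrough, Enable, Action, ActionOnError, Redirect, RedirectAddress, plus State, SentTo, RecipientDomainIs and SentToMemberOf on the rules). The 'Allow' action value is the monitor-only setting for Safe Attachments.

```powershell
# Added example (not from the article): audit Safe Links / Safe Attachments policies and rules
# for settings that weaken protection. Property names are assumed to match the cmdlet parameters.
function Test-AtpPolicyHygiene {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()

    # Nested helper; it reaches $findings through PowerShell's dynamic scoping
    function Add-Finding([string]$Kind, [string]$Name, [string]$Issue) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Issue = $Issue })
    }

    # --- Safe Links: policy must be enabled and referenced by a rule to have any effect ---
    $linkRules    = @(Get-SafeLinksRule)
    $linkPolicies = @(Get-SafeLinksPolicy)

    foreach ($p in $linkPolicies) {
        if (-not $p.IsEnabled)    { Add-Finding 'SafeLinksPolicy' $p.Name 'Policy is disabled' }
        if (-not $p.TrackClicks)  { Add-Finding 'SafeLinksPolicy' $p.Name 'Click tracking is off, so the victim report will be empty for these users' }
        if ($p.AllowClickThrough) { Add-Finding 'SafeLinksPolicy' $p.Name 'Users may click through to URLs already judged malicious' }
        if (-not ($linkRules | Where-Object SafeLinksPolicy -eq $p.Name)) {
            Add-Finding 'SafeLinksPolicy' $p.Name 'No rule references this policy, so it applies to nobody'
        }
    }
    foreach ($r in $linkRules) {
        if ($r.State -eq 'Disabled') { Add-Finding 'SafeLinksRule' $r.Name 'Rule is disabled' }
        if (-not ($r.SentTo -or $r.RecipientDomainIs -or $r.SentToMemberOf)) {
            Add-Finding 'SafeLinksRule' $r.Name 'Rule has no recipient condition; confirm its intended scope'
        }
    }

    # --- Safe Attachments: same structure, different knobs ---
    $attRules    = @(Get-SafeAttachmentRule)
    $attPolicies = @(Get-SafeAttachmentPolicy)

    foreach ($p in $attPolicies) {
        if (-not $p.Enable)        { Add-Finding 'SafeAttachmentPolicy' $p.Name 'Policy is disabled' }
        if ($p.Action -eq 'Allow') { Add-Finding 'SafeAttachmentPolicy' $p.Name 'Action is Allow: detections are only logged and the attachment is still delivered' }
        if (-not $p.ActionOnError) { Add-Finding 'SafeAttachmentPolicy' $p.Name 'Scan errors or time-outs deliver the attachment unscanned' }
        if ($p.Redirect -and -not $p.RedirectAddress) {
            Add-Finding 'SafeAttachmentPolicy' $p.Name 'Redirect is enabled but no redirect address is set'
        }
        if (-not ($attRules | Where-Object SafeAttachmentPolicy -eq $p.Name)) {
            Add-Finding 'SafeAttachmentPolicy' $p.Name 'No rule references this policy, so it applies to nobody'
        }
    }
    foreach ($r in $attRules) {
        if ($r.State -eq 'Disabled') { Add-Finding 'SafeAttachmentRule' $r.Name 'Rule is disabled' }
    }

    # Emit one object per finding so the caller can pipe, count or export them
    $findings.ToArray()
}

# Usage: run after connecting; an empty result means nothing was flagged
Test-AtpPolicyHygiene | Format-Table -AutoSize
```

Running this immediately after creating a policy pair catches the two mistakes that are easiest to make in the EAC: saving a policy with the action left Off, and saving a rule whose scope does not match the policy name you intended.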
You’ll see this in action in the screenshot below:
Figure 8: Creating a Safe Attachment Policy and Rule using Powershell
Testing Policies
We’ve created a number of policies that will affect the content of messages received by the organisation, change what users experience when clicking links in messages, and potentially delay inbound messages with attachments for the greater good.
It’s therefore important to test the policies in place and ensure you understand how this works within your organisation. As careful as you might be, it’s easy to miss something important or add a wider scope than you intend.
Safe Links can be viewed on inbound emails easily by hovering over links in messages received in Outlook, as shown below.
Figure 9: Viewing a Safe Link in an email message
You will notice in the example above the Safe Links URL includes a domain name that starts with EMEA. This will be different based on where your Office 365 tenant is based but should match your region. Our tenant is based in Europe so it’s EMEA, it may be NA if the tenant is based in North America and so forth.
To view the delay on inbound messages covered by Safe Attachment policies, either send an inbound test message with an attachment from an external email address and time how long it takes to reach the mailbox, or view the message headers. You will see the delay noted by a longer gap in time between initial hops. This gap in time should represent the time taken to test the attachment.
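Reading the gap out of the headers by eye is error-prone, so the following added example (not code from the article) unfolds the Received: headers of a message, parses the timestamp after the last semicolon of each one, and reports the delay introduced at every hop. The header block is constructed for illustration with made-up hostnames and addresses; to use it on a real message, paste the Internet headers shown in Outlook's message properties into $RawHeaders.

```powershell
# Constructed sample headers (not from a real message). Exchange prepends one Received:
# header per hop, so the last one in the text is the earliest. The gap is placed at the
# hop after the external edge purely to illustrate the scan delay described above.
$RawHeaders = @'
Received: from EXAMPLE-MB01.example.invalid (10.0.0.1) by
 EXAMPLE-MB02.example.invalid (10.0.0.2) with Microsoft SMTP Server (TLS)
 id 15.1.312.18; Tue, 3 Nov 2015 10:20:47 +0000
Received: from EXAMPLE-HUB01.example.invalid (10.0.0.3) by
 EXAMPLE-MB01.example.invalid (10.0.0.1) with Microsoft SMTP Server (TLS)
 id 15.1.312.18; Tue, 3 Nov 2015 10:20:45 +0000
Received: from mail.example.net (203.0.113.10) by
 EXAMPLE-HUB01.example.invalid (10.0.0.3) with Microsoft SMTP Server (TLS)
 id 15.1.312.18; Tue, 3 Nov 2015 10:15:02 +0000
From: sender@example.net
Subject: Test attachment
'@

function Get-ReceivedHopDelays {
    param([Parameter(Mandatory)][string]$Headers)

    # Unfold continuation lines: a line beginning with whitespace belongs to the previous header
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '

    $hops = foreach ($line in ($unfolded -split "`r?`n")) {
        # The timestamp follows the last ';' of a Received: header
        if ($line -match '^Received:\s*(.*);\s*(.+)$') {
            $route = $Matches[1]
            $stamp = $Matches[2] -replace '\s*\(.*\)\s*$', ''             # drop "(UTC)"-style comments
            $stamp = $stamp -replace '([+-]\d{2})(\d{2})$', '${1}:${2}'   # +0000 -> +00:00 for ParseExact
            [pscustomobject]@{
                Route = $route
                Time  = [DateTimeOffset]::ParseExact($stamp, 'ddd, d MMM yyyy HH:mm:ss zzz', [cultureinfo]::InvariantCulture)
            }
        }
    }

    # Sort by timestamp to get delivery order, then diff neighbouring hops
    $hops = @($hops | Sort-Object Time)
    for ($i = 1; $i -lt $hops.Count; $i++) {
        $gap = $hops[$i].Time - $hops[$i - 1].Time   # DateTimeOffset difference is a TimeSpan
        [pscustomobject]@{
            Hop          = $i
            DelaySeconds = [int]$gap.TotalSeconds
            Route        = $hops[$i].Route
        }
    }
}

# Usage: list every hop, then call out the slowest one (343 seconds at hop 1 for the sample above)
$delays = @(Get-ReceivedHopDelays -Headers $RawHeaders)
$delays | Format-Table -AutoSize
$slowest = $delays | Sort-Object DelaySeconds -Descending | Select-Object -First 1
"Longest gap: $($slowest.DelaySeconds)s at hop $($slowest.Hop) ($($slowest.Route))"
```

Run the same script against a message with no attachment and one with an attachment from the same external sender; the difference in the longest gap is the cost of the Safe Attachments scan, and a gap that grows into many minutes is the signal to revisit the time-out handling chosen in the policy.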
Tracking down Phishing Victims
Safe Link policies will not always catch every malicious link. When a link contained within a message is opened by a user, the online service does not evaluate whether an unknown threat is a danger. If it did, it might breach user or organisation privacy or risk invalidating common one-time links like password reset links. Instead it works on intelligence from Microsoft honey pots and other sources of reputation data.
This means that usually by the time a user attempts to access a link it will be blocked, but there is a window in which a user may get infected and require attention. The reporting functionality is aimed at providing access to this data. To view reports, navigate to the Exchange Admin Center and under the Advanced Threats heading click on Safe Links, then select the Report button. This provides access to the reporting functionality, shown below, which will allow you to select and download detailed reports.
Figure 10: Viewing the reporting capabilities in ATP
Summary
In this two part series we have identified the need for and implemented the newest feature to Exchange Online – Advanced Threat Protection. We’ve configured it to block both unsafe links and unsafe attachments for groups of users, either via the EAC or PowerShell. We have also tested it and looked at the basic reporting functionality.
Thanks for this series!