Implementing Exchange Online Advanced Threat Protection (Part 2)

If you would like to read the first part in this article series please go to Implementing Exchange Online Advanced Threat Protection (Part 1).

Introduction

In the first part of this short series on Microsoft’s add-on to Exchange Online Protection – Advanced Threat Protection, we examined how this functionality will solve problems our example organization faces, then walked through the decisions we need to make before implementing the feature. In the final part of this series we’ll walk through the implementation steps and look briefly at the reporting functionality available.

Defining Safe Links Policies

With the decisions made it is time to create a safe links policy. Navigate to the Exchange Admin Center, and then choose the Advanced Threats section of the EAC. Click the Safe Links tab to examine all existing Safe Links policies:

Image
Figure 1: Navigating to Safe Links in our Exchange Admin Center

After navigating to the Safe Links policy page, choose the Add button (+) to create a new policy. The New Safe Links Policy window opens.

In the resulting window we’ll be presented with the options available for creating our new Safe Links policy. As you’ll see this maps to the questions we answered in the previous section of this article:

Image
Figure 2: Creating the basic Safe Links policy

In Name enter an appropriate, unique, name that describes this policy. In the description enter some text that provides a little more detail for anyone trying to make sense of the options selected here.

Next we’ll choose the action to take for URLs. We can leave this Off, if for example we are creating a policy to exclude a group of users that would otherwise be affected by another Safe Links policy.

The checkbox Do not track user click can be selected if you do not wish to use the reporting functionality available at a later date. This is a key feature when understanding which users clicked a link that was later found to be a threat, so be careful about choosing to disable user click tracking.

Our final check box provides options for click-through is a link is found to be dangerous. In some circumstances you may trust users to click-through links, or they may request the ability to do so. In most circumstances you will not want a user to click-through the malicious link.

Some URLs, such as those for internal addresses or even trusted partners, may not require re-writing. Enter these URLs here.

Finally, we will select the scope for the rule under the Applied to section.

Using similar conditions to transport rules we can select who this rule applies to including:

  • Individual recipients
  • Recipient domains
  • Members of distribution groups

The same conditions can be used for exceptions. When you have configured your rule, choose Save.

Image
Figure 3: Viewing the list of Safe Links policies including the new one

After saving the new Safe Links rule it will be shown in the EAC list. Just like Transport Rules, you can use the Enabled column to enable or disable the Safe Links policy.

If you have multiple Safe Links policies, you can also re-order the policies to define which takes precedence.

As you might expect the Safe Links policy also includes a comprehensive set of PowerShell cmdlets available.

To make use of these commands, we must first connect to Exchange Online PowerShell. To perform this step, use the following three lines of PowerShell to enter the credentials of an Exchange Administrator, then create a new PowerShell session and finally import the cmdlets received into the local environment.

$UserCredential =   Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

You’ll see this in action in the example below:

Image
Figure 4: Connecting to Exchange Online Powershell

After connecting to Exchange Online, we can use the New-SafeLinksPolicy and New-SafeLinksRule cmdlets to create a new policy and then associate it with an appropriate rule. The polices created either by PowerShell or the EAC have a one-to-one relationship with the rules. You cannot have a single policy and then associated multiple rules with it.

In the example below we’ll create a new safe links policy with settings to AllowClickThrough set to False, TrackClicks set to True and a list of to WhiteListedURLs. Next we create a safe links rule, and associate it with the same policy. We’ll use the SentTo parameter to specify a number of recipients:

New-SafeLinksPolicy -Name ‘LJD Safe Links’ -AdminDisplayName $null -IsEnabled:$true -AllowClickThrough:$false -TrackClicks:$true -WhiteListedUrls ‘http://www.lisajanedesigns.co.uk’

New-SafeLinksRule -Name ‘LJD Safe Links’ -SafeLinksPolicy ‘LJD Safe Links’ -SentTo @(‘[email protected]’,’[email protected]’)

You’ll see this in action below:

Image
Figure 5: Creating a new Safe Links policy and rule using Powershell

If instead we wanted to apply this policy to domains, rather than specific recipients, we can use the RecipientDomainIs parameter to specific one or more domains, as shown below.

New-SafeLinksRule -Name ‘LJD Safe Links’ -SafeLinksPolicy ‘LJD Safe Links’ -RecipientDomainIs @(‘goodmanuk.com’,’stevieg.org’,’theucarchitects.com’)

Defining Safe Attachments Policies

The overall theory of Safe Attachments policies is similar to Safe Links policies. In the next few steps we’ll walk through the equivalent process. To begin, navigate to the Safe Attachments tab. You’ll see a list of any existing policies and a toolbar providing similar options to Safe Links. Choose Add (+) to create a new policy:

Image
Figure 6: Navigating to Safe Attachment policies in the Exchange Admin Center

The New Safe Attachments Policy window opens:

Image
Figure 7: Creating a Safe Attachment policy

Referring back to the previous part of this series we’ll go through each of the options and select the options that correspond to the decisions we made.

We’ll first define the name and description. Under the Safe attachments unknown malware response option we’ll select the appropriate action to take with an attachment caught by this rule.

Under the Redirect attachment on detection option we can specify the appropriate email address to redirect the message to if it has an unsafe attachment. This is likely to be your security team or potentially a mailbox used for temporary quarantine.

Finally within this section we’ll select what should happen if there is an error or time-out when scanning a message. By default, the option to treat the message as if it is unsafe is selected.

Choose Save to create the new policy with the options chosen.

We can of course create Safe Attachment policies using Exchange Online Powershell as we’ve been able to with Safe Link policies above. This time we’ll use the New-SafeAttachmentPolicy and New-SafeAttachmentRule cmdlets.

In the example below we will create a policy that applies to a single recipient and replaces any unusual attachments that are discovered:

New-SafeAttachmentPolicy -Name ‘Safe Attachments’ -AdminDisplayName $null -Action ‘Replace’ -ActionOnError:$true -Redirect:$false -Enable:$true

New-SafeAttachmentRule -Name ‘Safe Attachments’ -SafeAttachmentPolicy ‘Safe Attachments’ -SentTo @(‘[email protected]’)

You’ll see this in action in the screenshot below:

Image
Figure 8: Creating a Safe Attachment Policy and Rule using Powershell

Testing Policies

We’ve created a number of policies that will affect both the content of messages received by the organisation, change the potential experience when clicking on links in messages and also potentially delay inbound messages with attachments for the greater good.

It’s therefore important to test the policies in place and ensure you understand how this works within your organisation. As careful as you might be, it’s easy to miss something important or add a wider scope than you intend.

Safe Links can be viewed on inbound emails easily by hovering over links in messages received in Outlook, as shown below.

Image
Figure 9: Viewing a Safe Link in an email message

You will notice in the example above the Safe Links URL includes a domain name that starts with EMEA. This will be different based on where your Office 365 tenant is based but should match your region. Our tenant is based in Europe so it’s EMEA, it may be NA if the tenant is based in North America and so forth.

To view the delay on inbound messages covered by Safe Attachment policies, either send an inbound test message with an attachment from an external email address and time how long it takes to reach the mailbox, or view the message headers. You will see the delay noted by a longer gap in time between initial hops. This gap in time should represent the time taken to test the attachment.

Tracking down Phishing Victims

Safe Link policies will not always catch every malicious link. When a link contained within a message is opened by a user, the online service does not evaluate whether an unknown threat is a danger. If it did, it might breach user or organisation privacy or risk invalidating common one-time links like password reset links. Instead it works on intelligence from Microsoft honey pots and other sources of reputation data.

This means that usually by the time a user attempts to access a link it will be blocked, but there is a window in which a user may get infected and require attention. The reporting functionality is aimed at providing access to this data. To view reports, navigate to the Exchange Admin Center and under the Advanced Threats heading click on Safe Links, then select the Report button. This provides access to the reporting functionality, shown below, which will allow you to select and download detailed reports.

Image
Figure 10: Viewing the reporting capabilities in ATP

Summary

In this two part series we have identified the need for and implemented the newest feature to Exchange Online – Advanced Threat Protection. We’ve configured it to block both unsafe links and unsafe attachments for groups of users, either via the EAC or PowerShell. We have also tested it and looked at the basic reporting functionality.

If you would like to read the first part in this article series please go to Implementing Exchange Online Advanced Threat Protection (Part 1).

1 thought on “Implementing Exchange Online Advanced Threat Protection (Part 2)”

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top