Compliance: Advanced Threat Protection

Demo Guide

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2016 Microsoft. All rights reserved.

Contents

Prerequisites

Demo home page and login

User Accounts

First-time Post-Install Steps

Pre-demo Setup Steps

Advanced Threat Protection

Advanced Threat Protection Demo Steps

Introduction

Email Content Filtering

Advanced Threats

The Information Worker Experience

URL Trace

Conclusion

Reset Instructions

Advanced Threat Protection

Post-Install Steps

Advanced Threat Protection

Prerequisites

Demo home page and login

You will need a Microsoft Office Demo (MOD) Office 365 tenant to complete this demo. You can obtain a demo environment at

User Accounts

Megan Bowen (alias MeganB) is the typical account used in MOD Hero demo modules. If this MOD Hero module requires a different account for logon or if additional logon accounts are needed, the information is provided in the Pre-demo Setup Steps.

  • Office 365 tenant:
  • User name: MeganB@<Tenant>.onmicrosoft.com
  • Password: Your password can be located within the details section of your tenant on demos.microsoft.com

First-time Post-Install Steps

If this is the first time you are using the demo environment, complete the Post-Install Steps at the end of this document.

Pre-demo Setup Steps

Advanced Threat Protection

The hero for this demo is Lidia Holloway.

  • User name: LidiaH@<Tenant>.onmicrosoft.com
  • Password: Your password can be located within the details section of your tenant on demos.microsoft.com

The following steps are required prior to each presentation of the demo:

  1. Start a browser session and log into Outlook in Office 365 as Lidia Holloway (alias LidiaH) using the credentials above.

URL:

  2. Start a new browser session and log into the Office 365 tenant as the tenant administrator (alias admin) using the same password above.
  3. Click App Launcher, and then click Admin.
  4. If prompted to update your admin contact info, click cancel.
  5. In the left navigation, click the Admin centers area, and then select Security & Compliance.
  6. In the left navigation, click Threat management, and then select Mail filtering.

Advanced Threat Protection Demo Steps

Introduction

Speaker Script

Microsoft has made great investments for Office 365 in the area of compliance.

Email Content Filtering

Speaker Script

Exchange Online Protection has been in place for a while in Office 365. In the Security & Compliance Center, administrators can create filtering policies for different types of content.

Spam filtering

The default spam filter settings in Exchange Online Protection will meet the needs of many organizations. But for a more tailored approach, administrators can customize their filter settings.

For example, they can use risk levels to enhance their organizations’ bulk email protection capabilities. The higher the threshold is set, the more bulk email can get through to users.

Connection filtering

IP addresses can also be blocked. Of course, administrators cannot possibly identify every potentially harmful IP address, so Microsoft provides them with a safe list, a growing list of IP addresses that are known to be benign.

Malware filtering

Administrators can also implement policies that detect malware in individual email messages, whether it was sent intentionally or not. When malware is detected, the message can be deleted, or it can be delivered without its attachments. Malware notifications can be sent to internal and external senders, as well as to administrators.

Click Steps

  1. Start as Admin in the Security & Compliance Center, with the Threat management > Mail filtering page displayed.
  2. On the Standard tab, point to the default settings for the spam filter (Spam action, Bulk threshold…).
  3. Click the Custom tab, then beside Custom settings, click the slider to turn the settings On.
  4. Beside the Default spam filter policy, click the down arrow, and then click Edit Policy.
  5. On the right, expand the Spam and bulk options section, scroll down to Select the threshold, and show the options in the dropdown.
  6. Click Cancel to close the spam filter options.
  7. Collapse the Default spam filter policy section, then expand the Connection filter policy section, and then click Edit policy.
  8. Point to the IP Allow List and IP Block List areas, and then point to the Turn on safe list check box.
  9. Click Cancel to close the policy pane.
  10. In the left navigation, click Anti-malware.
  11. Double-click the Default policy, and then click settings.
  12. In the Malware Detection Response area, point to the different options.
  13. Scroll down and, in the Notifications area, show the Sender Notifications and Administrator Notifications options.
  14. Click Cancel.

Advanced Threats

Speaker Script

Advanced Threat Protection (ATP) expands on existing content filtering capabilities, further hardening the company’s email environment.

Safe attachments

Malware filtering policies work great for threats that are known by anti-virus programs and that have corresponding signature files. ATP goes even further by using Safe Attachments to detect threats that are unknown by anti-virus programs. With Safe Attachments, messages containing attachments are routed through a detonation chamber, where they are analyzed for potentially malicious behavior.

If, for example, an email attachment is trying to access a user’s registry, a Safe Attachment policy can block that attachment, replace it, or simply monitor the scan results. Additionally, administrators can redirect blocked, replaced, or monitored attachments to a specific email address.

Click Steps

  1. In the left navigation, click Safe attachments.
  2. Double-click Safe Attachment Policy – Block, and then click settings.
  3. In the Safe attachments unknown malware response area, point to the different options (Block, Replace, Monitor).
  4. In the Redirect attachment on detection area, point to Enable redirect and email address.
  5. Click Cancel.

Safe links

Speaker Script

ATP also uses Safe Links to scan email messages and detect potentially malicious URLs, like those from phishing scams. Safe Link policies check URLs against a list of known malicious links. A link can then be rewritten so that, when clicked, users are redirected to a protective shell and notified that the original URL has been classified as malicious.

Administrators can track user clicks to these links and allow users to click through to the original URLs. Administrators can also identify a list of URLs that should not be rewritten, should they happen to inadvertently end up on the list of known malicious links.

Click Steps

  1. In the left navigation, click Safe links.
  2. Double-click Safe Link Policy, and then click settings.
  3. Point to the first section that enables or disables rewriting URLs.
  4. Point to the options for tracking user clicks and allowing users to click through to the original URL.
  5. Point to the area where administrators can specify a list of URLs that are not to be rewritten.
  6. Click Cancel.

The Information Worker Experience

Safe attachments

Speaker Script

The information worker experience for ATP is all about protection. Alex sent Lidia a Statement of Work message with an attachment. The organization’s Safe Attachment policy detected unverified signatures in the attachment and thus blocked it.

Lidia still has access to the original message body, but the malware threat was removed. Meanwhile, the attachment was redirected to the administrator for further analysis.

Click Steps

  1. Maximize the browser session logged in as LidiaH in Office 365 Outlook.
  2. Click the message from Alex Wilber with the subject Litware Statement of Work.
  3. Point to the attachment, which displays Malware Alert Text.txt, indicating a threat was detected.
  4. Click the attachment to display the message indicating that it was blocked.
  5. On the right, point to the message body Here is the SOW file.
  6. At the top, click the X to close the message.

Safe links

Speaker Script

Lidia can also feel secure knowing that the Safe Links policies are in place. In this message about cheap flights, she clicks a known phishing link. The organization’s Safe Link policy found that link to be malicious and rewrote it. Lidia is now redirected to a protective shell, which alerts her about the classification of that URL.

The policy is selective enough to remove only malicious links. Even within a single email with both safe and malicious links, only the malicious links will be removed. Within that same message about cheap flights, Lidia clicks the link in the signature line and navigates to Bing.com as expected.

Click Steps

NOTE: The Cheap Flights message from Alex Wilber’s Yahoo account may be in the Spam or Junk Email folder.

  1. In Outlook, click the Cheap Flights message from Alex.
  2. In the message body, click the site link.
  3. Point to the protective shell tab that opens, indicating that the website has been classified as malicious.
  4. Within that protective shell, click Close this page and, if prompted, click Yes to confirm closing the tab.
  5. In the same Cheap Flights email from Alex, in the message body, click the Bing link.
  6. Point to the Bing tab that opens.

URL Trace

Note to presenter: The URL trace query may show no results. It is recommended you test the query before a live demo; if no results are displayed, show how to provision the search variables, but do not click search.

Speaker Script

Back in the Exchange admin center, administrators can review a report that tracks individual user clicks of malicious URLs in email messages. The report contains URL traces from the previous seven days. These traces can be filtered by date and time, by recipients, or by a list of exact URLs.

The administrator filters Lidia as the recipient to see her recent trace activities, which include the URLs that were rewritten.

Click Steps

  1. Maximize the browser session logged in as the administrator in the Security & Compliance Center.
  2. Click App Launcher, and then select Admin.
  3. In the Admin center left navigation, click Admin centers, and then select Exchange.
  4. In the Exchange admin center left navigation, click mail flow, and then in the top navigation, click url trace.
  5. Point to the date, time, recipient, and URL filters.
  6. In the Recipient area, click add recipient.
  7. Double-click Lidia Holloway, and then click OK.
  8. In the lower right, click search.
  9. In the Url Trace Results page, point to the list of activities, if available.

Conclusion

Speaker Script
As shown in this demo, Microsoft has made great investments in the Exchange admin center to expand threat protection in Office 365.

Reset Instructions

Advanced Threat Protection

This demo has no reset steps.

Post-Install Steps

Advanced Threat Protection

Complete the following post-install steps once for your demo environment:

Create default policy for Safe Attachments:

  1. Log into the Office 365 tenant as the administrator (alias admin).
  2. Click App Launcher, and then click Admin.
  3. If prompted to update your admin contact info, click cancel.
  4. In the left navigation, click Admin Centers, then click Exchange.
  5. In the Exchange admin center, in the left navigation, click advanced threats.
  6. At the top, ensure the safe attachments link is highlighted.
  7. Click the + icon to create a new policy.
  8. In the Name field, type Safe Attachment Policy – Block.
  9. Under Safe attachments unknown malware response, select Replace – Block the attachments with detected malware, continue to deliver the message.
  10. Under Redirect attachment on detection, check the box next to Enable redirect.
  11. In the redirect email address field, type the tenant admin account (admin@<Tenant>.onmicrosoft.com).
  12. Ensure that the box next to Apply the above selection if malware scanning is checked.
  13. Under Applied to (you may need to scroll down), in the If drop-down, select The recipient domain is.
  14. In the window that appears, ensure the tenant domain is selected and then click add ->.
  15. Click OK.
  16. Click Save.

Create default policy for Safe Links:

  1. While still in the advanced threats section of the Exchange admin center, at the top, click safe links.
  2. Click the + icon to create a new policy.
  3. In the Name field, type Safe Link Policy.
  4. Under Select the action…, select On – URLs will be rewritten and checked against a list of known malicious links when user clicks on the link.
  5. Check the box next to Do not allow users to click through to the original URL.
  6. Under Applied to, in the If drop-down, select The recipient domain is.
  7. In the window that appears, ensure the tenant domain is selected and then click add ->.
  8. Click OK.
  9. Click Save.
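The same two policies can be provisioned from Exchange Online PowerShell instead of clicking through the admin center; the script below is an added example and is not part of the original demo guide. It assumes the ExchangeOnlineManagement module is installed and that the cmdlet and parameter names used (New-SafeAttachmentPolicy, New-SafeAttachmentRule, New-SafeLinksPolicy, New-SafeLinksRule) match the module version in use; <Tenant> is the same placeholder used throughout this guide.

```powershell
# Added example (not from the demo guide): create the post-install ATP policies with
# Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module is installed;
# verify parameter names against Get-Help for the module version you run.
# <Tenant> is a placeholder, as elsewhere in this guide.
$tenantDomain = '<Tenant>.onmicrosoft.com'
$redirectTo   = "admin@$tenantDomain"

Connect-ExchangeOnline

# Safe Attachments: "Replace" strips a detected attachment but still delivers the
# message body (what Lidia sees in the demo); the copy is redirected to the admin
# mailbox, and the same action applies if scanning times out or errors.
New-SafeAttachmentPolicy -Name 'Safe Attachment Policy – Block' `
    -Action Replace `
    -ActionOnError $true `
    -Redirect $true `
    -RedirectAddress $redirectTo

# The rule scopes the policy to recipients in the tenant domain
# (the UI's "Applied to: The recipient domain is").
New-SafeAttachmentRule -Name 'Safe Attachment Policy – Block' `
    -SafeAttachmentPolicy 'Safe Attachment Policy – Block' `
    -RecipientDomainIs $tenantDomain

# Safe Links: rewrite URLs in mail, keep click tracking on so the URL trace report
# has data, and do not let users click through to a URL classified as malicious.
New-SafeLinksPolicy -Name 'Safe Link Policy' `
    -EnableSafeLinksForEmail $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name 'Safe Link Policy' `
    -SafeLinksPolicy 'Safe Link Policy' `
    -RecipientDomainIs $tenantDomain

# Read the settings back; these are the fields the demo points to in the admin center.
Get-SafeAttachmentPolicy -Identity 'Safe Attachment Policy – Block' |
    Format-List Action, ActionOnError, Redirect, RedirectAddress
Get-SafeLinksPolicy -Identity 'Safe Link Policy' |
    Format-List EnableSafeLinksForEmail, TrackClicks, AllowClickThrough
```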
Create email message from AlexW to LidiaH with a malicious attachment:

NOTE: You must create the policies above before sending any emails or Exchange will not flag the malicious attachments and links.

To create the attachment:

  1. Download SonarBadMaker.exe from

NOTE: You must have a Microsoft Internal Account to download the SonarBadMaker.exe.

  2. Open a command prompt.
  3. Change the directory to where you stored the file by entering cd and the path to the executable.

Example: If you downloaded the SonarBadMaker.exe to your desktop:

cd C:\Users\<USERNAME>\desktop

  4. At the next prompt, type SonarBadMaker.exe Litware_SOW.doc.

NOTE: Entering the file name (in the example, “Litware_SOW.doc”) is crucial here. You will need to create a new file (with a new name) each time you run the demo so that Safe Attachments will continue to see it as a new threat.

  5. Log in to the Office 365 tenant as Alex Wilber (alias AlexW).
  6. Click App Launcher, and then click Mail.
  7. Click New.
  8. In the To: field, type Lidia and, when the name resolves, select Lidia Holloway.
  9. Click Add a subject and type Litware Statement of Work.
  10. Click Add a message and type Here is the SOW file.
  11. At the top, click Attach.
  12. In the left navigation, click Computer.
  13. Navigate to and select the file Litware_SOW.doc.
  14. Click Open.
  15. Click Attach as a copy.
  16. Click Send.
Create an email message from Alex Wilber’s Yahoo account to LidiaH with both a malicious link and a benign link:

  1. In a browser session, navigate to Yahoo.com and, if necessary, sign up for a new account for Alex Wilber.
  2. If you’ve already signed up for an account, sign in to Yahoo with the correct account.
  3. In Yahoo, navigate to Mail.
  4. In Mail, click Compose.
  5. In the To: field, type LidiaH@<Tenant>.onmicrosoft.com.
  6. In the Subject field, type Cheap Flights.
  7. In the body, copy and paste the following text (the links should paste as well):

Hello Lidia,

Someone forwarded me this site. It looks like we can book all our flights for the next few months here.

Cheers,

Alex

I Bing, do you...

  8. Click Send.
