Let’s talk about Office 365 Advanced Threat Protection


In April of 2015, Microsoft announced Advanced Threat Protection (ATP), an enhancement to Exchange Online Protection focused on the analysis of known and ‘zero-day’ threats contained in email attachments, together with an interception method to prevent click-through to compromised links.

Here’s a ‘Microsoft Mechanics’ video, explaining the technical details of ATP:

And here’s information about how to get ATP.

So far, so good. But what is it like to deploy ATP in your Office 365 tenant and configure it?

Let’s take a look.

ATP is divided into two distinct categories of action:

  • Safe Attachments (which, as the name implies, is the attachment analysis component)
  • Safe Links (which analyzes links against a list of known bad URLs)

Each area’s actions are configured by ATP policies which you can explore here.

In my experience thus far, the Safe Links component has proven to be quite aggressive, unhelpfully redirecting benign URLs (when Safe Links is active, URLs are rewritten to pass through https://na01.safelinks.protection.outlook.com/?url=... so they can be analyzed at click time; see here).

Your outcomes may vary, but within my tenant, Safe Links has been more intrusive than useful and has, therefore, been deactivated (no doubt, that decision will be revisited after further testing).

Safe Attachments, on the other hand, has proven to be more effective, preventing 10 zero-day threats from reaching end-users in a 5 day period, which is an impressive needle-in-a-haystack result when you consider the many tens of thousands of emails reviewed during that period.

There are additional steps required, I should mention, to determine what action ATP Safe attachments has taken.

Through the O365 admin GUI (Exchange Admin Center, https://outlook.office365.com/ecp, then “advanced threats” > “safe attachments”), ATP does provide a decent visual overview of its activities:

To generate a report, click the icon that resembles a bar graph:

[Screenshot: the bar-graph report icon in the Safe Attachments interface]

By choosing “Advanced Threat by Disposition”, you’ll see a bar chart reporting interface:

[Screenshot: the “Advanced Threat by Disposition” bar chart]

Next, by choosing the “view pending or completed requests” link (not shown above), you’ll see a listing of the message trace activity that lies behind the reports you see in visual form:

[Screenshot: ATP message trace listing]

Now we arrive at a key part of the ATP process: confirming, via reporting, that the ‘hits’ are, in fact, malware.

Earlier, I mentioned that in 5 days, ATP had successfully intercepted 10 zero-day threats. How do I know that?

The answer, unfortunately, isn’t straightforward.

Let’s return to the ATP safe attachments interface:

[Screenshot: the ATP Safe Attachments policy list]

ATP’s actions flow from policies you create here. By choosing the pencil icon, we can take a look at the configuration for safe attachments:

[Screenshot: the Safe Attachments policy editor]

And, by selecting “settings” you can configure how ATP will react (or, if it will react) to suspicious attachments:

[Screenshot: the Safe Attachments policy settings]

In the policy shown above, ATP is directed to replace a file that’s suspected of being compromised before it reaches the recipient and to redirect that file to a mailbox for further analysis. It applies the same action when processing times out.

To get more detail explaining why ATP red-flagged a file (or whether a timeout occurred), I examine what’s sent to the reporting mailbox (a shared mailbox I created for this purpose).
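The policy described above, created with Exchange Online PowerShell instead of the EAC, as an added example that is not part of the original post; the policy name, recipient domain and reporting-mailbox address are placeholders, and the session assumes the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original post). Placeholders: policy name,
# recipient domain and reporting mailbox. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$PolicyName       = 'ATP-SafeAttachments-Replace'
$RecipientDomain  = 'contoso.example'
$ReportingMailbox = 'atp-reports@contoso.example'   # shared mailbox used for review

# Replace the suspicious attachment before delivery and redirect the original
# file to the reporting mailbox. -ActionOnError applies the same action when
# scanning times out or errors, which is the behaviour the settings above show.
New-SafeAttachmentPolicy -Name $PolicyName `
    -Enable $true `
    -Action Replace `
    -Redirect $true `
    -RedirectAddress $ReportingMailbox `
    -ActionOnError $true

# A policy does nothing until a rule scopes it to recipients.
New-SafeAttachmentRule -Name $PolicyName `
    -SafeAttachmentPolicy $PolicyName `
    -RecipientDomainIs $RecipientDomain

# Read the effective configuration back: Action, Redirect and RedirectAddress
# must agree, or redirected files have nowhere to go.
Get-SafeAttachmentPolicy -Identity $PolicyName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress, ActionOnError
```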

Looking at the reporting account Inbox, you can see the results of an ATP safe attachments report (sender, recipient, and other details obscured for obvious reasons):

[Screenshot: an ATP Safe Attachments report message in the reporting mailbox]

Using this information, we can perform a message trace to discover why ATP intercepted this attachment:

[Screenshot: message trace showing a string of deferrals]

Notice the string of deferrals listed?

This means that ATP could not determine whether or not the attachment contained malware and, following policy, removed the file from the email sent to the recipient, redirecting it to our reporting mailbox.

Deferrals can prove challenging to understand: we don’t know whether the attachment is compromised, and, because there is currently little detailed information about ATP’s performance characteristics, it’s difficult to know what makes one file an analysis hurdle (leading to deferrals) and another simpler to process.

Is it file size? Or perhaps file type? Right now, we don’t know and I’ve yet to see firm information from Microsoft providing guidance (questions posed to the Office 365 Network haven’t been effectively answered).

You should be aware that, either way, message delivery can be delayed by ATP:

“Email delivery – If the safe attachments policy that applies to a particular recipient has an action of Block, the email will not be delivered until the attachments can be detonated by the safe attachments technology in EOP. Safe attachments will launch a unique hypervisor to open the attachment. This can result in a delivery delay of 5-30 minutes for each mail evaluated by safe attachments.”

[…]

(Full text here.)

Although the quote above mentioned delays when ATP is configured to block, we’ve also seen latency when the rule is set to redirect.

Let’s take a look at a case of positively identified malware:

[Screenshot: message trace showing a positively identified malware detection]

Here, we see ATP safe attachments identifying malware within an attached file.

Of course, it isn’t sufficient to simply take ATP’s word for it; we need to confirm that the report is accurate. To do that, we must submit the file for further analysis by a third party such as VirusTotal or Malwr.
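Two helpers for the verification steps described above (finding the deferrals in the message trace, and checking an attachment redirected to the reporting mailbox against VirusTotal), added here as an example and not part of the original post; they assume a connected Exchange Online session, a VirusTotal v3 API key, and that ‘Defer’ is the event name shown in the trace.

```powershell
# Added example (not from the original post). Assumes a connected Exchange Online
# session and a VirusTotal v3 API key; the 'Defer' event name is as in the trace above.
function Get-AtpDeferredMessages {
    param([Parameter(Mandatory)] [string] $ReportingMailbox, [int] $Days = 5)
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    # Messages delivered to the reporting mailbox whose trace contains Defer events,
    # i.e. attachments ATP could not finish scanning before the policy redirected them.
    Get-MessageTrace -RecipientAddress $ReportingMailbox -StartDate $start -EndDate $end |
        ForEach-Object {
            $events = Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId `
                                             -RecipientAddress $ReportingMailbox
            $defers = @($events | Where-Object { $_.Event -eq 'Defer' })
            if ($defers.Count -gt 0) {
                [pscustomobject]@{
                    Received  = $_.Received
                    Sender    = $_.SenderAddress
                    Subject   = $_.Subject
                    Deferrals = $defers.Count
                }
            }
        }
}

# Hash an attachment exported from the reporting mailbox and look the hash up on
# VirusTotal. Only the SHA-256 leaves the tenant; the file itself is not uploaded.
function Test-AttachmentReputation {
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $ApiKey)
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    try {
        $report = Invoke-RestMethod -Method Get `
            -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
            -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        # 404: no engine has seen this hash. Report it as unknown, never as clean.
        if ([int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ Sha256 = $sha256; Verdict = 'unknown'; Malicious = $null }
        }
        throw
    }
    $stats   = $report.data.attributes.last_analysis_stats
    $verdict = if ($stats.malicious -gt 0) { 'malicious' } else { 'no-detections' }
    [pscustomobject]@{ Sha256 = $sha256; Verdict = $verdict; Malicious = $stats.malicious }
}
```

An ‘unknown’ verdict means the hash has never been analyzed, so the file still needs to be submitted to the sandbox of your choice; it is not evidence that the attachment is benign.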

Reviewing the process so far…

1.) Deploy ATP to your tenant

2.) Configure the safe attachments and safe links policy

3.) Analyze the results and, in the case of Safe Attachments, submit those results to third-party tools to verify ATP’s interception.

Confirmation of findings is pretty labor-intensive and, at some critical points, very manual. It would be nice if the analytical portion was reflected in the ATP reporting interface (including a listing of deferrals vs. positive hits) and if there was a method to submit attachments for confirmation within the workflow.

So far, these options don’t exist.

In the next post, we’ll take a look at safe links and also, the PowerShell cmdlets for managing ATP. We’ll also review how to create a kind of whitelist.