New Security Features in Office 365 Threat Intelligence

Microsoft Office 365 Threat Intelligence gives security teams the insights and tools needed to combat the tactics used by today’s threat actors.

Office 365 Threat Intelligence, part of the Office 365 Enterprise E5 license SKU, gives security analysts various tools to protect their organization’s Office 365 users. Microsoft recently announced a couple of powerful new security features that make O365 Threat Intelligence and E5 worth a closer look, especially if your organization is using third-party tools as part of your security posture.

New Office 365 Threat Intelligence features

Attack Simulator

Attack Simulator allows security analysts to run realistic attack scenarios, as part of a targeted campaign, to identify vulnerable users before a real attack damages the organization’s reputation, bottom line, or both. Attack Simulator is currently in preview and offers three attack simulations that you can run. These are:

  • Display name spear-phishing attack
  • Password-spray attack
  • Brute-force password attack

Each of these threats can be simulated against real users in the organization, but in a controlled fashion. For instance, you can create a campaign to simulate a display name spear-phishing attack – a customized form of phishing where some level of reconnaissance has taken place to identify high-profile users, such as CEOs or CFOs. Emails, appearing to come from a high-level officer or manager, are sent to individuals, typically in finance departments. Users who click on spear-phishing links – links that would normally redirect users to a site where their credentials would be stolen – are instead redirected to an informational page, designed by you, to educate the user on how to better identify such attacks in the future.

Privileged Access Management

Microsoft already offers Privileged Identity Management (PIM) in Azure AD, as part of the Enterprise Mobility + Security suite, to protect privileged roles. EM+S PIM does a great job of protecting your privileged roles by ensuring that administrators who require elevated privileges only acquire them in a “just in time/just enough” framework. However, organizations can now protect critical Office 365 workloads, such as Exchange Online, with Privileged Access Management (PAM), a policy-based scheme that limits the administrative tasks IT staff can carry out even where they have already been granted the role in the organization. It is an effective way to “watch the watchers,” so to speak.

As an example, how would you prevent someone with Exchange Admin privileges from going rogue and enabling a mailbox journal rule on the CEO’s mailbox that copies all emails to a shadow mailbox? Logging the activity is fine, but if no one is monitoring the logs regularly, this type of activity can go unnoticed for days or weeks and can result in the loss of valuable and proprietary corporate data. The new PAM features allow security departments to create approval groups and policies for specific high-risk tasks, so that only activities sanctioned through the approval process are allowed, and only for a limited amount of time. Activities are logged and therefore auditable, so that both privileged access requests and approvals can be reviewed and produced for internal reviews and auditor requests.
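The journal-rule scenario above, worked through in Exchange Online PowerShell as an added example (not code from the original post or from Microsoft). It assumes an existing Exchange Online PowerShell session with Global Administrator rights and a mail-enabled security group, shown here with the placeholder address pam-approvers@contoso.example, that will act as the approver group.

```powershell
# Added example: gate creation of journal rules behind PAM approval.
# Assumptions: Exchange Online PowerShell session with Global Admin rights;
# 'pam-approvers@contoso.example' is a placeholder for your approver group.

$Approvers = 'pam-approvers@contoso.example'   # placeholder approver group

# 1. Turn on privileged access management for the tenant and name the
#    group whose members may approve requests.
Enable-ElevatedAccessControl -AdminGroup $Approvers -DefaultApprovers $Approvers

# 2. Create a policy for the high-risk task from the article: creating a
#    journal rule. 'Manual' means a human approver must sign off before the
#    task is allowed; 'Auto' would grant it automatically but still record it.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual -ApproverGroup $Approvers

# 3. An Exchange admin who needs a journal rule now has to request
#    time-boxed access, with a justification, instead of simply running
#    New-JournalRule. Access expires after the requested number of hours.
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Journal CEO mailbox for legal hold, ticket LEGAL-0000 (placeholder)' `
    -DurationHours 4

# 4. A member of the approver group lists pending requests, then approves or
#    denies by request ID (copy the ID from the listing below).
Get-ElevatedAccessRequest | Format-List

Approve-ElevatedAccessRequest -RequestId '<request-id-from-the-list-above>' `
    -Comment 'Approved for the duration of the legal hold work'
# Deny-ElevatedAccessRequest -RequestId '<request-id>' -Comment 'Not sanctioned'

# 5. Requests and decisions are retained, so the full history of who asked
#    for what, why, and who approved it can be reviewed or handed to auditors.
Get-ElevatedAccessRequest | Format-List
```

With the policy in place, a rogue New-JournalRule without an approved request is refused rather than merely logged, which is the "watch the watchers" control the section describes.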

Want to know more?

The threat landscape continues to evolve, and threat actors are continually finding new and innovative ways to steal credentials, damage reputations and affect the financial health of organizations both large and small. If you would like to find out more about these new features, or the other ways Microsoft and Oxford Computer Group can help your organization combat these threats, please contact us.