TL;DR Take lessons learned from investigation, such as reviewing how emails evaded existing phishing controls to update anti-malware policies. Configure Defender for Office and Defender for Cloud Apps threat and alert policies to prevent and detect email-based attacks. Don’t rely on out-of-the-box (OOTB) configuration, use KQL to identify noisy polices and adjust rule scope or sensitivity. Introduction This is the last of a three-part series (part one here, part two here) looking at effective investigation, response, and remediation to email threats in M365, with the final blog focussed on native detection and prevention options in M365. BEC attacks typically leverage the compromise of a trusted third party to conduct a phishing attack against a partner organisation. Given that email traffic from this third-party domain is expected, phishing emails can sneak past defensive tools. Once a mailbox has been compromised, attackers often create inbox rules to remain undetected, often launching a new phishing campaign. Having missed the earliest detection opportunities, security teams are then alerted by the affected users noticing unexpected responses to phishing emails sent from their compromised mailbox. Configuring good detection and prevention policies can “raise the bar” for compromise, and alert security teams earlier in the attack chain before significant damage is done. This blog discusses a few options in M365, such as guidance on configuring threat and alert…Read More
