The firm's direction has been to use Microsoft's integrated security. The experience is more seamless and transparent than that of vendor services such as Mimecast's URL Protection, which rewrites URLs using a proprietary method that prevents other email security services from applying complementary scanning. Especially in the case of after-the-fact delivery of emails with malicious URLs, we have so far relied on Mimecast to update its scanning engines. When Mimecast has failed to do this quickly, other services such as Umbrella have caught malicious URLs that Mimecast had already delivered to us. Therefore, for this and other reasons related to keeping current with Microsoft's security and compliance tooling (branded Purview and Defender) across O365 and Azure, H&F will shift toward using the Microsoft Defender and SafeLinks toolsets.


Reference:


SafeLinks

SafeLinks in Microsoft Defender for Office365 

Managing SafeLinks and Allow/Block Lists

Comprehensive Information on creating "safe senders" in Exchange Online

Microsoft 365 Defender - Microsoft submission site for analysis



Area 1 Design Docs

https://hf.app.box.com/file/845348700968


Microsoft Defender Connected APIs (Abnormal Security API, Exchange Admin API, Area 1 API)

https://security.microsoft.com/interoperability/connected_apps?tid=3e86eed3-6eb7-45cf-b283-d0546b8575f6


Microsoft Defender Quarantine

https://security.microsoft.com/quarantine?viewid=Email&tid=3e86eed3-6eb7-45cf-b283-d0546b8575f6


Microsoft Defender Email Explorer (explore email delivery origins and verdicts, open email for review, geolocate email, trace clicked URLs, phishing campaigns, and more)

https://security.microsoft.com/threatexplorer?tid=3e86eed3-6eb7-45cf-b283-d0546b8575f6


Microsoft Defender Advanced Hunting (see, Email and Collaboration section)

https://security.microsoft.com/v2/advanced-hunting?tid=3e86eed3-6eb7-45cf-b283-d0546b8575f6


Microsoft Threat Protection Policies and Rules (Threat Policies, Alert Policies, Advanced Alerts, Activity Alerts)

https://security.microsoft.com/securitypoliciesandrules?tid=3e86eed3-6eb7-45cf-b283-d0546b8575f6


Microsoft Defender Cloud Discovery (see messaging statistics, and discovered business and personal messaging apps)

https://security.microsoft.com/cloudapps/discovery?tid=3e86eed3-6eb7-45cf-b283-d0546b8575f6


Microsoft Defender Mailbox Audit (see who did what and when, requires digging)

https://security.microsoft.com/auditlogsearch?tid=3e86eed3-6eb7-45cf-b283-d0546b8575f6


Email Tracking

TRACE


Abnormal Security

https://portal.abnormalsecurity.com/login?next=%2Fhome%2Fthreat-center%2Fremediation-history%3Fcsn%3Dhellman_and_friedman_corp%26endTime%3D1653019199999%26source%3Dadvanced%26startTime%3D1645246800000


Area 1 Security

https://horizon.area1security.com/users/login


Exchange Online (Cloud)

Exchange Admin Center (New) - https://admin.exchange.microsoft.com/#/

Old ECP - https://outlook.office365.com/ecp/?rfr=Admin_o365&exsvurl=1&mkt=en-US&Realm=hf.com


Exchange Online Hybrid

https://hybrid.hf.com/ecp


Public Folder Management & Permissioning

https://admin.exchange.microsoft.com/#/publicfolders


M365 Health

Health Dashboard - https://admin.microsoft.com/AdminPortal/Home#/healthoverview

Service Health - https://admin.microsoft.com/AdminPortal/Home#/servicehealth


M365 Directory Sync Status (are things syncing to the cloud or not)

https://admin.microsoft.com/AdminPortal/Home#/dirsyncmanagement


M365 Upcoming Changes (ignore at your own risk)

https://admin.microsoft.com/AdminPortal/Home#/MessageCenter


M365 to Outlook Integrated Apps/Addins

https://admin.microsoft.com/AdminPortal/Home#/Settings/IntegratedApps


SafeLinks: What can users expect to see?


SafeLinks and Microsoft Defender (via Area 1 tagging) are services that are already in place. On the administrator's side, it was announced two years ago that email headers may be tagged as either Malicious or Suspicious by Area 1.


Email tagged as Malicious or Suspicious by Area 1 is routed to the Microsoft Defender Quarantine by transport rules in Exchange Online. In addition, IT is notified when these transport rules fire and either Block or Quarantine the email.


Please refer to the Warnings from SafeLinks section of the SafeLinks in Microsoft Defender site for the warning pages users may encounter:



Malicious Links


Suspicious Links


Phishing Email Link is clicked


IT Blocks URL via a Microsoft Submission


Link cannot be scanned (IT to check and validate in VirusTotal)



Microsoft SafeLinks


Microsoft SafeLinks is part of a Microsoft Defender Threat Protection policy. 


The full path to the Microsoft SafeLinks Microsoft submission queue is: https://security.microsoft.com/reportsubmission


To submit a link, click the URLs tab and click the "Submit to Microsoft for analysis" button. 


For phishing emails where SafeLinks has rendered either a false positive or a correct phishing verdict, please submit the email via the Emails tab.


Attachments can be submitted as well by clicking the Email Attachments tab.*


* Security Warning: Refer to Data Governance section 2.2 of the WISP to seek approval from a BPO before submitting Confidential or Restricted data to Microsoft. Microsoft does have a signed NDA with H&F, but it is important that we provide transparency to the BPO that a submission is necessary.

After clicking the "Submit..." button, a flyout window appears on the right-hand side.


1. Click the drop-down to select the submission type, e.g. URL.

2. Enter the URL.

3. Select whether the URL should or should not have been blocked.

4. Select whether the URL was Phish, Malware, or Spam.

5. Select the amount of time for the block.


Note: 

Microsoft uses this information not just for H&F but for all of its customers. Microsoft may expire blocks it deems incorrect, or where the business justification is insufficient.


Important

Because Microsoft manages allow entries for you, unneeded URL allow entries will be removed. This behavior protects H&F and helps prevent misconfigured allow entries. If we disagree with the verdict, you will need to open a support case to help determine why a URL is still considered bad.


Tenant Allow/Block List


There are cases where a domain must be blocked tenant-wide, and where you need to manually override a Microsoft Defender verdict. This is where the Tenant Allow/Block List comes in. Note that although Microsoft labels this a Tenant Allow/Block List, an allow request can now only be entered through the submission portal (above). Use the Tenant Allow/Block List site to see the status of domains Microsoft has cleared, and to manually submit blocks to Microsoft (in addition to the submission process above) where an override is required for something that Microsoft allowed through. The link for this is: https://security.microsoft.com/tenantAllowBlockList



So what gives? Do you use the Microsoft Defender SafeLinks submission portal or the Tenant Allow/Block List?


To clarify, this is exactly what you should expect to happen when using the Microsoft Submission Portal and the Tenant Allow/Block List feature:


Microsoft Submission Portal (it's an H&F user submission, with the potential of making the big-time Microsoft worldwide block list)

1. The Microsoft Submission Portal is for teaching Microsoft.

2. An allow or block entry is automatically created and appears on the Files or URLs tab in the Tenant Allow/Block List.

   a. Microsoft learns from what you submit. If Microsoft has not learned from an Allow submission which you have set to expire in 30 days, Microsoft will automatically add another 30 days to the expiry to continue trying to learn why it should allow the submission. It will repeat that after another 30 days, and if it has not learned to allow the submission by the 90th day, Microsoft will expire the allow entry and start blocking it again.

   b. At this point, there is extremely high confidence that what you are seeking to block is likely just unwanted email, but is not malicious in any way.

   c. There are transport rules and other tools that can be used to process such blocks, and end users can also direct unwanted email to Junk automatically by right-clicking the email and selecting Send to Junk to instruct Outlook.

3. If this was a phishing attempt, and the user received a phishing policy pop-up, then the email was automatically blocked by domain or for user impersonation, and an entry will appear in the Anti-Phishing portal under the Trusted Senders and Domains section here: https://security.microsoft.com/antiphishing

4. For all other reasons, including IT entries in the Microsoft Submission Portal, your entries can be seen in the Domains & Addresses tab of the Tenant Allow/Block List.

5. The block entry should start working immediately 99.999% of the time. For the rest, it could take up to 24 hours.

6. Blocks at this level (as with Anti-Spam and Anti-Phishing) are H&F user-targeted submissions.

 

Tenant Allow/Block List (it's a Microsoft worldwide block submission)

1. The Tenant Allow/Block List is for attempting to override Microsoft. Not all entries in this list will be accepted, and you may be directed to the Microsoft Submission Portal by the Tenant Allow/Block List when attempting to make an entry.

2. Microsoft will look at these entries at a global rather than a user level to determine whether its global filters should be modified for all Microsoft customers.

3. As with the Microsoft Submission Portal, your entries here should be set to expire in 30 days.

 

H&F recommendations for ordering submissions:

1. Microsoft Submission Portal: Block and allow entries submitted to the Microsoft Submission Portal for end-user reports.
2. Tenant Allow/Block List: For domains, URLs and files where IT has reviewed and determined that a worldwide block is in order, submit block entries for domains and email addresses (including spoofed senders) in the Tenant Allow/Block List.
3. Outlook Junk Folder entry: Create Outlook Blocked Senders (the Blocked Senders list that's stored in each mailbox).
4. Anti-Spam Policy: Blocked sender lists or blocked domain lists in anti-spam policies.
5. Exchange Online Protection: Create mail flow rules, also known as transport rules.
6. Firewall or Endpoint Manager: Block IPs or use Conditional Access to block via connection filtering at the Azure or Palo Alto firewall, or at the Endpoint Manager level.
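The Tenant Allow/Block List entries described above can also be created and audited from PowerShell, which makes the 30-day expiry guidance easy to enforce and the "is the block still in place?" question quick to answer. This is an added example, not an H&F script; it assumes the ExchangeOnlineManagement module, and the URL, domain and ticket text are constructed placeholders.

```powershell
# Added example (not H&F's own tooling): manage Tenant Allow/Block List block entries
# with the ExchangeOnlineManagement module. Allow requests are intentionally absent here,
# because (per the page) allows now go through the Microsoft Submission Portal.
Connect-ExchangeOnline   # interactive sign-in; requires the ExchangeOnlineManagement module

# Page guidance: manual entries should expire in 30 days rather than live forever.
$expires = (Get-Date).AddDays(30).ToUniversalTime()

# IT-reviewed URL block (Files/URLs tab). Placeholder URL; TABL URL entries omit the scheme.
New-TenantAllowBlockListItem -ListType Url -Block `
    -Entries 'phish-landing.example.invalid/login' `
    -ExpirationDate $expires `
    -Notes 'Ticket PLACEHOLDER: phishing landing page reported by end user'

# Sender/domain block for a spoofed sending domain (Domains & Addresses tab). Placeholder domain.
New-TenantAllowBlockListItem -ListType Sender -Block `
    -Entries 'spoofed-vendor.example.invalid' `
    -ExpirationDate $expires `
    -Notes 'Ticket PLACEHOLDER: display-name spoof of a vendor'

# Status check: list current block entries and when each lapses, so a verdict that
# "came back" can be traced to an expired entry rather than a filter failure.
function Get-BlockEntrySummary {
    foreach ($type in 'Url', 'Sender') {
        Get-TenantAllowBlockListItems -ListType $type -Block |
            Select-Object @{n='Type';e={$type}}, Value, Action, ExpirationDate, Notes
    }
}
Get-BlockEntrySummary | Sort-Object ExpirationDate | Format-Table -AutoSize

# Remove an entry early once the case is closed (placeholder URL matches the one added above).
Remove-TenantAllowBlockListItems -ListType Url -Entries 'phish-landing.example.invalid/login'
```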


Area 1


Area 1's Exchange Online transport rules are:


AREA 1 BEC Protection (on for IT only)

This rule (as seen when Daniel Li emails us) will warn users that the email sender is not who they appear to be. What this means is that the display name or the displayed sending address is being impersonated and does not match the underlying email domain (potential spoof).


Notify on AREA 1 Malicious Messages

This rule checks for an Area 1 tag in the email where the 'X-Area1Security-Disposition' header carries a MALICIOUS verdict. When this verdict is detected, the email is blocked outright. There is no recovery from Exchange Online for such emails; they must be resent. To clear them within Area 1, click the Gear icon, then Allow List, and add a pattern that escapes the dot before the TLD or subdomain in the sending address. For instance, clearing user@domain.com would be user@domain\.com. Clearing the domain would be *.@domain\.com.


Block AREA 1 Malicious Messages

This transport rule blocks based on the aforementioned 'MALICIOUS' verdict seen in the Area 1 disposition header.


AREA 1 Preserve Spam Tagging

This transport rule ensures that there is no further modification of the spam scoring placed in the header by Area 1 via the 'X-Forefront-Antispam-Report-Untrusted' header. Other Exchange Online spam rules are in place to mark emails as trusted (SCL = -1). This rule ensures that the SCL -1 does not override the spam verdict rendered by Area 1.


AREA 1 Spam Tag Send to Quarantine

This transport rule works off of Area 1's spam verdict in the header, where 'X-Area1Security-Disposition' comes in with a verdict of 'SPAM'.
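The MALICIOUS-block, IT-notify and SPAM-quarantine rules described above are all conditions on the same Area 1 disposition header, which is easiest to see when they are expressed as mail flow rules in PowerShell. This is an added example, not H&F's actual rule definitions; it assumes the ExchangeOnlineManagement module, and the notification mailbox is a placeholder.

```powershell
# Added example (not H&F's own rule definitions): Exchange Online mail flow rules keyed on
# the 'X-Area1Security-Disposition' header the page describes. Rule names follow the page.
Connect-ExchangeOnline   # interactive sign-in; requires the ExchangeOnlineManagement module

$dispositionHeader = 'X-Area1Security-Disposition'

# MALICIOUS verdict: delete the message outright (no recovery from Exchange Online, as the
# page notes) and send IT an incident report. 'it-security@example.invalid' is a placeholder.
New-TransportRule -Name 'Block AREA 1 Malicious Messages' `
    -Priority 0 `
    -HeaderContainsMessageHeader $dispositionHeader `
    -HeaderContainsWords 'MALICIOUS' `
    -DeleteMessage $true `
    -GenerateIncidentReport 'it-security@example.invalid' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections `
    -Comments 'Added example: block + notify on Area 1 MALICIOUS disposition'

# SPAM verdict: route to the hosted quarantine instead of the user's Junk folder.
New-TransportRule -Name 'AREA 1 Spam Tag Send to Quarantine' `
    -Priority 1 `
    -HeaderContainsMessageHeader $dispositionHeader `
    -HeaderContainsWords 'SPAM' `
    -Quarantine $true `
    -Comments 'Added example: quarantine on Area 1 SPAM disposition'

# Verification: Area 1 rules must be evaluated before any rule that sets SCL -1, otherwise
# the trusted-sender override wins. Listing by priority makes an ordering mistake visible.
function Get-Area1RuleOrder {
    Get-TransportRule |
        Where-Object { $_.Name -like '*AREA 1*' } |
        Sort-Object Priority |
        Select-Object Priority, Name, State, HeaderContainsMessageHeader, HeaderContainsWords
}
Get-Area1RuleOrder | Format-Table -AutoSize
```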


A quick word regarding mail flow. Mail flow follows this path exactly (the legend lists the systems involved, in the order they were colour-coded in the original diagram):

 

Legend

Abnormal Security API
Area1 Security Inline & API
Exchange Online
Mimecast
Outlook Trust Center & Microsoft Edge Security


Internet > Mimecast > Area 1 Security (Inline) [verdict header tagging] > Exchange Online [if MALICIOUS, block] [if SPAM or SUSPICIOUS, quarantine: Exchange Online to Windows Defender Quarantine] > Abnormal Security API [if SUSPICIOUS, Windows Defender Quarantine] > [if SPAM or SUSPICIOUS] Outlook Junk Folder > Outlook Trust Center & Microsoft Edge Security > Outlook Mailbox


Future State (once transitioned off of Mimecast):


Internet > Exchange Online (transport rules) > Abnormal Security API [if SUSPICIOUS, Windows Defender Quarantine] > Abnormal Security [if SPAM or SUSPICIOUS] > Outlook Junk Folder > Outlook Trust Center & Microsoft Edge Security > Outlook Mailbox > Area 1 API [verdict header tagging] > Area 1 API post-delivery email retraction based on spear-phishing analysis