Learn about common threats, including spoofing, malware, spam, phishing attempts, and how features such as DKIM and DMARC can help reduce threat impact.
- [Instructor] With Office 365, there is very little difference between a hosted cloud service and your own on-premises infrastructure. Of course, Microsoft have an economy of scale, which makes their cost lower for customers, but their services are still at risk of data loss from malicious threats. Some of the common threats made against Office 365 data include spoofing, spam, and phishing. Spoofing is the act of sending out communications made to look as though they originate from a different user or source.
Spam, which is very common, is unwanted communications, such as emails, or newsletters, sent out to either inform, advertise, sell products, or to gain money fraudulently. Software which tries to infect digital devices is known as malware, and this either tries to steal data, or hold data to ransom, in order to extort money. Malware includes viruses, worms, and trojans. Phishing is the act of finding suitable victims. It can be done using the telephone or email, to target people into revealing their personal data, such as their banking or password information.
Office 365 guards against spoofing by adding a Sender Policy Framework, or SPF, text record to your domain, which is then made available via DNS. This protection is only available if you use a custom domain name, and not the default onmicrosoft.com. The SPF identifies which servers are authorized to send mail for your domain, on your behalf. When a recipient email system receives mail, it will check the SPF record to ensure that the email is coming from an authorized email server.
That is, it's being sent from the source from which it claims to have been sent. If you have all of your email fully hosted in Office 365, then the SPF record will look to use the format displayed on screen. To further enhance the Office 365 protection against malicious spoofing, there are two additional advanced trust mechanisms that you could also employ. These are Domain Keys Identified Email, or DKIM, and DMARC, which stands for Domain-based Message and Authentication Reporting and Conformance.
DKIM ensures that destination email servers trust messages sent from your custom domain, and should be used in addition to SPF. With DKIM in place, a digital signature is added to the email message header. You then publish your public key in your DNS records, and the receiving email systems use the digital signature to check that the email is from your verified source. This might sound difficult to configure, but thankfully, Office 365 automatically sets up DKIM for the initial domains, using a default policy, but you can configure DKIM for your custom domains.
DMARC provides additional protection against spoofing and phishing emails, and works with SPF and DKIM. In every email message, there are two "From" addresses: the "Mail from" address, which is part of the mail envelope, and another "From" address, which is displayed in the email application. A spoofed email may try to exploit this vulnerability, since SPF only checks the "Mail from" address. When you implement DMARC, you will use a DMARC TXT record for your domain, and this identifies your outbound email servers as authorized.
DMARC performs a check against the "From" address. DMARC also helps with what to do with messages that have been sent from your domain, that have failed SPF or DKIM checks. These can be do nothing, quarantine, or reject. When you have an Office 365 subscription, you can host emails in the Cloud. All spam and malware protection is provided by Microsoft Exchange Online services, and all mail that is stored in mailboxes, in Office 365, is automatically protected.
The Microsoft Exchange Online service, within Office 365, includes email connection filtering, spam filtering, outbound filtering, mail flow rules, and spam confidence levels. Connection filtering checks reputation of the sender against a safe sender list, before allowing messages through. You can also create a block list, too. Spam filtering checks message characteristics, to see if a message is consistent with spam.
Filtering can be configured to check for certain languages, countries, and regions. Outbound filtering checks to ensure that your own mail servers have not been hijacked and are not being used to send out spam emails. Mail flow rules, also called transport rules, can be used to create custom rules based on business policies. In this way, you can block or quarantine messages that match specific conditions. With mail flow rules in place, you can use spam confidence levels, or SCL, to gauge how likely it is that a message contains spam.
For phishing, all inbound email messages will be scrutinized and measured against machine learned models, using advanced algorithms, so that phishing messages can be detected. The anti-phishing protection attempts to detect and alert users whenever coercive emails, or fake websites, impersonating trusted websites are found. The anti-phishing protection is part of the Office 365 Advanced Threat Protection, which we'll cover in more detail, later.