Threat Explorer and Investigations: Important Features for Office 365, but Only If You Have Defender Plan 2
Microsoft announced in September that the old Office 365 Security and Compliance center would be redirected to the new Microsoft 365 Defender portal, which would serve as “the new home for all Office 365 customers who protect their organization’s email and collaboration tools.” It’s a clumsy phrase, but it means that if you use Exchange Online Protection, Microsoft Defender for Office 365 Plan 1, or Plan 2, you’ll go to the Defender portal. This page describes where you can now find features.
Microsoft Defender for Office 365 is a component of the overall Defender suite. Office 365 E3 includes Exchange Online Protection, which is part of Microsoft Defender for Office 365 Plan 1. Plan 1 includes features such as Safe Attachments (for email, Teams, SharePoint Online, and OneDrive for Business), Safe Links, real-time malware detection, and anti-phishing. Plan 2 adds automation, investigation, and remediation. Plan 1 is worthwhile and useful, but Plan 2 is where the interesting stuff happens, which is why it’s included in Office 365 E5 and Microsoft 365 E5 (remember, prices increase on March 1). Defender Plan 2 is not the only feature of Office 365 E5. You get a lot of added functionality in that SKU, so this is unlikely to be the deciding factor for a purchase.
Two of Plan 2’s distinct capabilities piqued my interest. The first is Threat Explorer (Figure 1), which is Microsoft’s single pane of glass view of email traffic within an organization presented with the goal of highlighting threats. Because Threat Explorer has access to user data, accounts with specific permissions, such as a global administrator or security administrator, are required to use the capability (see this page for permissions required for Defender).
Once Threat Explorer has loaded, the email entity page allows you to view up to 30 days of email traffic details, the URLs contained in the email, which URLs receive clicks, the top users targeted by spammers, where the email comes from (based on geo-location), and so on. Accounts designated as priority users are also highlighted.
Not everything in Threat Explorer works as smoothly as I’d like. For example, the top targeted users view identified several people as being the target of multiple attempts (spam, malware, phishing?), but the details pane provided no information about the messages labeled as attempts. Large numbers of messages generated by Exchange Online to synchronize public folder hierarchies (you won’t be bothered if the tenant doesn’t have any PFs) clog the view of email; these obvious and well-known system messages should be filtered out. And Threat Explorer moves slowly from one option to the next, most likely due to the volume of data it must handle. That’s not a criticism of the software; rather, it’s a reflection of the amount of processing Threat Explorer does to make sense of email traffic.
If you come across a message that piques your interest, you can view its details in a fly-out window. This is a very useful tool because it gathers a lot of useful information in one place. Consider the message details in Figure 2, which are from a commercial email sent on behalf of a company. We can say this because the P2 sender’s return path is different and redirects responses to a marketing system (Data Loss Prevention policies changed recently to use the P2 sender to focus on the purported sender rather than return-path addresses). The headers can be extracted and pasted into Microsoft’s message header analyzer site, which functions similarly to the Outlook Message Header Analyzer add-in.
Figure 2 is devoid of any information about the SCL and BCL scores assigned to the message by Exchange Online Protection. This information did not appear for any of the messages I examined, which could be due to a bug or a misconfiguration in my tenant. What does appear in the Email detection details section is information about email policies that cause messages to be classified as spam. Messages that have been identified as phishing display information under Detection details.
If the message under consideration is in a cloud user mailbox, Threat Explorer can preview or download the content. These options can be found in the upper right-hand corner of Figure 2. Messages that have been flagged as phishing cannot be previewed or downloaded using Threat Explorer.
The preview feature was intriguing because it decrypts messages protected by Office 365 Message Encryption (OME) or sensitivity labels. I assume Exchange Online uses its super-user permission to decrypt messages as they pass through the transport pipeline.
Some people may be concerned about administrator access to user data, especially after learning about the decryption capability. Those investigating an issue, on the other hand, require tools to do their job, and understanding why messages are problematic may necessitate viewing their content. In any case, administrators have other ways to access mailbox data (such as conducting a content search and exporting the results to a PST file), which is why organizations should limit permissions whenever possible and request that administrators use non-permissioned accounts for day-to-day work.
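As an added example (not part of the original post), the following script lists the members of the built-in Security & Compliance role groups whose holders can run Threat Explorer investigations or content searches, so that membership can be reviewed against the least-privilege advice above. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the signed-in account is allowed to read role groups; the role group names are the built-in ones, but the threshold of three members used to flag a group is an arbitrary, constructed value.

```powershell
# Added example, not from the original post. Enumerates privileged Security &
# Compliance role groups so their membership can be reviewed and trimmed.
# Assumes: ExchangeOnlineManagement module installed, interactive sign-in.
# Note: the Azure AD Global Administrator role is not a role group here and
# must be reviewed separately in the Azure AD / Entra portal.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession          # Security & Compliance PowerShell

# Built-in role groups that grant investigation or search/export rights.
$privilegedGroups = @(
    'Organization Management',
    'Security Administrator',
    'Security Operator',
    'Security Reader',
    'eDiscovery Manager'
)

$reviewThreshold = 3         # constructed value: flag groups larger than this

$report = foreach ($group in $privilegedGroups) {
    # Get-RoleGroupMember returns one object per direct member.
    $members = Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RoleGroup   = $group
        MemberCount = @($members).Count
        Members     = (@($members) | ForEach-Object { $_.Name }) -join '; '
        Review      = if (@($members).Count -gt $reviewThreshold) { 'YES' } else { '' }
    }
}

# Show the result and keep a dated copy for the access review trail.
$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\RoleGroupReview-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run this periodically and compare the CSV with the previous one; any new member of Security Administrator or eDiscovery Manager is a change worth confirming, since those groups can read and export mailbox content.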
The second section of Defender for Office 365 Plan 2 that piqued my interest was the Investigations section. Administrators often have less time than they would like to deal with threats, so Defender can respond to problems it detects using an automated investigation and response component (AIR). I discovered one active investigation (Figure 3), which was sparked by the arrival of a phishing message addressed to multiple mailboxes.
The evidence gathered to decide that a message is problematic is the most interesting data to consider. When we select the evidence tab, we see seven indicators that there is a problem (Figure 4). Individual strands of evidence such as the type of content (in this case, a notification of direct deposit to a bank account), recipients, attachments, and signs of known malware, when taken together, make the case that this message requires action.
When AIR detects a problem message, it suggests a suitable remediation action, such as removing copies of the message delivered to user mailboxes. AIR does not perform the remediation action until a security administrator approves it. All of the evidence (“entities”) shown in Figure 2 are awaiting approval. To approve, choose one or all of the entities and click the OK button. Defender, in my experience, takes some time to process approved actions, but they do occur eventually. In this case, because the message was a phishing attempt, the Zero-hour auto purge (ZAP) feature automatically moved all copies of the message to the Junk Email folder without user intervention.
To ensure that ZAP resolved the issue, conduct a content search for copies of the message using its subject and export the search results. Messages that are detected should be placed in the Junk Email folder. If you want to permanently remove these messages, you can perform a purge action on the content search.
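The check described above, scripted with Security & Compliance PowerShell, as an added example that is not code from the original post. It assumes the ExchangeOnlineManagement module is installed and that the account holds the eDiscovery Manager role (and the Search And Purge role for the final step). The subject line is a constructed sample; the search name is generated from the date.

```powershell
# Added example, not from the original post: verify that ZAP moved the phishing
# message, export the hits, and optionally purge them with a content search.
# Assumes: ExchangeOnlineManagement module, eDiscovery Manager + Search And Purge roles.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$Subject    = 'Direct deposit update required'               # constructed sample subject
$SearchName = "ZAP-check-$(Get-Date -Format 'yyyyMMdd-HHmm')"  # generated name

# 1. Create a content search across all mailboxes keyed on the subject, then start it.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
    -ContentMatchQuery "subject:`"$Subject`"" | Out-Null
Start-ComplianceSearch -Identity $SearchName

# 2. Poll until the search completes.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
} until ($search.Status -eq 'Completed')
"Search '{0}' found {1} item(s)" -f $SearchName, $search.Items

# 3. Preview the hits (location, sender, subject, received time). Use the preview in
#    the compliance portal to confirm each copy now sits in Junk Email.
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
Start-Sleep -Seconds 30
(Get-ComplianceSearchAction -Identity "${SearchName}_Preview").Results

# 4. Export the results (the download itself is done from the compliance portal
#    with the eDiscovery Export Tool, which is where a PST can be produced).
New-ComplianceSearchAction -SearchName $SearchName -Export | Out-Null

# 5. Only if the copies should be removed rather than left in Junk Email:
#    soft-delete them (recoverable by the user); -PurgeType HardDelete is permanent.
#    A purge removes at most 10 items per mailbox per run, so repeat for larger hits.
$purge = Read-Host "Purge the $($search.Items) item(s) found? (y/N)"
if ($purge -eq 'y') {
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false
}

Disconnect-ExchangeOnline -Confirm:$false
```

Keeping the purge behind an explicit prompt mirrors the approval step AIR requires: the search and export are read-only evidence gathering, while the purge is the remediation that should be a deliberate, logged decision.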
Upgrade to Get Defender Plan 2
The capabilities available in Microsoft 365 Defender for Office 365 Plan 2 are not, by themselves, enough to justify the additional cost of upgrading to Office 365 E5. Because that decision has such a large cost implication for anything other than a small tenant, many factors must come together to create a compelling justification for the expenditure. Every quarter, Microsoft emphasizes its success in moving customers to higher-priced plans, owing largely to customers’ desire to use the compliance and security functionality available to Office 365 E5 and Microsoft 365 E5 tenants. Microsoft 365 Defender for Office 365 Plan 2 is just one of the components that help Microsoft sell upgrades to customers. In that light, it’s a useful tool to have if you can afford it.
Author: Olivia Smith is a Microsoft Office expert and a full-time blogger with 5 years of experience in the technology industry. She has written technical blogs, white papers, and reviews for a variety of websites, including microsoft365.com/setup