Many companies are allowing staff to work from home and remote indefinitely, raising questions about how they can protect work data on personal or uncontrolled devices.
As IT experts for working remote Gold Coast IT Support offer the following information to help.
Because we can lose company data in a variety of ways across different devices, we need to apply a variety of protection measures. Let’s take a look at the features in Microsoft 365 that can allow companies to protect their data while users are working remotely.
Use Mobile Application Management
Despite the name, mobile application management doesn’t just apply to mobile devices, it can also protect Windows 10 devices. Mobile Application Management policies can protect company data on both managed and unmanaged devices.
It works by applying protections to the apps your teams use to access company data, like Outlook, Teams, OneDrive and SharePoint.
You can enforce restrictions on these apps to prevent data being saved, cut, copied or pasted.
You can also require a PIN when the app starts or block the app from running on a jailbroken phone or tablet.
This feature can be used to selectively wipe company data from a users device, without affecting their personal files. This is handy for organisations where staff use their personal computers and mobile devices to access company information remotely.
Set up conditional access policies
We can use Conditional Access to enforce restrictions on non-compliant or unmanaged devices. Such as blocking access entirely, or preventing particular actions like stopping users from saving attachments in Outlook on the web or syncing files to OneDrive
We can apply these protections in other ways to apps like OneDrive and SharePoint. Preventing users from syncing data to their personal devices by either blocking access or only allowing limited web only access
Expert IT advice for working remotely
Use Cloud App Security to protect data on third-party apps
These protections don’t just relate to Microsoft 365 apps like OneDrive, SharePoint and Outlook; we can use Microsoft Cloud App Security to apply additional protections to apps like Dropbox Business too. Applying protection to a third-party app like Dropbox Business can prevent users from downloading your company data to unmanaged devices.
Apps like Dropbox Business also provide their own security measures, allowing you to block access and wipe company data when a device next comes online.
Configure idle session time outs
To lessen the likelihood of the wrong people accessing company information on a shared device, we can configure idle session time outs. These will sign users out after a period of inactivity, just like your bank does.
Get alerts on suspicious activities
Cloud App Security includes built-in alerts that trigger on potentially suspicious activities. We can use these to get notified about things like mass deletions, mass downloads and unusual volumes of external sharing
Protect sensitive data with Data Loss Prevention
We can use data loss prevention to restrict or impose conditions on the sharing of sensitive information. These policies can trigger on certain keywords like project names or sensitive information types like credit card numbers, driver’s license details or tax file information. Once a file containing this info is detected, it can display a warning, be blocked from being sent or have encryption applied.
Using Cloud App Security, we can apply additional data loss prevention measures to third party apps like Box and Dropbox Business
Use Sensitivity Labels
But what happens if this all fails, and someone downloads company data to a personal, unmanaged device. To protect against this, we can apply sensitivity labels. These labels define how sensitive a particular piece of content is and in turn can enforce protections on our data. What’s more, these protections apply no matter where it ends up. These baked-in protections can limit who can access the file and what they can do with it. Preventing the wrong people from opening, copying, saving, forwarding or printing sensitive documents or emails.
In many cases, these protections can be applied automatically by scanning for those same keywords and sensitive information types that data loss prevention uses.
As you can probably tell by now, there’s a lot you can do to protect your sensitive data when people are working from home. If you need help with any of this, reach out to us below.
https://gcits.com/wp-content/uploads/gcit-logo-300x138.png00Elliot Munrohttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngElliot Munro2021-04-14 10:26:382021-04-15 10:27:27How do I protect company data when my team works from home?
Org-Wide Teams in Microsoft Teams let you create a single Microsoft Team that includes all internal users in your organisation. However, Microsoft recommends that you make some changes to the team’s settings to cut down on excess noise and notifications.
What is an Org-Wide Microsoft Team?
An Org-Wide team in Microsoft Teams is just a team that includes everybody in your organisation. Its member list will automatically update as users come and go, and while it currently supports up to 1000 users, there are plans to increase this limit.
How do you create an Org-Wide Microsoft Team?
Creating an org-wide team is quite simple, just choose the Org-Wide team option from the drop-down when creating a new team at https://teams.microsoft.com
What are some best practices for Org-Wide Microsoft Teams?
If you have a lot of users in your organisation, these types of teams could quickly become very noisy and distracting.
To reduce excess notifications and noise, Microsoft have some best practice recommendations.
Only let team owners post on the General channel
You do this under Manage team
Click Settings, then Member permissions, then select Only owners can post messages.
Disable @mentions for the whole team
You’ll probably want to disable @mentions for the whole team, since that can send a notification to up to a thousand people at once.
You can do this do this under Settings, @mentions, Show members the option to @team or @[team name].
Automatically favorite important channels
Switch to the channels tab and tick Auto-favorite on the channels you would like to show up by default.
Also note that while the video above states that the feature is still in development, it has since been marked as launched.
https://gcits.com/wp-content/uploads/gcit-logo-300x138.png00Elliot Munrohttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngElliot Munro2021-04-07 12:20:072021-04-08 12:20:30Org-Wide teams in Microsoft Teams
The recently implemented Notifiable Data Breaches scheme imposes an obligation for entities to notify individuals whose personal information was exposed in a data breach if they’re at risk of serious harm.
If you don’t comply with the requirements of the scheme, the penalties can be quite severe. The Office of the Australian Information Commissioner can impose fines of up to $1.8 million for organisations, and $360 000 for company directors.
To find out how to assess a breach, as well as how to correctly notify any affected individuals, see this resource on the OAIC Website .
Which businesses need to comply?
While all businesses should take the privacy and security of customer data seriously, not every one needs to adhere to the NDB scheme.
If your business meets any of the following criteria, you’ll need to make sure you’re aware of the new requirements. Please note that this is not an exhaustive list. See the OAIC website for more information.
Any business with an annual turnover over $3 million dollars
Entities that are Tax File Number recipients, such as:
solicitors
tax agents
accountants
share registries and agents of ESS providers
Entities that provide any health services, such as:
traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
gyms and weight loss clinics
complementary therapists, such as naturopaths and chiropractors
child care centres and private schools.
Organisations or small businesses that provide credit, such as:
a bank
a building society, finance company or a credit union
a retailer that issues credit cards in connection with the sale of goods or services
an organisation or small businesses that supplies goods and services where payment is deferred for seven days or more, such as telecommunications carriers, and energy and water utilities
certain organisations or small busineses that provide credit in connection with the hiring, leasing, or renting of goods.
Entities related to an APP (Australian Privacy Principles) entity.
Entities that trade in personal information. These are businesses buy or sell personal information for a benefit, service or advantage.
Employee associations registered under the Fair Work (Registered Organisations) Act 2009
How to make sure your business is protected
If your organisation is covered by the Notifiable Data Breaches scheme, it’s important to make sure you are taking appropriate steps to protect your customers data.
https://gcits.com/wp-content/uploads/gcit-logo-300x138.png00Elliot Munrohttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngElliot Munro2021-03-23 10:28:322021-03-24 11:20:04Which Australian businesses are affected by the Notifiable Data Breaches scheme?
In the past couple of weeks I’ve uploaded a few scripts to help manage Office 365 customer environments in bulk via delegated administration. These scripts work well for us, though they only work when they’re initiated by a delegated administrator here. Sure, we could set them up on a server as a scheduled task, though in the interest of keeping things in the cloud, we’re moving them to Azure Functions.
If you’re interested, the scripts I’ve posted so far regarding Delegated Administration are here:
The Azure Functions service is Microsoft’s Function as a Service offering (FaaS). It’s similar to Hook.io, Google Cloud Functions or AWS Lambda if you’ve used any of those. Basically it lets you run standalone scripts or functions of a program in the cloud. One of Azure Functions’ benefits is that you don’t have to look after the underlying infrastructure, you can just add in your code and you’re pretty much done. You can start an Azure function using a HTTP or Azure Storage Queue trigger, or just set it to run on a timer. Azure Functions can run a variety of languages, though in this scenario, we’ll convert a simple Office 365 PowerShell script into a timer trigger function that runs each weekday.
Consumption Plan vs App Service Plan
For the number of functions we’ll be running, Azure functions are pretty much free with a Consumption Plan. This plan gives you a grant of 1 million executions and 400,000 GB-s of bandwidth, which we’ll be well under. However, Azure functions can also run on top of a paid Azure App Service Plan – which we’ll be taking advantage of.
Why pay for an Azure App Service Plan to run Azure Functions?
One of the limitations of the (almost) free version of Azure Functions is that it’s executions have a 5 minute limit, after which time they are terminated automatically. Apparently this is because the underlying virtual machines that run the functions are regularly recycled. Since some of our scripts have the potential to run longer than five minutes, we need to provision a small Azure App Service resource and then run our Azure functions on top of this. The VM that runs our App service runs continuously and will support long running functions
Here’s what we want to achieve:
Set up an Azure Function App running on an App Service Plan
Connect an Azure Function to Office 365
Modify an existing PowerShell script to run on an Azure function
In another post we’ll look at connecting Azure Functions to Azure Storage to use in reporting via Power BI, and triggers for Microsoft Flow.
Click the Green + button on the left menu, search for Functions, then click Function App
Click Create on the bottom right
Complete the required fields for the Function App
Choose to create a new Resource Group and Storage Account. For the Hosting Plan option, choose App Service Plan, then select an existing subscription or create a new one. In my case, I chose an S1 Plan, which is probably overkill. You’ll be able to get by with something much smaller.
Once you’ve completed the required fields, click Create and wait for it to complete deployment
After it’s finished deploying, open your function app and click the + button to create a new function.
Choose Custom function at the bottom
On the dropdown on the right, choose PowerShell
Choose TimerTigger-PowerShell and enter a name for your Azure Function.
For the Schedule, enter a cron expression. There used to be documentation at the bottom of the page on how to format these, though at the time of writing it hasn’t appeared. For a function that runs Monday to Friday at 9:30 AM GMT time, enter the following:
0 30 9 * * 1-5
Click Create, you’ll be greeted with an almost blank screen where you can start to enter your PowerShell script. Before we do this, we’ll set up the Azure function to connect to Office 365, and secure your credentials within the function app.
Set up your Azure Function to connect to Office 365
In this step, we’ll be doing the following:
Define and retrieve your FTP Details
The FTP Details of the Azure Function are needed to upload resources that the Azure Function requires to connect to Office 365.
Download, then upload the MSOnline PowerShell Module via FTP
Azure Functions have a lot of PowerShell Modules installed by default, though they don’t have the MSOnline module that lets us connect to Office 365. We’ll need to download the module on our local computer, then upload it into the Azure function. This method was borrowed from this article by Alexandre Verkinderen.
Secure your Office 365 Credentials within the Function App
Right now, Azure Functions don’t integrate with the Azure Key Vault service. While we can store credentials within the function, these credentials are stored in plain text where anyone with access to the function can view them. This method was borrowed from this article by Tao Yang.
How to define and retrieve the FTP credentials for your Azure function app
Click on the name of your function on the left menu.
Click Platform Features at the top, then click Deployment Credentials
Define a username and password for your FTP Credentials
Next under General Settings, click Properties.
Copy the FTP Host Name and make a note of it. You’ll need it to connect to the function’s storage via FTP and upload the MSOnline Module
Download, then upload the MSOnline PowerShell Module via FTP
Open PowerShell on your computer, then run the following command. Make sure there’s a folder called ‘temp’ in your C:\ drive.
Wait for it to download, then make sure it exists within C:\temp
Open Windows Explorer, and connect to your function via FTP using the FTP Hostname and credentials we retrieved earlier.
Navigate to site/wwwroot/YourFunctionName then create a new folder called bin
Open the bin directory, and upload the MSOnline folder from your C:\Temp Directory
Secure your Office 365 Credentials within the Azure Function App
On your computer, open PowerShell again and run the following commands. When you’re asked for your password, enter the password for the delegated admin account that you’ll use to manage your customers Office 365 environments. Make sure you press Enter again to run the final command to output the EncryptedPassword.txt file.
This will create two files on in your C:\temp folder. An EncryptedPassword text file and a PassEncryptKey file. Be sure to delete the EncryptedPassword file once we’re done.
Return to the FTP connection and create a directory called keys under the bin directory
Upload the PassEncryptKey file into the keys directory.
Return to your Azure Function Platform Settings, then open Application Settings.
Under Application Settings, create two new Key-Value pairs. One called user, which contains the username of your delegated admin account, and another called password, which contains the contents of your EncryptedPassword.txt file. Once you’ve added this, be sure to delete the EncryptedPassword.txt file from your computer.
Before you leave Application settings, update the Platform from 32 bit to 64 bit.
Wait for the settings to apply, then return to the Develop Section of your Azure Function
Modify your Office 365 PowerShell script for Azure Functions
Update the variables at the top of the script to ensure they match the function name, Module Name and Module Version.For your existing scripts, you may need to update your Write-Host references to Write-Output.This sample script is a modified version of this one. It will set the default password expiration policy for all of your customers’ domains to never expire.You can use this one or create your own script under the # Start Script comment
https://gcits.com/wp-content/uploads/ConnectAzureFunctionsToOffice365Featured.png330780Elliot Munrohttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngElliot Munro2021-03-22 14:04:272021-03-24 11:33:34Connect an Azure Function to Office 365
On April 21, 2020, Microsoft rebranded it’s small and medium business Office 365 products to Microsoft 365. This resulted in a name change for the popular Microsoft 365 Business product as well, which is now called Microsoft 365 Business Premium. GCITS provide Office 365 Support on the Gold Coast and Brisbane.
Note that the pricing and makeup of the plans haven’t changed, just the names.
Previously called
Now called
What it has
Office 365 Business Essentials
Microsoft 365 Business Basic
Cloud Services
Office 365 Business Premium
Microsoft 365 Business Standard
Cloud services and desktop apps
Microsoft 365 Business
Microsoft 365 Business Premium
Cloud services, desktop apps and advanced security
We’ve been advocates of Microsoft 365 Business Premium for a while now. We believe it’s the best value Microsoft 365 product around for businesses with under 300 users. As providers of Micorsoft 365 support here on the Gold Coast and Brisbane, we can assist you in the easy management of this terrific resource.
Want to know how to protect your data in Microsoft 365 Business Premium? Download our free guide to learn what features to switch on.
So why do we think you should go with Microsoft 365 Business Premium over Basic or Standard?
For us, it comes down to the Microsoft 365 Business Premium’s advanced security and compliance features.
Security and Compliance features of Microsoft 365 Business Premium
Microsoft 365 Business Premium includes advanced security features that are not present in the lower tier plans. These include:
Malware and Phishing protection with Office 365 Advanced Threat Protection
Microsoft 365 Safe Links and Safe Attachment policies protect against known and zero-day malware. Anti-Phishing policies protect users against phishing attacks using mailbox intelligence and machine-learning enhanced sender reputation checks.
Enhanced security for identities with Conditional Access
Conditional Access policies help balance security and productivity by applying the right security measures at the right time. For instance, if Microsoft 365 detects a risky sign-in from an unexpected location or non-compliant device, it can prompt for multi-factor authentication or block access to the user.
Enforce encryption on devices using Microsoft Intune
We can use Microsoft Intune to protect data on devices in the event of loss or theft. Microsoft Intune can configure Windows BitLocker, Apple’s File Vault, and encryption settings on Android and iOS devices.
Classify and protect confidential information with Azure Information Protection
Azure information protection helps companies use sensitivity labels and policies to classify and protect data. Built-in labels include Personal, Public, General, Confidential and Highly Confidential.
Depending on what label is applied, a policy can be used to protect it. These policies can enforce encryption, apply watermarks, prevent it from leaving your organisation and more.
Control company data on PCs with Windows Information protection
Many people use the same computer for both work and personal tasks. Windows Information protection tags files as ‘Work’ if they are generated by, or saved from, a corporate app. Files tagged as ‘Work’ are subject to the controls defined in your Information Protection policies. These files can:
be encrypted
prevented from being uploaded or shared via unmanaged apps
remotely wiped without affecting personal data.
Control access to sensitive emails with Information Rights Management
Information Rights Management allows your team to apply restrictions like “Do Not Copy” for specific documents and emails. When a recipient receives the email or document, they’ll be unable to forward, save, print or copy it.
Prevent sharing of sensitive info with Data Loss Prevention
Data Loss Prevention policies monitor the types of data that are uploaded to and shared outside your company. This info could be tax file numbers, credit card information, drivers license details and many more. When sensitive information is detected, the Data Loss Prevention policy can encrypt the message, notify the sender, alert an admin or block the message from being sent or file uploaded.
Remotely wipe company data and enforce security on devices with Microsoft Intune
Microsoft Intune lets us enforce security requirements on the devices that access company data. These could include requiring a strong password and encryption on phones and only allowing access via company-approved apps. When employees leave the company, Microsoft 365 can remotely wipe company data from the device without affecting personal info.
Unlimited archive for email
Microsoft 365 Business Premium provides practically unlimited storage for your email. Alongside the standard 50GB mailbox, users can access an unlimited archive of their email in Outlook.
Office 365 Support Gold Coast and Brisbane
Our expert assessment will have you supported the right way.
Want to enable advanced security in Microsoft 365 Business Premium?
While you get all the above features with Microsoft 365 Business Premium, you still need to configure them to suit your business and requirements. You can outsource the security of your cloud environment to GCITS. Get in touch for an expert assessment, and we can ensure the ongoing state management of these essential security policies.
https://gcits.com/wp-content/uploads/gcit-logo-300x138.png00Elliot Munrohttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngElliot Munro2021-03-21 12:11:132021-03-22 09:49:10What is Microsoft 365 Business Premium?
Skykick automates the migration of email from other platforms onto Office 365, though occasionally it needs a bit of help.
This is especially true when moving from Google Apps or Google for Work to Office 365. These mailboxes can bloat in size due to how both systems manage email folders.
Office 365 (Microsoft Exchange) stores email in folders, while Google gives email labels. The difference is, in Exchange an email can be in only one folder, while in Google an email can have multiple labels. When migrating from Google for Work to Office 365, SkyKick will create Exchange folders for every Google label, and migrate emails that are assigned multiple labels into multiple folders.
This results in a bunch of duplication on the destination system.
When you’re using Skykick to migrate large mailboxes from Google for Work, you may occasionally receive a message advising that the mailbox may exceed the storage limits on Office 365. While this message appears, synchronisation will be paused.
In order to resume the migration for this mailbox you’ll need to do the following:
Confirm you’re using the right retention policy
Enable archiving on the mailbox.
Ensure the archive is running.
Mark the alert as completed.
What are Exchange Retention Policies?
In Exchange, each mailbox is assigned a Retention Policy that contain the retention settings for mail within the mailbox. Retention policies are made up of Retention Policy Tags.
Retention Policy Tags outline how long Exchange is going to keep a user’s mail before performing a specific action on it. For Retention Policy Tags, this action can be PermanentlyDelete, DeleteAndAllowRecovery or MoveToArchive.
When archiving is enabled on a mailbox, the default policy is to archive anything older than two years. This may be enough to get the migration running again, but just in case it’s not, you can create a new Retention Policy Tag with a shorter archive time limit, apply it to a new Retention Policy, then apply the policy to the user you want to archive mail for.
Alternatively, you can edit the default policy (known as Default MRM Policy) or its tags, though this will affect all users that have archiving enabled.
You can create a new Retention Policy and Retention Policy Tags via PowerShell or via the Exchange Control Panel. In Exchange Control Panel, these actions are performed under Compliance Management. In this tutorial we’ll be working in PowerShell.
Setting up a Retention Policy in PowerShell
This new Retention Policy will move any mail older than 1 year into a users archive. It will have one tag.
Connect to Exchange Online via PowerShell as an Exchange Online Administrator
Run the following PowerShell cmdlet
New-RetentionPolicyTag "1 year move to archive" -Type All -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction MoveToArchive
Create the new Retention Policy and link the tags
New-RetentionPolicy "One Tag Policy" -RetentionPolicyTagLinks "1 year move to archive"
Assign a retention policy to a user
Set-Mailbox -Identity UserAliasOrEmail -RetentionPolicy "One Tag Policy"
Confirm the Retention Policy was applied correctly by running:
Get-Mailbox -Identity UserAliasOrEmail | ft Name,RetentionPolicy
Enable Archiving on a mailbox.
Once you’ve assigned the policy, you can enable archiving on the user’s mailbox. This can be done in the Exchange Control Panel under Recipients, Mailboxes on the right menu.
In Powershell, you can run the following cmdlet while connected to Exchange Online.
The default cmdlet return is to display the Name, ItemCount, StorageLimitStatus and LastLogonTime of the mailbox. To see more info, append ‘| fl *‘ (minus the quotations) to the cmdlet.
Your archive will probably be empty right now. To start the archive, run the following cmdlet.
Start-ManagedFolderAssistant UserAliasOrEmail
Now, if you run the Get-MailboxStatistics cmdlet a few times more, you’ll see the ItemCount increasing. Providing of course, that there’s email older than a year in the mailbox.
You can also append ‘| fl *‘ to the end of the cmdlet to get the available statistics for the user’s mailbox too. Try it a few times and watch it reduce as items are archived.
https://gcits.com/wp-content/uploads/gcit-logo-300x138.png00Elliot Munrohttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngElliot Munro2021-03-21 11:35:252021-03-24 11:35:56Working with archive policies in Office 365 and SkyKick
Improvements to Azure AD Identity Protection have launched, making it easier to identify and manage identity risks in your organization.
What is Azure Active Directory Identity Protection?
Azure AD Identity Protection uses machine learning to identify signs of suspicious activity or issues that might cause you to have a compromised identity in your organization. We can use Azure Identity Protection to configure policies that impose conditions on sign-ins or users that are deemed risky by Microsoft 365. We can also use it to manage, investigate and remediate risk alerts when a suspicious sign-in or user is detected.
Azure Identity Protection can generate alerts based on the following risk events:
Atypical travel
Anonymous IP
Unfamiliar sign in properties
Malware linked IP addresses
Leaked credentials
Azure AD Threat intelligence (activities that match known attack patterns)
The leaked credential alert is especially useful because it will let you know whether some of your users have credentials that are exposed on the dark web or in another breach. We use this in conjunction with the Have I Been Pwned API to alert our customers to compromised credentials.
Where can I find Azure Active Directory Identity Protection?
What’s new in Azure Active Directory Identity Protection?
Azure Identity Protection has been updated with new controls for managing, investigating and remediate issues with our identities.
We can use these improved controls to manage risk events in bulk, easily confirming a compromised user or dismissing alerts. These new controls are handy for larger organisations who generate many alerts each day.
For each alert, we can drill down and see more information on the user’s recent activities. We can see other user sign-ins and risk detections, as well as reset passwords, confirm compromise, block access and investigate further in Azure ATP. Choosing to investigate further opens up Cloud App Security, providing more insight into the user’s recent activities that contributed to the alert.
What license do I need for Azure Identity Protection?
Azure Identity Protection is included in Azure AD Premium P2 license. Azure AD Premium P2 is available under the following licenses:
https://gcits.com/wp-content/uploads/DJStringer_microsoft2.png9642057Chris Caulfieldhttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngChris Caulfield2020-06-04 10:42:032021-07-07 11:43:22Real estate company combats data security threats and increases efficiency with Microsoft 365
https://gcits.com/wp-content/uploads/Oculus_microsoft2.png10122092Chris Caulfieldhttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngChris Caulfield2020-06-03 10:53:132021-07-07 11:45:04Financial services group banks on Microsoft 365 to better safeguard data
Phishing emails are fake messages, designed to look legitimate.
They cost businesses around the world billions of dollars each year. And they get opened by about 30% of people. These emails will generally impersonate a person or company that you trust or deal with, and attempt to trick you using one of three things:
They’ll use a fake person – someone pretending to be someone you know, so that you share information or transfer money into an attacker’s bank account.
They’ll set up a fake site – So that you enter your private information, like passwords or credit card details, or provide a rogue app with permission to access your data.
They’ll create fake attachments – attackers will disguise malware in fake invoices and shipping notification to remotely access your computer or encrypt your files.
How can I prevent phishing emails with Microsoft 365?
To give our teams the best chance of avoiding phishing emails, not only do we need to make people aware of the methods above, we need to configure the features in Microsoft 365 that address them. Starting with Office 365 Advanced Threat Protection
Start with Office 365 Advanced Threat Protection
This is your companies primary defence against phishing emails. While all Office 365 plans come with a built-in anti-phish policy, it’s not even close to what’s offered in Office 365 Advanced Threat Protection, also known as Office 365 ATP.
Once you’ve purchased Office 365 ATP, you should jump into the Security and Compliance centre and check out your anti-phishing policy.
Its default controls are pretty good for detecting phishing emails that impersonate your users, your domains and external contacts. It develops an understanding of how your users and their contacts interact, the addresses and sending infrastructure they use, and identifies anything out of the ordinary. If it detects an impersonation attempt, the message is either quarantined or delivered with a warning.
You can enhance your protection by adding users in roles like CEO or CFO to the targeted user protection feature. You can also add external domains, that you frequently interact with, to the targeted domains feature.
Use a mail transport rule to warn on external impersonation
You can configure a mail rule that applies a warning to messages where an external sender uses a display name that matches someone internally in your company. We have an example rule on our website that has been pretty popular amongst smaller organisations.
So that helps address fake senders, how about fake attachments and fake websites? Office 365 ATP addresses these with the Safe Attachments and Safe Links policies.
Detect malicious attachments with Safe Attachments policy
The safe attachments policy can protect your users from malware sent by phishing emails, like the COVID-19 phishing campaign that used Excel files to install a malicious remote access tool. The Safe Attachments feature analyses your attachments in a separate environment, running a bunch of checks for malware then blocking the email or removing the unsafe attachment.
Detect malicious websites with a Safe Links Policy
The Safe links policy scans your URLs in emails for links to malicious sites. If a malicious website is detected, Safe Links blocks users from visiting it.
Remove phishing emails from mailboxes after delivery
These tools work by analysing messages for known malware, bad links or untrusted senders and stopping them arriving. But what happens if a bad email gets through, and the system doesn’t realise until later?
You should configure Zero Hour Auto Purge. Zero Hour Auto purge removes bad messages from your mailboxes retroactively and sends them junk, quarantine or deleted items.
Set up Office 365 ATP and Exchange Online Protection with recommended best practices
I’ve just discussed four different security policies in a few minutes. If you’ve spent any time looking at ATP or Exchange Online Protection policies, you’ll probably notice there’s a lot of policies, and most of them are already set up. Should you change anything or leave them as they are?
It would help if you changed them, and Microsoft has two levels of recommended best practices that they say will prevent most unwanted messages from reaching your team.
These two levels are called Strict and Standard. In our experience, Strict is very strict, but it’s a good starting point that you can enable first, and adjust later.
Test users by simulating a phishing campaign
Once your policies are set up, you should test your users. If you purchase Office 365 ATP Plan 2, you can run attack simulations against your team. Attack Simulations can help you identify and find vulnerable users before a real attack impacts them.
Protect your accounts if your team gives up their credentials
But what happens when messages get through? What happens when users get duped and provide their login details to attackers?
Protect your accounts. If a user enters their credentials into a fake website, we need to make sure an attacker can’t use these credentials alone to log in. All Office and Microsoft 365 plans allow you to configure multi-factor authentication; this will ensure that attackers can’t log in without having access to an additional form of verification such as a phone or authentication token.
If you have a plan that includes Azure Identity Protection, you should set up a sign-in risk policy to monitor for unusual logins. These policies use machine learning to detect suspicious activity and can temporarily block sign-ins and accounts if something’s amiss.
Monitor for unusual applications with access to your users’ data.
Now that accounts are getting more secure by default, attackers are requesting access to user data via apps. And it’s worse if they manage to trick an admin user because then attackers can have longstanding access to an entire organisation that persists even when passwords are changed.
It can be challenging to detect if a user clicks a phishing link and provides a rogue app with access to their mailbox, OneDrive or SharePoint data. So you use Microsoft Cloud App Security to get alerted to unusual oAuth applications with access to your teams’ information.
Be extra vigilant if your data has been exposed in the past
Take extra care if you, or companies you regularly interact with, have been breached before. If attackers have had access to your company data and know who usually communicates with who, and for what purposes, they will try to exploit that information by setting up fake emails to hold their fake conversations with their fake invoices to get your real money.
Need help with phishing in Office 365 or Microsoft 365?
If you need assistance setting-up these policies in your organisation or need a hand cleaning up after a successful phishing attack in Microsoft 365, we’d be happy to help. Reach out to us via chat, or using the form below.
https://gcits.com/wp-content/uploads/gcit-logo-300x138.png00Elliot Munrohttps://gcits.com/wp-content/uploads/gcit-logo-300x138.pngElliot Munro2020-05-27 17:33:392020-07-09 09:37:42How do I stop phishing emails?
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refuseing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Google Analytics Cookies
These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.
If you do not want that we track your visit to our site you can disable tracking in your browser here:
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Google Webfont Settings:
Google Map Settings:
Google reCaptcha Settings:
Vimeo and Youtube video embeds:
Other cookies
The following cookies are also needed - You can choose if you want to allow them:
How do I protect company data when my team works from home?
Cyber security, Data Loss Prevention, Microsoft 365, Microsoft Cloud App Security, SharePointMany companies are allowing staff to work from home and remote indefinitely, raising questions about how they can protect work data on personal or uncontrolled devices.
As IT experts for working remote Gold Coast IT Support offer the following information to help.
Because we can lose company data in a variety of ways across different devices, we need to apply a variety of protection measures. Let’s take a look at the features in Microsoft 365 that can allow companies to protect their data while users are working remotely.
Use Mobile Application Management
Despite the name, mobile application management doesn’t just apply to mobile devices, it can also protect Windows 10 devices. Mobile Application Management policies can protect company data on both managed and unmanaged devices.
It works by applying protections to the apps your teams use to access company data, like Outlook, Teams, OneDrive and SharePoint.
You can enforce restrictions on these apps to prevent data being saved, cut, copied or pasted.
You can also require a PIN when the app starts or block the app from running on a jailbroken phone or tablet.
This feature can be used to selectively wipe company data from a users device, without affecting their personal files. This is handy for organisations where staff use their personal computers and mobile devices to access company information remotely.
Set up conditional access policies
We can use Conditional Access to enforce restrictions on non-compliant or unmanaged devices. Such as blocking access entirely, or preventing particular actions like stopping users from saving attachments in Outlook on the web or syncing files to OneDrive
We can apply these protections in other ways to apps like OneDrive and SharePoint. Preventing users from syncing data to their personal devices by either blocking access or only allowing limited web only access
Expert IT advice for working remotely
Use Cloud App Security to protect data on third-party apps
These protections don’t just relate to Microsoft 365 apps like OneDrive, SharePoint and Outlook; we can use Microsoft Cloud App Security to apply additional protections to apps like Dropbox Business too. Applying protection to a third-party app like Dropbox Business can prevent users from downloading your company data to unmanaged devices.
Apps like Dropbox Business also provide their own security measures, allowing you to block access and wipe company data when a device next comes online.
Configure idle session time outs
To lessen the likelihood of the wrong people accessing company information on a shared device, we can configure idle session time outs. These will sign users out after a period of inactivity, just like your bank does.
Get alerts on suspicious activities
Cloud App Security includes built-in alerts that trigger on potentially suspicious activities. We can use these to get notified about things like mass deletions, mass downloads and unusual volumes of external sharing
Protect sensitive data with Data Loss Prevention
We can use data loss prevention to restrict or impose conditions on the sharing of sensitive information. These policies can trigger on certain keywords like project names or sensitive information types like credit card numbers, driver’s license details or tax file information. Once a file containing this info is detected, it can display a warning, be blocked from being sent or have encryption applied.
Using Cloud App Security, we can apply additional data loss prevention measures to third party apps like Box and Dropbox Business
Use Sensitivity Labels
But what happens if this all fails, and someone downloads company data to a personal, unmanaged device. To protect against this, we can apply sensitivity labels. These labels define how sensitive a particular piece of content is and in turn can enforce protections on our data. What’s more, these protections apply no matter where it ends up. These baked-in protections can limit who can access the file and what they can do with it. Preventing the wrong people from opening, copying, saving, forwarding or printing sensitive documents or emails.
In many cases, these protections can be applied automatically by scanning for those same keywords and sensitive information types that data loss prevention uses.
As you can probably tell by now, there’s a lot you can do to protect your sensitive data when people are working from home. If you need help with any of this, reach out to us below.
Org-Wide teams in Microsoft Teams
Microsoft 365, Microsoft Teams, Office 365, Office 365 Roadmap UpdatesOrg-Wide Teams in Microsoft Teams let you create a single Microsoft Team that includes all internal users in your organisation. However, Microsoft recommends that you make some changes to the team’s settings to cut down on excess noise and notifications.
What is an Org-Wide Microsoft Team?
An Org-Wide team in Microsoft Teams is just a team that includes everybody in your organisation. Its member list will automatically update as users come and go, and while it currently supports up to 1000 users, there are plans to increase this limit.
How do you create an Org-Wide Microsoft Team?
Creating an org-wide team is quite simple, just choose the Org-Wide team option from the drop-down when creating a new team at https://teams.microsoft.com
What are some best practices for Org-Wide Microsoft Teams?
If you have a lot of users in your organisation, these types of teams could quickly become very noisy and distracting.
To reduce excess notifications and noise, Microsoft have some best practice recommendations.
Only let team owners post on the General channel
Disable @mentions for the whole team
You’ll probably want to disable @mentions for the whole team, since that can send a notification to up to a thousand people at once.
Automatically favorite important channels
Switch to the channels tab and tick Auto-favorite on the channels you would like to show up by default.
Also note that while the video above states that the feature is still in development, it has since been marked as launched.
Which Australian businesses are affected by the Notifiable Data Breaches scheme?
NewsThe recently implemented Notifiable Data Breaches scheme imposes an obligation for entities to notify individuals whose personal information was exposed in a data breach if they’re at risk of serious harm.
If you don’t comply with the requirements of the scheme, the penalties can be quite severe. The Office of the Australian Information Commissioner can impose fines of up to $1.8 million for organisations, and $360 000 for company directors.
To find out how to assess a breach, as well as how to correctly notify any affected individuals, see this resource on the OAIC Website .
Which businesses need to comply?
While all businesses should take the privacy and security of customer data seriously, not every one needs to adhere to the NDB scheme.
If your business meets any of the following criteria, you’ll need to make sure you’re aware of the new requirements. Please note that this is not an exhaustive list. See the OAIC website for more information.
How to make sure your business is protected
If your organisation is covered by the Notifiable Data Breaches scheme, it’s important to make sure you are taking appropriate steps to protect your customers data.
Our Security First Managed Services offering is designed to help address the requirements of the NDB and the incoming EU General Data Protection Regulation. Find out how.
Connect an Azure Function to Office 365
Azure Functions, Office 365In the past couple of weeks I’ve uploaded a few scripts to help manage Office 365 customer environments in bulk via delegated administration. These scripts work well for us, though they only work when they’re initiated by a delegated administrator here. Sure, we could set them up on a server as a scheduled task, though in the interest of keeping things in the cloud, we’re moving them to Azure Functions.
If you’re interested, the scripts I’ve posted so far regarding Delegated Administration are here:
What are Azure Functions?
The Azure Functions service is Microsoft’s Function as a Service offering (FaaS). It’s similar to Hook.io, Google Cloud Functions or AWS Lambda if you’ve used any of those. Basically it lets you run standalone scripts or functions of a program in the cloud. One of Azure Functions’ benefits is that you don’t have to look after the underlying infrastructure, you can just add in your code and you’re pretty much done. You can start an Azure function using a HTTP or Azure Storage Queue trigger, or just set it to run on a timer. Azure Functions can run a variety of languages, though in this scenario, we’ll convert a simple Office 365 PowerShell script into a timer trigger function that runs each weekday.
Consumption Plan vs App Service Plan
Why pay for an Azure App Service Plan to run Azure Functions?
One of the limitations of the (almost) free version of Azure Functions is that it’s executions have a 5 minute limit, after which time they are terminated automatically. Apparently this is because the underlying virtual machines that run the functions are regularly recycled. Since some of our scripts have the potential to run longer than five minutes, we need to provision a small Azure App Service resource and then run our Azure functions on top of this. The VM that runs our App service runs continuously and will support long running functions
Here’s what we want to achieve:
In another post we’ll look at connecting Azure Functions to Azure Storage to use in reporting via Power BI, and triggers for Microsoft Flow.
How to set up a new Azure Function App
Set up your Azure Function to connect to Office 365
In this step, we’ll be doing the following:
Define and retrieve your FTP Details
The FTP Details of the Azure Function are needed to upload resources that the Azure Function requires to connect to Office 365.
Download, then upload the MSOnline PowerShell Module via FTP
Azure Functions have a lot of PowerShell Modules installed by default, though they don’t have the MSOnline module that lets us connect to Office 365. We’ll need to download the module on our local computer, then upload it into the Azure function. This method was borrowed from this article by Alexandre Verkinderen.
Secure your Office 365 Credentials within the Function App
Right now, Azure Functions don’t integrate with the Azure Key Vault service. While we can store credentials within the function, these credentials are stored in plain text where anyone with access to the function can view them. This method was borrowed from this article by Tao Yang.
How to define and retrieve the FTP credentials for your Azure function app
Download, then upload the MSOnline PowerShell Module via FTP
Secure your Office 365 Credentials within the Azure Function App
This will create two files on in your C:\temp folder. An EncryptedPassword text file and a PassEncryptKey file. Be sure to delete the EncryptedPassword file once we’re done.
Modify your Office 365 PowerShell script for Azure Functions
Write-Output "PowerShell Timer trigger function executed at:$(get-date)"; $FunctionName = 'SetPasswordExpirationPolicy' $ModuleName = 'MSOnline' $ModuleVersion = '1.1.166.0' $username = $Env:user $pw = $Env:password #import PS module $PSModulePath = "D:\home\site\wwwroot\$FunctionName\bin\$ModuleName\$ModuleVersion\$ModuleName.psd1" $res = "D:\home\site\wwwroot\$FunctionName\bin" Import-module $PSModulePath # Build Credentials $keypath = "D:\home\site\wwwroot\$FunctionName\bin\keys\PassEncryptKey.key" $secpassword = $pw | ConvertTo-SecureString -Key (Get-Content $keypath) $credential = New-Object System.Management.Automation.PSCredential ($username, $secpassword) # Connect to MSOnline Connect-MsolService -Credential $credential # Start Script $Customers = Get-MsolPartnerContract -All $PartnerInfo = Get-MsolCompanyInformation Write-Output "Found $($Customers.Count) customers for $($PartnerInfo.DisplayName)" foreach ($Customer in $Customers) { Write-Output "-----------------------------------------------" Write-Output " " Write-Output "Checking the Password Expiration Policy on each domain for $($Customer.Name)" Write-Output " " $domains = Get-MsolDomain -TenantId $Customer.TenantId | Where-Object {$_.Status -eq "Verified"} foreach($domain in $domains){ $domainStatus = Get-MsolPasswordPolicy -TenantId $Customer.TenantId -DomainName $domain.Name if($domainStatus.ValidityPeriod -eq 2147483647){ Write-Output "Password Expiration Policy is set for $($domain.name) already" $PasswordsWillExpire = $false $MsolPasswordPolicyInfo = @{ TenantId = $Customer.TenantId CompanyName = $Customer.Name DomainName = $domain.Name ValidityPeriod = $domainStatus.ValidityPeriod NotificationDays = $domainStatus.NotificationDays PasswordsWillExpire = $PasswordsWillExpire } } if($domainStatus.ValidityPeriod -ne 2147483647){ Write-Output "Setting the Password Expiration Policy on $($domain.Name) for $($Customer.Name):" Write-Output " " Set-MsolPasswordPolicy -TenantId $Customer.TenantId -DomainName $domain.Name -ValidityPeriod 2147483647 -NotificationDays 30 $PasswordPolicyResult = Get-MsolPasswordPolicy -TenantId $Customer.TenantId -DomainName $domain.Name if($PasswordPolicyResult.ValidityPeriod -eq 2147483647){ $PasswordsWillExpire = $false Write-Output "Password policy change confirmed working" } if($PasswordPolicyResult.ValidityPeriod -ne 2147483647){ $PasswordsWillExpire = $true Write-Output "Password policy change not confirmed yet, you may need to run this again." } $MsolPasswordPolicyInfo = @{ TenantId = $Customer.TenantId CompanyName = $Customer.Name DomainName = $domain.Name ValidityPeriod = $PasswordPolicyResult.ValidityPeriod NotificationDays = $PasswordPolicyResult.NotificationDays PasswordsWillExpire = $PasswordsWillExpire } } } }What is Microsoft 365 Business Premium?
Microsoft 365, Office 365On April 21, 2020, Microsoft rebranded it’s small and medium business Office 365 products to Microsoft 365. This resulted in a name change for the popular Microsoft 365 Business product as well, which is now called Microsoft 365 Business Premium. GCITS provide Office 365 Support on the Gold Coast and Brisbane.
We’ve been advocates of Microsoft 365 Business Premium for a while now. We believe it’s the best value Microsoft 365 product around for businesses with under 300 users. As providers of Micorsoft 365 support here on the Gold Coast and Brisbane, we can assist you in the easy management of this terrific resource.
Want to know how to protect your data in Microsoft 365 Business Premium? Download our free guide to learn what features to switch on.
So why do we think you should go with Microsoft 365 Business Premium over Basic or Standard?
For us, it comes down to the Microsoft 365 Business Premium’s advanced security and compliance features.
Security and Compliance features of Microsoft 365 Business Premium
Microsoft 365 Business Premium includes advanced security features that are not present in the lower tier plans. These include:
Malware and Phishing protection with Office 365 Advanced Threat Protection
Microsoft 365 Safe Links and Safe Attachment policies protect against known and zero-day malware. Anti-Phishing policies protect users against phishing attacks using mailbox intelligence and machine-learning enhanced sender reputation checks.
Enhanced security for identities with Conditional Access
Conditional Access policies help balance security and productivity by applying the right security measures at the right time. For instance, if Microsoft 365 detects a risky sign-in from an unexpected location or non-compliant device, it can prompt for multi-factor authentication or block access to the user.
Enforce encryption on devices using Microsoft Intune
We can use Microsoft Intune to protect data on devices in the event of loss or theft. Microsoft Intune can configure Windows BitLocker, Apple’s File Vault, and encryption settings on Android and iOS devices.
Classify and protect confidential information with Azure Information Protection
Azure information protection helps companies use sensitivity labels and policies to classify and protect data. Built-in labels include Personal, Public, General, Confidential and Highly Confidential.
Depending on what label is applied, a policy can be used to protect it. These policies can enforce encryption, apply watermarks, prevent it from leaving your organisation and more.
Control company data on PCs with Windows Information protection
Many people use the same computer for both work and personal tasks. Windows Information protection tags files as ‘Work’ if they are generated by, or saved from, a corporate app. Files tagged as ‘Work’ are subject to the controls defined in your Information Protection policies. These files can:
Control access to sensitive emails with Information Rights Management
Information Rights Management allows your team to apply restrictions like “Do Not Copy” for specific documents and emails. When a recipient receives the email or document, they’ll be unable to forward, save, print or copy it.
Prevent sharing of sensitive info with Data Loss Prevention
Data Loss Prevention policies monitor the types of data that are uploaded to and shared outside your company. This info could be tax file numbers, credit card information, drivers license details and many more. When sensitive information is detected, the Data Loss Prevention policy can encrypt the message, notify the sender, alert an admin or block the message from being sent or file uploaded.
Remotely wipe company data and enforce security on devices with Microsoft Intune
Microsoft Intune lets us enforce security requirements on the devices that access company data. These could include requiring a strong password and encryption on phones and only allowing access via company-approved apps. When employees leave the company, Microsoft 365 can remotely wipe company data from the device without affecting personal info.
Unlimited archive for email
Microsoft 365 Business Premium provides practically unlimited storage for your email. Alongside the standard 50GB mailbox, users can access an unlimited archive of their email in Outlook.
Office 365 Support Gold Coast and Brisbane
Our expert assessment will have you supported the right way.
Want to enable advanced security in Microsoft 365 Business Premium?
While you get all the above features with Microsoft 365 Business Premium, you still need to configure them to suit your business and requirements. You can outsource the security of your cloud environment to GCITS. Get in touch for an expert assessment, and we can ensure the ongoing state management of these essential security policies.
Working with archive policies in Office 365 and SkyKick
Exchange, Office 365Skykick automates the migration of email from other platforms onto Office 365, though occasionally it needs a bit of help.
This is especially true when moving from Google Apps or Google for Work to Office 365. These mailboxes can bloat in size due to how both systems manage email folders.
Office 365 (Microsoft Exchange) stores email in folders, while Google gives email labels. The difference is, in Exchange an email can be in only one folder, while in Google an email can have multiple labels. When migrating from Google for Work to Office 365, SkyKick will create Exchange folders for every Google label, and migrate emails that are assigned multiple labels into multiple folders.
This results in a bunch of duplication on the destination system.
When you’re using Skykick to migrate large mailboxes from Google for Work, you may occasionally receive a message advising that the mailbox may exceed the storage limits on Office 365. While this message appears, synchronisation will be paused.
In order to resume the migration for this mailbox you’ll need to do the following:
What are Exchange Retention Policies?
In Exchange, each mailbox is assigned a Retention Policy that contain the retention settings for mail within the mailbox. Retention policies are made up of Retention Policy Tags.
Retention Policy Tags outline how long Exchange is going to keep a user’s mail before performing a specific action on it. For Retention Policy Tags, this action can be PermanentlyDelete, DeleteAndAllowRecovery or MoveToArchive.
You can also create Retention Policy Tags that only affect a specific type of folder, for example DeletedItems or JunkEmail. For a full list of options, see this Technet Article: https://technet.microsoft.com/en-us/library/dd335226(v=exchg.160).aspx
Why create your own Retention Policy?
When archiving is enabled on a mailbox, the default policy is to archive anything older than two years. This may be enough to get the migration running again, but just in case it’s not, you can create a new Retention Policy Tag with a shorter archive time limit, apply it to a new Retention Policy, then apply the policy to the user you want to archive mail for.
Alternatively, you can edit the default policy (known as Default MRM Policy) or its tags, though this will affect all users that have archiving enabled.
You can create a new Retention Policy and Retention Policy Tags via PowerShell or via the Exchange Control Panel. In Exchange Control Panel, these actions are performed under Compliance Management. In this tutorial we’ll be working in PowerShell.
Setting up a Retention Policy in PowerShell
This new Retention Policy will move any mail older than 1 year into a users archive. It will have one tag.
Enable Archiving on a mailbox.
Once you’ve assigned the policy, you can enable archiving on the user’s mailbox. This can be done in the Exchange Control Panel under Recipients, Mailboxes on the right menu.
Ensure the Archive is running.
Mark the alert as complete
Once your archive has begun processing, you can return to SkyKick and mark the alert as complete. The migration for the mailbox will kick off again.
Managing identity risks with Azure Active Directory Identity Protection
Azure Active Directory, Cyber security, Identity, Microsoft 365, Microsoft 365 UpdatesImprovements to Azure AD Identity Protection have launched, making it easier to identify and manage identity risks in your organization.
What is Azure Active Directory Identity Protection?
Azure AD Identity Protection uses machine learning to identify signs of suspicious activity or issues that might cause you to have a compromised identity in your organization. We can use Azure Identity Protection to configure policies that impose conditions on sign-ins or users that are deemed risky by Microsoft 365. We can also use it to manage, investigate and remediate risk alerts when a suspicious sign-in or user is detected.
Azure Identity Protection can generate alerts based on the following risk events:
The leaked credential alert is especially useful because it will let you know whether some of your users have credentials that are exposed on the dark web or in another breach. We use this in conjunction with the Have I Been Pwned API to alert our customers to compromised credentials.
Where can I find Azure Active Directory Identity Protection?
What’s new in Azure Active Directory Identity Protection?
Azure Identity Protection has been updated with new controls for managing, investigating and remediate issues with our identities.
We can use these improved controls to manage risk events in bulk, easily confirming a compromised user or dismissing alerts. These new controls are handy for larger organisations who generate many alerts each day.
For each alert, we can drill down and see more information on the user’s recent activities. We can see other user sign-ins and risk detections, as well as reset passwords, confirm compromise, block access and investigate further in Azure ATP. Choosing to investigate further opens up Cloud App Security, providing more insight into the user’s recent activities that contributed to the alert.
What license do I need for Azure Identity Protection?
Azure Identity Protection is included in Azure AD Premium P2 license. Azure AD Premium P2 is available under the following licenses:
You get some limited reporting on risky users, risky sign-ins and risk detections in Azure AD Premium P1, which is included in Microsoft 365 Business Premium.
Since Microsoft licensing can change, see here for up to date licensing requirements.
Real estate company combats data security threats and increases efficiency with Microsoft 365
Case Study, Microsoft 365, Office 365Financial services group banks on Microsoft 365 to better safeguard data
Case Study, Microsoft 365, Office 365How do I stop phishing emails?
Exchange, Malware and Security Threats, Microsoft 365, Microsoft Cloud App SecurityWhat are phishing emails?
Phishing emails are fake messages, designed to look legitimate.
They cost businesses around the world billions of dollars each year. And they get opened by about 30% of people. These emails will generally impersonate a person or company that you trust or deal with, and attempt to trick you using one of three things:
They’ll use a fake person – someone pretending to be someone you know, so that you share information or transfer money into an attacker’s bank account.
They’ll set up a fake site – So that you enter your private information, like passwords or credit card details, or provide a rogue app with permission to access your data.
They’ll create fake attachments – attackers will disguise malware in fake invoices and shipping notification to remotely access your computer or encrypt your files.
How can I prevent phishing emails with Microsoft 365?
To give our teams the best chance of avoiding phishing emails, not only do we need to make people aware of the methods above, we need to configure the features in Microsoft 365 that address them. Starting with Office 365 Advanced Threat Protection
Start with Office 365 Advanced Threat Protection
This is your companies primary defence against phishing emails. While all Office 365 plans come with a built-in anti-phish policy, it’s not even close to what’s offered in Office 365 Advanced Threat Protection, also known as Office 365 ATP.
Once you’ve purchased Office 365 ATP, you should jump into the Security and Compliance centre and check out your anti-phishing policy.
Its default controls are pretty good for detecting phishing emails that impersonate your users, your domains and external contacts. It develops an understanding of how your users and their contacts interact, the addresses and sending infrastructure they use, and identifies anything out of the ordinary. If it detects an impersonation attempt, the message is either quarantined or delivered with a warning.
You can enhance your protection by adding users in roles like CEO or CFO to the targeted user protection feature. You can also add external domains, that you frequently interact with, to the targeted domains feature.
Use a mail transport rule to warn on external impersonation
You can configure a mail rule that applies a warning to messages where an external sender uses a display name that matches someone internally in your company. We have an example rule on our website that has been pretty popular amongst smaller organisations.
So that helps address fake senders, how about fake attachments and fake websites? Office 365 ATP addresses these with the Safe Attachments and Safe Links policies.
Detect malicious attachments with Safe Attachments policy
The safe attachments policy can protect your users from malware sent by phishing emails, like the COVID-19 phishing campaign that used Excel files to install a malicious remote access tool. The Safe Attachments feature analyses your attachments in a separate environment, running a bunch of checks for malware then blocking the email or removing the unsafe attachment.
Detect malicious websites with a Safe Links Policy
The Safe links policy scans your URLs in emails for links to malicious sites. If a malicious website is detected, Safe Links blocks users from visiting it.
Remove phishing emails from mailboxes after delivery
These tools work by analysing messages for known malware, bad links or untrusted senders and stopping them arriving. But what happens if a bad email gets through, and the system doesn’t realise until later?
You should configure Zero Hour Auto Purge. Zero Hour Auto purge removes bad messages from your mailboxes retroactively and sends them junk, quarantine or deleted items.
Set up Office 365 ATP and Exchange Online Protection with recommended best practices
I’ve just discussed four different security policies in a few minutes. If you’ve spent any time looking at ATP or Exchange Online Protection policies, you’ll probably notice there’s a lot of policies, and most of them are already set up. Should you change anything or leave them as they are?
It would help if you changed them, and Microsoft has two levels of recommended best practices that they say will prevent most unwanted messages from reaching your team.
These two levels are called Strict and Standard. In our experience, Strict is very strict, but it’s a good starting point that you can enable first, and adjust later.
Test users by simulating a phishing campaign
Once your policies are set up, you should test your users. If you purchase Office 365 ATP Plan 2, you can run attack simulations against your team. Attack Simulations can help you identify and find vulnerable users before a real attack impacts them.
Protect your accounts if your team gives up their credentials
But what happens when messages get through? What happens when users get duped and provide their login details to attackers?
Protect your accounts. If a user enters their credentials into a fake website, we need to make sure an attacker can’t use these credentials alone to log in. All Office and Microsoft 365 plans allow you to configure multi-factor authentication; this will ensure that attackers can’t log in without having access to an additional form of verification such as a phone or authentication token.
If you have a plan that includes Azure Identity Protection, you should set up a sign-in risk policy to monitor for unusual logins. These policies use machine learning to detect suspicious activity and can temporarily block sign-ins and accounts if something’s amiss.
Monitor for unusual applications with access to your users’ data.
Now that accounts are getting more secure by default, attackers are requesting access to user data via apps. And it’s worse if they manage to trick an admin user because then attackers can have longstanding access to an entire organisation that persists even when passwords are changed.
It can be challenging to detect if a user clicks a phishing link and provides a rogue app with access to their mailbox, OneDrive or SharePoint data. So you use Microsoft Cloud App Security to get alerted to unusual oAuth applications with access to your teams’ information.
Be extra vigilant if your data has been exposed in the past
Take extra care if you, or companies you regularly interact with, have been breached before. If attackers have had access to your company data and know who usually communicates with who, and for what purposes, they will try to exploit that information by setting up fake emails to hold their fake conversations with their fake invoices to get your real money.
Need help with phishing in Office 365 or Microsoft 365?
If you need assistance setting-up these policies in your organisation or need a hand cleaning up after a successful phishing attack in Microsoft 365, we’d be happy to help. Reach out to us via chat, or using the form below.