Office 365 to Block Harmful Content Regardless of Custom Configs

Posted by javajolt on February 05, 2020, 02:13:33 PM
Microsoft is currently working on new features designed to block malicious content in Office 365 regardless of the custom configurations set up by administrators or users unless manually overridden.

This change was prompted by the fact that some settings allow for Office 365 Exchange Online Protection/Advanced Threat Protection detonation verdicts to be bypassed and inadvertently allow malicious content to reach the customers' inboxes.

Once the new features are enabled, Office 365 will automatically honor EOP/ATP detonation — malware analysis — verdicts to block known malicious files and URLs regardless of custom configurations.

Quote
We see lots of cases where the configuration of our protection stack has enabled malicious content to be inadvertently delivered to end-users. We’re working on a few features that will help address this problem. Our first phase includes Honoring detonation verdicts. All too frequently, URLs and files that have been flagged as malicious are allowed through to the inbox due to transport rules and domain allows. - Microsoft

Domain allows and transport rules are the settings most commonly responsible for content flagged as malicious by Office 365 EOP or ATP still being delivered to end-users.

"We’re updating our filters to ensure that malicious files and URLs are not delivered regardless of configuration unless manually overridden," says the features' entry on the Microsoft 365 Roadmap.

The "Office 365 ATP, Secure by Default" update is currently under active development according to the roadmap and comes with an estimated release date set for February 2020, to be generally available in all environments.

Office 365 end-users urged not to bypass spam filters

Microsoft previously warned Office 365 admins and users against bypassing the built-in spam filters in June 2019, as part of a support document that also provides guidelines for cases when this can't be avoided.

As Redmond says, Office 365 end-users should avoid enabling Allow or Block lists within the Spam Filter policies, as well as skipping Transport Rules scanning. Microsoft also urges Outlook or Outlook on the Web users and admins not to toggle on Safe and Blocked senders.

"We recommend that you do not use these features because they may override the verdict that is set by Office 365 spam filters," says Microsoft.

Microsoft advises all Office 365 users and admins who choose to override the spam filters anyway to:

Quote
   • Never put domains that you own onto the Allow and Block lists.

   • Never put common domains, such as microsoft.com and office.com, onto the Allow and Block lists.

   • Not keep domains on the lists permanently unless you disagree with the verdict of Microsoft.

Microsoft recommends that Office 365 customers report junk email messages using the Microsoft Junk Email Reporting Add-in "to help reduce the number and effect of future junk email messages," while Outlook users can employ the Report Message add-in to report junk email.

"If you have to set bypassing, you should do this carefully because Microsoft will honor your configuration request and potentially let harmful messages pass through," the support document says.

"Additionally, bypassing should be done only on a temporary basis. This is because spam filters can evolve, and verdicts could improve over time."

More Office 365 security-focused updates

Microsoft's development team previously announced the rollout of the Office 365 Advanced Threat Protection (ATP) Campaign Views feature in public preview in December 2019, designed to provide security teams with a summary of the attack flow behind phishing attacks against their orgs.

Redmond is also working on including recommended security profiles in Office 365 ATP and Exchange Online Protection (EOP), as revealed in December.

One month earlier, in November, Redmond released the Office 365 ATP enhanced compromise detection and response feature in public preview to help Security Operations (SecOps) teams detect breaches, as well as automatically identify and investigate suspicious users and remediate hacked accounts.

The company also included Authenticated Received Chain (ARC) for all Office 365 hosted mailboxes in October, a new feature to improve anti-spoofing detection and examine authentication results.
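The allow-list guidance quoted above can be checked mechanically. The following is an added example, not part of the original post or of Microsoft's support document: it flags allow-list entries that are domains you own, common domains, or entries that have stayed on the list past a review window. The function name, the `AddedOn` field, the 30-day window and all sample domains are assumptions made for illustration.

```powershell
# Added example: audit allow-list entries against the three rules quoted above.
# Find-RiskyAllowEntry, AddedOn and MaxAgeDays are hypothetical names.
function Find-RiskyAllowEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Entry,        # objects with Domain, AddedOn
        [Parameter(Mandatory)] [string[]] $OwnedDomain,  # domains your organization owns
        [string[]] $CommonDomain = @('microsoft.com', 'office.com'),
        [int]      $MaxAgeDays   = 30,                   # assumed review window
        [datetime] $Now          = (Get-Date)
    )
    # True when $Name equals $Parent or is a subdomain of it.
    function Test-UnderDomain([string] $Name, [string] $Parent) {
        $n = $Name.Trim().TrimEnd('.').ToLowerInvariant()
        $p = $Parent.Trim().TrimEnd('.').ToLowerInvariant()
        return ($n -eq $p) -or $n.EndsWith(".$p")
    }
    foreach ($e in $Entry) {
        $reasons = @()
        if ($OwnedDomain  | Where-Object { Test-UnderDomain $e.Domain $_ }) { $reasons += 'domain you own' }
        if ($CommonDomain | Where-Object { Test-UnderDomain $e.Domain $_ }) { $reasons += 'common domain' }
        $age = [int][math]::Floor(($Now - $e.AddedOn).TotalDays)
        if ($age -gt $MaxAgeDays) { $reasons += "on list for $age days" }
        if ($reasons) {
            [pscustomobject]@{ Domain = $e.Domain; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample data. In a tenant the domains would come from the spam filter
# policy's allow list; the AddedOn dates are assumed to come from your own change records.
$now   = [datetime]'2020-02-05'
$allow = @(
    [pscustomobject]@{ Domain = 'contoso.example';   AddedOn = [datetime]'2020-01-28' }
    [pscustomobject]@{ Domain = 'mail.office.com';   AddedOn = [datetime]'2020-01-30' }
    [pscustomobject]@{ Domain = 'partner.example';   AddedOn = [datetime]'2019-06-01' }
    [pscustomobject]@{ Domain = 'newvendor.example'; AddedOn = [datetime]'2020-02-01' }
)
Find-RiskyAllowEntry -Entry $allow -OwnedDomain 'contoso.example' -Now $now |
    Format-Table -AutoSize
```

Subdomains are matched as well as exact names, so an allow entry for a host under a common domain is reported the same way as the domain itself.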
