Microsoft adds anti-phishing ‘campaign views’ to Office 365 ATP – Redmondmag.com
Posey tips and tricks
A new feature in the Microsoft Office 365 Advanced Threat Protection service promises to fill the gaps in traditional anti-phishing defenses.
Phishing attacks against organizations are not new; there have been real examples of these attacks since the 90s. Even so, corporate IT has never had what I consider to be a really effective way to deal with phishing attacks.
Make no mistake, I’m not saying the IT department was negligent in trying to stop phishing attacks, but rather that the methods used so far have only been marginally effective.
The loopholes in phishing defenses
Defenses against phishing attacks have traditionally revolved around a filter that attempts to identify phishing messages. Depending on the anti-phishing product used, a suspected phishing message may be deleted, stripped of its attachments and links, or sent to a user’s spam folder.
There are several reasons why I consider this approach to be ineffective. The most obvious is that some phishing messages will inevitably pass through the filter. At the same time, there is also a risk of false positives.
In my opinion, however, the main reason our current defenses against phishing attacks are ineffective is that there is usually an administrative blind spot.
Imagine that your organization is the target of a zero-day phishing attack. As an administrator, you notice that some of the phishing messages appear in your spam filter. The presence of these messages in your spam filter confirms that your phishing defenses have been at least partially successful, but there are a few key pieces of information you don’t know.
For starters, you have no way of knowing if any of the phishing messages actually ended up in a user’s inbox. While there are security and auditing tools that can be used to perform an organization-wide search for specific message types, those who carry out phishing attacks typically design them so that no two messages are identical. This makes it difficult to find a specific message.
The other key piece of information that an administrator usually doesn’t know is whether any of their users have fallen victim to the phishing attack. Unfortunately, there isn’t a great way to tell if someone has clicked on a malicious link or opened a malicious attachment. In some cases, it may be possible to look at the router logs to see if someone has accessed a particular URL, but again, phishing messages are often constructed so that the destination URL varies from one message to the next.
Enter the Office 365 “Campaign View”
Recently, Microsoft introduced a new tool called “campaign view” for its Office 365 Advanced Threat Protection (ATP) service. To be clear, the campaign view is not a new tool for detecting phishing attacks. The detection process is still handled by the underlying ATP software. Instead, the campaign view is designed to give admins new insight into phishing attacks being carried out against their organization.
The campaign view works by organizing phishing attacks into campaigns. To do this, the software examines the characteristics of detected phishing messages, then uses this information to determine whether a message is likely to be part of a known phishing attack or if it marks the start of a new phishing attack.
Because the campaign view is able to identify individual phishing campaigns that have been launched against an organization, it can use what it knows about the campaign to provide detailed information to administrative staff. Admins can see a campaign timeline showing when it started, when it ended, and the total number of messages that were associated with the campaign.
More importantly, admins will be able to see how many of these messages reached users’ inboxes and how many (and which) users clicked a URL in the message. The Campaign view not only identifies who clicked the links, but it also tells admins the URL associated with the link, when the user clicked the link, and whether or not Office 365 stopped the action.
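The grouping and reporting idea described above, as an added example in Python; it is not Microsoft's algorithm or code. The linking traits (sender IP, URL host, digit-masked subject), the record layout and all sample data are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (not real telemetry): time, sender IP, subject, URL, delivery location.
MESSAGES = {
    "m1": ("2019-12-02T08:01", "203.0.113.7", "Invoice 48213 overdue", "https://pay.example.net/a/9f3", "inbox"),
    "m2": ("2019-12-02T08:05", "198.51.100.9", "Your parcel is waiting", "https://pay.example.net/b/77c", "junk"),
    "m3": ("2019-12-02T09:40", "198.51.100.9", "Account notice", "https://login.example.org/x", "inbox"),
    "m4": ("2019-12-03T14:00", "192.0.2.44", "Password expires today", "https://reset.example.com/p", "inbox")}
# Constructed click log: (message id, user, click time, blocked by the filter?)
CLICKS = [("m1", "ana@contoso.example", "2019-12-02T08:30", False),
          ("m3", "raj@contoso.example", "2019-12-02T10:02", True)]

def features(msg):
    """Traits assumed (for this example) to survive per-message randomisation."""
    _, ip, subject, url, _ = msg
    return {("ip", ip), ("host", urlsplit(url).hostname), ("subject", re.sub(r"\d+", "#", subject.lower()))}

def group_campaigns(messages):
    """Union-find: messages that share any one trait end up in the same campaign."""
    parent = {mid: mid for mid in messages}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    seen = {}  # trait -> first message id that showed it
    for mid, msg in messages.items():
        for trait in features(msg):
            parent[find(mid)] = find(seen.setdefault(trait, mid))
    groups = defaultdict(list)
    for mid in messages:
        groups[find(mid)].append(mid)
    return list(groups.values())

def campaign_report(messages, clicks):
    """Per campaign: timeline, member messages, inbox deliveries, and who clicked what."""
    report = []
    for ids in group_campaigns(messages):
        times = sorted(messages[i][0] for i in ids)
        report.append({
            "messages": sorted(ids), "start": times[0], "end": times[-1],
            "inbox": sum(messages[i][4] == "inbox" for i in ids),
            "clicks": [(user, messages[mid][3], when, blocked)
                       for mid, user, when, blocked in clicks if mid in ids],
        })
    return sorted(report, key=lambda c: c["start"])

if __name__ == "__main__": print(campaign_report(MESSAGES, CLICKS))
```

Messages m1 and m3 share no trait directly, yet both link to m2 (one by URL host, one by sender IP), so an exact-match search for either would miss the other while the grouping reports all three as one campaign.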
I’m still waiting for Microsoft to give me access to the campaign view, so I haven’t had a chance to try it out yet. Based on screenshots I’ve seen so far, however, I think the campaign view promises to be an extremely useful tool that can help administrators deal effectively with the consequences of a phishing attack.
Although the new campaign view feature is not yet available for Office 365 customers, Microsoft recently released a public preview. This means that qualified organizations can test the feature in beta before its eventual release.
Brien Posey is a 19-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of computer topics. Prior to becoming independent, Posey was CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the largest insurance companies in the country and for the Department of Defense at Fort Knox. In addition to his continued work in computer science, Posey has spent the last few years actively training as a commercial scientist-astronaut candidate to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.