This article explains how Office 365 Threat Intelligence can help you research threats against your organization, respond to malware, phishing, and other attacks that Office 365 has detected on your behalf, and search for threat indicators you might have received from user reports, others within the security community, or in the news or other intelligence sources. Threat Intelligence can also help you determine if the attacks you detect are targeted or not. If you have Office 365 Enterprise E5, then you have Threat Intelligence built-in to your Security & Compliance Center.
What is Threat Intelligence?
Office 365 hosts one of the largest enterprise email services and productivity suites in the world, and manages content created on millions of devices. In the course of protecting this information, Microsoft has built a vast repository of threat intelligence data, and the systems needed to spot patterns that correspond to attack behaviours and suspicious activity. Office 365 Threat Intelligence is a collection of these insights used in analyzing your Office 365 environment to help you find and eliminate threats, proactively. Threat Intelligence appears as a set of tools and dashboards in the Security & Compliance Center to understand and respond to threats.
Office 365 Threat Intelligence monitors signals from sources, such as user activity, authentication, email, compromised PCs, and security incidents. This data can be analyzed and displayed so that business decision makers and Office 365 global or security administrators can understand and respond to threats against their users and intellectual property.
You can use the Threat dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what Threat Intelligence has already done to secure your business.
If you are investigating or experiencing an attack against your Office 365 environment, use the Threat explorer to analyze threats. Threat explorer shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.
You can also mark suspicious emails you see in Threat explorer for further investigation, and manage response outcomes in a the list of Incidents, a handy way to keep on-track during an attack.
This dashboard is an excellent resource when you need a summary of threats against your Office 365 environment. It features a color-coded chart of weekly threat detections, and graphs of malware trends and malware families detected, as well as security trends in the industry, and a helpful heat-map of attack origins for your specific environment. This dashboard also shows global and security administrators a quick listing of top targeted users and recent alerts that you can click into for more information, among other helpful panels of information.
The dashboard is an excellent way for technical experts in security to report out to business decisions makers like Chief Executive Officers (CEOs), or Chief Technical Officers (CTOs).
The dashboard is also an entry to Threat explorer, and many of the links connect these two views of your threat intelligence. For example, the Threat investigation panel on Dashboard has links that drill down into Threat explorer:
Show messages removed after delivery
Find malicious messages sent to someone in your organization
This summary panel should be checked daily.
When you open Threat explorer you'll find a color-coded graph that represents attacks that are targeted at your organization. The default view will show malware by threat family. This pane has a tabbed view of top malware families, an email list, and a map of email origins. It also shows you top targeted users.
NOTE Optionally show either All email, or Malware, by sender domain, sender IP, protections status, or caught by technology. And, you can export the chart data and email list.
When you click on a specific top malware family (such as JS/Nemucod), you can see details about how that malware is impacting your organization and what the malware can do. Once its threat pane opens, you can look at the definition of the malware family. The view of each top threat shows the affected users (recipients, sender addresses, IP addresses, and status), along with tabs for Technical details, Global details, and Advanced analysis.
NOTE Any suspicious email messages you see listed on the Users tab can be selected and quickly added into an Incidents investigation for further tracking and analysis. This keeps them from getting lost in the shuffle as a threat emerges.
The Technical details tab shows a document that goes into great detail on the malware threat, so you're well informed about the threat and know what behaviors to look for.
If you're not sure how deep your research should go, or are uncertain of the scope of the attack, take a look at Global details and find out which are the most impacted countries and industries. For example, if your work is in Manufacturing in Japan, or Mining in the USA, these charts can give you context and help you determine a general threat level. Certainly, if you see that your industry, specifically, is increasingly under attack, it's a good indication you need to mobilize your security team, and proactively dive into Threat explorer.
Every file or document attachment that passes through Office 365 Advanced Threat Protection is placed into a sandbox where it can be opened and tested to find behavioral evidence of malicious activity. This can detect potential threats, suspicious macros or new malware. Indicators are extracted from these test runs and any hits can be found on the final tab of a top threat: Advanced Analysis.
The results of testing runs can be seen in Observed behavior. In the example below, a file attachment was tested, failed, and found to have a password stealer inside of a file macro. The IP address and URL that the file is trying to communicate with is under Network traffic. Finally, you can see the malicious executable the macro downloaded during the test—the main reason why this testing takes place in an isolated virtualized environment created to expose threats before they reach your users.
NOTE If you use other security devices or services to filter attacks before they reach your Office 365 site, Threat explorer and its associated telemetry will show only the attacks that the other service or device has missed. Be aware that this may change the results of features such as Global Details and Advanced Analytics.
Use Incidents to track phishing or malware campaigns aimed at your users and trigger remediation actions like deleting attachments, or moving email messages into a junk folder.
To create a new incident, search for messages you've identified as suspicious in the All Email view of Threat explorer. Once you've filtered the email down to those you want to track or remediate, use the Add email to incident button to create a new incident, or add those messages to an existing incident.
Once you've added messages to an incident, you can take a remediation action on those messages. From the Incidents page, select the incident that you created, and then, select your mail submission. In the submission dialog box, choose Move to junk, or Delete attachments. If you mistakenly move email messages to a junk folder, you can recover them by selecting Move to inbox.
You can track the progress of the remediation you started on the Action Logs tab.
The same data that powers the Threat intelligence dashboard and Threat explorer is available through the Security & Compliance Center, and the Office 365 Management Activity API. The feeds contain:
One record for every email that contains a threat targeted at your organization
One record for every message removed by zero-hour auto-purge
To learn more about Threat Intelligence Feeds, see Office 365 Management Activity API
Use the integration between Office 365 and Windows Defender Advanced Threat Protection (Windows Defender ATP) to quickly understand if users’ machines are at risk when investigating threats in Office 365. Once the integration is enabled, security administrators in Office 365 will be able to see which machines are owned by the recipients of an email message and how many recent alerts those machines have in Windows Defender ATP.
The following image shows the Devices tab that you'll see when have Windows Defender ATP integration enabled:
In this example, you can see that the recipients of the email message have four machines and one has an alert in Windows Defender ATP. Clicking the link to a machine opens the machine page in Windows Defender ATP in a new tab.
To enable the integration between Office 365 and Windows Defender ATP:
You must have access to both Office 365 Threat Intelligence and Windows Defender ATP.
Go to Threat explorer.
On the More menu, choose WDATP Settings.
Select Connect to Windows ATP.
After you have changed the settings in Office 365, you must enable the connection from Windows Defender ATP. See Use the Windows Defender Advanced Threat Protection portal.