Threat Protection (part 1)

To read part 2, please click here




Exchange Online Protection (EOP)

Every Microsoft 365 tenant with mailboxes hosted in Exchange Online depends on the EOP service to route inbound and outbound mail. EOP also protects the organization against phishing, spoofing, spam, and malware, providing email security through a combination of techniques such as IP and sender reputation, heuristics, spam filtering, malware filtering, machine learning, and dedicated phishing and spoofing filters.

Combined, EOP and Microsoft Defender for Office 365 offer a complete solution for protecting users against any kind of cyberthreat that originates in email.

The Anti-Malware Pipeline in Microsoft 365

As stated above, organizations hosting mailboxes in Exchange Online rely on EOP to secure incoming and outgoing mail, so when joining Microsoft 365 their administrator must add Microsoft 365 specific MX and TXT records to their domain in DNS:

  • The MX record ensures that email sent to the tenant's domain arrives in mailboxes hosted in Exchange Online by way of the EOP service.

  • The Sender Protection Framework (SPF) record is a special type of TXT record in DNS that identifies which hosts are valid senders for the domain.
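As an added example (not code from the original post), the following Python check validates the two records described above once their DNS answers have been collected, for instance with a resolver or nslookup. It verifies that every MX host is an EOP endpoint and that the SPF record includes EOP, stays within the RFC 7208 lookup limit, and ends with a fail qualifier; the domain and record contents are constructed samples.

```python
import re

# Endpoints Microsoft 365 publishes for EOP: inbound MX target and outbound SPF include.
EOP_MX_SUFFIX = ".mail.protection.outlook.com"
EOP_SPF_INCLUDE = "spf.protection.outlook.com"
# SPF terms that each cost one of the 10 DNS lookups RFC 7208 permits per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_mx(mx_records):
    """mx_records: list of (preference, exchange) tuples as a resolver returns them.
    Returns findings; an empty list means every MX routes inbound mail through EOP."""
    if not mx_records:
        return ["no MX record: inbound mail cannot reach Exchange Online"]
    preferred = min(mx_records)[0]
    findings = []
    for pref, exchange in sorted(mx_records):
        host = exchange.rstrip(".").lower()
        if not host.endswith(EOP_MX_SUFFIX):
            role = "preferred" if pref == preferred else "backup"
            findings.append(f"{role} MX {host} (pref {pref}) is not an EOP endpoint; mail can bypass EOP filtering")
    return findings

def check_spf(txt_records):
    """txt_records: TXT strings at the domain apex. Returns findings on the SPF record."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: zero or multiple SPF records is a permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    findings = []
    includes = {t.split(":", 1)[1].lower() for t in terms if t.lower().startswith("include:")}
    if EOP_SPF_INCLUDE not in includes:
        findings.append(f"missing include:{EOP_SPF_INCLUDE}; mail sent via EOP will fail SPF")
    # Strip the qualifier (+ - ~ ?) and keep the mechanism/modifier name before : = or /.
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    last = terms[-1].lower() if terms else ""
    if last not in ("-all", "~all"):
        findings.append(f"record ends with {last!r}; end with -all or ~all so spoofed mail is rejected or flagged")
    return findings

# Constructed sample answers for a hypothetical tenant domain (not real DNS data).
SAMPLE_MX = [(0, "contoso-com.mail.protection.outlook.com.")]
SAMPLE_TXT = ["v=spf1 include:spf.protection.outlook.com -all"]

if __name__ == "__main__":
    for name, findings in (("MX", check_mx(SAMPLE_MX)), ("SPF", check_spf(SAMPLE_TXT))):
        print(name, "OK" if not findings else findings)
```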

Whenever a message passes through the first entry point into Microsoft 365, it is scanned by multiple signature-based anti-virus engines, which catch up to 80% of the commodity malware entering the network.

Next, EOP scans individual files using the Reputation Block technique: it compares file attachments against the results of scans previously performed across Microsoft 365, including specific files, or pieces of files, that were previously identified as malicious and appear to match something in the incoming message.

Heuristic Clustering is also used to identify suspicious mail from an analysis of delivery patterns. A sample from a cluster is then sent to a hypervisor sandbox environment, where the file is opened for further analysis, which includes:

  • Checking for anomalies such as changes in memory or the registry, or encryption of the hard drive.

  • Checking for changes in network traffic, such as connections to an attacker's command-and-control servers.

  • Identifying when malware tries to obfuscate itself or uses evasion techniques.

After all these signals are collected, the results are run through a machine-learning (ML) model and a set of static rules to determine whether the file is merely suspicious or truly malicious.

Once the Safe Attachments process is complete, the body of the message (along with the message headers) is run through EOP's anti-spam, anti-phishing, and anti-spoofing filters. If Defender for Office 365 is enabled in the tenant, its Safe Links feature then checks any links against a list of non-malicious URLs that is updated approximately every 20 minutes.

Finally, Microsoft also works with a team of security analysts, or cyber hunters, who identify new threat campaigns and quickly implement rules to further protect the Microsoft 365 network against cyber-attacks.

Hence, the anti-malware pipeline consists of both EOP and Microsoft Defender for Office 365, which together protect against all types of spam and advanced threats through a multi-layered, defense-in-depth approach to email security.
