Coverage of the standard Office 365 features
Microsoft Defender for Office 365 offers good protection, however …
In the first article of our series on protection of collaboration platforms, we outlined the importance of protecting platforms such as Office 365. In this part of the series, we will introduce to you the standard Office 365 features. Our next article will continue with an overview of the available additional options to build reliable protection beyond the standard functions.
Malware protection has always been a critical topic for the IT administration. In August 2021, the independent institute AV-Test recorded a further annual increase in detected malware and potentially unauthorized applications.
Microsoft Defender for Office 365
For this reason, Microsoft is constantly working on enhancing its solutions for malware protection. For protecting Office 365, Microsoft offers the solution Microsoft 365 Defender, also formerly known as “Advanced Threat Protection”. Microsoft 365 Defender is a solution for the detection and prevention as well as the investigation and reaction of endpoints, identities, emails and applications (apps). The solution is divided into four services:
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Identity
- Microsoft Cloud App Security
The service for Office 365 provides protection against malicious threats that enter through emails, references or Office 365 apps, such as SharePoint, OneDrive or Teams. The service has the following three components:
- Exchange Online Protection (EOP)
- Microsoft Defender for Office 365 Plan 1 (MDO P1)
- Microsoft Defender for Office 365 Plan 2 (MDO P2)
While Exchange Online Protection aims to prevent volume-based, known attacks, the other two components are designed to protect against zero-day threats, phishing and the compromising of business emails (Plan 1). Plan 2 complements this protection with options that can be implemented after such threats have already occurred.
The availability of Microsoft Defender for Office 365 depends on the licenses. Plan 1 is included in the “Microsoft 365 Business Premium” licence and Plan 2 in the “Office 365 E5”, “Office 365 A5” and “Microsoft 365 E5” licences. However, both plans can also be integrated into other licenses as paid add-ons.
Protection of files in SharePoint Online, OneDrive and Teams
Plan 1 is also required for securing SharePoint Online, OneDrive for Business and Teams. With it, files uploaded in these Office 365 apps can be checked by the built-in malware protection. This protection is not activated by default and must first be enabled by the administrator.
If the built-in malware protection is activated and a potential threat is found in a file, the user is notified of this in SharePoint via an additional icon next to the file name, unless the classic user guidance has been activated. Nevertheless, the user can still download the file in order to clean it with a locally installed tool, for example. The administrator has the option to prevent this download and to block the file. Microsoft provides a PowerShell script for this purpose. Alternatively, the administrator can also create a policy to prevent the download and other activities with the file.
Specifics of Microsoft Defender
Although the infected files remain in SharePoint, OneDrive or Teams, the malicious files are displayed in the quarantine along with the malicious emails in the Microsoft 365 Defender portal. However, this is only accessible to the administrator. From here, the administrator can determine how to proceed with the files – download the files, release them again, remove them from the quarantine or block the sender.
Still, not every file uploaded to SharePoint, OneDrive or Teams is checked by the built-in malware protection. Microsoft uses appropriate heuristics to check whether a file poses a potential risk. Only if the heuristics confirm the risk, the file is sent to a scanner for checking. On the other hand, the files are not scanned immediately after uploading. This happens asynchronously and the administrator cannot influence when the scan takes place. It should also be noted that the user can often decide for themselves whether they want to work with the classic user guidance in SharePoint or not. With the classic user guidance, there is no visual indication that the file may pose a threat.
For further information see „Safe Attachments for SharePoint, OneDrive, and Microsoft Teams“.
Providing comprehensive security for Office 365 is an extensive and complex task. This is why Microsoft has published a security roadmap with recommendations specifying when a company should deal with certain security functions and regulations.
In the next part of our series, we will present iQ.Suite 360, an alternative solution for the protection of Office 365. This solution is based on the proven iQ.Suite technology, which has been implemented in numerous companies for over 20 years providing security for email platforms such as Microsoft SMTP, Microsoft Exchange, HCL Domino and Microsoft Exchange Online. In 2020, iQ.Suite 360 even brought GBS recognition as a Leader in “Cyber Security Solutions & Services” by the renowned German ISG Provider Lens™ study.
If you would like to learn more about Office 365 protection, simply contact us directly!
Author: Dr. Rolf Kremer