Any messaging administrator will tell you that it’s hard to fight spam. As most reported cybersecurity incidents start with a (spear)phishing message, it also becomes increasingly clear that messaging administrators in small and medium-sized businesses need to work harder, or smarter, to protect their colleagues.
Messaging in the modern age
Many organizations started their cloud journey by bringing their messaging functionality to the cloud. Organizations that were previously running Microsoft Exchange Server on-premises opted to migrate to the Business Productivity Online Suite (BPOS), rebranded as Office 365 in 2011 and currently known as Microsoft 365.
When creating their business cases, many organizations calculated that the technical maintenance of the solution would be on Microsoft’s plate, whereas the functional maintenance would remain with the organization or a third party. Today, the question is whether fighting spam, phishing and malware is a purely technical issue, a purely functional issue, or a little bit of both.
I feel it’s a little bit of both. I feel that’s also the hardest answer, because it begs the follow-up question:
Who does what?
Organizations using Exchange Online as part of Microsoft 365 have come to realize that it’s their responsibility to configure:
- Sender Policy Framework (SPF) records,
- DomainKeys Identified Mail (DKIM) signatures, and
- Domain-based Message Authentication, Reporting and Conformance (DMARC).
Microsoft provides the value for the SPF TXT record (include:spf.protection.outlook.com) from the get-go, but publishing it in the organization’s DNS zone is up to the organization. DKIM signing is enabled per domain in the Microsoft 365 Security & Compliance portal once the two selector CNAME records point at the tenant, and Valimail offers a sublime free DMARC reporting tool.
Microsoft also ships messaging security features inside the Microsoft 365 platform. The default anti-malware policy, the anti-phishing policy (which can be augmented with an optional allow or block list of senders permitted or forbidden to spoof your domains) and Exchange Online’s default inbound, outbound and connection-filter anti-spam policies offer some relief and ways to fight the worst unwanted messages.
While Microsoft is not a pure information security company, it offers solutions beyond the features built into the platform. Its Microsoft Defender suite of products and services offers more granular and more robust information security measures. Unfortunately, these solutions are only available to organizations that opted for the most expensive Microsoft cloud licenses and add-ons.
Hornetsecurity’s 365 Threat Monitor to the rescue!
To close the gap between what Microsoft offers with Office 365 E3 and what organizations actually need, Hornetsecurity now offers its 365 Threat Monitor service.
Microsoft’s default policies and rules do not offer adequate protection, allowing phishing and spam messages to enter the organization’s mailboxes. 365 Threat Monitor detects threats that get past the built-in Office 365 security policies. Once it identifies a malicious e-mail, it sends a push notification and a mail alert to admins, who can then delete the suspicious or malicious message from the mailbox in near real time to prevent damage.
Is it a bird? Is it a plane? It’s an app.
365 Threat Monitor is a mobile app that is available for iOS, iPadOS and Android.
The idea of a mobile app is genius and inventive. With Microsoft’s plethora of portals, a portal with important messages can be easily overlooked. Messages via mail run the risk of being intercepted straight after a compromise, and for most admins I know they lack urgency. I think a mobile device is the only device that an admin has on him or her all the time and where notifications are seldom missed.
Registering the 365 Threat Monitor service on a mobile device has its challenges, though:
- The Threat Monitor App service principal is easily registered in Azure AD. For many admins, it’s already unclear how some apps integrate with their Azure AD tenants, and achieving this level of integration from within a mobile app feels hazardous.
- If an admin documents the registration process, that documentation would consist of a couple of mobile screenshots. Threat Monitor’s API permissions are displayed in the language of the device. In multi-language teams, this language barrier might lead to an inadequate understanding of what the service does.
- The registration process works even with multi-factor authentication enabled for the entire tenant. However, completing multi-factor authentication on the same device that holds the session doesn’t feel as out-of-band as performing MFA when accessing the portal in a desktop browser.
The entire registration process is lightning fast, though.
What happens under the hood when you configure the app
The way 365 Threat Monitor works is by registering an enterprise application in Azure AD and assigning it:
- The Cloud Application Administrator role in Azure AD
- The Reports Reader role in Azure AD
- The delegated Sign in and read user profile (User.Read) permission on the Microsoft Graph API
- The Read and write all applications (Application.ReadWrite.All) application permission on the Microsoft Graph API
- The Read directory data (Directory.Read.All) application permission on the Microsoft Graph API
- The Manage app permission grants and app role assignments (AppRoleAssignment.ReadWrite.All) application permission on the Microsoft Graph API
- The Read and write all directory RBAC settings (RoleManagement.ReadWrite.Directory) application permission on the Microsoft Graph API
- The Exchange Administrator (formerly Exchange Service Administrator) role in Azure AD
- The Manage Exchange As Application (Exchange.ManageAsApp) application permission on Exchange Online.
These last two permissions are granted through a temporary Hornetsecurity Automation service principal. After its work is done, the Hornetsecurity Automation service principal is removed from Azure AD.
The application permissions above require admin consent, which is requested when the first admin configures the app. Any additional admin is simply added as an assigned user of the Threat Monitor App enterprise application in Azure AD. Keep in mind that application permissions act without a signed-in user and apply to the entire tenant: a service principal that can manage app role assignments and directory role settings can grant itself anything else it wants, so the app’s credentials deserve the same care as a Global Administrator account.
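Before consenting to a list like the one above, it pays to triage what each application permission lets the service principal do on its own. The following is an added example, not Hornetsecurity’s or Microsoft’s code: it takes input shaped like two Microsoft Graph responses (the appRoles exposed by each resource service principal, and the appRoleAssignments of the principal being audited, as returned by GET /servicePrincipals/{id}/appRoleAssignments) and sorts the granted permissions into tiers. Every id in the sample data is a constructed placeholder, not a real Graph app role id, and the resource display names are assumed; delegated scopes such as User.Read live in oauth2PermissionGrants and are out of scope here.

```python
"""Triage the application permissions granted to an Azure AD enterprise
application, such as the one 365 Threat Monitor registers.
Added example, not Hornetsecurity's or Microsoft's code. Input mirrors two
Graph responses: the appRoles of each resource service principal and the
appRoleAssignments of the audited principal. All ids and resource display
names below are constructed placeholders, not real Graph values."""
from __future__ import annotations

# Application permissions whose holder can escalate to anything else in the tenant.
TENANT_TAKEOVER = {
    "AppRoleAssignment.ReadWrite.All": "can grant itself any further application permission",
    "RoleManagement.ReadWrite.Directory": "can assign directory roles, Global Administrator included",
    "Application.ReadWrite.All": "can add its own credentials to any existing (privileged) app",
}
# Not tenant takeover on its own, but still broad write access worth calling out.
BROAD_WRITE = {
    "Exchange.ManageAsApp": "full Exchange Online administration when paired with the Exchange Administrator role",
}
_ORDER = {"tenant-takeover": 0, "unknown": 1, "write": 2, "read": 3}


def classify(app_roles_by_resource: dict[str, list[dict]],
             assignments: list[dict]) -> dict[str, str]:
    """Map each granted permission to a tier: tenant-takeover, write, read or unknown."""
    granted: dict[str, str] = {}
    for a in assignments:
        roles = app_roles_by_resource.get(a["resourceDisplayName"], [])
        by_id = {r["id"]: r["value"] for r in roles}
        if a["appRoleId"] not in by_id:
            granted[a["appRoleId"]] = "unknown"   # keep the raw id so it is not silently dropped
            continue
        perm = by_id[a["appRoleId"]]
        if perm in TENANT_TAKEOVER:
            tier = "tenant-takeover"
        elif perm in BROAD_WRITE or ".ReadWrite" in perm:
            tier = "write"
        else:
            tier = "read"
        granted[perm] = tier
    return granted


def is_global_admin_equivalent(granted: dict[str, str]) -> bool:
    """True when at least one granted permission allows escalation to any other privilege."""
    return any(tier == "tenant-takeover" for tier in granted.values())


def explain(granted: dict[str, str]) -> list[str]:
    """One line per permission, most dangerous first."""
    lines: list[str] = []
    for perm, tier in sorted(granted.items(), key=lambda kv: (_ORDER[kv[1]], kv[0])):
        reason = TENANT_TAKEOVER.get(perm) or BROAD_WRITE.get(perm) or ""
        lines.append(f"[{tier}] {perm}" + (f": {reason}" if reason else ""))
    return lines


# Constructed sample input mirroring the permissions listed in the post.
APP_ROLES_BY_RESOURCE = {
    "Microsoft Graph": [
        {"id": "role-0001", "value": "Application.ReadWrite.All"},
        {"id": "role-0002", "value": "Directory.Read.All"},
        {"id": "role-0003", "value": "AppRoleAssignment.ReadWrite.All"},
        {"id": "role-0004", "value": "RoleManagement.ReadWrite.Directory"},
    ],
    "Office 365 Exchange Online": [
        {"id": "role-0101", "value": "Exchange.ManageAsApp"},
    ],
}
THREAT_MONITOR_ASSIGNMENTS = [
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-0001"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-0002"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-0003"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-0004"},
    {"resourceDisplayName": "Office 365 Exchange Online", "appRoleId": "role-0101"},
]

if __name__ == "__main__":
    granted = classify(APP_ROLES_BY_RESOURCE, THREAT_MONITOR_ASSIGNMENTS)
    print("\n".join(explain(granted)))
    print("Global Administrator equivalent:", is_global_admin_equivalent(granted))
```

Against the permissions the post lists, three of the four Graph permissions land in the tenant-takeover tier, which is the point of the triage: whether or not you trust the vendor, the consent screen is granting a credential that can become Global Administrator, so it belongs in the same inventory and review cycle as your privileged accounts.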
Because 365 Threat Monitor works as an enterprise application, the organization does not need to change its MX records in DNS. The flow of inbound and outbound messages does not change, unlike with many other third-party solutions that sit in the mail path. The flip side is that detection happens after delivery: a message reaches the mailbox first and is removed afterwards, so the window between delivery and the admin acting on the alert is where the risk sits.
Filtering and detection
I’ll admit that I was skeptical at first: an organization like Hornetsecurity outperforming Microsoft at the game that Microsoft has been playing since cc:Mail? I must’ve sounded like the typical naysayer before the David vs. Goliath battle. Yet, not long after the initial registration, 365 Threat Monitor issued its first app notification and sent me its first message giving me a heads up on a message flagged as high threat level. Clicking on the app notification took me to the Alerts list within the app. It was indeed a suspicious message that Microsoft 365 did not detect. I deleted it instantly … straight from the mobile app.
Threat statistics and reporting at your fingertips
Before that, I could also see messages in people’s mailboxes flagged with the moderate threat level. The 365 Threat Monitor app started displaying meaningful information and statistics after the initial registration. It helped me get a grip on the current messaging security status of the Microsoft 365 tenant. Its Top targets list is something I had been craving for some time, as it’s nearly impossible to educate everybody within the organization on proper message hygiene. I can see how specifically targeting these people with additional messaging on how to cope with suspicious and malicious messages could pay off in a big way in the long run.
The Protection that 365 Threat Monitor delivers
Of course, the proof is in the pudding. Since the configuration of the 365 Threat Monitor app, the app has reported and notified of messages including:
- Malware, including ransomware, viruses and spyware,
- Spoofed sender identities and content, and
- Spam and unwanted advertisements.
Yes, I also encountered some false positives. Currently, the mobile app does not offer a way to flag these messages as false positives, so they’ll remain visible in the Alerts list, as long as the alert fits the selected time frame at the top of the list.
Hornetsecurity offers its 365 Threat Monitor service for free to the first 10,000 Microsoft 365 admins who sign up for the service.
Combined with SPF, DKIM and DMARC, it should help you fight spam, phishing and malware throughout your Microsoft 365 messaging infrastructure.
365 Threat Monitor and 365 Total Protection
Hornetsecurity’s 365 Threat Monitor is part of the larger 365 Total Protection packages, starting at USD 2 per user per month. While 365 Threat Monitor is a free tool, it is also limited. The ability to delete messages from users’ mailboxes is capped. Whenever you delete a message, a pop-up informs you of the number of allowed deletes left. Of course, the pop-up window provides an Upgrade now! button for your convenience.