Pretend for a moment that I am a marketing agency you just hired, and you invite me as a guest to a team in Microsoft Teams to collaborate. What happens if that guest’s account gets compromised and a bad actor gains access to your team in Microsoft Teams? Your organization is having sensitive conversations there and uploading sensitive files, and if that data were publicly disclosed, it could damage the organization. More importantly, a bad actor can post hyperlinks to “phishing” web sites, and upload malicious files into Microsoft Teams – from there users can open the links or run the files, posing a serious threat to your organization’s security.
How do we help to protect against phishing attacks and malicious files in Microsoft Teams? Office 365 Advanced Threat Protection is here to help. In fact, Office 365 ATP can also help to protect against phishing and malware in not just Microsoft Teams, but Exchange Online, SharePoint, and OneDrive! More information in the Service Description here.
To configure, once the appropriate licenses have been purchased and assigned to each user, open the Office 365 Security & Compliance Center (protection.office.com) -> Threat Management -> Policy and click on ATP Safe Attachments:
Check the box Turn on ATP for SharePoint, OneDrive and Microsoft Teams and click Save:
Now, when a malicious file is uploaded to Microsoft Teams, Office 365 ATP will perform a detonation of the file (following this process). Here we have files in Microsoft Teams; are they malicious?
If the file is indeed malicious, when the user attempts to execute the file in Microsoft Teams, they will receive the following message:
Safe Attachments stops the user in their tracks, and never gives them the opportunity to launch the file. This same behavior also occurs when the file is executed directly from SharePoint. If using Office 365 Alerts (in the Security & Compliance Center), an alert can be configured to notify the admin that malware was uploaded to Microsoft Teams:
Here’s what the alert looks like:
(Note: if using Microsoft Cloud App Security, an SMS notification can be sent, and MCAS also offers integration into your SIEM.)
What about phishing links in Microsoft Teams? If the ATP Safe Links policy is correctly configured (more information here), then when a phishing hyperlink is posted, the user will receive a blocking message when attempting to click on the hyperlink. Let’s take a look at this below. Here’s a hyperlink in a team conversation in Microsoft Teams:
When the user clicks on the link, ATP Safe Links and the Intelligent Security Graph go into action to provide protection. ATP recognizes that the website is malicious and stops the user in their tracks, not giving them the opportunity to click through to the original website (although that can be changed in the policy).
Office 365 Advanced Threat Protection provides protection against advanced threats such as phishing and malware for not only your email in Office 365, but also Microsoft Teams! What if everyone had this enabled? The world might just be a safer place! Enjoy!
How well do you trust your employees? What about your vendors? I’m constantly coming across organizations that are storing intellectual property and other sensitive data in Microsoft Teams, so they can collaborate with that data in a centralized manner. I’m also learning that most of those organizations are enabling guest access, and allowing outside vendors to have access to that data and the resources within the team. A good example of this is an outside marketing agency that you contract with for event marketing, online marketing, etc. What if a guest of that team (or an employee) accidentally (or intentionally) uploads malware to the team (but masks it as a file called MarketingRoadmap.pptx), and an employee of the organization opens the file? The malware could now spread throughout your environment.
This is where Office 365 Advanced Threat Protection (ATP) comes in. ATP can help to safeguard your organization from this threat by “detonating” (executing) files uploaded to Microsoft Teams (specifically the SharePoint/Office 365 Group on the back-end) to validate that each is a legitimate file and contains no malicious code that can do harm. This feature comes with Microsoft 365 E5 or Office 365 E5, or is available as an add-on to an existing Office 365 subscription.
Too Long Don’t Read (TLDR): In this blog, I’m going to describe how to enable this feature, perform a test, and show you alerting. For details on how Office 365 Advanced Threat Protection for SharePoint, Microsoft Teams, and OneDrive works and its architecture, see the below diagram – and read the following article: Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams
Office 365 Advanced Threat Protection Architecture:
How to enable Office 365 Advanced Threat Protection:
Note: I will not be discussing Office 365 ATP for Exchange Online.
To enable, simply browse to the Office 365 Security & Compliance Center (protection.office.com) -> Threat Management -> Policy and click ATP Safe Attachments:
Once in ATP Safe Attachments, check the box Turn on ATP for SharePoint, OneDrive and Microsoft Teams and click Save:
IMPORTANT: Review the Safe Attachment policies and configure as appropriate. Consider running Set-SPOTenant with the DisallowInfectedFileDownload parameter in PowerShell for the SharePoint tenant to ensure the malicious files cannot be downloaded. For more information see Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams
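The two settings above can also be checked and applied from PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement and SharePoint Online Management Shell modules are installed and that the account has admin rights, and the admin URL is a placeholder.

```powershell
# Added example (not from the original post).
# Placeholder: replace <tenant> with your own tenant name.
$SpoAdminUrl = 'https://<tenant>-admin.sharepoint.com'

# Sign in to both services (interactive prompts).
Connect-ExchangeOnline
Connect-SPOService -Url $SpoAdminUrl

# 1. Same switch as the check box "Turn on ATP for SharePoint,
#    OneDrive and Microsoft Teams" in ATP Safe Attachments.
$atp = Get-AtpPolicyForO365
if (-not $atp.EnableATPForSPOTeamsODB) {
    Write-Host 'ATP for SharePoint/OneDrive/Teams is off; enabling it.'
    Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
}

# 2. Stop users from downloading files that ATP has flagged as malicious.
$tenant = Get-SPOTenant
if (-not $tenant.DisallowInfectedFileDownload) {
    Write-Host 'Infected file download is allowed; blocking it.'
    Set-SPOTenant -DisallowInfectedFileDownload $true
}

# 3. Read both values back so the change can be confirmed and recorded.
[pscustomobject]@{
    EnableATPForSPOTeamsODB      = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
    DisallowInfectedFileDownload = (Get-SPOTenant).DisallowInfectedFileDownload
}
```

Both values should read True once the script has run; the script only writes a setting when it is currently off, so it is safe to re-run as a periodic configuration check.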
If a malicious file is uploaded, and detected by ATP, the user will be unable to open the file. If the user browses to the Office 365 Group or SharePoint site where the file is stored, and attempts to run from there, they will be presented with the following:
Setting up an alert:
As the admin, I want to be notified when this activity occurs. Using Office 365 Alerts I will create an Alert Policy to notify me so I can take action:
When the alert notification arrives via email, here is an example of what it looks like:
Clicking Investigate will launch the alert in Office 365 Alerts (notice I can suppress, or notify users):
Accessing the event via Threat Explorer gives me access to additional details and advanced analysis that could be helpful in my investigation of the threat:
Office 365 Advanced Threat Protection is one of the many layers in your defense-in-depth approach to cyber security, and with its ease of administration and use, it can be a valuable tool to protect your organization. Enjoy! –Matt Soseman