Operate Defender for Office like a Pro
Phishing and email scams continue to be significant security concerns for organizations of all sizes and across all industries. These attacks are designed to trick recipients into divulging sensitive information or performing actions that can compromise the security of an organization’s network or data.
Email is a common channel for these attacks because it is widely used and often considered a trusted means of communication. Phishing emails can be difficult to detect, as they may appear to come from a legitimate source and contain convincing language and graphics.
To protect against phishing and email scams, organizations should implement email security measures that include spam filters, antivirus software, and email encryption. Additionally, it is essential to train employees to recognize and report suspicious emails and avoid clicking on links or opening attachments from unknown sources. Regular security awareness training can go a long way in helping employees become more vigilant and aware of the risks associated with phishing and email scams.
Overall, protecting an organization’s email layer is critical to reducing the risk of phishing attacks and ensuring the security of sensitive data. It requires a combination of technology, employee education, and best practices to create a strong defense against these types of threats.
Business email compromise (BEC) schemes, also known as email account compromise (EAC), are a type of phishing attack that specifically targets employees with access to financial and sensitive information.
In a BEC attack, the attacker will send an email that appears to come from a trusted source, such as a colleague or a senior executive within the organization. The email will often contain a sense of urgency, asking the recipient to perform an action, such as transferring funds or sharing sensitive information. If the employee falls for the scam and takes the requested action, the attacker can gain access to the organization’s financial accounts, steal sensitive data, or install spyware or ransomware on the network.
BEC attacks are especially dangerous because they are highly targeted and often use social engineering tactics to gain the trust of the recipient. In many cases, the attacker will research the targeted organization and employees to make the email seem more legitimate and convincing.
To protect against BEC attacks, organizations should implement email security measures such as two-factor authentication, email encryption, and sender authentication protocols such as DMARC, DKIM, and SPF. Additionally, regular employee education and training on the latest phishing tactics and how to identify and report suspicious emails can help mitigate the risk of BEC attacks.
On the defensive side, we must perform routine checks for incompatible and incorrect settings. Even when a setting was configured correctly at the time, it may no longer be the most appropriate one, or another setting may have opened a security hole.
MDO Recommendations
From time to time, Microsoft releases recommendations on protecting and defending Office ATP and Exchange Online Protection (EOP). Recently, Microsoft published the Recommended settings for EOP and Office 365 ATP security.
There are many ways to find out the status of your Office ATP. The most relevant are Azure Sentinel and the tool Microsoft recently released to analyze Office ATP and EOP configuration, the ORCA tool.
About ORCA
ORCA (Office 365 ATP Recommended Configuration Analyzer) is a tool developed by Microsoft that can help organizations identify configuration issues in their Microsoft Defender for Office 365 environment. Microsoft Defender for Office 365 (formerly known as Office 365 Advanced Threat Protection) is a cloud-based email filtering service that helps protect against advanced email threats such as phishing and malware attacks.
ORCA is a report you can run in your environment that highlights known configuration issues and improvements affecting Office 365 Advanced Threat Protection (ATP). It scans an organization’s Office 365 ATP configuration, which includes Microsoft Defender for Office 365 settings, and compares it to Microsoft’s recommended best practices. The report highlights any configuration issues or potential areas for improvement, along with guidance on addressing them.
By using ORCA to optimize their Microsoft Defender for Office 365 configuration, organizations can improve their protection against advanced email threats and ensure the security settings are properly configured and aligned with industry best practices.
You can use ORCA to check Office ATP and EOP settings, such as:
- Configuration in EOP which can impact ATP
- SafeLinks configuration
- SafeAttachments configuration
- Antiphish and anti-spoof policies
The idea behind ORCA is that you can run a simple PowerShell cmdlet (Get-ORCAReport) to generate an assessment of the anti-malware, anti-spam, and other message hygiene settings used by Exchange Online Protection (EOP) in an Office 365 tenant. Most value is gained if you have Advanced Threat Protection (ATP) licenses, because more settings exist to be checked against best practices. Or at least the best practices as they exist in the minds of the ORCA team.
ORCA runs many security configuration tests, including:
- Spam action set to Move message to Junk Email Folder
- High Confidence Spam action set to Quarantine message
- Bulk action set to Move message to Junk Email Folder
- Bulk Complaint Level threshold between 4 and 6
- Bulk is marked as spam
- Advanced Spam Filter options are turned off
- Outbound spam filter policy settings are configured
- No IP Allow Lists have been configured
- Domains are not being whitelisted in an unsafe manner
- Phish action set to Quarantine message
- High Confidence Phish action set to Quarantine message
- Safety Tips are enabled
- DKIM signing is set up to sign your emails
- DNS records have been set up to support DKIM
- Zero Hour Autopurge is enabled
- Supported filter policy action is used
- Unified Audit Log is enabled
- External Sender notifications are disabled
- A common attachment type filter is enabled
- Safe Links policies track when the user clicks on safe links
- Safe Attachments are enabled for SharePoint and Teams
- Safe Links is enabled for Office ProPlus, Office for iOS, and Android
- Safe Links is enabled intra-organization
- Safe Links synchronous URL detonation is enabled
- The Advanced Phish filter threshold level is adequate
- Mailbox intelligence is enabled in anti-phishing policies
- Domain impersonation action is set to move to Quarantine
- Anti-phishing policy exists, and EnableAntiSpoofEnforcement is true
- Safe Attachments are not bypassed
- Safe Links are not bypassed
- User impersonation action is set to move to Quarantine
- Your policy is configured to notify users with a tip
How to use ORCA
Running ORCA is very simple: install the module, start an Exchange Online PowerShell session, log in with an administrator account, and run the Get-ORCAReport cmdlet.
The ORCA cmdlet checks for the presence of the Connect-EXOPSSession command, which means you need either the REST module installed or an Exchange Online connection established with MFA.
All Office 365 administrator accounts should use MFA, but you don’t need to use MFA to use ORCA.
Running ORCA
To run ORCA, you need to do the following actions:
- Install the ORCA PowerShell module
- Connect Exchange Online PowerShell
- Run ORCA report
- Then analyze your mail configuration issues.
Running the required ORCA PowerShell commands.
Then ORCA will perform all Office ATP and EOP tests.
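The four steps above as one PowerShell session, added here as an example and not taken from the original post or from the ORCA project. After running the report it also spot-checks a few of the anti-spam settings ORCA grades directly against the live policies, using the property names of Get-HostedContentFilterPolicy; the UPN and the CurrentUser module scope are assumptions.

```powershell
# Added example (not from the original post or the ORCA project): install ORCA,
# connect to Exchange Online, run the report, then cross-check a few of the
# anti-spam settings ORCA grades against the live hosted content filter policies.
# Assumes the ExchangeOnlineManagement and ORCA modules are installed from the
# PowerShell Gallery and the account holds an Exchange Online administrator role.

# 1. Install the modules (once per workstation).
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
Install-Module -Name ORCA -Scope CurrentUser

# 2. Connect to Exchange Online (interactive sign-in; MFA prompts are honoured).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# 3. Run the ORCA assessment; the cmdlet produces the HTML report itself.
Import-Module ORCA
Get-ORCAReport

# 4. Independently spot-check anti-spam policy values against what ORCA expects.
#    Keys are Get-HostedContentFilterPolicy property names; values are the
#    actions named in the ORCA check list above (MoveToJmf = Junk Email Folder).
$expected = @{
    SpamAction                = 'MoveToJmf'
    HighConfidenceSpamAction  = 'Quarantine'
    BulkSpamAction            = 'MoveToJmf'
    PhishSpamAction           = 'Quarantine'
    HighConfidencePhishAction = 'Quarantine'
}

foreach ($policy in Get-HostedContentFilterPolicy) {
    foreach ($setting in $expected.Keys) {
        $actual = $policy.$setting
        $status = if ("$actual" -eq $expected[$setting]) { 'OK' } else { 'REVIEW' }
        '{0,-7} {1,-30} {2,-26} actual={3} expected={4}' -f `
            $status, $policy.Name, $setting, $actual, $expected[$setting]
    }
    # Bulk Complaint Level threshold: ORCA expects a value between 4 and 6.
    $bcl = $policy.BulkThreshold
    $status = if ($bcl -ge 4 -and $bcl -le 6) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1,-30} {2,-26} actual={3} expected=4..6' -f `
        $status, $policy.Name, 'BulkThreshold', $bcl
}
```

Any line marked REVIEW is a policy that differs from the ORCA recommendation and should show up in the report's Recommendations section, which makes the two views easy to reconcile.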
Once the script has finished running, we receive a report with two main parts, Recommendations and OK, each showing the number of configurations in that state.

Office ATP ORCA
Later in the report, we get details about each setting that was tested, grouped by area. For example:
It’s recommended to configure the Phish detection action to Quarantine so that these emails are not visible to the end-user from within Outlook.
The ORCA report describes the configuration issue, the risk, the current configuration, the action needed, and a link to the policy.
More misconfigurations in the ORCA report
In conclusion
The magic is in the report generated by ORCA because it’s here that comparisons and checks are made against the settings in an Office 365 tenant and the values recommended by Microsoft.
Useful links
The next article will be focused on how to monitor Office ATP and EOP with Azure Sentinel.