
Microsoft Defender for Office 365
Product name changes
Poll 1 – What percentage of cyber attacks begin with a phishing email?
Poll 2 – How many messages did scan in 2019?
Email is the prevalent attack vector

Statistics from the slide (labels not captured in the extraction): 91% 60% $26B % 300 20% in 5 min 68 %

Why for Office 365?
Service architecture

Mail flow: Sender → Exchange Online Protection → Safe Attachments → Links → Recipient
• Exchange Online Protection: multiple filters; three anti-virus engines
• Safe Attachments – attachment detonation chamber (sandbox): supported file type; clean by AV/AS filters; not in reputation list. Behavioral analysis with machine learning: Executable? Registry call? Elevation?
• Links: continuously updated lists of malicious URLs; Safe Links rewrite; verdict Unsafe / Safe
• Protection across M365
• Apply Smart Heuristics

Collaboration signals
• Secure files: files in SharePoint Online, OneDrive for Business, and Teams
• Anonymous links; companywide sharing; explicit sharing; guest user activity
• 1st and 3rd party reputation: threat feeds in email + SPO; Windows Defender; Windows Defender ATP; multiple AV engines
• Suspicious logins; risky IP addresses; irregular file activity

• Activity watch lists: users; IPs
• Sandboxing and detonation
• On-demand patterns (e.g., WannaCry)

Enhanced anti-phish defense

Content analysis & detonation
• Malicious attachments
• Malicious URLs
• Detect text lures

Spoofing
• DMARC, DKIM, and SPF
• Intra-org spoof detection
• Cross-domain detection

Impersonation
• User impersonation
• Domain impersonation
• Brand impersonation
• Mailbox Intelligence

Internal Safe Links
Demo
Preset security policies
Understand policy gaps

Simplified configuration

Enhancing protection for our customers
Microsoft Defender for Office 365 offerings

• Exchange Online Protection: preventing broad volume-based & known attacks
• MDO P1: protecting from zero-day malware, URLs, Business email compromise
• MDO P2: Post Breach Investigation, Response, Automation and Simulation/Training

A day in the life of Security Operations teams

Alerts
• An email is reported as Phish by end user
• Report triggers an alert queued for SOC

Analyze
• Is the email indeed malicious?
• Are there Indicators of Compromise (IoCs)?
• What does Microsoft’s latest intelligence tell me about it?

Investigate
• What other emails match this: Sender; Sending domain; Sender IP; Subject; Fingerprint; URL

Assess impact
• Which users got any such emails?
• Did any users click the URL?
• Investigate users: have they shown any anomalous behavior?
• Investigate devices: are the devices still secure?

Contain
• Contain affected users and devices
• Apply conditional access on data access

Respond
• Remove malicious emails
• Remediate affected devices
• Clean-up any policy and configuration issues
• Block any URLs/senders not previously blocked

• SOC Tier 1 team investigates email
• SOC Tier 1 team assesses impact
• SOC Tier 1/Tier 2 takes/approves mitigation actions

Digging deeper into components of Security Playbooks

Submitting email triggers playbook

Playbook components
• Root investigation: Is it Phish? Is it Malware? Which recipients? Was it ZAPed? Analyst verdict? Known campaign? Cumulative risk score
• Expansion to email clusters: indicator clustering; similarity clustering; cumulative risk score
• Assess URL click-thrus in email clusters: blocked clicks; allowed clicks; cumulative risk score
• Identify URLs Safe Links did not wrap
• Perform user health check on click-thrus: assess user
• Share signal to other platform: Windows Defender ATP
• Remediation: auto-junk malicious email; soft-delete email from malicious clusters; re-assess URLs; recommendations

Hunting
Automated Investigations
Campaign Views
Demo
Threat Explorer
Threat Tracker
Reporting
Priority Account Protection

Demo
Defender Integration
Demo
Attack Simulator V2