Unexpected Security and Compliance Center Changes

Posted on Leave a commentPosted in Advanced Threat Protection, ATP, EOP, malware, Safe Attachments, Safe Links, Security and Compliance Center, Threat Management

In the last few days the layout of the Security and Compliance Center with regard to the Threat Management section appears to have changed.

In the middle of the week just gone, and for a long while previously, you could access Mail Filtering, Anti-malware, and DKIM from Security and Compliance > Threat Management and see these items as entries on a menu:

For example, Advanced Threats


For example, Mail Filtering


But in the last two days there has rolled out across a number of tenants without any notice a change to the Threat Management menus. Now all you see if Review and Policy. The below picture shows the Review area:


Policy area: This contains the previous menu items such as anti-malware, ATP Safe Links etc.


Depending upon your licences, this will appear different. For example the below is what an EOP only tenant would see from today:


How To Run an Advanced Threat Protection Proof of Concept

Posted on Leave a commentPosted in Advanced Threat Protection, ATP, malware, Office, Office 365, Office 365 ProPlus, Proof Of Concept, Safe Attachments, Safe Links

I put the following post together as I was asked this question from Microsoft themselves! This post covers what you need to put in place, and how you can test some of it (as testing the blocking of malware involves sending malware first!)

First, lets take a look at the Advanced Threat Protection steps for a proof of concept (PoC), and then later we will look at the new Office Smart Links feature.

You need to put the following in place:

  • Exchange Online Protection managed tenant. That is MX to EOP is required for simple PoC
  • Hybrid with MX on-premises and then mail flow to cloud is possible for an advanced PoC, but here it depends upon what the customer has in-front of on-premises. If this is the case, then a simple PoC with a new email namespace and MX to EOP is recommended before transitioning to protecting their actual mailbox.
  • Create ATP rules in wizard in Exchange Control Panel for both Safe Attachments and Safe Links. PowerShell is pointless for this, as there is not a lot to do, and there are more steps if do it via PowerShell!
    • Enable ATP for a selected mailbox(es) and not an entire domain. Mailboxes can be cloud or on-premises.
    • Enable Smart Links for same mailboxes. Mailboxes can be cloud or on-premises.
    • Do not enable Smart Links for Office documents (as this is a global setting) (see later)
  • Check if org has rules to block .exe attachments. If they do then exe’s will be blocked by this rule and not processed by ATP.
  • Test. I have sent the .NET Framework installer .exe in email before to test this. But at any given day or time the rules could change as to what is blocked or not. I used to have a “fake macro virus” document (see below), but OneDrive’s built in AV started detecting it and now I do not have the file anymore! The doc I used to test with had an autorun macro that set a regkey that included the words “I download stuff and drop files” or something like that! It might be possible to create your own document, but watch out for AV software and the like blocking it and/or deleting it, or it being filtered out before it arrives at the target mailbox. I did say above this PoC is quite hard to do when trying to send malware for detection!
  • For SafeLinks, send an email from external that contains a URL with www.spamlink.contoso.com in it. The link will be rewritten. Some common links are never rewritten (I think www.google.com falls into this category) and you can whitelist URLs as well company wide. So if you whitelist a URL, send an email from the internet containing that link. That is a useful addition to the PoC as well.
  • ATP now quarantines (or at least its coming soon) the failed attachments, so include that on a demo. I have found that forwarding failed attachments to another mailbox (like a shared mailbox) is a bit temperamental – hasn’t for at least a year in one of my tenants but does in another tenant.
  • If users are on-premises (EOP before an on-premises mailbox) then do not enable dynamic delivery. If PoC mailboxes are both on-premises and cloud then create two ATP rule sets, one rule for each type of mailbox, and enable dynamic delivery for cloud mailboxes only.
    • Dynamic delivery sends the message without attachment to the cloud mailbox and later writes the attachment into the message body. This works in the cloud as Microsoft manage ATP and Mailbox. It cannot work on-premises as Office 365 cannot write the modified message into Exchange Server at a later time.
    • Dynamic delivers the body but not the attachment instantly. Attachment, if safe, follows later (7 or so minutes I tend to find). I understand an option to view the content of the attachment in a web browser but not the attachment is coming, but I have not seen that yet) – suspect the link to this will be inside the “pending attachment notification” in the dynamic email, but am guessing at this.
    • Do not dynamic deliver to on-premises mailboxes.
  • Demo that internal emails do not SafeLink rewrite and attachments are not processed. That is, send an email between two internal mailboxes and show that it is not processed.
  • In hybrid, if the connectors to the cloud are set up correctly then internal email from on-premises to cloud should not rewrite links or process attachments. External emails are marked as such when they arrive on the first Exchange Server and so an external email to on-premises and then via the hybrid connectors to Exchange Online should be processes, as Exchange Online knows it is external!
  • Enable ATP for direct attachment links (i.e. link directly to an exe, pdf etc.). Then email and click that link. ATP with a yellow background will popup saying the file needs to be scanned. After a while (7 minute or so) click the link again and you will get to the file directly.
  • Safelink URLs are geo based. So EMEA tenant (or UK tenant) will get emea01.safelinks.protection.outlook.com rewritten URLs. UK tenants have EOP in EMEA, so the links for UK tenants are the same as EMEA tenants (at this time, not sure if this is changing).
  • Send emails that are both HTML based and Text based, and use the range of clients that the end customer users to see experiences. Rewriting text formatted emails appears different than html formatted emails.

SafeLinks for Office

  • Once you/client is happy enable SafeLinks for Office option. This is a global setting. Though this only works if you have Office Click-to-Run June 2017 Current Branch and later in use. For this create a new document that was never emailed:
    • On a Win10 AAD joined machine, save the file anywhere or just create a new Word doc and do not save it
    • On a Win10 not AAD or legacy Windows client then save the file to OneDrive for Business sync folders or SharePoint sync folders. It needs to be saved to these folders to know that it is a cloud document.
    • Get a demo machine that syncs to multiple tenants and later save a copy of the file OneDrive sync folders for the unprotected tenant. In this scenario you will see a protected document become unprotected (or visa versa) as you change the folder where it is saved to.
  • Once you have the file start creating content in it (typing “=Rand(20)” without quotes is a good way to do this in Word) and then start adding some links to the document. Use the above mentioned test link as well.
  • Click each link.
    • If it is safe, then the webpage will open
    • If it is not, then the alert page will open, or a dialog will popup saying its not safe (I have seen both behaviours)
  • Note that links are not rewritten (unlike in the email client, where you cannot be sure what client is in use, so the link needs rewriting). In Office documents the link is checked at time of click, and only if the document is saved to a cloud location (sync folders included)

Malware Filter Policy Updates in Office 365

Posted on 3 CommentsPosted in EOP, exchange online, Exchange Online Protection, malware, Office 365

In March I wrote a blog post that showed how to take the attachment filter list from Edge Server and add those attachment block types to EOP, as EOP had a very small list of attachments.

Today on one of my client tenants I noticed this precanned list of attachment extension types is now at 96 items, which is a considerable change from the list back in March 2017. The list in March was ace, ani, app, docm, exe, jar, reg, scr, vbe, vbs and still is for some tenants at the time of writing.

But while Microsoft has added new attachment types to the picker UI, there was no notification to the end client administrators that they might want to update their MalwareFilterPolicy to take account of these new attachment types that Microsoft have considered worthy of being blocked.

Therefore, now is the time to check your existing MalwareFilterPolicy to include the new extension types (listed below).

For reference, the new attachment filter types that have been added since March 2017 are


But notice that some of these are initial capital versions of entries that are already there (i.e. hta was in the list or on Edge server a few months ago, but now Hta is on the list as well).

I am assuming attachment blocking is not case sensitive and so the following extensions are if added from the attachment list picker will be duplicates – Hta, Inf, Ins, Jse, Ksh if you imported a matching, but lower case, list from your Edge servers.

Getting Started with Office 365 Advanced Threat Protection

Posted on 7 CommentsPosted in Advanced Threat Protection, ATP, EOP, exchange online, Exchange Online Protection, IAmMEC, malware, Office 365, proxy, Safe Attachments, Safe Links

Announced a few months ago, Advanced Threat Protection became generally available on 1st June. I have been involved with trialling this product during the beta and so I thought I would note down a few thoughts on setting this up and what to expect now that it is publicly available.

Advanced Threat Protection is an add-on product to Exchange Online/Exchange Online Protection with its own subscription, so you will not see these features and products unless you have subscribed. Once you have subscribed you will get two new features in the Exchange Control Panel for Office 365. These are the ability to find malware containing attachments before a detection signature for that malware exists (zero-day malware attacks) and the ability to filter all hyperlinks in email via a known malicious links service (filtering against spear-phishing attacks). The feature to detect zero-day malware is called Safe Attachments and the feature to protect against spear-phishing is known as Safe Links.

Subscribing to Advanced Threat Protection

After signing into the Office 365 administration portal click Purchase Services on the left hand menu and locate your current Office 365 subscription that contains Exchange Online or Exchange Online Protection (Office 365 Enterprise E3 contains EOP, so you would look for your suite purchase if you did not have a standalone purchase of EOP). Your current subscriptions will contain the words Already Purchased underneath the item as shown:

image or image

In the two screenshots above you can see that you have no Exchange Online Advanced Threat Protection licences purchased. To add Advanced Threat Protection licences click the Add more link and enter the number of licences you want to purchase. You do not need to purchases the same number of licences as EOP or Exchange Online mailbox licences as you use the policy below to control who Advanced Threat Protection is available for. Advanced Threat Protection for volume licence customers is available from August 2015 and for non-profit/educational licences from later in the year. Once the purchase is confirmed the Advanced Threat’s menu entry appears in the Exchange Administration Console. Also don’t forget to assign a licence to the appropriate users in the Office 365 portal.

Safe Attachments

Safe Attachments in Advanced Threat Protection takes any email that meets the conditions of any one of the Safe Attachment policies that you create that also contains an attachment and checks this email for for malicious behaviour as it passes through Exchange Online Protection (EOP). Before an email is checked by Safe Attachments the attachment has already been scanned for known malware and viruses. So if the attachment contains malware that was not detected by an existing AV signature or if it is a safe attachment (no malware) then the email is routed to the Safe Attachments component in EOP. If the email does not contain any attachments it is routed to the users mailbox by way of the other EOP spam filtering features.

Once an email is considered to have cause to be checked by the Safe Attachments component of ATP the individual attachments in the message are placed inside a newly created Windows virtual machine that is spun up in ATP for the purposes of this service. The attachment is then executed or otherwise run (for example if it is a Word doc, it is opened in Word in the new VM that was created for it). The VM is then watched for behaviour that is considered to be unsafe. Examples of unsafe behaviour include setting certain known registry key locations (such as the RunOnce group of keys in Windows) or downloading malicious content from the internet. If the attachment does not exhibit that behaviour then the email is released and sent on to the user. If the email does exhibit these actions the email is not sent onward, and optionally a copy of the email in a form of a report is forwarded to an administrators mailbox (where care should be taken on opening the attachment).

The time it takes to spin up a new VM and execute the attachment is in the region of 7 to 10 minutes. Therefore anyone subject to a Safe Attachments policy will have emails that contain attachments delayed by at least this amount of time. Of course this delay is necessary to ensure that the recipient is not being sent malware that is currently not detected (zero-day attacks) and the impact of this delay needs to be considered against the benefit of the additional filtering that happens and the impact of that user executing the malware themselves on their own machine.

To protect a user with Safe Attachments you need to create a policy. This is done in the Exchange Admin Centre in Office 365 and the “advanced threats” area as shown:


In the above screenshot I have a single policy created called “Protect Brian Only”. This would be an example where I wanted to protect those users whom I though where more likely to be subject to zero-day malware attacks – good examples would be highly targets accounts (CEO etc.), IT administrator/help desk accounts and of course the accounts of users who will click anything and so you are often cleaning up their PC! There is no default policy, so unless a user is protected by a policy that you the administrator create, they are not subject to the Safe Attachments feature.

As Advanced Threat Protection is an additional licence, only those users who are licenced should be included in any policy.

Opening the “Protect Brian Only” example policy above shows me three sets of options. These are:

SNAGHTML43aa903b SNAGHTML43b22229 SNAGHTML43aad2b3

The first page allows me to edit the name and description. The second page sets the policy (more on this below) and the final page sets who the policy applies to. In this example it applies to a single recipient who was selected from the list of users in Office 365, though it could be a list of more than one user or anyone with a given email domain or anyone in an already created group.

The policy setting allows me to do the following:

  • Scan attachment containing emails (with options to not do this scanning, scan and send onward to the user regardless of the result, block the emails containing bad attachments or replace the attachments with a notification but allow the contents of the email to go on through).
  • Redirect the attachment containing emails to an alternative email address and what address to use. This is great for seeing what is blocked and acting as a sort of reporting service. Warning – this email address will get malicious emails sent to it, handle with extreme care.
  • Finally, in the event of a timeout at EOP/ATP where the attachment cannot be scanned in 30 minutes, check this box to treat the attachment in the same way as malicious emails are treated. This is the default action.

In the mailbox of the intended recipient, if block or replace is selected in the policy then the user will not see the malicious attachment and therefore cannot accidently execute its contents.

In the mailbox of the email address used for the redirection, you will see messages such as follows:


Here you see a report email that contains the email that was detected as malicious. You can see the To: address (redacted in the graphic above) and that it was not sent to the intended recipient and that it should not be opened.

All in all, its a very simple and inexpensive way to protect the mailboxes of either all staff or those you consider subject to targeted malware such as CEO type staff and the IT department. Even if you do not redirect emails containing malicious attachments, you can report on the number and type of attachments that are blocked from the reporting console available from the image icon on the ATP toolbar. The following shows a 30 day report for my tenant (which has only a few live mailboxes protected). For data-points beyond 7 days old it will take a short while for the information on the report to be returned to you and you need to request that report from the provided link. For data-points under 7 days you can see the information in real-time. The grey background to report shows where the 7 day period is located. In the below screenshot the above malware can be see in the report as the single instance of an email that passed AV scanning successfully but was in fact a zero-day attack. The second screenshot below shows the type of malware attachments that ATP is blocking. From this we can see that the risk lies in maliciously crafted Excel and Word attachments.

SNAGHTML43c1954c SNAGHTML43ce425b

Safe Links

When an email is delivered to the end recipient, any technology that checks the target of any link in the email is prone to one large issue – the web page or attachment on the other side of the hyperlink in the email may be safe and okay to view at the time of delivery, but might not be at the time the user comes to open the email and then click the link. Being aware of users working, or at least email reading hours, and delivering emails outside this timeframe with links to websites that are okay at the time of delivery means the email passes any web site or download checks done by the email server.

Advanced Threat Protection’s Safe Links feature protects the user by rewriting the hyperlink in the email body so that the link is checked at the point of click and not the point of delivery. To do this the hyperlink is changed from the target to the Safe Links portal. Then when the user clicks the link, they are taken to the Safe Links portal and if the site is now on a block list, the user is blocked, but if the target of the link is fine they are sent a browser redirect to the original target. Note that this is not a proxy server – you do not connect to the target URL through the Safe Links portal, you just visit the Safe Links portal when you click the link and if the target is safe at point of click you are directed via your browser to the target (a client side redirect). If the target is not safe at point of click then an error page is displayed.

In the following screenshot is an email with a hyperlink in it. This link was received by me to my Safe Links protected account and it looks link it might be an attempt to download malware to my computer, but I am going to click the link anyway (in second screenshot I am hovering over the hyperlink):

image image

You can see from the above screenshot that the hyperlink takes the user first to https://na01.safelinks.protection.outlook.com/?url=targetURL&data=value&sData=otherValue. The na01 part of the URL will be regionally specific and so might read emea01 or apac01 etc. When the user clicks the link they go to region.safelinks.protection.outlook.com. In my case I see the following webpage:


Here I am told the page has been classified as malicious. I also have an option to continue anyway (and I can control if this setting appears for users or not) and an option to close the browser window.

If the hyperlink is not malicious at the point of click then I still go to the Safe Links portal (as it is the portal that checks the link at point of click), but then get redirected to the target URL. This can be seen in the following screenshot which shows the F12 developer tools enabled in the browser and the network trace screen shown at the bottom of the window:


You will see that the first line is the Safe Links portal and this take 0.75 second before being redirected with a HTTP 302 client side redirect to the target URL and then the rest of the objects on the target page (until I paused the trace).

So how do I set this all up? It is very similar to the Safe Attachments above in that we create a policy, and then any email that contains hyperlinks that is delivered to the end user after that users is added to a policy get rewritten.

First we go to the Advanced Threats area of the Exchange Administration Console:


Here you can see an existing policy. There are no policies by default. If I create a new policy I need to provide the following:


You can see from the screenshot that you need a name for the policy and whether or not a link is rewritten (policies with greater priority take precedence, so if a user is subject to two or more polices then only the higher priority policy takes effect, therefore you can use a policy to turn off link rewriting for a subset of users covered under a lower policy that enabled it for more users). Also you can disable link tracking and not to allow users to have the option to click through to the target URL. Link tracking allows you to report who clicked what link and not allowing users to click through disables the “Continue to this website (not recommended)” link on the Safe Links warning page.

You also have the ability to control URL’s that you do not want to rewrite, and rewriting will only happen for FQDN URL’s (that is those with dots in them) and not single name URL’s such as http://intranet.  This allows you to bypass redirection for sites you know are safe or are FQDN’s but are internal.

Finally you get to set who the policy applies to. You do not need to apply the policy to all users if you have not licenced all users, but you can set policy based on who the recipient is, what domain the recipient is in (all users in that domain) or a group (some users).

On the Mail Flow menu in Exchange Control Panel you can view a URL Trace of the links that users have clicked in the past 7 days. The report shows you the link clicked and if it was blocked or not. If the click through option is enabled, it will show if that was done as well. Only users in policies that track clicks will be reported. As report looks like the following:


Further Administration

To administer your Safe Links and Safe Attachments policy and rules via Remote PowerShell see http://c7solutions.com/2015/06/advanced-threat-protection-via-powershell

Updating Exchange 2013 Anti-Malware Agent From A Non-Internet Connected Server

Posted on Leave a commentPosted in 2013, 64 bit, antivirus, exchange, Exchange Online Protection, IAmMEC, malware, mcm, mcsm, powershell, x64

In Forefront Protection for Exchange (now discontinued) for Exchange 2010 it was possible to run the script at http://support.microsoft.com/kb/2292741 to download the signatures and scan engines when the server did not have a direct connection to the download site at forefrontdl.microsoft.com.

To achieve the same with Exchange 2013 and the built-in anti-malware transport agent you can repurpose the 2010 script to download the engine updates to a folder on a machine with internet access and then use a script from Exchange Server 2013 to download from a share on the first machine that you downloaded the files to, and that the Exchange Servers can reach.

So start by downloading the script at http://support.microsoft.com/kb/2292741 and saving it as Update-Engines.ps1.

Create a folder called C:\Engines (for example) and share it with Authenticated Users / Read access and full control to the account that will run Update-Engines.ps1

Run Update-Engines.ps1 with the following

Update-Engines.ps1 -EngineDirPath C:\engines -UpdatePathUrl http://forefrontdl.microsoft.com/server/scanengineUpdate/  -Engines “Microsoft” -Platforms amd64

The above cmdlet/script downloads just the 64 bit Microsoft engine as that is all you need and places them in the local folder (which is the shared folder you created) on that machine. You can schedule this script using standard published techniques for scheduling PowerShell.

On your Exchange Server that has no internet connectivity, start Exchange Management Shell and run the following:

Set-MalwareFilteringServer ServerName –PrimaryUpdatePath \\dlserver\enginesShare

Then start a PowerShell window that is running as an administrator – you can use Exchange Management Shell, but it too needs to be started as an administrator to do this last step. In this shell run the following:

Add-PSSnapin microsoft.forefront.filtering.management.powershell




Then compare the first results from Get-EngineUpdateInformation with the second results. If you have waited 30 or so seconds, the second set of results should be updated to the current time for the LastChecked value. UpdateVersion and UpdateStatus might also have changed. If your Exchange Server has internet connectivity it will already have updated automatically every hour and so not need this script running.