If your organization has Microsoft ATP in use and you haven’t had time to go through the latest changes, you’ve come to the right place. We’ve been monitoring the ATP functionality closely as we’ve built new features in our app that will enrich ATP data for your protection. How, you ask? Let’s start with what Microsoft has done in the past months and then move on to how Hoxhunt can further help your security team quickly respond to any malicious emails reported by your employees.
Microsoft Automated Investigation and Response (AIR)
In September 2019, Microsoft released Automated Investigation and Response (AIR) in Office 365, which allows your security team to create automated rules for incident management. With AIR, your team can create playbooks around different types of incidents, which helps the team focus on the urgent cases while less urgent “informative” reports can be handled at a later stage. Currently, AIR is available in Office 365 ATP Plan 2 and Office 365 E5.
How does AIR work? Simple: when an alert is triggered, a predetermined automated workflow is set into action and your security team is notified of the report. By default, the alerts below are automatically investigated in AIR:
- A potentially malicious URL click was detected
- Email reported by user as phish
- Email messages containing malware removed after delivery
- Email messages containing phish URLs removed after delivery
- Suspicious email sending patterns detected
- User restricted from sending email
By using AIR, security operations teams can increase their efficiency and effectiveness by automating tasks and workflows for known security threats. These threats can be automatically investigated, and suitable playbooks can be set to await approval, improving security responsiveness within the organization. Alerts can also be prioritized by severity, helping the security operations team focus their efforts on the ones that matter most.
You can view all alerts in the Security & Compliance center Alerts > View alerts.
All standard security playbooks provided by AIR are based on standard processes and developed through feedback collected from security operations teams. For more information regarding AIR, check out this Microsoft Document.
How can the security team see what your employees have reported?
There are two ways in which the information can be relayed to your security operations team. One option is to set up a reporting inbox to which emails reported through Microsoft native reporting are forwarded. If you choose to implement this, remember that it requires your employees to use native Microsoft reporting options such as the reporting add-in. For more information regarding the Microsoft reporting add-in, please read this article. When users report emails through native Microsoft reporting options, the reported emails can be found in Office 365 Security & Compliance under Threat Management > Submissions > Custom mailbox.
The other option is to use Hoxhunt’s ATP feature, which uses Microsoft’s own API to automatically integrate our reporting add-in with your ATP. When users report emails using the Hoxhunt add-in, the reported emails can be found under Threat Management > Submissions > User submissions.
If you are using the Hoxhunt feature, reported emails are automatically moved to the junk folder once they have been reported. Contact your CSM to turn on this feature for your organization.
We are continuously following any improvements from Microsoft. Our goal is to streamline security processes and bring you visibility to threats your organization is facing. By engaging your whole workforce, you are building a more secure future for all employees.
ATP Plan comparison: