Office Protect

Introduction

Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card details, or other sensitive details, by impersonating a trustworthy entity in digital communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website that matches the look and feel of the legitimate site.

Phishing is an example of social engineering techniques used to deceive users. Users are lured by communications purporting to be from trusted parties such as social networking websites, auction sites, banks, emails/messages from friends or colleagues/executives, online payment systems, or IT administrators.

Attempts to deal with phishing incidents include user training, public awareness, and technical security. Office Protect takes technical measures against phishing attempts. Aside from these technical measures, Office Protect safeguards Office 365 with custom use-cases.

SKUs

| Feature | Office Protect (Standard) |
|---|---|
| Protection against phishing attempts | + |
| Office user activity monitored | + |
| Block malware from spreading through e-mail | + |
| Secure links in Office 365 | + |
| Blocking malware from spreading through SharePoint, Teams, and OneDrive | + |
| Added security (use-cases) for Office 365 | + |
| Detecting and follow-up on advanced malware spreading through Office 365 | + |
| Extended investigation for advanced malware spreading through Office 365 | + |
| Compliant with NEN & ISO | + |
| 24/7 incident follow-up | + |

Features

Protecting against phishing attempts

Wortell uses the capabilities of Defender for Office 365 to prevent phishing attacks. Wortell configures Defender for Office 365 to detect attempts to impersonate your users and your internal or custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks.

Wortell will periodically check if all settings are still set correctly.

Office user activity monitored

Wortell uses Azure Sentinel as its SIEM solution. Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.

Azure Sentinel gives a bird's-eye view across the enterprise, alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames. Connecting Office 365 to Azure Sentinel allows Wortell to monitor your organization's Office tenant with use-cases created by Wortell.

Aside from Wortell's use-cases, the platform creates alerts when suspicious activity occurs, such as the creation of a forwarding or redirect rule in Exchange Online. Wortell responds to these alerts using its proven incident response process.
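As an added example (not Wortell's use-case library and not code from this page), the detection logic behind such a forwarding-rule alert, run over constructed Office 365 audit records in the Management Activity API shape; in Azure Sentinel the same logic would be an analytics rule over the OfficeActivity table. The tenant domain, the sample records and the severity mapping are assumptions.

```python
"""Flag Exchange Online inbox/mailbox rules that forward or redirect mail, from Office 365
audit records. Added example, not Wortell's use-case library. Record shape follows the
Management Activity API (Operation, UserId, ClientIP, Parameters=[{"Name","Value"}])."""

# Cmdlet parameters that make mail leave the mailbox (forward or redirect).
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "DeliverToMailboxAndForward"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
INTERNAL_DOMAINS = {"contoso.example"}  # tenant's accepted domains (assumed)

def smtp_domain(address):
    """Lowercased domain of an address such as 'smtp:bob@contoso.example'."""
    return address.split("@")[-1].strip().lower() if "@" in address else ""
def forwarding_findings(records):
    """One finding per record that creates or changes a forwarding/redirect rule."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        hits = {k: v for k, v in params.items() if k in FORWARDING_PARAMS and v}
        if not hits:
            continue
        # Recipients may be ';'-separated; the boolean flag carries no recipient.
        targets = [t for k, v in hits.items()
                   if k != "DeliverToMailboxAndForward" for t in v.split(";")]
        external = any(smtp_domain(t) not in INTERNAL_DOMAINS
                       for t in targets if smtp_domain(t))
        findings.append({"user": rec["UserId"], "ip": rec.get("ClientIP", ""),
                         "operation": rec["Operation"], "targets": targets,
                         "external": external,
                         "severity": "High" if external else "Medium"})
    return findings

SAMPLE_RECORDS = [  # constructed; RFC 5737 addresses, .example domains
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": "Invoices"},
         {"Name": "ForwardTo", "Value": "smtp:collector@external-mail.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
     "ClientIP": "198.51.100.2", "Parameters": [
         {"Name": "Identity", "Value": "bob"},
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.shared@contoso.example"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@contoso.example",
     "ClientIP": "198.51.100.9", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Archive"}]},
]
if __name__ == "__main__":
    for finding in forwarding_findings(SAMPLE_RECORDS):
        print(finding)
```

Only the two records that set a forwarding parameter produce findings; the rule that merely moves mail to a folder is ignored, and forwarding to an external domain is rated higher than forwarding within the tenant.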

Block malware from spreading through e-mail

A common risk is being targeted by malware sent through e-mail. Malware e-mails often appear to be package/parcel delivery notices, invoices, fax/scans, or fake court notices. The user then opens the e-mail attachment, which installs the malware on the user's workstation. Wortell uses the capabilities of Defender for Office 365 to prevent malware from spreading through e-mail. Wortell configures Defender for Office 365 to provide zero-day protection that safeguards your messaging system by checking e-mail attachments for malicious content. It routes all messages and attachments that do not match a known virus/malware signature to a special environment, and then uses machine learning and analysis techniques to detect malicious intent. If no suspicious activity is found, the message is forwarded to the mailbox.

Secure links in Office 365

Almost all applications in Office 365 can share links. Shared links can be sent in different ways, but most of the time they are shared through Microsoft Teams or e-mail. Because links can be part of a phishing campaign, it is important to scan them and respond to malicious links.

Wortell uses Defender for Office 365 to enable Safe Links. Safe Links provides time-of-click verification of URLs, for example in e-mail messages and Office files. Protection is ongoing and applies across your messaging and Office environment. Links are scanned on each click: safe links remain accessible and malicious links are dynamically blocked.

This reduces the success rate of a potential phishing attempt. If, for some reason, a potentially malicious link is clicked, an alert is created. Wortell responds to this alert quickly and correctly using its proven incident response process.

Blocking malware from spreading through SharePoint, Teams, and OneDrive

Just as malware spreads through e-mail, it can also be sent through SharePoint, OneDrive, or Microsoft Teams.

Wortell configures Defender for Office 365 with Safe Attachments. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Microsoft Defender for Office 365 provides an additional layer of protection for files that have already been scanned at upload time by the common virus detection engine in Microsoft 365. It helps detect and block existing files that are identified as malicious in team sites and document libraries.

When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and identifies a file as malicious, the file is locked using direct integration with the file stores. In the library view, the file is marked as malicious. Although the blocked file is still listed in the document library and in the web, mobile, or desktop applications, people can't open, copy, move, or share it. They can, however, delete the blocked file. This helps prevent malware from spreading through Office 365.

Added security (use-cases) for Office 365

Security Information and Event Management (SIEM) systems aggregate security data from across the enterprise, help security teams detect and respond to security incidents, and create compliance and regulatory reports about security-related events. Because a SIEM is core security infrastructure with access to data from across the enterprise, there is a large variety of SIEM use-cases.

As part of Office Protect, the customer is subscribed to the Wortell use-case library. This library contains a variety of use-cases that detect malicious behavior in Office 365. These use-cases are visible as analytics rules in Azure Sentinel. When an analytics rule is triggered, an alert or incident is generated. Wortell responds to these alerts and incidents using its proven incident response process.

Detecting and follow-up on advanced malware spreading through Office 365

Complex and advanced types of malware can result in a large number of security alerts. Wortell responds to these advanced types of malware using Defender for Office 365. The response capabilities of Defender for Office 365 are used to investigate and respond to threats.

Wortell reviews, prioritizes, and responds to alerts created by Defender for Office 365 and its automated investigation and response module. Wortell responds to these alerts and incidents using its proven incident response process.

Extended investigation for advanced malware spreading through Office 365

Complex and advanced types of malware can result in a large number of security alerts. Wortell responds to these advanced types of malware using Defender for Office 365. The investigation capabilities of Defender for Office 365 are used to investigate and respond to threats.

NEN & ISO Compliant

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS). Using it enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

24/7 Incident Follow-up

Devices are important, and attacks happen both day and night. Therefore, Wortell has a team of cybersecurity engineers available 24/7.

Wortell has organized the availability of the experts as follows:

  • Tier 1: Eyes on-screen during business hours and outside of business hours
  • Tier 2: Eyes on-screen during business hours, stand-by outside of business hours
  • Tier 3: Eyes on-screen during business hours, stand-by outside of business hours

Cost Calculation

The cost is calculated based on the number of users that have an Office 365 license assigned. Once per month, the number of accounts present in Office 365 is fetched.

License Requirements

The following prerequisites need to be met to deliver this service:

  • Per-user at least one of the following licenses needs to be present:
    • Defender for Office 365 P2
    • Microsoft 365 E5 / A5 Security

Microsoft licenses are not part of Wortell Protect and need to be purchased separately.

Other Requirements

The following requirements need to be met to deliver this service:

  • Identity Protect needs to be enabled in order to investigate Office Protect alerts.

Product Requirements

The following requirements are necessary before onboarding this product to our MDR service:

| Requirement | MoSCoW |
|---|---|
| Microsoft Defender for Office is configured and in use | Must have |
| Exchange Online, SharePoint Online, and Microsoft Teams are in use | Should have |
| Configuration is based on the Microsoft Strict/Standard baseline or Wortell Best Practices | Must have |

Wortell Managed Detection and Response has an extensive onboarding program that helps customers become compliant with the above requirements. You can read more about our onboarding program here.