
Use Microsoft Defender to strengthen your email security

By: Anders Bryde Thornild | Cyber Security, Phishing Training, Best Practice | 7 May

Does your company use Office365? A lot of you do. Did you know that Microsoft Defender is one of the best and easiest places to handle, report and create a secure email setup in your company?

Here's how.  

NOTE: Some of the features are not available on the cheapest plan, so some of them might not be in your plan.

This blog is part of 3 chapters

We are diving into Microsoft Defender and reporting of phishing. This blog is the first part of the trilogy. 

Here are the posts if you want to read them all:

  1. Use Microsoft Defender to strengthen your email security
  2. How to handle and spot phishing mails with Microsoft Defender
  3. How our new phishing report button integrates directly with Microsoft Defender

I hope you enjoy.

What is Microsoft Defender

Microsoft Defender is Microsoft's solution to help you secure your company. It's the one place where you can set up the protection of your Office365 accounts. If your company uses Office365, you probably have access.

If you haven't used it yet, you should. There are some cool features that will make it easier for you to run your IT setup safely.

This blog is not a complete intro

In this blog post, we will focus on how Microsoft Defender can help you protect your company against malicious emails and phishing.

If you need an introduction to setting up your Office365 and Defender from the ground up, this blog post isn't it. Instead, have a look at this. Then, you can always come back when you are ready to dive into the details. 

Why you should use it actively

If you already have a great security setup, Defender might not be for you. But we will argue that most small and medium-sized companies should use it.

The main argument is: You have all your email security in one place. 

We see it all the time. Companies where it looks something like this: 

"Linda receives a phishing email. Luckily, she spots it. She remembers the IT Guidelines, that she needs to report it to IT straight away. She opens Teams, searches for Jacob, the IT manager, and writes him. Done... Phishing reported.

That's great. Jacob logs into Microsoft Defender and deletes the email for all colleagues (yes, he can do that, we'll come back to that)

The next colleague who reports an email does it by calling Jacob. The third one just deletes the phishing email without reporting.

Jacob has a hard time understanding how many phishing emails actually get reported."

Well...

In comes Microsoft Defender. One place to handle all malicious emails. No more calls, no more Teams chats. Jacob can get everything in one place. 

He can:

✅ Get an overview of how many emails get reported

✅ Investigate all the emails to see if they are actually dangerous

✅ Take action and make sure no one clicks these links

✅ Keep track of all email threats in the company

Sounds great right? 

Let's jump into how.

Features

There's a bunch of cool features in Microsoft Defender. We aren't gonna cover them all. We are going to talk about the most useful ones when it comes to email security. But don't be shy to go all in and investigate the rest of Defender yourself. There's a bunch of useful features.

Explorer

If you click the Explorer section in Defender, we'll get into the first useful feature. This is one place where you can search for emails in your company. As the name suggests, you can explore all the emails that land in your colleagues' inboxes.

You can see all emails sent to your company. This is damn smart, if a phishing mail is loose. You can search for URLs, themes, domains, and a lot more. 

You can then delete the email for everyone, move it to quarantine, and investigate it further - depending on which license you have. You can take action across the WHOLE organisation.

You can just delete it. That surprises many of our customers and is one of the best features in Defender.

Review

Your spam filter might put some emails in quarantine, but that actually doesn't mean they get deleted. It just means your colleagues won't receive them before they get a manual acceptance from you in IT.

This is quite clever. Rather safe than sorry. 

But it's only smart if you know this function exists. If not, you end up with mail in quarantine, which should end up in your inboxes but never does.

This is where the "Review" section in Microsoft Defender comes in.


This is where you find ALL the emails that Microsoft Defender puts in quarantine. Here, you can investigate them to see if they are safe or not.

You can release the good ones, and then your employees will receive them. The bad ones, you can delete.


We see a few emails in our quarantine that were actually real emails, but it's always better to get too many emails in quarantine than too few.

In CyberPilot, our IT team checks the quarantine once per week to release or delete emails.

It doesn't take long and makes your company safer.
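The same weekly review can be prepared from Exchange Online PowerShell, which is handy when the quarantine is large. This is an added example, not CyberPilot's own script; the admin account, the CSV file name and the `*Invoice*` subject filter are placeholders.

```powershell
# Added example: weekly quarantine review with the ExchangeOnlineManagement module.
# admin@example.com is a placeholder; the account needs a role that can manage quarantine.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. Everything quarantined in the last 7 days that has not been released yet.
$since = (Get-Date).AddDays(-7)
$items = Get-QuarantineMessage -StartReceivedDate $since -EndReceivedDate (Get-Date) `
    -ReleaseStatus NotReleased -PageSize 1000

# 2. Overview: how many messages per quarantine reason (spam, phish, malware, ...).
$items | Group-Object Type | Sort-Object Count -Descending | Format-Table Name, Count

# 3. Triage list for the review, oldest first, so nothing expires unnoticed.
$items | Sort-Object ReceivedTime |
    Select-Object ReceivedTime, Type, SenderAddress, Subject, Expires, Identity |
    Export-Csv -Path .\quarantine-review.csv -NoTypeInformation

# 4. Inspect one candidate before deciding (subject filter is a constructed example).
$msg = $items | Where-Object Subject -like '*Invoice*' | Select-Object -First 1
if ($msg) {
    # Read the headers first: check sender domain, authentication results and routing.
    Get-QuarantineMessageHeader -Identity $msg.Identity | Format-List

    # Legitimate mail: release to all original recipients.
    # -WhatIf shows what would happen; remove it to actually release.
    Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll -WhatIf

    # Malicious mail: delete it from quarantine instead.
    # Delete-QuarantineMessage -Identity $msg.Identity -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

Keeping `-WhatIf` on the release and delete lines until the headers have been read avoids releasing a real phishing email to every recipient by mistake.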

Attack Simulation Training

Here's a cool feature as well. The "Attack Simulation Training" feature is one where you need a license, meaning it doesn't come with the standard Office365 plan - you need to pay a bit more.

But, if you have access, this is the place where you can run your own phishing simulations in your company, directly in Microsoft Defender. It does take quite a lot of effort to run, but it's something a lot of big companies do.

If you think phishing training sounds great but don't have the time or skills, it's something we can help you with. 

 

Policies and Rules

You have a spam filter, but spam filters differ in how aggressive they are. Policies and Rules is the place where you set up how aggressive your spam filter should be.

It all depends on the risks in your company. What kind of emails do you receive? Your risk analysis might help you map out what the risks are, and then you can set up your rules in a way that fits your risk level.



Setting this up can help you avoid getting a lot of spam emails and potential phishing emails. 

Advanced delivery

Under policies is also where you find "Advanced Delivery". This is where we do whitelisting for phishing simulations. If you run phishing training with us and use Office365, this is where you whitelist our domains to make sure our phishing emails end up in your inboxes. 

Whitelisting might not be something you need often, but in some situations it comes in handy.

Actions and submissions

If everything is set up correctly, the "Actions and submissions" feature might be your new favorite feature.

We kid you not.

If you go there, you can see under "User reported", all the emails your colleagues mark as phishing. 


Why is this cool?

Because it gives you a real metric to track. Not how often your users did the wrong thing (clicked a phishing email), but how often they did the right thing (reported the phishing mail). 

Besides that, you can now take action on the reported emails the moment they are reported. It's just like the explorer feature, except you don't have to find the emails; your colleagues report them to you.

All of this makes it possible for you to create one place to handle all phishing emails, where you get insights on how good you and your colleagues are at reporting them, and how well you handle them.

It's too much to unfold here, so we've created a whole blogpost just about this. 

Alert Settings

You can also set up rules for what should happen when someone reports a phishing email. Who should get an alert? And what is the response the user who reported it should get? Some of this happens under Alert settings though. It's a bit confusing - but it can be done. 

Reported phishing simulations

Another cool thing under Actions and Submissions is that Microsoft Defender can actually see the difference between real reported phishing emails and reported phishing simulations.

This means you can easily work with phishing simulations without it affecting your view, workplace and data for real threats. It also means that your users can safely use the report phishing button for ALL phishing emails - the real ones and the simulated ones.

Why this is clever and how we use this button

A lot of companies that offer phishing training have coded their own "Report phishing button". This means you need to integrate this button into your Office 365. You need your colleagues to use this button to get reporting in the LMS that your phishing training provider has. 

But then you don't have the data in Microsoft Defender, and you can't handle the phishing emails in Defender. This means that your colleagues should ALSO use the Microsoft "Report as phishing" button if you use Microsoft Defender to stop phishing emails from spreading. Or, you need to look in the third-party app to see reported emails, but then go to Defender to take action on these emails.

To us, this sounds a bit dumb.

That's why we haven't built our own report phishing button.

Instead, we simply integrate with Microsoft Defender. Meaning, if your user reports a phishing email which is one of our phishing simulations, we can pull this data into our platform. You still have all the info in Defender, and your users only need to learn to use one button.

To us, that's a win-win. And you can read a lot more about how it works in this blogpost, where we go into depth with it.

Conclusion

This was a short intro on some of the features in Microsoft Defender that can strengthen your email security. I hope you found it useful and that you want to try them out.

Stay safe.