Learn Computing from the Experts | The Rheinwerk Computing Blog

Detecting Malicious Code in Microsoft 365

Written by Rheinwerk Computing | Jun 6, 2024 1:00:00 PM

In Microsoft 365, Exchange Online comes with solid signature-based baseline email protection in the form of Exchange Online Protection (EOP).

SharePoint Online and OneDrive for Business likewise ship with signature-based baseline antivirus protection as standard. But these solutions won’t save you from every threat: for malicious code to be detected, a signature for it must already exist. Some time can pass before a signature is available, and during that window a purely signature-based scanner offers no protection at all.

This is where Microsoft Defender for Office 365 adds a further layer of protection, one that ideally also detects malicious code that has never been seen in circulation before.

Microsoft Defender for Office 365 consists of several components:

  • Protection for files: Executable files stored in SharePoint Online or OneDrive for Business (including files shared in Microsoft Teams), as well as files received as email attachments, are run by Microsoft Defender for Office 365 in an isolated sandbox environment, where their behavior is observed. Unusual activity can be detected this way. “Executable” here also covers Office files with embedded macros, PDF files, and similar formats. Access to files identified as malicious can then be blocked.
  • Protection for links: The links contained in emails are rewritten so that they initially point to Defender for Office 365. If a user later clicks such a link (from any email client), the service checks whether the original target is potentially dangerous, such as a phishing site that imitates the login page of an online retailer or bank in order to harvest the user’s credentials.

Link protection is not limited to email, however. The Office applications (Microsoft 365 Apps for enterprise) also check the link target when a link is clicked in a file (e.g., a Word document) and warn the user if necessary. The Microsoft Teams client behaves the same way. In these application-integrated checks, the original links are not rewritten.

You can enable the two components for the entire organization or only for parts of it, and you can configure them separately for different user groups. The figure below shows how Defender for Office 365 proceeds when an email arrives:

  1. First, all mails are checked by EOP and filtered out if necessary (1).

  2. The next step is to check whether the email contains file attachments. If an attachment is executable and has never been checked before, it is transferred to the detonation chamber (2). Executable files include scripts (JavaScript, for example) as well as Office files (because of possible macros), PDFs, and Flash files.

The detonation chamber is a virtual machine hosted in Azure. There, the attachment is executed and observed for suspicious activity, such as writes to the system registry or requests for administrative rights. Based on the observed behavior, the attachment is classified by its danger level and then processed further according to your configuration. One option is to block malicious attachments, as shown here.

Analyzing a file attachment in the detonation chamber takes time; Microsoft quotes an average of about two minutes. In the configuration you decide whether mails are held and delivered to the user’s mailbox only after the check, or whether a function called dynamic delivery is used. With dynamic delivery, users receive their emails before the detonation chamber has finished; the attachments are initially replaced by placeholders.

If no threat is found in the detonation chamber, the placeholders are later replaced automatically with the real attachments. Dynamic delivery only works, however, if the user’s mailbox is in Exchange Online rather than in an on-premises Exchange organization (as is possible in an Exchange hybrid configuration, for example). Note that attachment analysis is applied not only to emails arriving from outside your organization, but also to emails your users send to each other.

  3. Links within the email are rewritten to point to the host safelinks.protection.outlook.com (3). The figure below shows an example.

  4. If the user later clicks a link, Defender for Office 365 checks the original target. If problematic content is suspected there, the user receives a clear warning message in the browser.

 

Rewriting the links at receipt time has a major advantage: link destinations are not checked once on receipt, but later, at the moment the user actually clicks. Attackers like to publish harmless content at the link target first and swap in the actual malicious content only after the mails have been delivered and have slipped past less capable, delivery-time checks.
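As an added example (not from the original post) of what these rewritten links look like from the analyst’s side: during an investigation you often get a Safe Links URL from a user report or a message trace and need the real destination for blocklisting or sandboxing without clicking it. The PowerShell function below unwraps the url query parameter. The sample URLs and their data/sdata values are constructed for illustration; the regional prefix (nam02.) is the form rewritten links typically carry, and the function accepts the bare host as well.

```powershell
# Added example, not part of the original post: unwrap a Safe Links rewritten URL
# to recover the real target for analysis (blocklisting, sandboxing) without clicking it.
# The sample URLs below are constructed; the data/sdata values are dummies.

function ConvertFrom-SafeLinksUrl {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Url)

    $uri = [System.Uri]$Url

    # Only unwrap links that actually point at the Safe Links redirector.
    # Real rewritten links carry a regional prefix, e.g. nam02.safelinks.protection.outlook.com.
    $isSafeLinks = $uri.Host -eq 'safelinks.protection.outlook.com' -or
                   $uri.Host -like '*.safelinks.protection.outlook.com'
    if (-not $isSafeLinks) {
        return [pscustomobject]@{ Rewritten = $false; Target = $Url; Wrapped = $Url }
    }

    # Query string layout: ?url=<percent-encoded target>&data=...&sdata=...&reserved=0
    $target = $null
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        if ($name -eq 'url' -and $value) {
            $target = [System.Uri]::UnescapeDataString($value)
        }
    }

    [pscustomobject]@{ Rewritten = $true; Target = $target; Wrapped = $Url }
}

# Constructed samples: one rewritten link and one that was not rewritten.
$samples = @(
    'https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Finvoice%2Fview%3Fid%3D42&data=05%7C01%7Cuser%40contoso.com%7C0000&sdata=AAAA&reserved=0',
    'https://example.org/plain'
)

# Expected: the first sample unwraps to https://example.com/invoice/view?id=42,
# the second is reported unchanged with Rewritten = False.
$samples | ForEach-Object { ConvertFrom-SafeLinksUrl -Url $_ } |
    Format-Table Rewritten, Target -AutoSize
```

The function runs in PowerShell 7 or Windows PowerShell 5.1 and needs nothing beyond .NET’s System.Uri. It only reads the url parameter; it never fetches the target, which is the point when the link may be live malicious content.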

 

Of course, even with Microsoft Defender for Office 365 you won’t get a 100% detection rate for every conceivable threat. The level of protection is, however, significantly higher than with EOP alone.

Given the manageable cost of Microsoft Defender for Office 365, the protection it provides is well worth considering. Microsoft Defender for Office 365 is already included in the Office 365/Microsoft 365 E5 license packages (as Plan 2) and in Microsoft 365 Business Premium (as Plan 1). You can also add it as a standalone license on top of other licenses. Plan 2 additionally includes advanced analysis tools (such as Threat Explorer) and attack simulation training for your own users.

Protection for File Attachments

The configuration for email attachment protection by Microsoft Defender for Office 365 is found in the Microsoft Defender portal in Threat policies under Safe Attachments.

There you create one or more policies, each tied to conditions such as particular user groups or specific recipient domains.

Configuring such a policy is not particularly complex:

  1. Click Create. The form shown below will display.
  2. Specify a name and, if necessary, a description for the new policy.
  3. In the Users and Domains step, select the groups, users, and domains the policy should apply to. This is also how you create different policies for different sets of recipients.
  4. In the Settings step, select the desired response under Safe Attachments unknown malware response. The following options are available:
    • Off: Attachments aren’t scanned at all.
    • Monitor: Attachments are scanned, but only the result is logged. Potentially malicious attachments are still delivered.
    • Block: If an email contains a malicious attachment, the entire email is withheld and quarantined.
    • Replace: The email is delivered, but malicious attachments are removed and replaced with a notice.
    • Dynamic Delivery: The email is delivered immediately with the attachments replaced by placeholders; once scanning finds them clean, the original attachments are reattached.
  5. You can also redirect affected emails to a dedicated mailbox for closer review. To do so, select Enable redirect and enter an email address.

Once you’ve created the new policy, it can take about 30 minutes before it is actually applied. If you’ve configured multiple policies, you can use the arrow icons to change their priority, and thus the order in which they are evaluated; a recipient is only ever subject to the first matching policy.

Protection for Files in SharePoint Online and OneDrive for Business

If you want to use Microsoft Defender for Office 365 for files in SharePoint Online and OneDrive for Business as well, open Safe Attachments in Threat policies and click Global settings. Turn on the option Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams.
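The five policy steps above and the SharePoint/OneDrive/Teams toggle from this section as one script, added here as an example and not taken from the original post. It uses the Exchange Online PowerShell module (ExchangeOnlineManagement) rather than the portal; the policy and rule names, the group address and the admin account are placeholders, and it assumes an account holding the Security Administrator role.

```powershell
# Added example, not part of the original post: the Safe Attachments setup from the
# steps above (policy, recipient rule, SharePoint/OneDrive/Teams toggle), done with
# the ExchangeOnlineManagement module instead of the portal.
# Assumptions: the module is installed, the account holds the Security Administrator
# role, and every name and address below is a placeholder.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# Step 4: the policy defines the unknown-malware response.
# -Action maps to the portal options: Allow (= Monitor), Block, Replace, DynamicDelivery.
New-SafeAttachmentPolicy -Name 'SA-Finance' `
    -Enable $true `
    -Action DynamicDelivery

# Step 3: the rule decides who the policy applies to and sets its priority (0 = highest).
New-SafeAttachmentRule -Name 'SA-Finance' `
    -SafeAttachmentPolicy 'SA-Finance' `
    -SentToMemberOf 'finance@contoso.com' `
    -Priority 0

# Global setting: extend Safe Attachments to SharePoint Online, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Check what is actually configured (allow ~30 minutes for a new policy to take effect).
Get-SafeAttachmentRule   | Format-Table Name, Priority, State, SafeAttachmentPolicy, SentToMemberOf
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action, Redirect, RedirectAddress
Get-AtpPolicyForO365     | Format-List EnableATPForSPOTeamsODB
```

The review mailbox from step 5 corresponds to the -Redirect $true and -RedirectAddress parameters of New-SafeAttachmentPolicy. Keep in mind that Dynamic Delivery, as described above, only works for mailboxes hosted in Exchange Online; for hybrid recipients choose Block or Replace instead.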

 

 

Protection for Links

The configuration for handling links in emails is similar to the configuration for attachments. You find it in Threat policies under Safe Links.

To create a new policy, follow these steps:

  1. Click the Create button. The form displays.
  2. Specify a name for the new policy and, if necessary, a description.
  3. In the Users and Domains step, select the users, groups, and domains the policy should apply to (see below). Again, this is how you create different policies for different sets of recipients.
  4. To enable protection, set On in the Protection Settings step under Select the action for unknown, potentially malicious URLs in messages and under Select the action for unknown or potentially malicious URLs in Microsoft Teams.

Activate the other options according to your requirements. The following options are available:

  • Apply real-time URL scanning for suspicious links and links that point to files
  • Wait for URL scanning to complete before delivering the message
  • Apply Safe Links to email messages sent within the organization
  • Do not track user clicks: This option may be required for privacy reasons, but it also removes the click data you would want during an incident investigation.
  • Do not allow users to click through to the original URL: Of course, this doesn’t prevent users from typing the URL into the browser themselves.
  • Display the organization’s branding on notification and alert pages
  • Do not rewrite URLs, do checks via Safe Links API only: This only works with clients that support the Safe Links API, such as Microsoft 365 Apps and the Microsoft Teams client; other mail clients then receive the original, unchecked links.

As with Safe Attachments policies, it takes around 30 minutes for a new Safe Links policy to become active.

 

Protection for Links in Office Applications

Malicious link protection in the Office apps (Microsoft 365 Apps for enterprise) and in the Microsoft Teams client is enabled separately from the email configuration. To do so, open the Safe Links policy in Threat policies and click Global settings (see the final figure). Then turn on the Use Safe Links in Office 365 apps option. (In newer versions of the Defender portal this setting has moved into the Safe Links policy itself, under Office 365 apps, next to the Email and Microsoft Teams switches.)
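The Safe Links steps above and the Office apps/Teams setting from this section as one script, added here as an example that is not part of the original post. It uses the ExchangeOnlineManagement module and assumes Connect-ExchangeOnline has already been run; the policy name and recipient domain are placeholders. Note that the current module exposes the Office apps setting per policy (-EnableSafeLinksForOffice) rather than as a global switch, matching the newer portal layout.

```powershell
# Added example, not part of the original post: a Safe Links policy covering email,
# Teams and the Office apps, created with the ExchangeOnlineManagement module.
# Assumes Connect-ExchangeOnline has been run; the name and domain are placeholders.

# Splatting keeps each setting next to the portal option it corresponds to.
$policy = @{
    Name                       = 'SL-AllUsers'
    EnableSafeLinksForEmail    = $true    # "On" for URLs in messages
    EnableSafeLinksForTeams    = $true    # "On" for URLs in Microsoft Teams
    EnableSafeLinksForOffice   = $true    # checks for links clicked inside Office apps
    ScanUrls                   = $true    # real-time scanning of suspicious links / file links
    DeliverMessageAfterScan    = $true    # hold the message until the URL scan is complete
    EnableForInternalSenders   = $true    # also rewrite links in intra-org mail
    TrackClicks                = $true    # $false = "Do not track user clicks"
    AllowClickThrough          = $false   # "Do not allow users to click through"
    EnableOrganizationBranding = $true    # branded warning pages
    DisableUrlRewrite          = $false   # $true = API-only checks, no rewriting
}
New-SafeLinksPolicy @policy

# Scope: everyone in the tenant domain; 0 = highest priority.
New-SafeLinksRule -Name 'SL-AllUsers' `
    -SafeLinksPolicy 'SL-AllUsers' `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# Check the effective settings (allow ~30 minutes for a new policy to take effect).
Get-SafeLinksPolicy -Identity 'SL-AllUsers' |
    Format-List EnableSafeLinksFor*, ScanUrls, DeliverMessageAfterScan,
                EnableForInternalSenders, TrackClicks, AllowClickThrough, DisableUrlRewrite
```

Leave DisableUrlRewrite at $false unless every mail client in use supports the Safe Links API; otherwise users on third-party clients get the original links with no check at all. If TrackClicks must be $false for privacy reasons, be aware that Safe Links click reports will then be empty for this policy.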

 

 

Editor’s note: This post has been adapted from a section of the book Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity by Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, and Matthias Wübbeling.