Microsoft demystifies email attack campaigns targeting organizations
Email is attackers’ preferred method for gaining a foothold in organizations. Campaign views, a new type of report available to some Microsoft enterprise customers, allows security teams to see how successful specific email attack campaigns have been at compromising their organization and to thwart future ones.
About Campaign views
Campaign views is accessible through the Threat Explorer dashboard of Office 365 ATP, Microsoft’s cloud-based email filtering service.
“Within a single campaign, attackers may change the sending infrastructure, sending IPs, sending domains, sender names and addresses, URLs, and even the hosting infrastructure for these attack sites. They use these changes or ‘morphs’ to try and get around defenses,” Girish Chander, Microsoft’s Group Program Manager of Office 365 Security, explained.
Security teams can explore details of email attack campaigns their organization has been targeted with and:
- See summary details about each campaign, including when the campaign started, the sending pattern and timeline, how big the campaign was and how many users fell prey to it.
- See the list of IP addresses and senders used to orchestrate the attack.
- Assess which messages were blocked, ZAPped, delivered to junk or quarantine, or allowed into the inbox.
- See all the URLs that were used in the attack.
- Learn if there are users that have fallen prey to any attacks and clicked on the phish URL.
This allows them to identify users who have fallen prey to the attack and take remediation steps faster, spot and remediate configuration flaws that allowed the attack to succeed, use the indicators of compromise to investigate related campaigns, and hunt and track threats so they can thwart future attacks.
Positive effects on multiple levels
Chander says that customers who’ve already used the feature are very satisfied, as it allowed them to, for example, identify configuration flaws that resulted in 34% of the phishing messages detected by ATP being rescued and delivered into user inboxes.
“One pleasantly surprising learning for us through these conversations with customers is how almost all of them have told us that these campaign views also allow security teams to more effectively represent to the CISO and business peers, the protection value security teams bring to the organization. They do this by enumerating the campaigns blocked, adding color by describing the type of key campaigns, the improvements made to the defenses and the users remediated,” he added.
Campaign views is currently in public preview and available to business customers on the Office 365 ATP Plan 2, as well as those who have opted for the most comprehensive (i.e., E5) Office 365, Microsoft 365 Security and Microsoft 365 plans.