How attackers can bypass phishing-resistant MFA | Use these protections!

Captions
Hey guys, it's Nick. Welcome to another episode of T-Minus 365. If you don't know me, I'm a Microsoft MVP. I've been working in the channel now for upwards of a decade, helping MSPs grow their business through Microsoft 365. We have a very exciting topic for you today in the security realm: an attack method that attackers are using to actually bypass what we might consider to be one of the strongest forms of MFA, commonly known as passkeys. You might also know them as FIDO2 keys. Essentially, the example I'm going to show you, and the various techniques, methods and tactics that somebody would use here, is actually something I've seen in real life consulting with an organization that got tricked into wiring over five hundred and… dollars to a fraudulent bank account. So some heavy considerations here. I'm going to walk you through some of the common methods like I mentioned, but I'm also going to pair that with all the policy settings, the things that you can do within Microsoft 365 to help prevent these attacks as well. So a lot to cover, but definitely like the video and subscribe to the channel if you want to see more of this kind of content. Otherwise, let's go ahead and dive in.

Okay, so let's go ahead and start to walk through how a user might get compromised… even with what you would consider a phishing-resistant form of MFA, being a passkey. In this case, let's just say the organization here has said, hey, we're going to be super security conscious and we're going to give all of our users within our organization a security key, in this case a YubiKey FIDO2 key. There's another naming convention for that, but effectively this is known as phishing resistant because of the overall PKI infrastructure.
We get into that in a separate video if you want to check all of that out, but I want to call out that even though this is phishing-resistant MFA, you could be using the Authenticator app with number matching, or you could be using older forms like an OTP code, or something like SMS or email if you want to go really legacy. Those are weaker forms of MFA because they're not phishing resistant, but it is something that could overall play into the attack that you're going to see here. And this attack overall that I mentioned up here at the top is called either cookie hijacking, or you'll also hear the term pass-the-cookie. So in this particular case, our organization again said we take security very seriously, we're going to go ahead and issue these FIDO2 keys, so you have really the strongest form of MFA to sign in. Now one thing that they can do, and I mentioned this as kind of the progression here as far as what we've seen in the past for these attacks, is this user says, oh, I left my laptop at the office and I'm going to use my personal device; I need to sign in and check email from home. And this particular organization didn't lock down the use case to corporate-owned devices or anything like that. They allow their users to sign in from personal devices… or it's unrestricted; they don't really have a policy behind it. So effectively here, when we get into these personal devices, there are a lot of heavy security considerations. I mentioned them here, and these are just some; it's not all inclusive. And my example here isn't to say that this attack couldn't happen on a corporate-owned device. You just have a much higher propensity that this device is actually going to be compromised because it isn't managed, and you have a lot of considerations. I put three up here just to give you examples, but we have the consideration of old hardware in this particular case.
So that in and of itself is something that… you could have really old, unpatched OS software… security patches aren't there, things like that, that can really leave certain vulnerabilities on the device, even zero-days as an example. And this device also might not have any AV as well. So if you have no antivirus, or maybe really weak antivirus from some third party, that malware, if it gets installed on the device, can easily disable it and start to infect the device even further. So a lot of considerations there. But in this flow they've gone ahead, they've gotten on their personal device, even though it's a really archaic device and it doesn't have AV, and they've signed into Microsoft in the browser. Let's just say this is Chrome. Whenever you have this particular… example here as far as… Chrome in the session, what gets stored here is a session cookie. And this has been going around for years as far as just this application use case, and this obviously isn't specific to Microsoft; most websites do this. They store a session cookie so you can have a persistent session and you're not logged out every five minutes, since for user experience they want you to stay in your app. So it's more likely for them to have cookies and have those cookies last for a while. Now Microsoft, they last for one hour; that's the default time to live on this particular session token. But what happens is, when Microsoft goes to re-evaluate the session, they have something known as continuous access evaluation that goes on and checks to make sure that nothing's really changed, that there isn't a malicious event. So a common example of that is that as an admin you went in and said, hey, let me go ahead and revoke their sessions. That actual session would be revoked immediately, and that cookie wouldn't refresh… Right? So other things that could go on here is that when they refresh the token, they see they're coming from a malicious IP address maybe, and then they terminate the session and make you log in again.
But no matter what, we have a certain amount of time here that this session is open. So in this particular case, let's say this user then is looking through their email and has this email on here. It's actually a phishing email that is disguised as their HR platform, which in this case is Workday. And it's very common today that these threats will come through email and have malicious links in them. It's a phishing attempt, but effectively here this email is saying something along the lines of, hey, you have to submit… or approve this time-off request for Jane. Jane might be somebody you manage, right, internal to your organization. So you click on this link, and this is a malicious link that actually installs malware… on this particular device. And there are various forms of malware that could be installed, but it's basically giving the attacker here initial access into this device. And I mentioned the link here, but there are various forms by which they could gain this initial access. And this isn't saying that they're signing into Microsoft here; they just clicked on this link that downloaded this malware because they didn't have AV protections, the device wasn't patched, something like that. So in this case we have a malicious link. You could also have a malicious attachment with macros in it, something like that… Cross-site scripting can be happening on websites, that's usually more of a legacy type of attack, and then a malicious executable.
An example of this is you're downloading some piece of software not from the source site, or from some repository that says they have the capability and the download for Chrome or some other popular application… and you actually download malware. It's a dangerous executable… So in this particular case the attacker has remote access into this device, maybe through shell scripting; Mimikatz is a popular one that somebody could use as far as running scripts that go against that device. And remotely here they can actually grab and harvest… the session token from Chrome. And you can see this in certain examples, or certainly I'll post some within this video, but effectively here you're basically saying that I have the session token now, and all the user, or the attacker in this case, has to do is put it into a browser window on their device… and I'll show you guys an example of that as well, where you can actually put in this token and just refresh your page. And essentially here you get this automatic session. So let me actually show you this right now.

Yeah, I wanted to show you guys the pass-the-cookie attack to a certain degree here, just so you can see it. I'm signed in to the tenant that I just used the Windows Hello option on… If you were to go into the inspect tool, Application, and Cookies here, you have this cookie that has the name ESTSAUTHPERSISTENT, and it has this token as well. And that's my session token that has the grant for what I used to sign in with. So I'm actually going to copy this as well. And you have the domain of .login.microsoftonline.com here. And I'm actually going to try to mimic this in another browser on a different device. So I'm here on a VM, in an incognito window of… the browser here, Chrome, and I'm going to go to login.microsoftonline.com, and it's going to take me to the sign-in page here. Click on Inspect and click on Application.
I can go into the cookies here for this website. And we'll go ahead and add this cookie here… for ESTSAUTHPERSISTENT… I'm going to go ahead and add… that copied cookie value that I got there, and I'm just going to put a dot here in front for this particular value. Now that I have this in here, I can simply just click on refresh… And nothing happened here. So what did I do wrong? Oh, I spelled this wrong here. So if we go change this to an E… and now we refresh… you'll notice here that I didn't have to do anything and I was just signed in. So in a normal attack, the user will use Mimikatz, some type of PowerShell maybe, to harvest that… cookie from the browser… and then they'll just use that, and they can put it in here, and then they're signed into the account… Okay, so in that particular use case we saw how we refreshed the token, or refreshed the page there, and that was automatically generated there. And I showed you how to manually enter those session tokens into the browser and extract them, but the user or the attacker here is going to be doing that programmatically… on their device, right? So just keep that in mind. So if we continue on here, let's say okay, this attacker now has gotten access… so they're in this account. And now what are they going to do next, right? So one of the things that they're commonly going to do here, because again remember that session is only good for up to an hour, is that in a lot of cases they're going to try to achieve what's known as persistence. So within Microsoft there are a couple of different ways they're going to try to do that; this is not conclusive either, right, there are multiple ways. These are some of the common ways that you'll see as well. One of which is that you have this device join. So they'll try to join another device, maybe this device where they harvested… the session token as well.
And in that particular case they're saying that they want to be seen as a trusted device on the network, right? That's one area where they're going to try to achieve persistence. The other, which is really helpful for them, is to establish a secondary MFA method. So they may go to the security info within Microsoft and they may register an OTP token, they may register an SMS phone number, and they may register the Microsoft Authenticator app; there's another method there. And that way they can get back into the account, for most of these methods. Now, key to call out here, if we're really thinking about this: if this was an actual passkey, if they generated… a token here for… or an MFA method, and they're using something like Authenticator, it also has to be kind of using passwordless functions within the tenant, because they still wouldn't know the password if they just used this method. But there are other methods, like man-in-the-middle, where they could grab the username and password, as well as that MFA token, and then they can register another method. So I just want to call out, if you guys are really paying attention there, it's good to note here that while they can do that, they would really need the secondary form unless it was set up as kind of a passwordless method. Now, what they do from there really depends on their goals and what they're trying to accomplish within the account. So in a lot of cases they may try to run a campaign, we'll get into that here in a second, to try to extract certain information or get a user to take certain actions. They may move laterally. They might say, I'm in Jane's account, I compromised Jane, but Jim, I've actually found out through reconnaissance… is actually the controller within the organization, he works with the finances, I want to get to him, so I need to compromise his account.
You might also see them try to elevate privileges, so find an account that has admin rights so they can do more damage within the account. They could also just want to perform some malicious action, like sending a bunch of fake spam out of the account… that's known as more of the phishing concept. Certainly a lot of protections that we can get there. In this particular use case though, for my example, they're just going to be moving money to an illegitimate bank account. And this is very common as well; a new report actually came out that talked about business email compromise. I think it's over forty percent… of business email compromises that actually had malicious inbox rules, or the change in inbox rules was a direct result of that compromise as well. So this is very common. The attacker will get in there and they'll start to set mailbox rules in Outlook. Number one, they'll start to clean up where they initially entered. So that original email, maybe that Workday email, they delete that, and remove it from their deleted folder as well. They're really trying to avoid detection within the account. They want to maintain persistence… avoid detection, and also try to step to their next goal. So the other thing they want to do here, if they're going to start to try to move laterally or compromise users within the organization, is they're going to send out maybe a campaign, maybe on a large scale, but they may be doing individual users after they do some reconnaissance; identify that again maybe Jim is the controller. They figure that out by going into Teams, seeing the organization chart; very commonly there can be some social engineering maybe even involved with that. But when they send out this campaign they may be sending it to multiple users within the organization.
And then they'll set up these inbox rules here so that if anyone replies, they're automatically going to mark that email as read and move it to the archive, so that the real user, maybe that's who was compromised to begin with, does not see those messages come through and say, why is Jim messaging me back, I didn't send him this, and all that, because they're again trying to avoid detection. So this campaign here again could be on a large scale, especially in enterprise where they're mass messaging a lot of people, but in some cases, SMB especially, it may be just messaging one, two or three people as well. And in this case, the organization that I referenced here as well, they got them to go ahead and actually exchange… various bank account information for one of their common third-party vendors that they pay on a recurring basis. Right, so this is somebody that they paid on a quarterly basis… but they got them to go ahead and update the bank account information here. You could also do this if they really were crafty and really wanted to get sophisticated, with another malicious link here, right? That's their… information to update it. And that's simply saying that they have a portal that maybe looks like the existing vendor. It's got a bank account information page where they say, hey, enter your details about your wire or your ACH payment, right? And in that way they've then modified the payment details and they've gotten the money transferred to this fraudulent account, which is usually kind of like a host account that the attacker will then decommission after the act to remove their traces there. So certainly a lot that we went through there, but it's interesting to me because we have… things going on and there's a lot of intelligence behind these attacks. There's a lot of prep work.
And honestly, from a time perspective, this could take months… to evolve. Especially, obviously, they need to get persistence here, but they may get persistence and they may stay in this reconnaissance mode, just reading emails that are coming through, getting to know the organization better, understanding where sensitive data like IP might exist, or who's in the finance department, things like that. They may be doing that for months if they're not detected. So you have to keep that in mind too from a time frame perspective. But now let's go ahead and go back here. I want to revisit the entire timeline, and I want to talk to you about some of the protections that you can put into place with Microsoft 365 and the various things that you have within your packaging. Specifically, I want to speak to Microsoft Business Premium. I talk to SMB a lot in my videos, and Business Premium is the best value for your buck as far as security features and functionality, but I'll key these out as we keep going here. So if we start at step one here, obviously we have considerations for… phishing-resistant MFA. So if you are not phishing resistant, if you're just using OTP or something like SMS or email, definitely a good way to step up is to go into more of your phishing-resistant types like Windows Hello, or the passkeys here, or the YubiKeys that you can do. Again, check out my video to see more on those. But if we go down, sorry, I keep doing that, if we go down to number two here with the personal device, really, ultimately you just say that we don't support corporate access on personal devices. Now this is very hard to do, I think, especially in SMB. There are various things that you can do to combat that. But one way that you could combat that, if you said we're going to support this, is to support maybe a light… MDM option.
That is to say that maybe you don't push out all the policies that you normally would to a fully managed device, but you have some basic checks and balances here. So from a compliance perspective… you might say that I want to encapsulate at least… these basic functions, right? And these are again just examples here, but you may say that the OS has to be a certain minimum version for you to be able to access that information. You may say that AV has to be on that device, you may say that it has to be at a certain patch level. Right, so there are some considerations there. You shouldn't just say blanketly that all personal devices, no matter what, have access, because that's where you get really exposed and your propensity to breach goes up a lot from that perspective. So I'd say, from this perspective, if you're going to have to support it, try to support it in this way. You can also use device compliance policies… in Intune… if you're using… Intune as your MDM… and you could say block if this device isn't in the compliant state, right? That's a good way to protect against that. I'll link all this in the blog post that I'll link below so you have information on all these, but these are just some of the examples that I wanted to show. Next here, the session cookie being stored. I talked about one thing here, which is the level that you get for the time to live, right? This is one hour that we have here, but with Conditional Access policies you can actually set… the session… to not be persistent. Right, we have a continuous evaluation going on; we could say that after an hour you have to sign back in again. Now I don't like that, and I'll show you another Conditional Access policy here in a few minutes that I like better than that one, because this is really disruptive for end users. Remember we're always trying to balance security and end user disruption. And this really makes people angry.
If you start kicking them out every hour and making them sign back in again, you're going to be hated as that IT guy. So an important thing to call out there, but it is possible, linked to that as well, where you can limit the sessions. Generally the only time I recommend doing this is for people that are in highly privileged roles. So if you elevate to a Global Administrator, then I think it's warranted that you should have your session capped, because that's just reducing your attack surface, right, for somebody who's super privileged… Now the next thing here we have is this kind of malicious link and malicious attachment… that comes through here. And so… when we think about… our protections, really Defender for Office 365 is where we get some of this stuff here, such as our link protection… and this is real-time click protection that we get, right? So if this user clicks on this email, it's going to scan this malicious link and really sandbox it and detonate it in an isolated environment to see whether or not this is malicious. And we also get native phishing protections, right… So depending on the email header information, depending on the physical data about what's coming through here, it also could potentially just block this email altogether, because it could determine overall that it's a phishing… attempt on the device as well. On the device itself, physically, let's say we got past all this, so we hit the link here. We also have protections here with Windows Defender… And this is both our AV protections that we can manage through Intune, if you've enrolled the devices into Intune and your Defender, as well as some of the default policies that exist, which again, if you come back to the hardware, the personal devices may not have that AV on there as well. So just a consideration there.
But Defender is another great endpoint protection type of software there that can go ahead and prevent that attack from happening as well, just contain it right then and there. So we go into more of the harvesting here. This is where the main Conditional Access policy comes into play that I want to show, which is simply saying that when you go through this here, you have your continuous access evaluation, right, the CAE… that I talked about, but in this session we can also do what's known as… strict location… continuous access evaluation… This is all part of a Conditional Access policy that you can set up, which I'll show you here as well, but effectively… all you're doing is saying that we have set up trusted locations… in Entra… that users can log in from… or are, quote unquote, approved locations, right? And this is IP based. This is kind of conflicting to me because it gets into… more, I guess, the type of architecture we're talking about: trusted firewalls, perimeter networks, things like that, because it's such a condensed, isolated system. But what this does, as far as this policy… is that if this attacker here harvests the session token and then they try to replay it into their browser, they would actually get blocked here because the IP… would not match the trusted location. And so this would effectively fail, and they wouldn't be able to log in. You would be shut down at that point in time. Now again, it is important to mention that with continuous access evaluation, it could evaluate the IP when it's re-evaluating the session and say, oh, actually this IP is really malicious, right, it's coming from a Tor browser or something like that. But if a user or attacker is masking that, this is another way that could be blocked here, as far as just having that shut down completely.
Again, this is harder to achieve because you're talking about having trusted locations, where a lot of us today work in a hybrid remote environment. We don't know all the IP addresses that users are logging in from. So harder to do here, but this is effectively what shuts this down. Microsoft is also in a public preview with a policy that's around session tokens, and in their support article information about it they touch on how web cookies aren't supported today, but it does imply that they will be supported in the future. I'm hoping so, so that we can just avoid or block this type of attack without having to have the strict location… CAE set up here too… So now getting into the persistence, right, these are other methods here that a user can use. Regardless of any attack, persistence is always going to be something: if a user is compromised, this is always going to happen. So if we have these methods here, we have a device join, we have an MFA method. Both of these actually, we talk about, oops, we talk about protections here, both of these… can actually be handled with Conditional Access policies… and this is under the user actions section under targeted applications… So under there you'll see user actions, which is register security information, which includes both the self-service password stuff as well as MFA, another MFA method. And then you have… registering… or joining Azure AD, or Entra ID as it's better known now. And you could grant that, but you require… additional protection. So this is also where a lot of people have set up a policy to say, number one, you're in a trusted location. Right, so you're saying, hey, I want you, sorry, you're in a trusted location here for… this to be granted. So for you to do this, you have to be on a trusted IP. So that could stop that from happening.
You could also say you're going to require… an MFA request, another MFA request, in order to do this. So in order to join a device you have to fulfill an MFA request. With this session… they'd basically be prompted to re-authenticate, if you will, with MFA, and they wouldn't be able to do that in this particular use case. Alright, so those are just a couple of ways you could lock this down as well. Many different things you can do there, but this is a good Conditional Access policy to put into place here as well. So as far as next steps, they run through all this when they're working… on the things within the account. There are some things that you can look to set up here that are native as well, with the inbox rules, and this is again where we come to Defender for Office 365. There are some native alerts here that they have; one of those is creating an inbox rule. So it's actually going to send an alert to the admins in the tenant, but in a lot of cases what I've found is MSPs don't actually hook this up to their PSA by default. So what you want to do is go into those settings there and you just want to redirect these alerts… to go into the PSA tool so that you can actually track these as well. And that natively captures that this is a suspicious inbox rule that was just created, where it's either manipulating this or forwarding it to an external domain, if you don't have that policy set up with transport rules as well. But this can help you identify potential indicators of compromise… with your users, right, and this will all flow into the Defender portal. But we also have Defender for Cloud Apps… which is another tool that you can use that has a native alert policy for suspicious inbox rules that you can configure as well. You get all this again with Business Premium too. So it's really important to note that it's a good way to get ahead of trying to identify if users have actually been compromised as well.
And then this campaign, right. Again, we have, in this particular case… link protection here maybe for this one. But with these campaigns, especially when a user is being asked to… manipulate financial information, this should be something that's very alarming… to the user if they see that, especially coming from an email, and maybe worded weird because this isn't how Jane talks, but that's the point of reconnaissance. The attacker will actually learn kind of the dialogue, the nomenclature that this person uses, maybe over months, and they can actually write a message that seems very realistic… to another person within the organization, or maybe it's an external user that's a supplier… something like that. But their red flag should really go off here, right? Whenever you're saying, hey, they're asking me to change financial data, you should really be doing due diligence, and ultimately… the best thing that you can do for this is just security awareness training, in my mind, today… And that's really just training the users to help identify these types of things, but also this is part of your basic core training. It's part of the value add of you being an MSP to train them on looking for this type of information here as well. And this is something that every user should have on high alert. So with that, I want to quickly just take you through some of these policies within the Microsoft portal just so you can see them as well, where they're located. Again, I'll link all this information below in my blog post. So let's head over and see that now.

So I'm here in the Entra admin center to start to show you some of these policies. Many of you are familiar already with Conditional Access, so I'm not going to cover what Conditional Access is as part of this video.
But in this I'm going to go ahead and create what I would consider one of the strongest policies for what we talked about, which is strict continuous access evaluation. Basically you would select certain users or groups for this. You probably would want to exclude a break-glass user just to make sure you don't lock yourself out of the account. You can include targeted resources such as Exchange and SharePoint, where in your network section you would include trusted network locations. So you could do selected or you could do all, depending on how you have this configured. You could do the grant controls; you could require… MFA, you can require your authentication strength to be your phishing-resistant MFA as well… So you can put that in there for the requirement. And then… from there, under Session… what you would do is you would click on Customize… continuous access evaluation, and then use Strictly enforce location policies. I'd always turn these policies into report-only so you can just see the traffic in your organization before you turn anything on. But this is where we would have that breakdown with the user, or the attacker I should say, who acquired your session token and tried to enter it into a browser on their device. They would be coming from an IP that maybe is not, and should not be, in your trusted location list, and that would immediately break down the session for them. And they wouldn't be able to log in like we saw in our example. This is the other one… that I mentioned here that's in preview. You can click on this and you can go to the support article to see more about that. You'll notice that there is this exclusion for web-based cookies at this particular point in time of this recording. Maybe by the time you're watching this, this will support web cookies, so if you see this one definitely check out the support article to review that.
but this is something that I hope will overcome this because I do think it's really hard again to try to get into our trust and networks and locations. For the things that we're doing here. Some of the other conditional access policies again not gonna go through these too much in-depth but for persistence techniques under the targeted resources here you can go under user actions, and this is where as mentioning you can click for security information, which is both MFA and the self-service password reset settings. And you could require you know another MFA push under the grant , or you could require it to be coming from a trusted location. as part of that you would have to create one policy for device join and one policy for MFA registration. That's all part of my recommended baselines that you can find on my website tied to the CIS controls. So definitely check that out. as far as reviewing those and and being able to monitor against those as well too. You have your identity protection settings in here that I mentioned ideally you know this could try to find risky…sign ins you know for what we're looking at don't have any in this tenant but even with an entra IDP one license you can see these risk detections. Based off of maybe malicious IPs things like that risky users and more of the identity protection policies that you can create which automatically take into consideration high risk users and and enforce certain policies like blocking them completely from sign in is more of an IDP two setting which I'd highly recommend if you're an MSP to configure because you get that licensing part of your partnership with Microsoft for free. there's trial licensing that you can get as well. But for your customers, most likely most of us out there don't have P2 just saying that bluntly because that's what exists in the market today. 
so just check that out those are a couple of those settings here for what we're looking at Let's pivot over to the Intune Admin Center as well Okay So in Intune…we have our devices right and we are enrolling them A lot of us have set up auto enrollment for MDM. He went tapped into into and I have a whole course on Udemy If you wanna get kind of a kick start, to this but they come across you know obviously it's personal or corporate. And we're saying we only wanna support corporate owned device or like I mentioned if you do need the support personal, you kinda have some requirements for…baseline settings. And you can really do that within the compliance policies here, for what you're looking at So we could set a…Windows ten baseline and above. So I'm just gonna say test for this for right now. And then you have all of your compliance settings here as well too So some of the basic ones you might wanna have is like this device at least has BitLocker configured…to minimum OS version, right so we're saying it has got recent patches or at least it's running on a certain version that we could support. and then you know some things like it's running some anti virus or it has firewall configured, you know for these particular settings, This is where you can pair this with both…defender for endpoint or defender for business It's more commonly known in the SMB space for the packaging that you get. but also it pairs with conditional access policies as well too. So actions for non compliance you would say that it's in a non compliant state. And then when you're done here…you can go into conditional access …and you could basically create this policy within here…And this is one of the most restricted policies I will say So you have to be prepared to support this from an operational sense. But under your grant controls you would say the device has to be marked as compliant. 
Right for you to be able to do that You could also say the device has to be required, Microsoft Ultra a hyper join device. Or you could say within the other targeted resources or conditions here …That…will the filter for devices…You say yes to this You could say the device ownership. If I look for that one here…is equal to company …for one of these designations…there's another one in here where it's the trust type. And if you're cloud native, you could also say it's entre join versus just on or registered. That's usually where you get into joined is typically something that is classified as a corporate device and registered as like, if you have auto enrollment to turned on anybody can just enroll into MDM, even their personal device When they try to sign in to Microsoft and the fake client applications on their desktop or whatnot …So good settings to kinda configure there. The other components that you get into here with what we're looking at is if you go into …Windows here platform …you go into Windows enrollment, have these various settings in here, and then you can go into device platform restrictions. And under the default, you can configure these properties here…And what I typically recommend if you can support it is to just block …personally owned devices from enrolling in the MDM solution. So again we're just we're just saying corporate owned devices. You can set up app protection policies for mobile devices…to last support on their personal cell phones That's really…granular…And…secure in my mind to allow for that flexibility but those are some of the other settings that you can configure in here And obviously within endpoint security you can also configure your, antivirus setting for Windows Defender and configure these policies as well. And it natively has that connection…obviously with endpoint…my defender for endpoint or defender for business. So that's just another setting that you can see in here. 
I'll cover all these more in-depth I just want to poke around I know this is maybe a lot for you to take in if you've never seen these settings. but I just wanted to show you where these are located. So the last ones I'm gonna show you is in the defender portal as well Alright So I'm here in the defender admin center. And within here you know we have a lot of different consolidation now which I think is good It confuses a lot of people, and natively so I mean we've we've moved through different portals over time here as well. But if you have defender for endpoint or defender for business this is where all your incidents and alerts will kind of triage through across your devices. You have vulnerability management in here, track real time threats, things like software vulnerabilities…on devices, unpatch systems known CBEs on devices, things like that as well. But within the email collaboration this is also where you get into your defender for office three sixty five settings. Under your threat policies here is where you can configure your anti phishing your safe links and safe attachments. empty mail were obviously as well too. you have some that are set up by default here…but…I typically like to modify those just because of…the end user settings and all that It's part of my high level hardening calls recommendations but this is where you get that real time click protection or scanning in the sandboxed environment to detonate…those files to help prevent against phishing attacks or obviously the malware that they could be trying to install on those devices So that's a good way to help with that And obviously the anti phishing policies to maybe prevent it from even the email from even being sent to begin with right for what we're looking at there. 
The other things that you can do within here is if I go back to policies and rules, you have your alert policies…And this is where again we have this library…of alerts by default within the in the admin portal And by default again, you only have these alerts going to the global administrators on file. And, you have, you know various ones that relate to the email flow like suspicious email sending patterns detected. You have email messages removed after delivery…you also have where's the main one here that I wanna look at, specialist email forwarding activity…that's within here as well. Email sending limit…exceeded. So there's a lot of native grade alerts in here that can also help you detect business email compromise, throughout the account. And within these…you can have these on You have these alert settings but your recipients here is the tenant admins So this is where I was mentioning You can modify these and set it to your PSA email connector, and just have those flow through being triaged you know you know throughout throughout your environment there. So that either your…help desk or your SOC team if you're that big you have your own internal soc something like that your security team, can kind of monitor these and you have them flowing through, one one account across customers It's a little bit easier to manage. And then they would investigate through here across the board You can also look at you know campaigns that might be going on You can do investigations. Real time detections. So it's a good way to at least triage and and kind of get ahead of maybe somebody who has achieved persistence and is trying to hide, their their identity within the account so that's everything I wanted to show for you guys in today's video Hope this was helpful. Definitely comment below with any questions you had about the things that I covered And as always subscribe to the channel If you wanna see more content like this I'll see you guys next week
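The detection side of the attack Nick walks through (a session cookie lifted from a personal device and replayed from an IP outside the trusted locations), as an added example that is not from the video or from Microsoft: a small Python check over constructed sign-in records. The field names and the sample data are assumptions, loosely modelled on Entra sign-in log entries, and the trusted networks stand in for the named locations a Conditional Access policy would use.

```python
"""Added example (not from the video): spot a replayed session cookie.

Records below are constructed; field names are assumptions loosely modelled
on Entra sign-in log entries."""
import ipaddress
from collections import defaultdict

# Assumed trusted named locations (constructed, RFC 5737 documentation ranges).
TRUSTED_NETWORKS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample sign-ins: Jane signs in with her security key from the office,
# then the same session is reused non-interactively from an outside IP at night.
SIGN_INS = [
    {"user": "jane@contoso.example", "ip": "203.0.113.10", "session": "s-100",
     "interactive": True, "time": "2024-06-19T08:00:00Z"},
    {"user": "jane@contoso.example", "ip": "203.0.113.10", "session": "s-100",
     "interactive": False, "time": "2024-06-19T09:15:00Z"},
    {"user": "jane@contoso.example", "ip": "192.0.2.77", "session": "s-100",
     "interactive": False, "time": "2024-06-19T22:40:00Z"},
    {"user": "bob@contoso.example", "ip": "192.0.2.80", "session": "s-200",
     "interactive": True, "time": "2024-06-19T10:00:00Z"},
]


def is_trusted(ip: str) -> bool:
    """True when the address falls inside a trusted named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_replayed_sessions(records):
    """Flag non-interactive use of a session from an untrusted IP that never
    performed an interactive (MFA-backed) sign-in for that session."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)
    findings = []
    for session, events in by_session.items():
        events.sort(key=lambda e: e["time"])  # ISO 8601 strings sort chronologically
        interactive_ips = {e["ip"] for e in events if e["interactive"]}
        for e in events:
            if e["interactive"] or is_trusted(e["ip"]) or e["ip"] in interactive_ips:
                continue
            findings.append({"session": session, "user": e["user"],
                             "ip": e["ip"], "time": e["time"]})
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SIGN_INS):
        print(f"possible pass-the-cookie: {finding}")
```

The same check is what the strictly enforced location setting in continuous access evaluation applies at the resource: a token presented from outside the trusted locations is refused instead of merely logged.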
Info
Channel: T-Minus365
Views: 1,644
Keywords: Microsoft, microsoft 365, microsoft programs, MSPs, technology, tech, technology solutions, managed services providers, Microsoft solutions, business solutions, microsoft partner, automation, microsoft overview, business, integration, how to integrate microsoft tools, microsoft incentives, how to, how to microsoft, tutorial, microsoft tutorial, IT, Information technology, business it solutions, microsoft tools, T-Minus365, fido2, phishingresistant, microsoftmfa, mfa, cyber, cybersecurity, breach
Id: gNflVkmr6RA
Length: 44min 7sec (2647 seconds)
Published: Wed Jun 19 2024