T1204.001 Malicious Link Mappings

Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing. License Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection)

Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. Safe Links Detects Malicious Links attacks due to Safe Links immediately checking the URL's before opening the websites. If the URL points to a website that has been determined to be malicious, a malicious website warning page opens. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR

In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages. Traditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware. The following M365 features are supported by quarantine policies, “Response” to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. License requirements: M365 E3 (or Defender for Office plan 1)

M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. Preset Security Policies Detects Malicious Link attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checks the URL's before opening the websites. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR

M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available: Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password. Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device. Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest. Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device. Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application. License Requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.

M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available: Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password. Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device. Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest. Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device. Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application. License Requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.

Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc. Required licenses E5 or Microsoft Defender for Office 365 Plan 2 licenses.