Security summary for Microsoft Teams

We live in a new age around how we work. Even though we see that the Covid pandemic is finally starting to decrease we have created a new way of working. Microsoft Teams have become an increasingly critical service for storage, communication, collaboration both internally and externally. We can see how the utilization rate is increasing more and more by all types of organizations around the world.

During 2022 Microsoft Teams have reached 270 million users worldwide and over one million organizations use Microsoft Teams as the default messaging platform.

This also means that the threats increase at the same rate (just as with other services / platforms that take over the market). If there are large numbers of users and sensitive information, the interest of criminal organizations is increased.

With this article I want to enlighten you what services should be used to face this threat.

The Control panel

The Microsoft Purview Compliance portal can be seen like a control panel for the Teams platform. With the help of classifications set by sensitivity labels we can design the different Teams and its channels based on the purpose and sensitivity. Controlling everything from guest access, file access, file sharing, to requirements of what users and devices can access and download information.

The key is to make Teams easy to use and understand. After all, the greatest risk of information leakage is our end users. Make it easy to do the right thing and reduce the risk of user mistakes.


Microsoft Purview compliance portal – Microsoft Purview (compliance) | Microsoft Learn

Access and authentication

No one has missed that the identity is the new perimeter and that Zero Trust is an important part of designing access. Based on the Teams design we can and should control access with Azure Active directory Conditional access.

  • We can define requirements for devices, for example that only company managed devices can get full access to upload/download information.
  • We can and should require a strong authentication such as multifactor authentication that has different flavors. We can for example make it easier for the end users with Windows Hello for business or other passwordless solutions.
  • Most important of all within true Zero trust, we should always verify the risk of the sign-in, the user and the device. There is no trusted user, device, or network!
    With help of the signals from Azure AD Identity Protection and M365 Defender we get both behaviors and reputation -based control. We should regardless of user, device, and network block risky sign-ins both externally and internally.


One example is to require an internal user to change password directly when it seems to be used by someone else. This automation reduces the time of the breach or completely stops a hijacked account from accessing our information.

Another example is to combine Conditional Access session control with Microsoft Defender for Cloud Apps to monitor and restrict access for non-managed devices. Then we can still allow these devices but prevent sensitive information from being downloaded.


What is Conditional Access in Azure Active Directory? – Microsoft Entra | Microsoft Learn
What is Azure Active Directory Identity Protection? – Microsoft Entra | Microsoft Learn

Files and links

In addition to stolen identities, malicious files and links are still the most common attack route for criminal organizations to get in control of our environments. As our communication paths move from email to Teams, we also see the increase in malicious links and files coming this way.
Microsoft Defender for Office 365 and the built-in virus protection in SharePoint Online provides

  • Safe Links protection. URL scanning with rewriting of links and time-of-click verification for URLs within Teams conversations and files. The URL scanning is based on reputation and/or detonation asynchronously in the background. This increases protection against both existing and newly arrived malicious links.
  • Virus scanning of uploaded files and virus control during downloading is done by SharePoint Online (that stores all files for MS Teams). Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Microsoft Defender for Office 365 provides an additional layer of protection for files that have already been scanned. Safe Attachments for Microsoft Teams help detect and block existing files that are identified as malicious in team sites and document libraries.


The files in OneDrive for Business with one detected as malicious

Complete Safe Links overview for Microsoft Defender for Office 365 – Office 365 | Microsoft Learn
Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams – Office 365 | Microsoft Learn

Information Protection

A potential data breach isn’t the only risk companies face when it comes to unstructured data. Noncompliance with regulations can lead to civil or criminal prosecution for business owners or leaders who are found to be negligent or improperly handling sensitive information.

With help of Microsoft Purview Information, we can

  • detect sensitive information
  • classify information with purpose for example to define if its public data meant to be spread or sensitive data that should be limited to authorized users.
  • restrict sharing and access based on the classification/sensitivity
  • encrypt sensitive information. Protection that follows the lifecycle of the information even if it’s allowed to be shared and downloaded. For example, will protected information be monitored even if it´s externally shared and stored outside of Teams and access to the file can be revoked when needed.


With the help of Data Loss Prevention and Communication compliance we can increase awareness within chat and conversations. Restrict sharing of sensitive information, harassing/threatening language and sharing of adult content that could cause serious damage to our business.

Another example of DLP is to use EndPoint DLP to control what kind of information is allowed to be uploaded to Teams (and other cloud storage solutions).

Microsoft Purview Information Protection – Microsoft Purview (compliance) | Microsoft Learn
Learn about data loss prevention – Microsoft Purview (compliance) | Microsoft Learn
Learn about communication compliance – Microsoft Purview (compliance) | Microsoft Learn

Insider risks

Not only do we have external threats. We can also have internal threats that we need to protect ourselves against. This could be everything from internal users sending sensitive information to their private email with good intent, to someone exfiltrating data with the purpose of leaking trade secrets using an internal user account. Microsoft Purview Insider Risk Management uses the full breadth of service and 3rd-party indicators to help you quickly identify, triage, and act on potentially risky activity. Insider risk management allows you to define specific policies to identify risk indicators. After identifying the risks, you can take action to mitigate these risks, and if necessary open investigation cases and take appropriate legal action.

Insider risk management – Microsoft Purview (compliance) | Microsoft Learn

Data lifecycle management

Microsoft Purview Data lifecycle management is used to comply with laws and regulations. Making sure that irrelevant, out-of-date information is deleted, and that business-critical information is preserved. For example, we can retain or delete certain information based on identified content or the location of the file.
We can also use retention policies and/or a group expiration policy to clean up unused inactive teams/channels and make things cleaner. This makes life easier for our end users and makes it easier for us to protect.

Learn about Microsoft Purview Data Lifecycle Management – Microsoft Purview (compliance) | Microsoft Learn

Microsoft 365 group expiration policy | Microsoft Learn

Last words…

Keep in mind that completely blocking external sharing and guests into your organization often leads to increased risk of information leakage. Basically, because sensitive information will be sent by email instead of being stored and shared from your organization. Shadow IT will increase where employees find their own way of cooperation and sharing of information.

Use Microsoft Teams, in a secure and smarter way!

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

New data protection for Windows

Microsoft just announced that they will release another layer of data encryption within the Windows operating system. This is called Personal Data Encryption (PDE) and will be available from Windows 11 22H2. PDE is an extra layer over the BitLocker disk encryption. The purpose of this it to protect personal data to be accessed either remotely (RDP, File share etc) or locally by another user on the same device.

Personal data locations will be able to be customized later on but is normally “My Documents, desktop and pictures folders.

The encryption is like EFS with a randomized unique 256 bits AES key per file that is protected with Windows Hello for business (instead of certificate-based protection that uses for EFS). To be able to decrypt any file the end user needs to sign in with Windows Hello for Business. This means that the data at rest will be protected before the user login into Windows and as soon as the user lock the machine. Personal Data Encrypted data will only be available when the user signs in with Windows Hello For Business.


The encryption is not a replacement for BitLocker, it should be used in a combination with PDE to fully protect the device and all data. It can’t be combined with standard EFS or Windows Information Protection (WIP).
I personally recommend organizations that using WIP or EFS to replace this with Microsoft Purview Information Protection to be able to identify, classify and protect sensitive content during the entire data life cycle.

For more information and how to test this out follow these links:

Publicerat i Microsoft Information Protection | Märkt , | Lämna en kommentar

AIP Client: To be or not to be

A lot of new things have been released during Microsoft Ignite and we have several news within the Office products around information security.

Microsoft Purview Information Protection continues to give more insights and abilities to detect sensitive information. All the news within Microsoft Office is integrated within the product and can’t be combined with the classic AIPC Client. This article is meant to explain and show the difference between the AIP client add-in and Office native.

One of the most requested features that the AIP Client add-in have given in Office is the ribbon that provide more visibility and make it easier to choose the correct information classification. Basically, the user doesn’t need to click on the Sensitivity button to know what information classes that are available and choose the correct sensitivity label. This function with a visible ribbon is planned to be integrated in future Office releases but is not jet here.


However, we have several functions that maybe make us want to disable AIP client Add-in already now. One example is when sensitive information has been detected, with the AIP Client it notices the end-user about it, but it doesn’t show exactly what and where the information is detected in the document.

When sensitive information is detected with Office version 2208 and above, Word notifies the user where the content is in the document as well as what type of content it is. It’s a big improvement in alerting the user to exactly what information was identified and where in the document. This makes it easier for the user to both discover incorrectly identified information but above all to be able to remove sensitive information that may not be approved in the specific document.


Custom Permissions

With the AIP Client and the add-on we have had the possibility to protect information with user defined custom permissions. Here we have the possibility to define what permission (View, Edit, Full Control) to defined users, groups or organizations by their mail domains. Without the add-in (or if we had enabled coauthoring for RMS protected content in the specific tenant) it falls back to the classic RMS function “restrict permissions” that didn’t have the possibility to restrict access to an whole organization.

This has now been resolved in new Office versions (2208) that also include the ability to assign different rights to different users and organizations.

Custom Permission native

Custom Permission with AIP Client




imageWhen it comes to protect emails to user defined recipients with sensitive labels that uses the rather new “Encrypt-Only” restrictions we had never had this possibility with the AIP add-in enabled in outlook.

Outlook native

Outlook with the AIP add-in



What we still miss in the native Outlook client is the AIP add-in Outlook pop-ups that for instance can be configured to notify and/or block the end-user to send internally protected emails externally.


Non-office files

We still need the AIP client to be able to protect non-office files and/or to protect several files/folders at a time from Windows Explorer. This mean that we don’t want to uninstall the AIP Client app, instead we can disable the add-in for per Office apps

Microsoft is planning to disable the AIP add-in by default in office starting with version 2213, read more here around this (and how to prevent it if there is a need for that):

Migrate the Azure Information Protection (AIP) add-in to Microsoft Purview Information Protection built-in labeling for Office apps – Microsoft Purview (compliance) | Microsoft Learn

Activities that should be planned

For organizations that currently have AIP client’s and its add-in enable, it is time to take a decision when and if changes should be done. Many will wait until the bar is available in native office. I recommend that you create communication plans and review whether user instructions need to be updated when the decision have been made. Service desk and other operational departments should of course be informed.

Also make sure that organization-specific (custom) Information Types/Trainable Classifiers are named and described in a good way because they will now be visible to end users.

Publicerat i Microsoft Information Protection | Märkt , | Lämna en kommentar

Kontrollerad datalagring för svenska myndigheter

Flera av våra svenska myndigheter och offentliga verksamheter står idag och vacklar över om de kan spara data i vissa molntjänster. Trots detta ökar konstant behovet att kunna använda Microsoft Teams för att kunna kommunicera med övriga parter med både möten och samarbete. En stor utmaning handlar även om att kunna förvalta en Windowsplattform som idag bygger på molntjänster för att erhålla hög säkerhet med alla dess tjänster. Att idag hantera en Microsoft-infrastruktur utan dessa molntjänster är extremt tidskrävande och kostsam med ett konstant arbete att hänga med i utvecklingen och stänga av de tjänster som har molnkoppling.

Men den här artikeln kommer jag beskriva hur vi kan förhindra datalagring i Microsoft 365 som standard, men även ge möjlighet på ett kontrollerat sätt att lagra viss information i molnet.

Vi kommer tekniskt lösa detta med tjänster inom Microsoft Purview Information Protection och med hjälp av informationsklassificering. image
Vi har precis fått nya funktioner som öppnat helt nya dörrar.

Ett sätt att höja våra användares medveten och stoppa viss typ av information för datalagring i allt ifrån molntjänster, USB minnen och andra lagringsytor är med tekniker inom Data Loss Prevention (DLP). Här kan vi både övervaka, informera och blockera användare när viss typ av information flyttas/lagras utanför organisationens väggar.

I de flesta fallen handlar det här om viss känslig information som har hårdare krav som innebär kryptering och/eller förhindrande av lagring i osanktionerade (moln)tjänster. Det här löser vi tekniskt genom att identifiera viss typ av information baserat på filernas innehåll eller informationsklassificering (sensitivity labels).

För flera av våra myndigheter är behovet något helt annat. Allt ska som standard blockeras, inget får lagras men det finns undantag för viss information godkänd för datalagring. Detta har varit en teknisk utmaning tidigare, men vi har nu fått teknik som fyller det här syftet.

Vi kan nu låta installera både Microsoft Teams applikationen och OneDrive klienten på våra Windows-enheter inom organisationen. Med hjälp av inbyggt DLP teknik i Windows styr vi så inga filer kan flyttas eller skapas i dessa tjänster. Där emot kan användaren göra ett aktivt val att klassificera en fil manuellt med en viss informationsklassificering som är tillåten att lagras i Microsoft 365. Där efter kan filen flyttas och sparas både i Teams och/eller OneDrive för att synkas till respektive molntjänst.

Tekniskt används ett nytt krav i DLP som handlar om att identifiera om Office filen saknar en sensitivity label. På det sättet kan vi blockera oklassificerade Office filer och övriga klassificerad data som inte är tillåten för molnlagring. Med hjälp av samma DLP-teknik blockerar vi andra filtyper som kan innehålla information för att säkerställa att inte denna lagras i molnet.

Några exempel på hur det här kan se ut.

Användaren försöker skapa ett Word dokument i OneDrive, vilket blockas av EndPoint DLP i Windows. Användaren tar istället en excel-fil som är klassificerad (med en definierad label) som är godkänd för datalagring som kopieras till OneDrive (och synkas till molnet).


I nästa exempel visar vi hur ett publikt dokument kan flyttas till Teams medans ett dokument utan klassificering (sensitivity label) blir blockerat för uppladdning.


Blockera enheter som saknar DLP stöd

Med hjälp av Conditional Access säkerställer vi att det enbart är managerade klienter med denna DLP teknik som når M365 tjänster. Med hjälp av Defender for Cloud Apps kan vi ge en begränsad behörighet att enbart använda webb access för övriga enheter där vi blockerar upp/nedladdning baserat på likvärdigt regelverk.


Befintlig data

Finns det redan data lagrad i molnet som kan innefattas av dessa eller nya krav kan vi få logik i EndPoint DLP som helt enkelt flyttar information och lagrar den lokalt. Filen byts då ut av en text fil där vi kan/bör förklara VARFÖR den har flyttats och var användaren nu kan hitta informationen.

Som med all DLP funktionalitet bör det här användas med försiktighet. Blockerar vi våra användare/verksamheter utan att motivera varför och ger dom ett fungerande alternativ att utföra sina arbetsuppgifter ökar risken att de nyttjar helt andra tjänster att utföra sitt arbete och vi tappar kontrollen helt.

Rikets/Sveriges Säkerhet

Flera av våra myndigheter har information som innefattas av informationsklassificeringen ”Rikets säkerhet”. Det här är information som hanteras i helt slutna system (eller i pappersform) utan någon form av internetanslutning. Den här typen av information ska/kan inte klassificeras med hjälp av sensitivity labels. Där emot är det viktigt att ha någon form av detektering OM den skulle förekomma i verksamhetens molntjänster.

Här finns det möjligheter att definiera upp standarder som används i dessa slutna system. Med hjälp av något som är identifierbart kan den här informationen detekteras och på samma sätt både förhindra att den laddas upp till molntjänster, flyttas till lokal lagring och larma om den identifieras på internetanslutna enheter.

Publicerat i Microsoft Information Protection | Märkt , | Lämna en kommentar

Problem sending or receiving protected emails externally?

Last week was the tenth time I helped an organization that couldn’t send protected emails externally.

In other words, it’s worth a blog article.

It’s all about a very common misconfiguration of Conditional Access.

The scenario is that (RMS) protected emails can be opened internally but if they are either sent or received externally, they can’t be opened in Outlook.


In all cases the issue have been that the sender’s organization has required MFA for all users to all cloud apps.

Multifactor Authentication (MFA) is in most cases what we want to enforce to increase the security but in this case it simply doesn’t work.

Let me start to explain how to solve this issue.

If your MFA Conditional Access rule looks like the following you simply need to exclude the app Microsoft Azure Information Protection from the specific rule.

All users All Cloud apps Require MFA
image image



If you have other Conditional Access rules that require MFA against the app Microsoft Azure Information Protection, you need to exclude this for external users.

As soon as the exclusion has been done, protected emails will be able to be opened (decrypted) in Outlook.


Let me explain why

Outlook as an App supports MFA. For example, if MFA is required internally, you can sign-in to Outlook to your own organization with MFA. The problem comes when you need to decrypt a rights protected message (rpmsg). One of the best things with RMS encryption is that is works seamless with Office files both internally and externally. During decryption, the authentication of your signed-in account in Office is used to verify your permissions against the organization that encrypted the content, both internally and externally (without any additional password/certificate that most 3-party solutions use).
The problem when you need to authenticate to decrypt a protected message that comes from an external organization is that Outlook uses the signed in account and its token to authenticate to the sender’s tenant. If MFA is required Outlook doesn’t support  re-authenticating to the sender’s organization with MFA against this tenant.

Publicerat i Conditional Access, Microsoft Information Protection | Märkt , , | Lämna en kommentar

Protect your environment by reviewing your applications!

To be able to protect our organization as well as preventing information leakage we not only need to secure our own environment we also need to identify what kind of apps and services that are in use by our users.

Microsoft Defender for Cloud Apps, formerly known as MCAS is a great tool to both get to know what kind of apps that are in use, get more knowledge about the apps as well as blocking unwanted application.

There is two different kind of apps that we can identify with Microsoft Defender for Cloud Apps.

  • Cloud Apps used from our network (based on FW/proxy logs) and/or devices (via Defender for Endpoint).
  • OAuth apps that integrate with our Azure AD, for instance, to sign in a user and/or access a user’s Microsoft 365 information such as calendar, email, and files.

There are a lot of news coming around OAuth apps, lets save that for a coming blog post and focus on the other type of apps, discovered cloud apps.


The risk of not knowing what 3-party apps that are being used is everything from information leakage to identity theft.

It’s called Shadow IT when users start using unsanctioned services to perform their work. With this tool we can easily identify if this is the case either by identify that large number of users accessing the same unsanctioned app or that a lot of data are transferred to a specific unknown app.

Another security risk that it common is that users reuse their work email adress as well as their password for 3-party solutions. We have seen several cases where a web service has been hacked and credentials stolen from this application have been used to get access to the company.

Microsoft Defender for Cloud Apps have built in alerts that reports both new apps that are being identified for high usage as well as new breaches with apps that are in use by our business. We can also create our own alerts and use Power Automate to get the alert into any destination we want and even take automatic actions.


A major challenge with Microsoft Defender for Cloud Apps is to identify ownership within the organization because this is such a broad product.

If we identify Shadow IT, we need to involve several parts of the organization to review what actions we need to take.

Examples include:

  • Make sure that we provide our business with the services they need to do their job.
  • Inform and educate how to use sanctioned apps and services
  • Once we have identified and informed about a sanctioned solution, we can block the unsanctioned solution.

However, it can be more critical in some cases where we need to act as quickly as possible to prevent information leakage. This assumes that we have a playbook with actions for this type of alerts.

For example, an alarm occurs that large amount of data are uploaded to an unsanctioned cloud app with a low score that turns out to be a service for anonymously sharing information.

A first step that our security operation can take is to start monitoring the service. This results in users being informed that their activities are being logged. If it turns out to be something that is approved by the business, the user can still move on.



A prerequisite to be able to monitor and block the app is that Microsoft Defender for Endpoint is running on the device.

How to get started

If you are working in IT and don’t have the business and its management involved, start by giving them information that Microsoft Defender for Cloud Apps has identified.

One good example as a first introduction for the management is to generate a Cloud Discovery executive report.


Today this is done from the Microsoft Defender for Cloud Apps -portal and the Cloud Discovery part. In a few months this will integrated as a coherent part of the Microsoft 365 Defender portal. Stay tuned for more information around news within Microsoft Defender for Cloud Apps.

More information about Microsoft Defender for Cloud Apps

Publicerat i Microsoft Defender | Märkt | Lämna en kommentar

Restrict information sharing based on sensitivity

Both Teams and SharePoint are good solutions for sharing and collaborating with sensitive information internally as well as externally.

With help of Sensitivity labels, we can define rules and permissions for everything from allow/block external guests, sharing of files, as well as conditions for accessing different Teams and SharePoint sites.

In the most cases a certain team or project often includes different kinds of files with different sensitivity. Everything from public non-sensitive information to more confidential information that all have different rules and regulations.

All settings around “Groups & Sites” that we can define in Sensitivity Labels are based on existing Teams/SharePoint settings.

The biggest challenge is most often when we use Teams or restricted channels in Teams to restrict access to certain information. Even if we set a Team or a Teams channel as private, the default setting for sharing is that files can be shared to anyone within your organization.


In the most cases we have specific private Team and/or private channel to restrict access to only the members. But…

Regardless of the private setting of the team and channel that restrict access to the specific location, files within this team can be shared to users outside of the Team/Channel.


This is due to the following global setting in SharePoint


Within information security, it is of course most advantageous to change the global settings for Shares to ”Specific people”. This does not allow files to be shared to anyone other than those who have access to the Team or channel.

However, it is often difficult to change the global setting as there is uncertainty about the need for information sharing. After all, it is usually a small part of our information that is actually more sensitive.

This week we have got new functionality within Microsoft Information Protection that solves this challenge.

We can now, based on the sensitivity of both the team and specific documents, control just sharing settings. This applies both to who we can share files with, and to control whether we allow edit or view only access to the shared document.

Some examples, if we have Team sites including private channels where we need to restrict sharing to only members of the Team/Channel, we can define this setting on the sensitivity label of the site.

image image

If sensitive information is located in a nonrestrictive team we can restrict the sharing setting only on these files.


For more information how to configure sensitivity labels with default sharing link type in SharePoint and OneDrive:

Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive – Microsoft 365 Compliance | Microsoft Docs

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

Classify information based on Teams location

Information classification is used to separate information into different categories. Everything from legal cases to sensitive projects often includes different kinds of information. It could contain both public information meant to be spread/shared officially and more sensitive highly confidential information restricted to certain users.

However, a common business request is the ability to classify information based on a certain location such as Team sites or SharePoint sites. Today the classification/Sensitivity label of the site only control how information can be accessed and shared and doesn’t affect the sensitivity label of the files within the team.

Notice that this picture has been customized to visualize that sensitivity label of the Team and the files doesn’t reflect.
Notice that this picture has been customized to visualize that sensitivity label of the Team and the files doesn’t reflect.

Default label per SharePoint/Team site

What’s in roadmap and currently in private preview is that a default sensitivity label can be configured per site. A site with configured default sensitivity label will automatically apply this label to all documents created or uploaded to this site. The exception is documents that already have been manually or automatically classified with a sensitivity label.
Documents with another default label will be relabeled with the default label configured for the Team/SharePoint Site.

In this example two different files are uploaded to Confidential team for Project Beta.

· The excel file is already manually labeled as Public.

· The document is just created with a default label (Business).

Within 2 minutes Teams shows that the Excel file remains classified as Public while the document has been relabeled as Confidential \ Project Beta


When a new document (excel workbook in this example) is created from this site it is labeled by default as Confidential \ Project Beta


If you want to try this out, the product owner at Microsoft have written an article with guidelines

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

Detect and protect sensitive IT information

What we have seen is that organizations are often good at verifying permissions and access to their IT (security) systems, but what most organizations miss is to restrict and protect extracted data such as logs and reports from these systems. Information that contains both system information and user data that in the wrong hands can be used by criminals to map our IT environment and identify vulnerabilities or violate laws and regulations regarding sensitive user information.

We need to support our analysts and IT staff to identify sensitive IT / System information, get the information correctly classified and protected. This has just become much easier! Since last week, we have new built-in trainable classifiers, where we have a classifier just for IT information. Trainable classifier is there to help us identify information based on analyzing existing information and using AI to find similarities with new information. You can read more about how trainable classifiers works and how to create your own classifiers in this blog post

The trainable classifier IT refers to information technology and cybersecurity topics such as network settings, information security, hardware and software issues. If we compare this trainable classifier with the Sensitivity info type “IP Address”, it only identifies IP addresses while this identifies the combination of network, hardware, software and user information.

Here is a list of all the new predefined trainable classifiers that meet several common business needs.


Trainable Classifiers can be used in combination with several services such as

  • Sensitivity Labels to detect, classify and protect information
  • Retention Policies to determine whether information should be deleted or retained for a defined period
  • Microsoft Defender for Cloud Apps (formerly known as MCAS) which can scan connected cloud services to identify and (for certain services such as M365) automatically classify / protect data-at-rest information.

I have configured a sensitivity label to support the organization to classify and restrict sensitive IT information such as incident reports and forensic reports. The label is set to automatically detect the information and recommend the end user to classify with this label.

image image

For example, if someone download alerts reports including sensitive security/compliance incidents from the Defender portals and open them in M365 apps, the user will be prompted to use this label.

image image

Detect sensitive IT information from MCAS

In this example I download threat analytics information around the Log4j exploitation including exposed devices.

Detect sensitive IT information from Defender

The limitation with recommended and auto labeling is that csv files are not supported, the reports / logs need to be in xlsx or docx format.

However, we can both identify and restrict the rights of these files.

Identify sensitive IT information at rest.

As I mentioned earlier, we can use Microsoft Defender for Cloud Apps (MCAS) to identify and act on information found by trainable classifiers.

By creating an information protection policy, we can retrieve Trainable classifiers as conditions. The result is that we will identify all files located in SharePoint / Teams / OneDrive that contain this type of information. Here we can identify data that is also in other formats, such as csv files.

image image

Since we have support to use the trainable classifier with Microsoft Defender for Cloud Apps we can also create session policies to define rules with Conditional access for this information. We can for instance block download or access from unmanaged devices. In this session policy I require MFA to be able to download files including sensitive IT information


The result looks like this where files including sensitive IT data require higher security verification to be downloaded

Detect sensitive IT information session

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

Attack Simulation Training

For decades successful intrusions have occurred by tricking a user to either execute something or leak sensitive information like passwords or other secrets.
As our security solutions are improved and protection increases, we can clearly see how attacks in the form of social engineering like phishing (Email/IM), smishing (SMS), vishing  (Voice calls) increases.

Basically, if the attacker wants something that could be hard to get by attacking a system it is often easier to contact some internal user(s) either by email/IM or phone and let them do the work. Like getting someone from the inside to open the locked door to your environment.

If we look at how most ransomware attacks are performed, it is usually about tricking a user into clicking on a link or executing a code. This concerns both users in working life and in private, where we know that the consequences can be devastating.

So, what can we do to prevent this?

It’s mostly about education, training, and awareness! We need to continue educating our new and existing employees. Teach them how to identify anomalies in the message so they become more careful. They need to be able to validate the sender, the text and above all the reasonableness/probability of the message they receive.
This need to be done with a combination of training and practice.
This is where Microsoft Defender Attack Simulations comes in. Attack simulation training in the Microsoft 365 Defender can run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users to prevent a real attack.image

A simulated attack like this phishing attempt from DHL can either be based on a predefined template

Attack simulation also allows us to customized one in a local language, in this case from the local service desk.


We also get predefined trainings to choose from to educate the users.


Note that this video is fast-forwarded and cropped to show the user experience.

Let’s take a look how this is done from the M365 Defender Portal

We find Attack simulation training on the Email & Collaboration chapter in the Security portal.
Here we can simulate attacks and follow up the result of current and previous simulations.


This solution is continuously updated to reflect several of the attacks we see in real life.

At the time of writing, we have the following techniques to choose from when simulating an attack.


For the moment we have 91 prepared payloads that we can choose from.


We also have the possibility to create our own payload. This can be helpful for simulating a scenario from our own organization as well in our own language.

We define what source the email should have; we can set whatever email address we like for the purpose of the simulation


We can either import an existing email or create one our self and attach a phishing link


Based on the simulated technique we got recommended trainings to choose from.


We can assign the training to either all users or only the one that got phished (clicked on the email or shared their credentials)


We can customize the existing default landing page, create our own or use a custom URL.


We can schedule the training and make it region aware to reflect real case scenarios.


Will my email protection solution block these emails?

No, these emails are placed directly in the user’s inbox and never passes the Exchange/Mail servers.

3 important steps to get started

  1. Plan your simulation well, make sure it sanctioned by the business and its management
  2. Combine the training with information campaigns and explain the “why” and background why this is important
  3. This is not a one-shot, the training must be recurring in order to maintain both the attention of our existing and new employees.
Publicerat i Microsoft Defender | Märkt | Lämna en kommentar