New Microsoft 365 defaults, Application Guard beta add email protections

Microsoft has made it harder for attackers to redirect email responses or leverage malicious attachments. Here's how to review the impact these new features will have on your business.

Microsoft is rolling out more Microsoft 365 settings that are secure by default. Assess each of these settings for its impact on your business processes.

One of the new Microsoft 365 defaults has to do with email forwarding. As of September 1, Microsoft has changed the defaults on Microsoft 365 ATP external email forwarding controls. Messages that are automatically forwarded outside the organization will be blocked and a non-delivery report (NDR) will be sent to the user.

Attackers know that if they wiggle into a desktop and gain a toehold in Outlook, they can run PowerShell scripts to set up hidden rules to forward emails. I’ve seen a recent attack via email that changed the reply-to address to be someone outside of the organization, redirecting the response to the attacker.

Run the Auto-forwarded messages report to identify which users in your tenant automatically forward messages outside the organization, then focus on the users with either SMTP forwarding or inbox rules and plan accordingly. Exchange transport rules (ETRs) are unaffected by this change. Next, configure the outbound spam policies to allow automatic external forwarding for either your entire organization or specific users. This change does not affect internal automatic message forwarding.

If you have set up, or plan to set up, external forwarding, it will be blocked by default going forward. If you require this feature, you will need to take action to keep it working.
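An added example (not from the article) of the inventory step described above, written with Exchange Online PowerShell cmdlets; it assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session, and only reads settings:

```powershell
# Added example: list mailboxes that auto-forward outside the tenant (SMTP
# forwarding and inbox rules) and show the outbound spam policy setting that
# the new default is driven by. Assumes Connect-ExchangeOnline has been run.

# Domains the tenant owns; anything else is treated as external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-IsExternal([string]$Address) {
    if (-not $Address) { return $false }
    # Forwarding values may be "smtp:user@domain" or "user@domain".
    $clean  = $Address -replace '^smtp:', ''
    $domain = $clean.Split('@')[-1].ToLower()
    return -not ($internal -contains $domain)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level SMTP forwarding (set by an admin or through Outlook settings).
    if (Test-IsExternal $mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Kind = 'SMTP forwarding'; Target = $mbx.ForwardingSmtpAddress
        }
    }
    # Inbox rules, including hidden ones created by script, that forward or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) | Where-Object { $_ }
        foreach ($t in $targets) {
            # Rule recipients are typically rendered as 'Name [SMTP:user@domain]'.
            $addr = if ("$t" -match 'SMTP:([^\]]+)') { $Matches[1] } else { "$t" }
            if (Test-IsExternal $addr) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress; Kind = "Inbox rule '$($rule.Name)'"; Target = $addr
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize

# AutoForwardingMode is Automatic (which now behaves as Off), On, or Off.
# To allow forwarding for specific users only, scope a separate outbound spam policy to them.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```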

Recently an email came into my office that pretended to be a financial transaction. The sender was someone who had done business with the firm and was connected to a client of the firm. There had been emails with this sender a few days before. The email had an HTML attachment. The attacker had entered their email system and had changed the reply-to to a domain located in Latvia.

Figure: Email sent with adjusted reply-to field

The header shows that the email came from the sender’s Microsoft 365 account, so the attacker had not spoofed the sender. The attacker then added a Reply-To header to the outgoing email using a PowerShell command of this form: $msg.headers.add("Reply-to",""). Starting from a clean email that would pass through many email hygiene platforms, the attacker attached an HTML file designed to harvest credentials and directed any response to an email address under their control.

Figure: Mail headers sent through Microsoft 365
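As an added example (not the author's), a small PowerShell check for the Reply-To redirection described above: it parses a header block and flags a Reply-To whose domain differs from the From domain. The internal domain list and the sample headers are constructed placeholders.

```powershell
# Added example: detect a Reply-To header that sends replies to a domain other
# than the sender's. Constructed input; domains are placeholders.

$internalDomains = @('example.com')   # assumption: the firm's own domains

function Get-HeaderValue([string[]]$Lines, [string]$Name) {
    # Headers may be folded across lines; continuation lines start with whitespace.
    $value = $null
    foreach ($line in $Lines) {
        if ($null -ne $value) {
            if ($line -match '^\s+') { $value += ' ' + $line.Trim(); continue }
            break
        }
        if ($line -match ('^{0}:\s*(.*)$' -f [regex]::Escape($Name))) { $value = $Matches[1] }
    }
    return $value
}

function Get-AddressDomain([string]$Header) {
    if (-not $Header) { return $null }
    # Accept "Display Name <user@domain>" or a bare user@domain.
    $addr = if ($Header -match '<([^>]+)>') { $Matches[1] } else { $Header.Trim() }
    return $addr.Split('@')[-1].ToLower()
}

function Test-ReplyToMismatch([string[]]$HeaderLines) {
    $from    = Get-AddressDomain (Get-HeaderValue $HeaderLines 'From')
    $replyTo = Get-AddressDomain (Get-HeaderValue $HeaderLines 'Reply-To')
    if (-not $replyTo) { return $false }   # no Reply-To header: replies go back to From
    # Suspicious when replies leave the sender's domain and do not land in one of ours.
    return ($replyTo -ne $from) -and -not ($internalDomains -contains $replyTo)
}

# Constructed sample: a genuine partner mailbox as From, an attacker-controlled Reply-To.
$sample = @(
    'From: Partner Contact <partner@partner-firm.example>',
    'To: accounts@example.com',
    'Reply-To: Partner Contact',
    ' <partner.contact@attacker-controlled.example>',
    'Subject: Re: Wire instructions'
)
if (Test-ReplyToMismatch $sample) {
    Write-Output 'ALERT: Reply-To domain differs from From domain; verify out of band before replying.'
}
```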

Attackers often host testing platforms to see if a campaign is successful and then pivot to a production platform to launch the attack. Processes that protect you from these types of campaigns include turning off macros, tightening email security controls, and monitoring traffic to commonly abused top-level domains (TLDs).

For all versions of Office, evaluate whether your users need macros. Educate your users on the warning messages they will see when opening a Word or Excel file that includes macros, and on the appropriate actions to take when receiving attachments. CERT has been warning users about how to handle attachments for many years. Here’s a brief summary of their advice:

  • Be wary of unsolicited attachments, even from people you know. Check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. Note that ISPs and software vendors do not send patches or software in email.
  • Keep software up to date.
  • Trust your instincts. If an email or email attachment seems suspicious, don't open it even if your antivirus software indicates that the message is clean.
  • Save and scan any attachments before opening them. If you have to open an attachment before you can verify the source, take the following steps:
    • Be sure the signatures in your antivirus software are up to date.
    • Save the file to your computer or a disk.
    • Manually scan the file using your antivirus software.
    • If the file is clean and doesn't seem suspicious, go ahead and open it.
  • Turn off the option to automatically download attachments.
  • Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges. Some viruses need "administrator" privileges to infect a computer.
  • Apply additional security practices. You may be able to filter certain types of attachments through your email software or a firewall.

Testing Application Guard

Microsoft recently announced a new sandbox platform, Application Guard for Office, that protects users who open Office attachments. It is now in public preview but is off by default. To see it in action you need Microsoft 365 E5 or Microsoft 365 E5 Security as your base license. As a minimum software requirement, you need the following:

  • Windows 10 Enterprise edition, client build version 2004 (20H1) build 19041
  • Office Beta Channel Build version 2008 16.0.13212 or later
  • Windows 10 cumulative monthly security updates KB4566782 (the August update)

Then install the Office enablement package. This package installs a group policy called "KB4559004 Issue 001 Preview" under “Computer Configuration\Administrative Templates”. Set this group policy to “Enabled”.

To preview this, go into the Office account and opt into the Office Insider program. Once you’ve enabled the Office beta and ensured that the operating system is on the Enterprise version, you can test the impact of the sandbox function. Review all the necessary steps from the Office page. Once it’s enabled and you open an untrusted document, you will see a splash screen in Word, Excel, PowerPoint, etc. that indicates that Application Guard is in use:

Figure: Application Guard in use
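An added example (not from the article or from Microsoft) that checks the client prerequisites listed above from PowerShell before you install the enablement package; it assumes the Office Click-to-Run registry key holds the installed Office version, and it does not check licensing.

```powershell
# Added example: read-only check of the Application Guard for Office preview
# prerequisites on a Windows 10 client (edition, OS build, Office build, August update).

$minOsBuild     = 19041                  # Windows 10 2004 (20H1)
$minOfficeBuild = [version]'16.0.13212'  # Office Beta Channel version 2008
$requiredKb     = 'KB4566782'            # August 2020 cumulative update

function Get-AppGuardPrereqStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Assumption: Click-to-Run stores the installed build as VersionToReport here.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $officeVersion = if ($c2r.VersionToReport) { [version]$c2r.VersionToReport } else { $null }
    $kbInstalled = [bool](Get-HotFix -Id $requiredKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        EnterpriseEdition = $os.Caption -like '*Enterprise*'
        OsBuild           = $os.BuildNumber
        OsBuildOk         = [int]$os.BuildNumber -ge $minOsBuild
        OfficeVersion     = $officeVersion
        OfficeVersionOk   = ($null -ne $officeVersion) -and ($officeVersion -ge $minOfficeBuild)
        AugustUpdateOk    = $kbInstalled
    }
}

$status = Get-AppGuardPrereqStatus
$status | Format-List
if ($status.EnterpriseEdition -and $status.OsBuildOk -and $status.OfficeVersionOk -and $status.AugustUpdateOk) {
    Write-Output 'Client prerequisites met: install the enablement package and enable the "KB4559004 Issue 001 Preview" policy.'
} else {
    Write-Output 'One or more prerequisites are missing; see the list above.'
}
```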

The ribbon bar will indicate that the file is in Application Guard, as will the task bar icon of the application. At this time, if .NET updates are installed, you may see error messages when Application Guard for Office launches, and you will need to reboot your computer.

Some workflows may require you to plan for some users to have Application Guard and others not. As Microsoft notes, it isolates untrusted documents from trusted corporate resources, the intranet, the user's identity, and arbitrary files present on the computer. It may therefore block a user from inserting files from other locations into the document being worked on. If you have users who have been targeted by attackers in the past, or whom you think may be targeted, you may wish to start testing this solution for your office now.

Copyright © 2020 IDG Communications, Inc.
