Microsoft 365 Defender – part 3

In our previous posts, we have looked at some of the basics of Microsoft 365 Defender. For those of you who want to learn more, Microsoft has done something pretty amazing for us. They have included a learning hub. Here you can look at different learning paths, look at info for the different products and also go into specific topics.  ( Part 1 and part 2 in this series can be found by clicking on the links.)   Free training! (Yay) By selecting the Products option, you are able to look at specific products that you want more info about:  The different Defender products in Microsoft 365 Defender.  If you want to search for a topic, you have quite a few to choose from:  Topics But for today we will be looking at another interesting feature in Microsoft 365 Defender, and this is located under Endpoints in the left menu. As you can probably tell, Endpoints is where we find some of the info related to our clients. There are other places as well, but we will get into that later. Here we wil

Microsoft 365 Defender – Part 2

In this blog post, which is part 2 of a series ( part 1 here ), we will go a little more into some of the functionality in this product. Some of the more important features of new security products are the ones based on machine learning and AI. It is important to work on security skills, but when things happen so fast and on such a large scale, we can really use some help from the machines that are on our side. Microsoft Threat Intelligence analyzes 24 trillion signals daily and use machine learning and AI to react and respond to threats.    Microsoft Threat Intelligence ( This means that we in many cases can expect response times way beyond what even the best security teams can achieve.  Todays topic – Threat analytics Today, as we continue our journey into the Microsoft 365 Defender product, we're going to talk about Threat analytics. This is an extremely useful feature which gives us insight into what's going on in the world, and if our environment is vulnerable

Microsoft 365 Defender - part 1

Our journey to the cloud has created some new ways of thinking, new ways of working, and of course a bunch of new portals to work in. It's beginning to be a while since Microsoft started consolidating their different security products under the defender name. Some of the big ones like the Advanced Threat Protection solutions are well known to many of us and more products are being added under the Defender umbrella all the time. Today we are going to look at Defender for Microsoft 365. What it is, and how it can help us. My demo tenant has Microsoft 365 E5 licenses, and this gives us the full power of the defender suite.  What is the Microsoft 365 Defender product really? In this post, which is part 1 in a series, we will look at some of the basics of Microsoft 365 Defender. Many of us are used to defining Microsoft 365 Defender from what we can see in the portal, where we can:  - Detect Security risks - Investigate attacks - Prevent harmful activities A

Securing emails to "regular" users with Information Protection.

  This is a scenario that tend to stop our information protection discussions pretty fast. Cause even though Sensitivity labels are great at securing/labeling info, even when sharing with external parties, this changes immediately when we want to communicate directly with customers in a B2C scenario. Microsoft has showcased the growing support for this if the customer has gmail or outlook and stuff like that, but we cannot assume that this goes for everyone, and even more important: We cannot assume that our customers have tech knowledge. So, what do we do then? How about those non-business users? If you have any experience with this and want to share them with us, please let me know in the comment section below.   Sensitivity labels These are great. After Microsoft bought Secure Islands (back in 2016 I believe it was) Rights Management Service (RMS) turned into something with a lot more potential with Azure Information Protection (AIP). This has evolved further into what we know

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au

Do not Forward and the protection of attachments

Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli

Can Information Protection help us against Ransomware?

We have many useful tools against ransomware in Microsoft 365, but can Information Protection be one of them? My good friend Olav Tvedt took up this question the other day, and the inititial answer is no. But the again, it can also be yes, in a way. This is not something I have tested, but it is an interesting theory. Encryption will not stop ransomware from re-encrypting the data, but there is another thing it can do, that might have helped quite a few of the victims lately.  One of the awesome things about Information Protection is the way it protects data with the use of AAD authentication. We allow or deny people the access rights to a piece of information by their AAD accounts. And this is where we get a useful tool against ransomware. Not the attack itself, but what has been done to victims lately, where they have been threatened with getting sensitive data released to the dark web after the attack. For some this can be devastating, and this is where Information Protection can he