Microsoft 365 security – anti-malware protection

Malware is the most common threat that can compromise your Microsoft 365 security. Did you know that each year there are approximately 10 billion malware attacks? Malware is a very broad concept covering such threats as viruses, trojans, rootkits, worms, spyware, and other malicious software. What are the effects of such threats? Well, data breach/loss and related costs (which are astronomical, by the way), reputation loss, downtime, legal penalties and much more… In this article I will talk about Microsoft 365 security in terms of the anti-malware protection built into Microsoft 365 services.

Microsoft 365 security – main types of malware

But to understand Microsoft 365 security we first need to talk a little more about what malware is in general, and which types of malware can affect your computer and in what ways. If you understand your enemy, you have a better chance of fighting it.

Let’s take a look at malware like it’s a disease attacking the human body. When you are sick you’ll probably be showing some symptoms of being infected. In the same way, your computer will show symptoms of being infected by malware. Some of those symptoms may include:

  • Increased CPU usage
  • Computer or programs freezing or crashing
  • Slow computer speeds
  • Problems in network connectivity
  • Modified or deleted files
  • The appearance of unknown files, programs, icons
  • Programs running, turning off, or reconfiguring themselves 
  • In general strange computer behavior
  • Email messages being sent automatically and without the user’s knowledge 

Depending on the symptoms you encounter, you have a chance of determining what type of malware you are facing. Among the most dangerous and widespread types of malware are viruses, spyware, and ransomware.

Viruses

A virus is capable of copying itself and spreading to other files and computers. Viruses often spread to other files or computers by attaching themselves to various programs, and their code is executed when a user launches one of those infected programs. Viruses can be used to steal information, harm host computers and networks, create botnets, steal money, render advertisements, and more. One of the most harmful types of computer virus is known as a worm.

A worm spreads over computer networks by exploiting operating system vulnerabilities. Worms typically cause harm to their host networks by consuming bandwidth and overloading web servers. Computer worms can also carry “payloads” that damage host computers.

The basic difference between a virus and a worm is that the former must be triggered by the activation of its host program. Worms can self-replicate and propagate independently and do not require activation or any human intervention to execute or spread their code.

Spyware

Spyware is a type of malware that functions by spying on user activity without the user’s knowledge. These spying capabilities can include activity monitoring, collecting security keys and credentials, data harvesting (account information, logins, financial data), and more. Spyware often has additional capabilities as well, ranging from modifying the security settings of software or browsers to interfering with network connections. Spyware spreads by exploiting software vulnerabilities, by bundling itself with legitimate software, or inside Trojans.

Ransomware attacks

Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom. The malware restricts user access to the computer, either by encrypting files on the hard drive or by locking down the system, and displays messages intended to force the user to pay the malware creator to restore access to the encrypted files, remove the restrictions and regain access to the computer. Ransomware typically spreads like a normal computer worm: it ends up on a computer via a downloaded file or through some other vulnerability in a network service.

Microsoft 365 security – Anti-malware Systems

Now you know what types of malware you are facing and how each of them works. Let’s look at how you can set up and modify the Microsoft 365 security that Microsoft provides. But what does Microsoft 365 malware protection actually provide?

Microsoft 365 security includes protection mechanisms that prevent malware from infecting Microsoft 365 clients or servers. The use of anti-malware software is a key ingredient in protecting Microsoft 365 from malicious software. The anti-malware software detects and prevents computer viruses, spyware, worms, and other malicious software from being introduced into any service system. Anti-malware software provides both preventive and detective control over malicious software.

As new malicious software is created every day, Microsoft updates its signatures regularly. This process is controlled by the service teams assigned to the respective anti-malware tools, who take updates from the vendor’s virus definition site.

The following functions are centrally managed by the appropriate anti-malware tool on each endpoint for each service team:

  • Automatic scans of the environment
  • Periodic scans of the file system
  • Real-time scans of files as they are downloaded, opened, or executed
  • Automatic download and application of signature updates at least daily from the vendor’s virus definition site
  • Alerting, cleaning, and mitigating of detected malware

Let’s take a closer look at two of the Microsoft 365 security systems that help you protect against malware. The first of them is Exchange Online Protection.

Exchange Online Protection (EOP) – line 1

Exchange Online Protection (EOP) is an anti-malware system that secures your Exchange mailboxes and is capable of detecting zero-day malware threats. When your users send, or are about to receive, an email, it is scanned for malware by multiple anti-malware engines inside EOP. By analyzing emails on multiple layers of defense, Microsoft greatly reduces the chance of malware passing through its system and reaching your endpoints. When the malware detection system finds suspicious files inside any of the attachments, the email is quarantined and the attachments are deleted.

As an administrator you don’t need to worry about how this process runs, but you can set up anti-malware policies inside the Exchange Admin Center. Inside those policies you can determine whether a notification that malware was detected in an attachment should be sent to the recipient of the quarantined email, or even to its sender. You can also choose to replace detected attachments with either a custom or a default message.
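The same anti-malware policy can be created from Exchange Online PowerShell instead of the Exchange Admin Center. This is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, and the policy name, domain and mailbox addresses are placeholders. The attachment-replacement settings reflect the behaviour the article describes; newer tenants quarantine the whole message and may ignore them.

```powershell
# Added example: an EOP anti-malware policy via Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module; all names and addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Create a custom policy rather than editing the built-in Default policy.
$policyParams = @{
    Name                                   = 'Contoso-Malware-Strict'
    # Common attachment filter: block file types with no business need.
    EnableFileFilter                       = $true
    FileTypes                              = @('exe', 'scr', 'js', 'vbs', 'hta', 'iso')
    # Zero-hour auto purge: remove a message found to be malware after delivery.
    ZapEnabled                             = $true
    # Replace the removed attachment with a custom text for the recipient
    # (the replace-attachment behaviour described in the article; tenants that
    # quarantine the entire message ignore these two settings).
    Action                                 = 'DeleteAttachmentAndUseCustomAlert'
    CustomAlertText                        = 'An attachment was removed because malware was detected.'
    # Copy an admin mailbox on detections in mail from internal and external senders.
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = 'secops@contoso.example'
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = 'secops@contoso.example'
}
New-MalwareFilterPolicy @policyParams

# A policy does nothing until a rule scopes it to recipients; lower Priority wins.
New-MalwareFilterRule -Name 'Contoso-Malware-Strict' `
    -MalwareFilterPolicy 'Contoso-Malware-Strict' `
    -RecipientDomainIs 'contoso.example' `
    -Priority 0

# Verify what is actually in effect before relying on it.
Get-MalwareFilterPolicy -Identity 'Contoso-Malware-Strict' |
    Format-List Name, EnableFileFilter, FileTypes, ZapEnabled, Enable*AdminNotifications

Disconnect-ExchangeOnline -Confirm:$false
```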

Microsoft Defender – line 2

Office 365 Advanced Threat Protection (ATP), which since September 2020 has been called Microsoft Defender for Office 365, is another email filtering service that provides even more advanced protection against malware. In addition to the multilayer email scans already introduced in EOP, Defender introduces a feature called Safe Attachments. This feature helps protect against a wide range of threats, including viruses, malware, and even zero-day attacks, which may be distributed through Office 365 services. But how does it work?

All messages and attachments that passed through the first anti-malware layer, meaning they didn’t match any known malware signature, are transferred to a special environment. In that environment behavior analysis is performed, using a variety of machine learning and analysis techniques, to detect whether the item contains any malicious software. If no suspicious activity is detected, the message is rerouted back to its original destination.

Microsoft Defender also provides a service that protects you against phishing attacks. In phishing emails, attackers hide malicious URLs behind seemingly safe links that redirect users to unsafe sites. When a user clicks a link that redirects to an unsafe site, usually a phishing website, the malware detection response kicks in and blocks that link.

Another useful system inside Microsoft Defender lets you gain insight into which user group is being targeted inside your organization and which categories of attacks you are facing. Reporting and message tracing allow you to investigate items blocked by the anti-malware solutions, and the URL trace capability lets you track where malicious email links that your users clicked lead. You can specify an additional recipient (an admin) to receive notifications about any malware detected in messages from internal or external senders.
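The Defender for Office 365 features described above (Safe Attachments detonation, Safe Links click-time checking, and the follow-up investigation) can be configured and queried from Exchange Online PowerShell. This is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module and a Defender for Office 365 license, and the policy names, domain and addresses are placeholders.

```powershell
# Added example: Defender for Office 365 Safe Attachments and Safe Links policies,
# plus a quarantine and message-trace check. Requires the ExchangeOnlineManagement
# module; policy names, domain and mailbox addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Safe Attachments: detonate attachments that already passed EOP signature scanning.
# 'Block' holds the whole message if the attachment misbehaves; a copy of each
# blocked message is redirected to the security mailbox for investigation.
New-SafeAttachmentPolicy -Name 'Contoso-SafeAttachments' `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress 'secops@contoso.example'

New-SafeAttachmentRule -Name 'Contoso-SafeAttachments' `
    -SafeAttachmentPolicy 'Contoso-SafeAttachments' `
    -RecipientDomainIs 'contoso.example'

# Safe Links: rewrite URLs and check them at click time, keep click tracking so
# the URL trace is available, and do not let users click through a block page.
New-SafeLinksPolicy -Name 'Contoso-SafeLinks' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name 'Contoso-SafeLinks' `
    -SafeLinksPolicy 'Contoso-SafeLinks' `
    -RecipientDomainIs 'contoso.example'

# Investigation: what the filters quarantined as malware in the last 7 days,
# and a message trace of everything that ended up quarantined in that window.
$since = (Get-Date).AddDays(-7)
Get-QuarantineMessage -QuarantineTypes Malware -StartReceivedDate $since |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject

Get-MessageTrace -StartDate $since -EndDate (Get-Date) -Status Quarantined |
    Select-Object Received, SenderAddress, RecipientAddress, Subject

Disconnect-ExchangeOnline -Confirm:$false
```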

Microsoft 365 security – so how can you prevent malware infection?

Microsoft provides many solutions to keep your data safe against malware attacks, and you might think that this is enough protection for your organization. However, the weakest link in security, Microsoft 365 security included, is still… humans. You need to educate your employees or colleagues about new malicious software and threats, social engineering, proactive prevention, and general recommendations, such as:

  • You shouldn’t click on pop-up messages
  • You shouldn’t open email attachments coming from unknown senders
  • You shouldn’t download files from any untrusted or suspicious sources
  • You should always use strong passwords
  • You should install critical security patches for the software you use
  • You should keep certificates in a safe place
  • You should always backup your data

Advanced Threat Protection using a backup solution

It is impossible to prevent 100% of attacks, even when your users are educated and Microsoft 365 security is in place. You need to know how to minimize or eliminate the negative effects of such incidents and make sure your data is recoverable and accessible. To prevent downtime and data loss you need a reliable third-party Microsoft 365 backup solution. With such a backup, you create an additional, and probably the safest, barrier against malware.

Xopero ONE Backup and Recovery for Microsoft 365 ensures data protection, offering among other things:

  • Full control over retention – store your data as long as you need and take advantage of multiple backup rotation schemes – FIFO, Grandfather-Father-Son – choose yours.
  • Any storage – back up your data to the cloud, including Microsoft cloud, or on-premises.
  • Granular recovery – fast, point-in-time recovery of all or only selected types of data – folders, mailboxes, documents, or even particular emails.
  • Encrypted backup – your data is always encrypted; choose your preferred encryption algorithm and key length to make sure nobody except you can decrypt your information.
  • Automatic backup – define whether the backup should be made once or automatically at a specified frequency. Set it up once and forget about it – it will work as you set it.

and many more…