Tuning 365 Defender’s Anti-Malware Controls

delivr.to
Aug 22, 2023 · 9 min read

Have you squeezed everything you can out of your Microsoft email stack? Is everything dialed in to maximise its effectiveness? Follow this guide to find out.

Optionally pair this guide with delivr.to to see the fruits of your labor in real-time and blast malware out of your inbox 🔫

Want to know what files you can block from the get-go to massively reduce your attack surface? Skip straight there to find out!

The lab

To give it that new car smell, we’ll be using a brand new Microsoft 365 Developer sandbox for this guide. Chances are this isn’t your first foray into O365, so your environment might look a little different. The important thing is to step through these controls and compare them to your environment to make sure everything is in working order.

We’ll be using delivr.to to validate the effectiveness of our changes. delivr.to is a platform for validating email security controls, and has a broad collection of over 500 payload samples to put your mail controls through their paces. Ideal for seeing, in realtime, the impact of any changes.

Don’t forget to add an anti-spam bypass for no-reply@delivrto.me if you’re following along at home! See how here.

The process

If you do nothing else, do these 3 things:

  1. Enable preset security policies — By far the most important thing to do. The preset security policies are turned off by default, which is an easy win you’re missing out on.
  2. Enable the malware file filter — In a brand new tenant, the Common Attachment Type Filter is disabled by default. It gets enabled automatically by the preset security policies above, or you can use PowerShell to enable it.
  3. Create a Safe Attachments & Safe Links policy — Ensure settings such as URL rewriting are enabled.

Steps 1 & 2 both enable the file filter, which flat out prevents delivery of any attachment whose extension (or detected true file type, since the filter true-types attachments and falls back to the extension) is on the deny list. We can take this list even further.

4. Bonus: Extend file types blocked by default — Combine lists produced by Microsoft, Mimecast, and delivr.to, for a belt-and-braces approach to blocking by file extension.

Enable preset security policies

Whilst PowerShell can be used to turn on/off the preset security policies, these policies won’t exist if you’ve never configured them, so let’s use the portal to configure them.

  1. Navigate to the Preset security policies view
  2. Under Standard protection, either toggle it on, or click Manage protection settings if it's greyed out
  3. Apply Exchange Online Protection to All recipients
  4. Apply Defender for Office 365 protection to All recipients
  5. You can optionally configure impersonation protection
  6. Click Confirm and ensure the policy is now enabled

Enable common attachment filter using PowerShell

You can check the status of this policy by running Get-MalwareFilterPolicy and looking at the EnableFileFilter flag.

Follow this guide from Microsoft to connect for the first time using PowerShell.

When enabled, the default file types below will be automatically treated as malware.

ace, apk, app, appx, ani, arj, bat, cab, cmd, com, deb, dex, dll, 
docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library,
lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev,
scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z

In our experience, the vast majority of organisations never send these file types, and the reduction in attack surface is almost always preferable.

Turning this on will:

  • Block the default list of file types above
  • Reject messages and return a Non-Delivery Report (NDR)
  • Use the default Quarantine Policy for malware detections

Check you want to apply it to the Default policy, then run this to turn it on:

Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true

If this is your first time running this command, you may be hit with the error InvalidOperationInDehydratedContextException. All you need to do is run Enable-OrganizationCustomization first, and try again.
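Putting the check, the enable step and the dehydrated-tenant retry together gives a script you can run against any tenant. This is an added example, not code from the original post: it assumes the ExchangeOnlineManagement module is installed, and admin@contoso.onmicrosoft.com is a placeholder for your own UPN.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and admin@contoso.onmicrosoft.com is replaced with your UPN.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com' -ShowBanner:$false

function Enable-CommonAttachmentFilter {
    param([string]$PolicyName = 'Default')

    $policy = Get-MalwareFilterPolicy -Identity $PolicyName
    if ($policy.EnableFileFilter) {
        Write-Host ("File filter already enabled on '{0}' ({1} file types, action {2})" -f
            $PolicyName, $policy.FileTypes.Count, $policy.FileTypeAction)
        return
    }
    try {
        Set-MalwareFilterPolicy -Identity $PolicyName -EnableFileFilter $true -ErrorAction Stop
    } catch {
        # A tenant that has never been customised is "dehydrated" and rejects the change
        # until Enable-OrganizationCustomization has run once; retry after that.
        $isDehydrated = ($_.Exception.GetType().Name -like '*Dehydrated*') -or
                        ($_.Exception.Message -match 'Dehydrated')
        if ($isDehydrated) {
            Enable-OrganizationCustomization
            Set-MalwareFilterPolicy -Identity $PolicyName -EnableFileFilter $true -ErrorAction Stop
        } else {
            throw
        }
    }
    Write-Host "File filter enabled on '$PolicyName'"
}

Enable-CommonAttachmentFilter -PolicyName 'Default'

# List every anti-malware policy so you can spot any that still have the filter off.
Get-MalwareFilterPolicy |
    Select-Object Name, IsDefault, EnableFileFilter, FileTypeAction, ZapEnabled,
                  @{n = 'FileTypes'; e = { $_.FileTypes.Count } }
```

The final listing matters in tenants that already have custom anti-malware policies: each of those has its own EnableFileFilter flag, and enabling the filter on Default does nothing for recipients covered by a custom policy.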

Create Safe Attachments & Safe Links policy

For Safe Attachments:

  1. From the Safe attachments portal, click Create and give it the name Custom Safe Attachments Policy
  2. We want this to apply to all users, so enter your domain into the Domains box
  3. Set the action to Block — Block current and future messages and attachments with detected malware
  4. Hit Next then Submit and Done

For Safe Links:

  1. From the Safe links portal, click Create and give it the name Custom Safe Links Policy
  2. We want this to apply to all users, so enter your domain into the Domains box once again
  3. Enable URL rewriting and the other Safe Links protections (the original post shows the full set of toggles in a screenshot), then hit Next, Submit, and Done
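Both policies can also be created from PowerShell, which has the advantage of recording the exact settings in a script rather than a screenshot. This is an added example, not from the original post: the policy names match the ones used above, contoso.com is a placeholder for your accepted domain, and the Safe Links switch values are the ones we would choose (rewriting and scanning on, click-through off), not a transcription of the original screenshot.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has
# already run and that contoso.com is replaced with your accepted domain.
$Domain = 'contoso.com'

# Safe Attachments: detonate attachments and block the whole message on a detection.
New-SafeAttachmentPolicy -Name 'Custom Safe Attachments Policy' `
    -Enable $true `
    -Action Block `
    -Redirect $false
New-SafeAttachmentRule -Name 'Custom Safe Attachments Rule' `
    -SafeAttachmentPolicy 'Custom Safe Attachments Policy' `
    -RecipientDomainIs $Domain

# Safe Links: rewrite and scan URLs in mail, Teams and Office clients, keep the
# message until the scan completes, and do not let users click through a warning.
New-SafeLinksPolicy -Name 'Custom Safe Links Policy' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -DisableUrlRewrite $false
New-SafeLinksRule -Name 'Custom Safe Links Rule' `
    -SafeLinksPolicy 'Custom Safe Links Policy' `
    -RecipientDomainIs $Domain

# Verify the settings that matter most actually landed.
Get-SafeAttachmentPolicy -Identity 'Custom Safe Attachments Policy' |
    Select-Object Name, Enable, Action
Get-SafeLinksPolicy -Identity 'Custom Safe Links Policy' |
    Select-Object Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan,
                  DisableUrlRewrite, AllowClickThrough, TrackClicks
```

DisableUrlRewrite is the switch behind "URL rewriting" in the portal, so the value you want is $false; AllowClickThrough $false is what stops a user from dismissing the Safe Links warning page and continuing to a detected URL.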

Bonus: Extend the default list of blocked files

By default, Microsoft blocks these files:

ace, apk, app, appx, ani, arj, bat, cab, cmd, com, deb, dex, dll, 
docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library,
lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev,
scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z

Mimecast maintains an even more exhaustive list here:

 _exe, a6p, ac, acr, action, air, apk, app, applescript, awk, bas, bat, 
bin, cgi, chm, cmd, com, cpl, crt, csh, dek, dld, dll, dmg, drv, ds, ebm,
elf, emf, esh, exe, ezs, fky, frs, fxp, gadget, gpe, gpu, hlp, hms, hta,
icd, iim, inf, ins, inx, ipa, ipf, isp, isu, jar, js, jse, jsp, jsx, kix,
ksh, lib, lnk, mcr, mel, mem, mpkg, mpx, mrc, ms, msc, msi, msp, mst, mxe,
obs, ocx, pas, pcd, pex, pif, pkg, pl, plsc, pm, prc, prg, pvd, pwc, py,
pyc, pyo, qpx, rbx, reg, rgs, rox, rpj, scar, scpt, scr, script, sct,
seed, sh, shb, shs, spr, sys, thm, tlb, tms, u3p, udf, url, vb, vbe,
vbs, vbscript, vdo, vxd, wcm, widget, wmf, workflow, wpk, ws, wsc, wsf,
wsh, xap, xqt, zlq

We can combine these into a Flexible Intermediary Lightweight Transforming Exploitation Rule™, aka filter, and add it to a custom anti-malware policy.

_exe a6p ac ace acr action air ani apk app applescript appx arj awk bas 
bat bin cab cgi chm cmd com cpl crt csh deb dek dex dld dll dmg docm drv
ds ebm elf emf esh exe ezs fky frs fxp gadget gpe gpu hlp hms hta icd iim
img inf ins inx ipa ipf iso isp isu jar jnlp js jse jsp jsx kext kix ksh
lha lib library lnk lzh macho mcr mel mem mpkg mpx mrc ms msc msi msix msp
mst mxe obs ocx pas pcd pex pif pkg pl plsc pm ppa ppam prc prg pvd pwc py
pyc pyo qpx rbx reg rev rgs rox rpj scar scf scpt scr script sct seed sh
shb shs spr sys thm tlb tms u3p udf uif url vb vbe vbs vbscript vdo vxd
wcm widget wmf workflow wpk ws wsc wsf wsh xap xll xqt xz z zlq

You can’t copy and paste the list of file extensions through the portal, so first add the policy with PowerShell:

New-MalwareFilterPolicy -Name "delivr.to Custom Anti-malware Filter" -EnableFileFilter:$true -ZapEnabled:$true -Confirm:$false -FileTypeAction 'Reject' -FileTypes "_exe","a6p","ac","ace","acr","action","air","ani","apk","app","applescript","appx","arj","awk","bas","bat","bin","cab","cgi","chm","cmd","com","cpl","crt","csh","deb","dek","dex","dld","dll","dmg","docm","drv","ds","ebm","elf","emf","esh","exe","ezs","fky","frs","fxp","gadget","gpe","gpu","hlp","hms","hta","icd","iim","img","inf","ins","inx","ipa","ipf","iso","isp","isu","jar","jnlp","js","jse","jsp","jsx","kext","kix","ksh","lha","lib","library","lnk","lzh","macho","mcr","mel","mem","mpkg","mpx","mrc","ms","msc","msi","msix","msp","mst","mxe","obs","ocx","pas","pcd","pex","pif","pkg","pl","plsc","pm","ppa","ppam","prc","prg","pvd","pwc","py","pyc","pyo","qpx","rbx","reg","rev","rgs","rox","rpj","scar","scf","scpt","scr","script","sct","seed","sh","shb","shs","spr","sys","thm","tlb","tms","u3p","udf","uif","url","vb","vbe","vbs","vbscript","vdo","vxd","wcm","widget","wmf","workflow","wpk","ws","wsc","wsf","wsh","xap","xll","xqt","xz","z","zlq"

Then create a rule that uses this policy:

New-MalwareFilterRule -Name "delivr.to Custom Anti-malware Rule" -MalwareFilterPolicy "delivr.to Custom Anti-malware Filter" -RecipientDomainIs <YOUR DOMAIN>

What if we didn’t stop there?

Warning: Implement the file types below with caution. Most organisations don’t need to send them legitimately, but you never know what Mark in sales gets up to…

Our clients have had success extending the list of file types even further, and tailoring it to their organisation. We'd recommend keeping these additions in a separate policy so that they're easier to roll back, with one caveat: only one anti-malware policy applies to a given recipient (the highest-priority rule that matches wins, and the Default policy applies only when no custom rule matches), and -FileTypes on New-MalwareFilterPolicy sets the whole list rather than appending to it. A separate policy that covers the same recipients therefore has to include everything from the combined list above as well, or it replaces the custom policy instead of extending it. The alternative is to add the extra extensions to the existing custom policy with Set-MalwareFilterPolicy -FileTypes @{Add=...}, which leaves the current entries in place.

.wbk - A WBK file is a backup file created by Microsoft Word
.rtf - Rich Text Format file that can contain embedded VBS etc
.odt - Documents based on OpenDocument Text File format
.ods - OpenDocument Spreadsheet Document format
.odp - Presentation file used by OpenOffice.org
.dotm - A DOTM file is a document template created by Microsoft Word
.wll - A WLL file is an add-in used by Microsoft Word
.vcf - For storing contact information
.tar.xz - Compressed archive (the filter matches on the final extension, so this is seen as xz, which is already in Microsoft's default list)
.tar.gz - Compressed archive (seen as gz)
.tar.bz2 - Compressed archive (seen as bz2)
.tar - Uncompressed tape archive
.svg - Recently exploited web-friendly vector file format
.slk - Microsoft format used to exchange data between spreadsheets
.scr - Screen saver file (already in Microsoft's default list)
.rdp - Used for Remote Desktop Protocol (RDP) files
.rar - Compressed archive
.ps1 - A plain text file that contains one or more PowerShell commands
.ps1xml - An XML file that defines extended type data for PowerShell
.ps2 - PostScript file format from Adobe
.mht - A MIME-encoded web archive (MHTML) file
.iqy - Internet Query files, read by Excel to download data from the Internet
.csproj - A C# project file
.7z - Compressed archive
.xltx - Microsoft Excel Template file
.xlsb - Excel binary workbook file
.ppsx - PowerPoint slide show
.ppsm - Macro-enabled slide show created by Microsoft PowerPoint
.pps - PowerPoint 97-2003 slide show file
.potx - PowerPoint template presentation
.potm - PowerPoint template files with support for Macros
.ppam - PowerPoint add-on, which extends and adds certain capabilities (already in Microsoft's default list)
.ppa - Add-in file used by Microsoft PowerPoint (already in Microsoft's default list)
.pot - Microsoft PowerPoint template files for PowerPoint 97-2003
.xlam - Macro-Enabled Add-In file used to add new functions to spreadsheets
.xla - Microsoft Excel Add-Ins file format that adds tools
.mdb - Microsoft Access database file
.accdb - Microsoft Access 2007 database file
.eml - An email message saved to a file in the Internet Message Format
.dotx - Template file created by Microsoft Word
.dot - Template created by Microsoft Word 97-2003 (.dotm, the macro-enabled template, is listed above)

First, create a new policy:

New-MalwareFilterPolicy -Name "delivr.to Advanced Anti-malware Filter" -EnableFileFilter:$true -ZapEnabled:$true -Confirm:$false -FileTypeAction 'Reject' -FileTypes "wbk","rtf","odt","ods","odp","dotm","wll","vcf","xz","gz","bz2","tar","svg","slk","scr","rdp","rar","ps1","ps1xml","ps2","mht","iqy","csproj","7z","xltx","xlsb","ppsx","ppsm","pps","potx","potm","ppam","ppa","pot","xlam","xla","mdb","accdb","eml","dotx","dot"

Then add a rule:

New-MalwareFilterRule -Name "delivr.to Advanced Anti-malware Rule" -MalwareFilterPolicy "delivr.to Advanced Anti-malware Filter" -RecipientDomainIs <YOUR DOMAIN>
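Because only the highest-priority matching anti-malware policy applies to a recipient, stacking the custom and advanced policies above for the same domain means one of them is never evaluated. The script below, an added example that is not part of the original post, serves both the "Bonus" and "What if we didn't stop there?" sections: it merges Microsoft's defaults, the Mimecast list and the advanced additions into one de-duplicated list, creates the policy and rule if they don't exist, otherwise appends only the missing entries with @{Add=}, and then prints the rule order so you can see which policy wins. It assumes Connect-ExchangeOnline has already run, that the Default policy's FileTypes still holds Microsoft's list, and that the policy, rule and domain names are placeholders for your own.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has run;
# policy/rule names and contoso.com are placeholders for your own.
$PolicyName = 'delivr.to Custom Anti-malware Filter'
$RuleName   = 'delivr.to Custom Anti-malware Rule'
$Domain     = 'contoso.com'

# Take Microsoft's defaults from the tenant rather than a hard-coded copy of the list.
$microsoftDefaults = (Get-MalwareFilterPolicy -Identity Default).FileTypes

# Mimecast's list and the "advanced" additions, as strings so they paste cleanly.
# Multi-part extensions are reduced to what the filter actually matches on (gz, bz2, xz).
$mimecast = '_exe a6p ac acr action air apk app applescript awk bas bat bin cgi chm cmd com cpl crt csh dek dld dll dmg drv ds ebm elf emf esh exe ezs fky frs fxp gadget gpe gpu hlp hms hta icd iim inf ins inx ipa ipf isp isu jar js jse jsp jsx kix ksh lib lnk mcr mel mem mpkg mpx mrc ms msc msi msp mst mxe obs ocx pas pcd pex pif pkg pl plsc pm prc prg pvd pwc py pyc pyo qpx rbx reg rgs rox rpj scar scpt scr script sct seed sh shb shs spr sys thm tlb tms u3p udf url vb vbe vbs vbscript vdo vxd wcm widget wmf workflow wpk ws wsc wsf wsh xap xqt zlq'
$advanced = 'wbk rtf odt ods odp dotm wll vcf xz gz bz2 tar svg slk rdp rar ps1 ps1xml ps2 mht iqy csproj 7z xltx xlsb ppsx ppsm pps potx potm pot xlam xla mdb accdb eml dotx dot'

# Normalise: trim, strip any leading dot, lower-case, de-duplicate, sort.
$wanted = @($microsoftDefaults) + ($mimecast -split '\s+') + ($advanced -split '\s+') |
    ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
    Where-Object { $_ } |
    Sort-Object -Unique

$existing = Get-MalwareFilterPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-MalwareFilterPolicy -Name $PolicyName -EnableFileFilter:$true -ZapEnabled:$true `
        -FileTypeAction Reject -FileTypes $wanted -Confirm:$false | Out-Null
    New-MalwareFilterRule -Name $RuleName -MalwareFilterPolicy $PolicyName `
        -RecipientDomainIs $Domain | Out-Null
    Write-Host "Created '$PolicyName' with $($wanted.Count) file types"
} else {
    # Append only what is missing; @{Add=} leaves the current entries in place
    # instead of replacing the whole list as a bare -FileTypes would.
    $missing = @($wanted | Where-Object { $existing.FileTypes -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-MalwareFilterPolicy -Identity $PolicyName -FileTypes @{Add = $missing}
        Write-Host "Added $($missing.Count) file types to '$PolicyName': $($missing -join ', ')"
    } else {
        Write-Host "'$PolicyName' already blocks everything in the list"
    }
}

# Rule order decides which policy a recipient gets: lowest Priority number wins,
# and the Default policy only applies when no rule matches.
Get-MalwareFilterRule | Sort-Object Priority |
    Select-Object Priority, Name, State, MalwareFilterPolicy,
                  @{n = 'Domains'; e = { $_.RecipientDomainIs -join ',' } }

# Confirm nothing from the wanted list is absent from the final policy.
$final = (Get-MalwareFilterPolicy -Identity $PolicyName).FileTypes
$gaps  = @($wanted | Where-Object { $final -notcontains $_ })
Write-Host "$($final.Count) file types blocked; $($gaps.Count) missing"
```

If you do keep a separate "advanced" policy for ease of rollback, give it the full merged list and a higher priority (lower number) than the custom rule, then run the rule listing above to confirm the order; a lower-priority rule for the same domain is simply never reached.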

Conclusion

This guide has shown you how to check that your Microsoft 365 Defender configuration is dialled in properly.

For most organisations, the protection that a correctly-configured 365 Defender setup gives is perfectly adequate and you can sleep easy knowing you’re protected against most email-borne threats.

For those that wish to take it further, check out the free email security tool Sublime Security to see how you can start applying advanced rules to file types you can’t just outright block. Happy hunting! 🎯

BONUS: How to use Microsoft's ORCA tool

Microsoft provides a fantastic tool called Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) that generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can use this tool to assess how far away your other email security configurations are from Microsoft’s recommended best practices.

Your UPN is typically your email address, which you can find under your name in this portal. In PowerShell, run the following commands:

Install-Module -Name orca
Install-Module ExchangeOnlineManagement -Force -Scope AllUsers
Connect-ExchangeOnline -UserPrincipalName <UPN> -ShowProgress $true

All that’s needed now is to run the tool, which you can do with this command:

Get-ORCAReport

It’ll take a minute or two, and you should end up with a nice HTML report covering the key areas of O365 security.

Posts from the delivr.to team on all things email control validation and purple teaming