This article is contributed. See the original author and article here.
Microsoft Support is excited to continue the blog series that will demystify how Microsoft 365 email protection works. In this fifth and final part of the series, we will cover the different overrides, why you may need them, and why it isn’t a good idea to keep them permanently.
Email security is a critical aspect of modern business operations, and Microsoft 365 provides a robust set of tools to keep your communications safe. But what should you do when legitimate emails are blocked? This is where submissions and overrides come into play. As we have covered in part 2 of this series, Submissions help you learn more about why email was junked or quarantined and allow you to notify Microsoft if the filters got it wrong. (It happens.) Overrides are special settings that allow certain emails to bypass the usual security filters, ensuring important communications reach their destination.
A closer look at email overrides
Overrides are not one-size-fits-all; they come in different forms to suit various needs. Use Explorer email summary flyout and email entity pages to learn more about why a message was delivered to a certain location, and if overrides played a role in delivery. Note, since messages can have multiple allow or block overrides as identified in the column Override source, the override that ultimately allowed or blocked the message is identified in Primary override source in Explorer.
Tenant Allow Block List (TABL): Ideal for creating temporary and safe exceptions. Based on your submission, Microsoft will analyze the exact part of the email deemed malicious (sender, domain, URL, file hash, spoof, or impersonation). TABL is the preferred choice for maintaining security: “Allows” eventually expire, and until they do, the system learns from your submissions to allow emails with similar elements. That makes them both easy for you to manage and useful for service filter adjustments. A win-win!
Exchange Mail Flow Rules (Exchange Transport Rules or ETRs): ETRs provide the most flexibility but come with increased risk. They should be used sparingly and thoughtfully. Safer ETR overrides use conditions for email authentication checks passing before allowing anything (see an example). The Analysis tab of the email entity page in Explorer will help you verify which ETR acted on a message, and the anti-spam message headers will include SFV:SKN if an ETR override is detected.
Figure 1: “Allowed by organization policy: Exchange transport rule” override source on the Email Entity page in Microsoft Defender XDR
Outlook Safe Senders (User Overrides): Users can mark their own trusted senders in Outlook, affecting only their individual mailbox. The screenshot below demonstrates the detailed information from the email entity page in Microsoft Defender XDR, and the anti-spam message headers will include SFV:SFE if a user override is detected.
Figure 2: “Allowed by user policy: Sender address list” override source on the Email Entity page in Microsoft Defender XDR
Certain user allows “win” over tenant configurations and provide the end-users the ability to manage their own exceptions, so make sure to review the “User and tenant settings conflict” section to learn what to expect at Order and precedence of email protection.
Tip: List all overrides for a user or all users in your organization using the PowerShell cmdlet. For full syntax and examples, see Get-MailboxJunkEmailConfiguration.
IP Allow List (Connection Filtering): This allows emails from specified IP addresses to bypass filters as part of connection filtering. One risk here is if an IP you believe is trusted becomes compromised, the entire email filtering stack except Secure by default is bypassed. Another risk is adding IP overrides for shared IP addresses or ranges. If bad actors use the same sender infrastructure for malicious purposes, you will allow bad messages along with good ones. In short: exercise caution, review regularly, keep IP allows to a minimum. The anti-spam message headers will include IPV:CAL if an IP override is detected, and the Explorer email entity page will look like this:
Figure 3: “Allowed by organization policy: Connection policy” override source on the Email Entity page in Microsoft Defender XDR
Anti-Phishing Policy Overrides: Aimed at combating domain, user and mailbox impersonation phishing threats, these overrides will target false positives with UIMP, DIMP, GIMP verdicts only. They are relatively safer because the rest of the protection scans still take place, but it’s still a good idea to check from time to time that any trusted senders and domains are still necessary, as they never expire.
Tip: You can also use Tenant Allow/Block List for impersonation overrides; just note that the allow entry isn’t created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the anti-phishing policy that detected the message, and it does not expire.
Example: The company CEO, John Smith (johnsmith@contoso.com), is a prime target for impersonation attacks, so your SecOps team adds his address to trusted users to protect in the anti-phishing policy. However, the CEO sometimes sends email to his team from his personal account (johnsmith@outlook.com). After the service flags this correctly as user impersonation, you add the CEO’s personal address to trusted senders, for his emails to get through to recipient inboxes. (Of course, after you educate the CEO about the risks tied to this practice, you remove this entry.)
Figure 4: Add trusted senders part of the anti-phishing policy in Microsoft Defender XDR
Anti-Spam Policy Overrides: Used to override spam, bulk, spoofing and low-confidence phishing verdicts (SPM, HSPM, PHISH, SPOOF and BULK). Anti-spam policy sender and/or domain allows also override the anti-phishing stack, and they do not expire. Overly broad (domain) allows are particularly risky and known to be a leading cause for letting bad email into your inboxes. Best practice: review your policies periodically and trim/clear these lists. The Analysis tab of the email entity page in Explorer will help you verify whether a policy acted on a message, and the anti-spam message headers will include SFV:SKA if a policy override is detected.
Tip: You can also export an extended report (message trace) for the email in question. The AGENTINFO event in the resulting csv file contains the CustomData field with additional details, such as the GUID of the policy that acted on the message. For example:
S:PCFA=SUM|tact=5|di=SQ|tactcat=SPM|hctfp=191b78dc-9221-4a2c-b51c-208a186e931a;
Here, SQ means the message was routed to Spam Quarantine, and hctfp stands for Hosted Content Filter Policy. Find the policy name by running the cmdlet Get-HostedContentFilterPolicy in Exchange Online PowerShell.
While most of this article is about allow overrides, you can use Anti-Spam policies to block email, as well. For example, filter messages containing geographies and languages you would not expect to be working with. Learn how to configure spam filter policies.
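The following is an added example, not code from the original article or from Microsoft: it checks a message's anti-spam header for the override markers listed above (SFV:SKN, SFV:SFE, IPV:CAL, SFV:SKA) and splits the AGENTINFO CustomData string from the tip. The header name X-Forefront-Antispam-Report and the `;` and `|` field layout are assumptions not stated on this page, and the sample messages are constructed.

```python
import email

# Override markers named in the article: (header field, value) -> override source.
OVERRIDE_MARKERS = {
    ("SFV", "SKN"): "Exchange mail flow rule (ETR)",
    ("SFV", "SFE"): "Outlook Safe Senders (user override)",
    ("IPV", "CAL"): "IP Allow List (connection filtering)",
    ("SFV", "SKA"): "Anti-spam policy allowed sender/domain",
}
REPORT_HEADER = "X-Forefront-Antispam-Report"  # assumption: name not given on the page
DELIVERY_CODES = {"SQ": "Spam Quarantine"}     # only the code the article explains


def parse_report(value):
    """Split 'KEY:value;KEY:value' (possibly folded across lines) into a dict."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields


def overrides_in_message(raw_message):
    """Return every override source whose marker appears in the message headers."""
    msg = email.message_from_string(raw_message)
    found = []
    for value in msg.get_all(REPORT_HEADER, []):
        fields = parse_report(value)
        for (key, marker), source in OVERRIDE_MARKERS.items():
            if fields.get(key) == marker and source not in found:
                found.append(source)
    return found


def policy_from_customdata(custom_data):
    """Extract delivery location and policy GUID from an AGENTINFO CustomData value."""
    for entry in custom_data.split(";"):
        entry = entry.strip()
        if not entry.startswith("S:PCFA="):
            continue
        pairs = dict(p.split("=", 1) for p in entry[2:].split("|") if "=" in p)
        code = pairs.get("di")
        return {
            "delivery": DELIVERY_CODES.get(code, code),
            "verdict_category": pairs.get("tactcat"),
            "policy_guid": pairs.get("hctfp"),  # Hosted Content Filter Policy GUID
        }
    return None


# Constructed sample: allowed by both an IP allow entry and a mail flow rule.
SAMPLE_OVERRIDDEN = "\n".join([
    "From: billing@vendor.example",
    "To: user@contoso.com",
    "Subject: Invoice",
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;",
    " IPV:CAL;SFV:SKN;H:mail.vendor.example;CAT:NONE",
    "",
    "Constructed body.",
])
# Constructed sample: filtered normally, no override markers present.
SAMPLE_CLEAN = "\n".join([
    "From: news@vendor.example",
    "To: user@contoso.com",
    "X-Forefront-Antispam-Report: CIP:203.0.113.11;SCL:1;IPV:NLI;SFV:NSPM",
    "",
    "Constructed body.",
])
# The CustomData string quoted in the article.
SAMPLE_CUSTOMDATA = ("S:PCFA=SUM|tact=5|di=SQ|tactcat=SPM|"
                     "hctfp=191b78dc-9221-4a2c-b51c-208a186e931a;")

if __name__ == "__main__":
    print(overrides_in_message(SAMPLE_OVERRIDDEN))
    print(overrides_in_message(SAMPLE_CLEAN))
    print(policy_from_customdata(SAMPLE_CUSTOMDATA))
```

A message can carry more than one marker, so the function returns all of them; Primary override source in Explorer remains the authority on which one decided delivery.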
Secure by Default
Microsoft 365 Secure by Default stance ensures that the system starts with the highest security settings. Notably, verdicts for malware (MALW) and high-confidence phishing (HPHISH) cannot be overridden by ETRs if the MX record points to Office 365. This policy is in place to protect users from the most severe threats automatically.
Why would I ever override Secure by Default?
There are specific instances where an override may be necessary. It is highly recommended to configure the Advanced delivery policy to handle these use cases securely.
Phishing Simulations: To test their defenses, organizations might run controlled phishing simulations. To ensure these tests reach inboxes when they’re sent over email, overrides are essential.
SecOps Mailboxes: Security teams sometimes need to examine malicious emails for analysis and learning. Access to such emails requires an override to allow them through.
What if the MX record for my domain does not point to Exchange Online Protection?
Secure by default applies only when the MX record for your domain points to Microsoft 365 (contoso-com.mail.protection.outlook.com). If the MX record points to another service or device, it’s possible to override high-confidence phishing verdicts using an Exchange mail flow rule to bypass spam filtering (malware verdicts cannot be overridden). But although it’s technically possible, consider the benefits of defense-in-depth of your filtering solution paired with Microsoft Defender for Office 365. Use Enhanced Filtering for Connectors to skip the last known IP address(es) of your service, and to infer the email authentication information from the original sender IP. In addition, if your filtering solution supports ARC, configure Microsoft Defender XDR settings to trust its ARC sealer. These configurations will allow you to keep the extra layer of Microsoft protection even when using third-party protections.
While overrides are useful tools, they must be implemented wisely. Incorrect usage can inadvertently open your company to threats. It’s essential to take the following precautions:
Only allow emails from verified and trustworthy sources. And even when you trust the source, consider that it may become compromised, and you would inadvertently allow unwanted phishing or spam.
Use Advanced Hunting in Microsoft Defender XDR to help you discover top overrides sources and remove the unnecessary ones.
Regularly review your overrides to ensure they remain relevant and secure.
Never put domains that you own onto the Allow and blocklists. If you own Contoso, do not add contoso.com to your allow lists.
Never put common domains, such as microsoft.com and office.com, onto the Allow and blocklists.
We hope that by understanding and applying email overrides correctly, you can ensure your organization’s email is both secure and functional, allowing the right messages to get through while keeping the bad ones out.
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.
Click here to view additional posts in this series.
May 2024 Edition
We’re so excited to publish the updated Teams DLP Playbook!
This document provides an overview of how enterprise customers can deploy Microsoft Teams-DLP for protecting sensitive information. Microsoft Purview Data Loss Prevention has integrations with multiple workloads that help to protect customer data with a single policy. Teams DLP is one of the workloads within Microsoft Purview Data Loss Prevention. This guide walks through the different aspects of deploying use cases across content/containers.
In summary, this playbook will help to:
Understand the new Microsoft Purview Portal console and interface
Develop a strategy for deploying Teams DLP across the organization
Provide near real-time Alerts with notifications
Review various scenarios to test Teams DLP over chat and channel communication
This document helps readers plan and protect sensitive information scenarios that normally exist in every organization. This playbook helps as a user guide to mitigate the risk of exchanging crucial data while communicating over chat or giving access to sites for guest users.
If you have any questions on this playbook or suggestions, please reach out to our Yammer group at aka.ms/askmipteam!
ZoomIn3D GenAI-Enabled Voice-Controlled 3D User Interface
Cleverdist have developed a system that allows users to monitor and control infrastructure through connecting to camera streams, creating triggers, and using computer vision. The system integrates artificial intelligence for operational use.
Founders Hub Benefits
What level are they? Graduated from the program.
What benefits have they been using? Prototyping fast and at scale using Azure.
Cleverdist is a startup that has already graduated from the Founders Hub program but was able to take advantage of the benefits. They utilized essential resources like GPUs and AI tools to power their product.
ZoomIn3D Product Demo
Cleverdist has robust capabilities, including the use of multiple microphones and the integration of multimodality to interact with AI models. These features allow users to execute tasks such as repositioning cameras through natural language commands, with an intuitive and user-friendly interface. The ability to craft triggers from control system inputs, schedules, and computer vision has enabled actions such as alarm activation and report generation, streamlining operations and enhancing productivity.
Interested in taking your startup to the next level? The Microsoft for Startups Founders Hub unlocks a world of possibilities for budding entrepreneurs, offering complimentary access to advanced AI technologies via Azure. Participants can benefit from up to $150,000 in Azure credits, personalized mentorship from seasoned Microsoft professionals, and a wealth of additional resources.
This initiative is designed to be inclusive, welcoming individuals with a vision to innovate, without the prerequisite of prior funding.
Last Wednesday, May 5, I kicked off a new workshop. This time, the focus was on teaching how to build a Line of Business application with OpenAI, Azure Communication Services and Microsoft Graph Toolkit. During the live session we explored many interesting and cool things that these technologies can actually do for us!
Let's recap this first part of the workshop right now!
What was covered during the live session?
During the live session, we discussed fundamental aspects of integrating Artificial Intelligence, Communication and Organizational Data into Business Applications.
The session opened with some context on the importance of technology in preventing natural disasters, in light of the recent flood catastrophe in Rio Grande do Sul, and on how integrating Artificial Intelligence and technology can help prevent future disasters.
Building the LOB Application with Azure Communication Services, Microsoft Graph / Microsoft Graph Toolkit and OpenAI
This first part of the workshop, which will itself be followed by further parts, covered what the application to be learned and built is about.
What is the application about? It is a basic customer management tool that lets users manage customers and their associated data.
It consists of a:
Front-End: built with Angular + TypeScript
Back-End: which interacts with back-end APIs to fetch data, access Artificial Intelligence features, and send email and SMS using Azure Communication Services (we will talk more about this service later in the article), pulling information from a database (PostgreSQL) and also from Microsoft Graph for organizational purposes.
Here is the application architecture:
Main Components of the Workshop
The project uses the following technologies:
OpenAI: Used to interpret natural language and carry out complex tasks such as converting natural language to SQL.
Azure Communication Services: A demonstration of how to embed calling and messaging features inside the application.
Microsoft Graph: Used to access organizational data, reducing the need to switch between applications.
Microsoft Graph Toolkit: Used to access Microsoft Graph data and integrate it with the application.
The video recorded by Dan Wahlin shows how this application works and how it can be useful for companies that need to manage customers and their associated information.
What is Azure Communication Services?
Azure Communication Services offers multichannel APIs for embedding voice, video, chat, SMS, email and more into applications.
These services include REST APIs and client library SDKs, making it easy to add communication features without needing expertise in the underlying technologies.
Azure Communication Services supports several formats:
Even WhatsApp can be integrated with Azure Communication Services.
In addition, ACS is compatible with several platforms and languages, including web browsers (JavaScript), iOS (Swift), Android (Java) and Windows (.NET), with a UI library to speed up application development for Web, iOS and Android. It is identity agnostic, giving you control over how customers are identified and authenticated.
If you want to learn about the different usage scenarios you can implement with Azure Communication Services, see here.
And if you want to learn more about Azure Communication Services, Dan Wahlin has again recorded a video explaining how Azure Communication Services works and how it can be useful for companies that need communication features in their applications.
What is Microsoft Graph?
Microsoft Graph acts as a gateway to the data and insights in Microsoft 365. It offers a unified programming model that lets you access the vast amount of data available in Microsoft 365, Windows and Enterprise Mobility + Security. With Microsoft Graph, you can build applications for both organizations and consumers, benefiting from data that reaches millions of users.
There are many Microsoft Graph services you can access, such as:
Core M365 services: Bookings, Calendar, Delve, Excel, Microsoft 365 compliance eDiscovery, Microsoft Search, OneDrive, OneNote, Outlook/Exchange, People (Outlook contacts), Planner, SharePoint, Teams, To Do, Viva Insights.
Enterprise Mobility + Security services: Advanced Threat Analytics, Advanced Threat Protection, Microsoft Entra ID, Identity Manager and Intune.
Windows services: activities, devices, notifications, Universal Print.
Dynamics 365 Business Central services
If you want to learn more about Microsoft Graph, see here.
However, it is important to note that Azure OpenAI Services is not available to all users. It is a service in preview, and to use it you need to request access. If you want to use the service, you will need to request access and wait for approval.
Note: The link to request access to Azure OpenAI Services is here.
But if you do not have access to Azure OpenAI Services, you can use the OpenAI API. The OpenAI API is available to all users and you can start using it immediately. It incurs usage costs, but you can start using the service without needing approval.
Starting the Project Setup
Remember that, to follow the workshop step by step, you can access the official workshop documentation here.
At this first stage, we set up the project using Codespaces, because with Codespaces we do not need to install anything on our local machine. Everything is done in the cloud, and all you need is a GitHub account.
Note: Codespaces is a service that lets you develop and test applications in a cloud-based development environment. You can use up to 60 hours per month for free.
We also ran the npm install command to install the project dependencies, in both the client folder and the server folder. And because we are using Codespaces, we can use Docker to create a container with PostgreSQL, simply by running the docker-compose up -d command to create the container.
If you did not follow the live session, the project is available on GitHub. You can access the repository here. Fork the repository and follow the workshop step by step.
And finally, we created a Microsoft 365 Developer Program account. This is a free program that offers a Microsoft 365 developer account, with access to a Microsoft 365 E5 development environment, including 25 user licenses for testing.
I recommend that you create a Microsoft 365 Developer Program account to get access to a Microsoft 365 E5 development environment and to be able to follow along with the tutorial!
Conclusion and Next Steps
At the end of the workshop, participants were encouraged to apply the knowledge they gained in their own projects, with Gláucia emphasizing the inevitable influence of artificial intelligence on the future of technology and software development.
Next Live Session
Get ready for the next session of the Learn Live series, where we will continue exploring new integrations and expanding our knowledge of LOB applications with OpenAI, Azure Communication Services and Microsoft Graph Toolkit.
The next part of the workshop will be on May 29 at 2 p.m. (Brasília time). So stay tuned so you don't miss any live session! And take the opportunity to subscribe to the Microsoft Reactor YouTube channel.
Remember that this video series will continue through July 2024!
Additional Resources
It is always very important to have access to additional resources to deepen your knowledge. So here are some links that may be useful to you:
Session: Building Collaborative Apps in Teams to bring People together
Speakers: Loki Meyburg
Collaboration and productivity are essential for any organization, especially in the hybrid work environment. Microsoft Teams is the ultimate platform for collaboration, allowing you to work together with apps in chats, channels, and meetings. Loki Meyburg explained in his session how to build collaborative apps in Teams and enhance your work experience.
Collaboration vs. Productivity
First, let’s understand the difference between collaboration and productivity, and how Teams can support both aspects of work. Collaboration is the act of working together with multiple people to achieve a common goal, while productivity is the efficiency and effectiveness of individual or collective work efforts. Microsoft Teams enables you to collaborate around apps by sharing, discovering, notifying, and collaborating on app content in various contexts.
Sharing is the first step of collaboration
One of the key features of Teams is the ability to collaborate around shared links. When you share a link to an app content in a chat or channel, Teams can automatically unfurl the link and attach a rich interactive preview card, using adaptive cards and bots. The preview card can show relevant information and actions related to the app content, such as a product launch diagram, a survey, or a report. You can also open the app content in a popout window with chat on the side or share it to a meeting and use it together in real-time.
To build these experiences, you can use message extensions, link unfurling, app content stages, and Live Share. Message extensions allow you to register your domain and turn links into adaptive cards. Link unfurling enables bots to unfurl the links and attach the adaptive cards to the messages. App content stages are special views that present the web app in a popout window or a meeting stage. Live Share is a service that allows you to easily enable multiplayer experiences in meetings, with features such as inking, cursors, video, and audio synchronization.
How to build these experiences
Bots are the foundation on which we will build these experiences. They enable everything else. You can use message extensions and link unfurling to attach rich interactive adaptive card previews when your URLs get shared in chats or channels. These previews can show relevant information and actions related to your app content, such as a product launch diagram, a survey, or a report. You can also customize the look and feel of the adaptive cards using templates and styles.
There are two app content stages, collab stage and meeting stage, to present your web app in Teams. The collab stage is a popout window that opens when you click on the app icon in the chat header or the preview card. It allows you to view and interact with the app content along with the chat on the side. The meeting stage is a full-screen view that opens when you share the app content to a meeting. It allows you to collaborate on the app content in real-time with other meeting participants. You can use Live Share to easily enable multiplayer experiences in meetings, with features such as inking, cursors, video, and audio synchronization.
Going from productivity to collaboration
Another important aspect of building collaborative apps in Teams is taking collaboration to the next level. You can enhance the collaboration experience by proactively notifying users and creating focused conversations, leveraging app skills and natural language processing, and using Teams SSO to authenticate users. You can also use some tools and resources for developers, such as Figma UI Kit, Teams Toolkit for Visual Studio Code, and Developer Portal. You should also be aware of some upcoming improvements, such as app rating and review, adaptive card styling, permissions and consent, and instant app tabs.
In conclusion, Teams can help you collaborate around apps in various scenarios and contexts, and you can build these experiences using the Teams platform.
Additional resources
You can find more information about how to build your own collaborative apps like link unfurling, collab stages or the Teams AI library here: