Microsoft Teams: Protect against Phishing & Malware

This article was originally posted on Matt Soseman’s Blog at http://aka.ms/MattsBlog.
Pretend for a moment that I am a marketing agency you just hired, and invite me as a guest to a team in Microsoft Teams to collaborate. What happens if that guest’s account gets compromised and a bad actor gains access to your team in Microsoft Teams? Your organization is having sensitive conversations there, uploading sensitive files, and if that data were to be publicly disclosed, could do damage to the organization. More importantly, a bad actor can post hyperlinks to “phishing” web sites, and upload malicious files into Microsoft Teams – from there users can open the links or run the files, posing a serious threat to your organization’s security.
How do we help to protect against phishing attacks and malicious files in Microsoft Teams? Office 365 Advanced Threat Protection is here to help. In fact, Office 365 ATP can also help to protect against phishing and malware in not just Microsoft Teams, but Exchange Online, SharePoint, and OneDrive! More information in the Service Description here.
To configure, once the appropriate licenses have been purchased and assigned to each user, open the Office 365 Security & Compliance Center (protection.office.com) -> Threat Management -> Policy and click on ATP Safe Attachments:

Check the box Turn on ATP for SharePoint, OneDrive and Microsoft Teams and click Save:


Now, when a malicious file is uploaded to Microsoft Teams, Office 365 ATP will perform a detonation of the file (following this process). Here we have files in Microsoft Teams, are they malicious?

If the file is indeed malicious, when the user attempts to execute the file in Microsoft Teams, they will receive the following message:

Safe Attachments stops the user in their tracks, and never gives them the opportunity to launch the file. This same behavior also occurs when the file is executed directly from SharePoint. If using Office 365 Alerts (in the Security & Compliance center), and alert can be configured to notify the admin that malware was uploaded to Microsoft Teams:

Here’s what the alert looks like:
(Note, if using Microsoft Cloud App Security an SMS notification can be sent, and MCAS also offers integration into your SIEM.)

What about phishing links in Microsoft Teams? If the ATP Safe Links policy is correctly configured (more information here), then when a phishing hyperlink is posted, the user will receive a blocking message when attempting to click on the hyperlink. Let’s take a loot at this below, here’s a hyperlink in a team conversation in Microsoft Teams:

When the user clicks on the link, ATP Safe Links and the Intelligent Security Graph goes into action to provide protection. ATP recognized the website is malicious, and stops the user in their tracks, not giving them the opportunity to click through to the original website. (Although, that can be changed in the policy).

Conclusion:

Office 365 Advanced Threat Protection provides protection against advanced thread such as phishing and malware for not only your email in Office 365, but also Microsoft Teams! What if everyone had this enabled? The world might just be a safer place! Enjoy!