FireEye Stories Blog

Automated Threat Remediation for Office 365 Is Now a Few Clicks Away (Part One)

Email was one of the first workloads migrated to the cloud. This trend just keeps gathering steam as more organizations move to Office 365 for cloud-based email management. With a cloud service comes the need to not just secure email, but also automatically remediate against advanced threats as soon as they are detected.

Email security solutions act as a first line of defense. Email is the number one threat vector because the Simple Mail Transfer Protocol (SMTP) wasn’t designed with security in mind. Attackers exploit this weak link, which is why email security solutions are critical. The more a solution prevents threats from being delivered to a user’s inbox, the better. A human must decide what to do – open, click, reply and so on – with every email delivered to their inbox. If a threat moves beyond the inbox, this is when the risk of a serious cyber incident or even a breach sets in. Put simply, bad actors count on users unwittingly clicking on malicious URLs.

Now consider this situation. What if, to bypass security defenses, a URL starts out benign and becomes malicious after it’s delivered? In other words, the threat becomes retroactively malicious.

With FireEye Email Security—Cloud Edition, security professionals can go beyond prevention and detection and respond when emails become retroactively malicious. This is accomplished via seamless integration with the Office 365 API.

Auto remediate for Office 365 delivers business value in the following ways:

  • Gives administrators control to extract malicious emails after delivery to a user’s inbox.
  • Reduces the risk of a cyber threat becoming more serious.
  • Reduces alert-to-response time with auto remediation options.
  • Enhances return on investment with faster response times and impact reduction.
  • Facilitates viewing and managing of email quarantine results within a central dashboard.

Part One of this two-part blog series provides an overview of auto remediate for Office 365 and its business value. Then in the second part we will explain how to configure an auto remediate for Office 365 policy.

Auto Remediate for Office 365

FireEye Email Security leverages threat intelligence shared across the entire FireEye ecosystem. All Email Security customers benefit from malicious traffic observed across the FireEye network. Any URL or attachment weaponized post-delivery and detected as malicious by FireEye can trigger a retroactive alert in an environment when the threat is delivered to one or more user mailboxes.

Auto remediate for Office 365 extracts emails from a user’s inbox when such a retroactive alert is generated. FireEye Email Security—Cloud Edition removes emails classified as malicious after delivery using the Office 365 API. Security professionals or email administrators can create an auto remediate policy and select one of three policy actions: quarantine, move to an administrator-defined folder, or permanent deletion.

Figure 1: Auto remediate for Office 365 policy actions

Post Email Delivery Weaponized URL Example

The following example demonstrates how auto remediate for Office 365 works.

As shown in Figure 2, an email is received at 7:55 a.m. by the inbound email server. It’s first scanned for spam and impersonation techniques, and also known malware and malicious URLs. The email contains an unknown URL and is analyzed by FireEye Advanced URL Defense. At this stage, the URL is benign. The email is clean and therefore delivered to the user’s inbox at 7:56 a.m.

Figure 2: Email is initially analyzed as benign and delivered to the user’s inbox

In this example, the bad actors weaponize the URL after some time has passed. This is a common tactic used by attackers. Since this tactic is typical, emails are retroactively analyzed post-delivery to the user’s inbox. At 8:15 a.m., the retroactive analysis returns a guilty verdict, meaning the URL is now malicious post-delivery (Figure 3). This triggers a retroactive alert.

Figure 3: Retroactive email analysis – the URL is now malicious, triggering a retroactive alert and automated extraction

Security professionals and email admins can pre-define an auto remediate for Office 365 policy from within the FireEye Email Security—Cloud Edition user interface. When a policy is in place, emails that become retroactively malicious will be automatically extracted from the user’s inbox and quarantined, moved or permanently deleted. Automated remediation frees resources from having to manually search for and extract emails that become retroactively malicious, reducing the average response time to a matter of seconds. Because the remediation is automated, it’s working around the clock, covering the gap when organizations without a 24x7 security operations center (SOC) are off the clock.
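The timeline above, modelled as an added illustration (not FireEye's or Microsoft's code): delivered mail is tracked by the URLs it carries, a later malicious verdict for one of those URLs triggers the configured policy action on every affected mailbox, and each extraction is written to an audit trail. The Office 365 mailbox is simulated in memory, and the URL, message ids and mailbox names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Message:
    msg_id: str
    mailbox: str
    urls: tuple
    folder: str = "Inbox"

@dataclass
class Policy:
    action: str                      # "quarantine", "move" or "delete"
    target_folder: str = "Reviewed"  # used only by the "move" action

class MailStore:
    """In-memory stand-in for the mailboxes the Office 365 API would expose."""
    def __init__(self):
        self.messages = {}   # msg_id -> Message
        self.audit = []      # one record per remediated message

    def deliver(self, msg):
        self.messages[msg.msg_id] = msg

    def remediate(self, url, verdict_time, policy):
        """Apply the policy to every delivered message still in an inbox that carries `url`."""
        touched = []
        for m in [m for m in self.messages.values() if url in m.urls]:
            if m.folder != "Inbox":      # already quarantined or moved earlier
                continue
            if policy.action == "delete":
                del self.messages[m.msg_id]
            elif policy.action == "quarantine":
                m.folder = "Quarantine"
            elif policy.action == "move":
                m.folder = policy.target_folder
            else:
                raise ValueError(f"unknown policy action {policy.action!r}")
            self.audit.append((verdict_time, url, m.mailbox, m.msg_id, policy.action))
            touched.append(m.msg_id)
        return touched

def run_scenario(policy):
    """Replays the blog's timeline: URL benign at delivery, malicious verdict at 8:15."""
    store = MailStore()
    url = "http://example.invalid/invoice"   # constructed sample URL, benign at 7:56
    store.deliver(Message("m1", "alice@example.invalid", (url,)))
    store.deliver(Message("m2", "bob@example.invalid", (url,)))
    store.deliver(Message("m3", "carol@example.invalid", ("http://example.invalid/ok",)))
    touched = store.remediate(url, datetime(2019, 1, 1, 8, 15), policy)  # retroactive alert
    return store, touched
```

Only the two messages carrying the weaponized URL are touched; a second verdict for the same URL finds nothing left in an inbox and remediates nothing.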

Stay tuned for our second blog post in this series to learn how to configure an auto remediate for Office 365 policy. In the meantime, check out more about FireEye Email Security and our Cloud Email Threat Analysis.