Some time ago, I wrote a post on Defender ATP (now called Microsoft Defender for Endpoint) and the OS hardening measures it offers under attack surface reduction rules that are useful for crafting a client that’s resilient against next gen attacks.

But seeing as most admins have projects with certain outcomes in mind, I wanted to briefly outline the M365 platforms that will aid in a project with total ransomware protection as its outcome.

After setting expectations and success criteria, ideally with an OS build you can test actual ransomware against, let's talk about the platforms we'll be using. This assumes you have the full M365 E5 license or the E5 Security add-on.

Here are the platforms we'll make use of (with the names Microsoft has since given them, where they have changed):

  • Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps)
  • Azure Active Directory P2 (now Microsoft Entra ID P2)
  • Defender for Endpoint / Microsoft 365 E5
  • Office 365 Advanced Threat Protection P2 (now Microsoft Defender for Office 365 Plan 2)

What, exactly, are we being protected from?

Bad actors can affect our systems and users in a whole lot of different ways. Ransomware, specifically, is a type of attack that encrypts files, folders, or whole drives with the intent of extracting a ransom from the user or organization. To combat this, we need to make our files and folders resilient to tampering by untrusted code. Because ransomware is commonly delivered via email (a link or attachment that drops the payload), we also need strong controls that interrogate the content being displayed to our users and the senders themselves. And we need to accomplish this with a series of controls that balances security against the productivity of the user base.

How to accomplish this

Let's first start by configuring our email security in O365 by running the Office 365 ATP Recommended Configuration Analyzer (ORCA) PowerShell module, which compares your current O365 ATP settings with Microsoft's recommended ones. The module can be downloaded here; it is also published on the PowerShell Gallery as ORCA. Email security is likely already something you have, in the form of Exchange Online Protection or maybe the Plan 1 license of O365 Advanced Threat Protection.

Or, if you want to skip all that, jump over to the Microsoft site here for a list of the various settings laid out in a Default, Standard and Strict matrix. The full P2 license offers not only the Safe Links and Safe Attachments policies, which protect users from links that lead to low-reputation sites and from opening unsafe attachments, but also the revamped Attack Simulator (now Attack simulation training; think controlled phishing and spoofing scenarios to test your users) and the Automated Investigation and Response playbooks, which automate the rote triage work email security admins would otherwise do by hand. If you're a new admin and need additional guidance on email security, Microsoft has a good primer here.
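The following is an added example, not part of the original post: it installs ORCA from the PowerShell Gallery, connects to Exchange Online, runs the report, and then spot-checks the policy settings that matter most for ransomware delivery so they can be re-verified after each change. It assumes an account with Exchange admin rights; the UPN is a placeholder.

```powershell
# Added example, not from the original post. Assumes an Exchange admin
# account; admin@contoso.example is a placeholder.

# Both modules live on the PowerShell Gallery.
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
Install-Module -Name ORCA -Scope CurrentUser -Force

# ORCA reads policy through the Exchange Online cmdlets, so connect first.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Generates an HTML report comparing current settings with Microsoft's
# recommended Standard/Strict values.
Get-ORCAReport

# Manual spot-checks of the settings ORCA scores, so you can re-run them
# after each change without regenerating the full report.

# Safe Attachments: Action should be Block (or DynamicDelivery), never Allow.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect

# Safe Links: URLs should be scanned and the message held until the scan finishes.
Get-SafeLinksPolicy | Select-Object Name, ScanUrls, DeliverMessageAfterScan

# Common attachment types filter in the anti-malware policy: this is what
# stops .exe/.js/.vbs and friends at the gateway regardless of detection.
Get-MalwareFilterPolicy | Select-Object Name, EnableFileFilter, FileTypes

# Anti-phish: spoof intelligence and mailbox intelligence on for every policy.
Get-AntiPhishPolicy | Select-Object Name, Enabled, EnableSpoofIntelligence, EnableMailboxIntelligence
```

The four Get-* calls are the ones to keep in a notebook: ORCA's report is a point-in-time snapshot, and a later admin change to one policy is easy to miss without a quick re-check.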

Let's next deploy the whole suite of Attack Surface Reduction rules offered by Defender for Endpoint, paying special attention to the fact that we are knowingly blocking macros. Keep Excel power users in mind for this deployment: run the macro-related rules in audit mode first, review what trips them, then move them to block.

Rules to deploy:

  • Block executable content from email client and webmail
  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macros
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Use advanced protection against ransomware
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
  • Block untrusted and unsigned processes that run from USB
  • Block Office communication application from creating child processes
  • Block Adobe Reader from creating child processes
  • Block persistence through WMI event subscription

These rules will comprise our second line of defense after email security.
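Here is an added example, not part of the original post, of applying those rules to a single client with the Defender AV cmdlets, putting the macro-sensitive rules into audit mode first and everything else straight into block. The GUIDs are the published Defender for Endpoint ASR rule IDs; confirm them against Microsoft's current ASR rules reference before deploying. It assumes local admin on a Windows 10/11 Enterprise client; the exclusion path is a hypothetical line-of-business add-in. At scale you would push the same IDs and actions through Intune or Group Policy instead.

```powershell
# Added example, not from the original post. Rule GUIDs are the published
# ASR rule IDs; verify against Microsoft's current ASR reference before use.

$asrRules = @{
    'Block executable content from email client and webmail'                                          = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block all Office applications from creating child processes'                                     = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'                                      = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes'                              = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block JavaScript or VBScript from launching downloaded executable content'                       = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'                                                = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Win32 API calls from Office macros'                                                         = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' = '01443614-CD74-433A-B99E-2ECDC07BFC25'
    'Use advanced protection against ransomware'                                                       = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
    'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'       = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations originating from PSExec and WMI commands'                                = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Block untrusted and unsigned processes that run from USB'                                         = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Block Office communication application from creating child processes'                            = '26190899-1602-49E8-8B27-EB1D0A1CE869'
    'Block Adobe Reader from creating child processes'                                                 = '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
    'Block persistence through WMI event subscription'                                                 = 'E6DB77E5-3DF2-4CF1-B95A-636979351E5B'
}

# Rules that bite Office/macro workflows (and the prevalence rule, which is
# noisy for in-house tools) go to AuditMode first. Move them to Enabled once
# the audit events (ID 1122 in the Defender Operational log) show no
# legitimate business process tripping them.
$auditFirst = @(
    'Block all Office applications from creating child processes',
    'Block Office applications from creating executable content',
    'Block Win32 API calls from Office macros',
    'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
)

foreach ($entry in $asrRules.GetEnumerator()) {
    $action = if ($auditFirst -contains $entry.Key) { 'AuditMode' } else { 'Enabled' }
    # Add-MpPreference appends to the existing rule set; Set-MpPreference with
    # these parameters would replace it wholesale.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value -AttackSurfaceReductionRules_Actions $action
    Write-Host ('{0,-9} {1}' -f $action, $entry.Key)
}

# Hypothetical exclusion for a signed line-of-business add-in that legitimately
# spawns processes from Excel. Exclusions apply to all ASR rules, so keep them
# to a minimum and to exact file paths.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\ReportRunner\ReportRunner.exe'

# Verify what actually landed. Actions come back as numbers: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  {1}' -f $prefs.AttackSurfaceReductionRules_Ids[$i], $actionNames[[int]$prefs.AttackSurfaceReductionRules_Actions[$i]]
}
```

The audit-first split is the part worth copying: the email, script, LSASS and WMI rules rarely break anything, while the Office rules are exactly the ones an Excel-heavy finance team will hit.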

On top of that, our third pillar, meant to catch stray variables, is Windows Defender Application Guard, offered with Windows Enterprise E5. Basically, it's an add-on to Edge that opens sites you have not explicitly trusted (i.e. not on the network isolation / trusted sites list you define) in a Hyper-V-based browser container. If an employee receives a link that O365 ATP allows them to open and SmartScreen allows them to reach, they'll still get to the webpage, but in an isolated environment with no access to the host's file system. From there we can apply further restrictions, like blocking copy/paste, printing and file downloads between the container and the host.

For our fourth wheel, we'll configure Controlled Folder Access, which was designed specifically to thwart ransomware. Basically, it blocks untrusted applications from writing to protected folders. Windows protects the user's document libraries by default, and you add further folders and network shares when controlled folder access is configured; applications on Microsoft's trusted list, plus any you allow explicitly, are exempt. Let's say a user receives an email that O365 ATP trusted, follows a link that bypassed Application Guard and SmartScreen, and runs the download. The ransomware payload would execute, but its attempts to modify the folders we're expressly protecting would be blocked and logged.
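An added example, not part of the original post, of configuring Controlled Folder Access on a client: start in audit mode, add the data locations ransomware actually targets, allow a known-good application, and then switch to block once the audit window is clean. It assumes local admin; the folder, share and application paths are hypothetical placeholders for your own environment.

```powershell
# Added example, not from the original post. Paths are placeholders.

# Start in AuditMode: writes to protected folders are allowed but logged
# (event 1124 in the Defender Operational log), so you learn which legitimate
# apps touch those folders before you start blocking them (event 1123).
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Windows protects the profile libraries (Documents, Pictures, etc.) by
# default; add the local data folders and network shares that matter.
# Network shares and mapped drives are supported as protected folders.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', '\\fileserver\shares\Projects'

# Allow a known-good app that is not already on Microsoft's trusted list.
# Use the full executable path; a wildcard here is a hole ransomware can use.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LedgerSync\LedgerSync.exe'

# After the audit window shows only expected apps, flip to Enabled.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the resulting state.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 ControlledFolderAccessAllowedApplications
```

Note the limit of this control: it protects the listed folders from untrusted writers, it does not stop the payload from running or from encrypting files elsewhere, which is why the ASR rules and email controls sit in front of it.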

How can we test this?

  1. Deploy a VM with the OS image your typical users get, isolated from production networks and shares, and grab some ransomware samples from white-hat forums or a sample-sharing service.
  2. Visit the Defender ATP test ground and run the ASR rules script, the CFA script and the SmartScreen test page to measure your chances of success against the real thing; then detonate the samples in the isolated VM and confirm the protected folders survive.
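To read the results of those tests, here is an added example, not part of the original post, that pulls the ASR and Controlled Folder Access events Defender AV writes to its Operational log on the test VM and tabulates them by outcome. The event IDs are the ones Defender AV uses for ASR block/audit (1121/1122) and CFA block/audit (1123/1124); the event-data field names extracted below (ID, Path, Process Name) are an assumption and may differ between event types, so fall back to the event's Message text if a column comes back empty.

```powershell
# Added example, not from the original post. Run on the test VM after the
# demo scripts or samples have executed. Field names in the EventData
# section are assumed; check $_.Message if a column is blank.

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddHours(-2)
}

$outcome = @{
    1121 = 'ASR block'
    1122 = 'ASR audit'
    1123 = 'CFA block'
    1124 = 'CFA audit'
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the EventData name/value pairs out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $_.TimeCreated
        Outcome = $outcome[[int]$_.Id]
        RuleId  = $data['ID']            # ASR rule GUID (ASR events)
        Process = $data['Process Name']  # offending process
        Target  = $data['Path']          # file or folder it touched
    }
}

# Per-outcome counts tell you at a glance whether a control fired in
# block or only in audit; the detail table shows what it caught.
$events | Group-Object Outcome | Select-Object Name, Count | Format-Table -AutoSize
$events | Sort-Object Time | Format-Table -AutoSize
```

An "audit" row where you expected a "block" row is the finding to chase: it means the rule is on but still in audit mode on that build.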