MS-102 Phase 6
Module 42
Defender for Office 365 (MDO)
Safe Attachments (Dynamic Delivery), Safe Links (real-time scan), Anti-phishing impersonation, Preset Security Policies and Threat Explorer.
Scenario – VinaCorp
The Finance team receives an email impersonating the CEO (BEC, Business Email Compromise) with an attached Excel file containing a malicious macro. IT needs to enable Safe Attachments (Dynamic Delivery) and Safe Links, and configure anti-phishing to protect the executives.
MDO Plan 1 vs Plan 2
| Feature | EOP (Free) | MDO Plan 1 | MDO Plan 2 |
|---|---|---|---|
| Anti-spam / Anti-malware | ✅ | ✅ | ✅ |
| Safe Attachments | ❌ | ✅ | ✅ |
| Safe Links | ❌ | ✅ | ✅ |
| Anti-phishing (Impersonation) | ❌ | ✅ | ✅ |
| Real-time Detections | ❌ | ✅ | ✅ |
| Threat Explorer (full) | ❌ | ❌ | ✅ |
| Attack Simulation Training | ❌ | ❌ | ✅ |
| Automated Investigation (AIR) | ❌ | ❌ | ✅ |
| Campaign views | ❌ | ❌ | ✅ |
Safe Attachments
| Action | Description | Recommendation |
|---|---|---|
| Off | No scanning | Do not use |
| Monitor | Deliver immediately, scan in the background, log the result | Test/Pilot |
| Block | Block if malware is detected, hold the email | Standard |
| Replace | Remove the dangerous attachment, deliver the email with a placeholder | When the email must be kept |
| Dynamic Delivery | Deliver the email immediately (without the attachment), scan in parallel, reattach once clean | Best UX + Security |
Lab: Create a Safe Attachments Policy
```powershell
Connect-ExchangeOnline -UserPrincipalName [email protected]

# Create a Safe Attachments policy with Dynamic Delivery
New-SafeAttachmentPolicy -Name "VinaCorp-SafeAttach" `
    -Action DynamicDelivery `
    -Enable $true `
    -Redirect $true `
    -RedirectAddress "[email protected]" `
    -ActionOnError $true

# Apply it to the whole domain
New-SafeAttachmentRule -Name "VinaCorp-SafeAttach-Rule" `
    -SafeAttachmentPolicy "VinaCorp-SafeAttach" `
    -RecipientDomainIs "vinacorp.vn" `
    -Priority 0

Write-Host "Safe Attachments (Dynamic Delivery) enabled"
```
Safe Attachments (Dynamic Delivery) enabled for vinacorp.vn
Safe Links
Safe Links rewrites the URLs in an email. When a user clicks one, MDO scans it in real time before redirecting; if the URL is malicious, the click is blocked and a warning page is shown.
```powershell
# Create a Safe Links policy
# -EnableSafeLinksForEmail replaces the retired -IsEnabled parameter.
# The CustomNotificationText value is the Vietnamese warning shown to users.
New-SafeLinksPolicy -Name "VinaCorp-SafeLinks" `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -EnableForInternalSenders $true `
    -DeliverMessageAfterScan $true `
    -DisableUrlRewrite $false `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -CustomNotificationText "URL này đã bị chặn bởi chính sách bảo mật VinaCorp."

New-SafeLinksRule -Name "VinaCorp-SafeLinks-Rule" `
    -SafeLinksPolicy "VinaCorp-SafeLinks" `
    -RecipientDomainIs "vinacorp.vn"

Write-Host "Safe Links enabled (click-through blocked)"
```
Safe Links enabled (click-through blocked) for vinacorp.vn
AllowClickThrough $false: users cannot bypass the warning to reach a malicious URL. Consider $true for a pilot if there are many false positives.
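When triaging a reported message, analysts usually need the original destination behind a rewritten link. The following is an added example, not part of the original lab: `ConvertFrom-SafeLinksUrl` and `Get-OriginalLink` are hypothetical helper names, and the sample body (hosts and `data`/`sdata` values) is constructed.

```powershell
# Added example: recover the original destination from a Safe Links rewritten URL.
# ConvertFrom-SafeLinksUrl is a hypothetical helper name, not a Microsoft cmdlet.
function ConvertFrom-SafeLinksUrl {
    param([Parameter(Mandatory)] [string] $Url)

    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $null }
    # Only hosts under safelinks.protection.outlook.com are treated as wrappers.
    if ($uri.Host -notlike '*.safelinks.protection.outlook.com') { return $null }

    # The original link is carried percent-encoded in the "url" query parameter.
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        if ($name -eq 'url' -and $value) {
            return [Uri]::UnescapeDataString($value)
        }
    }
    return $null
}

function Get-OriginalLink {
    param([Parameter(Mandatory)] [string] $Text)
    # Pull every http(s) URL out of the text and unwrap the rewritten ones.
    foreach ($m in [regex]::Matches($Text, 'https?://[^\s<>"]+')) {
        $original = ConvertFrom-SafeLinksUrl -Url $m.Value
        $target   = if ($original) { $original } else { $m.Value }
        [pscustomobject]@{
            Rewritten = [bool]$original
            Host      = ([Uri]$target).Host
            Url       = $target
        }
    }
}

# Constructed sample body; the data/sdata values are placeholders.
$body = @'
Invoice: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fportal.example.test%2Finvoice%3Fid%3D42&data=PLACEHOLDER&sdata=PLACEHOLDER&reserved=0
Intranet: https://intranet.vinacorp.vn/policy
'@
Get-OriginalLink -Text $body | Format-Table -AutoSize
```

The decoded host is the value to search for in Threat Explorer or to check against block lists; the wrapper host itself says nothing about the destination.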
Anti-phishing – Impersonation Protection
```powershell
# Create an anti-phishing policy that protects the executives
New-AntiPhishPolicy -Name "VinaCorp-AntiPhish" `
    -Enabled $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true `
    -PhishThresholdLevel 3 `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @(
        "CEO;[email protected]",
        "CFO;[email protected]",
        "CISO;[email protected]"
    ) `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect @("vinacorp.vn","vinacorp.com") `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true

New-AntiPhishRule -Name "VinaCorp-AntiPhish-Rule" `
    -AntiPhishPolicy "VinaCorp-AntiPhish" `
    -RecipientDomainIs "vinacorp.vn"

Write-Host "Anti-phishing impersonation protection active"
```
Anti-phishing impersonation protection active
Protected executives: CEO, CFO, CISO
PhishThresholdLevel: 3 (Aggressive)
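After the three labs, it is worth reading the policies back and checking that the security-relevant settings still hold, since a later edit in the portal can weaken them without anyone noticing. The following is an added example, not part of the original lab: `Test-MdoBaseline` is a hypothetical helper name, the sample policy objects are constructed, and it assumes the properties returned by the `Get-*Policy` cmdlets carry the same names as the parameters used above.

```powershell
# Added example: compare policy objects against the settings used in this lab.
# Test-MdoBaseline is a hypothetical helper name, not an Exchange Online cmdlet.
function Test-MdoBaseline {
    param(
        [Parameter(Mandatory)] [object]    $Policy,    # output of a Get-*Policy cmdlet
        [Parameter(Mandatory)] [hashtable] $Expected   # setting name -> required value
    )
    foreach ($name in $Expected.Keys) {
        $actual = $Policy.$name   # $null when the property is missing, which is reported
        # Compare as strings so enum values (e.g. Action) match their names.
        if ("$actual" -ne "$($Expected[$name])") {
            [pscustomobject]@{
                Policy   = $Policy.Name
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = $actual
            }
        }
    }
}

# Baselines taken from the lab commands on this page.
$baseline = @{
    'VinaCorp-SafeAttach' = @{ Action = 'DynamicDelivery'; Enable = $true }
    'VinaCorp-SafeLinks'  = @{ ScanUrls = $true; AllowClickThrough = $false
                               TrackClicks = $true; DisableUrlRewrite = $false }
    'VinaCorp-AntiPhish'  = @{ Enabled = $true; PhishThresholdLevel = 3
                               TargetedUserProtectionAction = 'Quarantine' }
}

# Constructed sample objects so the block runs offline. In a connected session,
# use Get-SafeAttachmentPolicy, Get-SafeLinksPolicy and Get-AntiPhishPolicy instead.
$policies = @(
    [pscustomobject]@{ Name = 'VinaCorp-SafeAttach'; Action = 'DynamicDelivery'; Enable = $true }
    [pscustomobject]@{ Name = 'VinaCorp-SafeLinks'; ScanUrls = $true; AllowClickThrough = $true
                       TrackClicks = $true; DisableUrlRewrite = $false }
    [pscustomobject]@{ Name = 'VinaCorp-AntiPhish'; Enabled = $true; PhishThresholdLevel = 2
                       TargetedUserProtectionAction = 'Quarantine' }
)

$findings = foreach ($p in $policies) {
    if ($baseline.ContainsKey($p.Name)) { Test-MdoBaseline -Policy $p -Expected $baseline[$p.Name] }
}
$findings | Format-Table -AutoSize
```

With the constructed sample, two rows are reported: `AllowClickThrough` has been switched to `True` and `PhishThresholdLevel` has dropped to 2.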
Preset Security Policies
Microsoft provides 2 presets that it manages itself; their settings update automatically to follow the latest threat landscape.
| Preset | Level | Suitable for |
|---|---|---|
| Standard protection | Balanced, fewer false positives | Most users |
| Strict protection | Aggressive, blocks more | Executives, Finance, IT |
| Built-in protection | Baseline Safe Links + Safe Attachments | Users not yet covered by any policy |
```powershell
# Portal: security.microsoft.com → Email & collaboration → Policies & rules
# → Threat policies → Preset security policies
# → Standard protection: Assign → All users
# → Strict protection: Assign → Group: GRP_Executives, GRP_Finance

# PowerShell: check the preset policy assignments
Get-EOPProtectionPolicyRule | Select-Object Name, State, Priority
Get-ATPProtectionPolicyRule | Select-Object Name, State, Priority
```
Threat Explorer (MDO Plan 2)
security.microsoft.com → Email & collaboration → Explorer
1. View: All email → Filter: Delivery action = Blocked → review the email blocked over the past 7 days
2. View: Phish → Group by: Sender domain → find the domains running a phishing campaign
3. Click a specific email → Email details → review detection tech, delivery location, URL clicks
4. Select emails → Take actions → Soft delete / Hard delete / Move to Junk
M42 Summary
Core knowledge
- ✅ Dynamic Delivery: scans in parallel, no email delay
- ✅ Safe Links: rewrite + real-time scan on every click
- ✅ AllowClickThrough $false = the warning cannot be bypassed
- ✅ Impersonation: protects the CEO/CFO from BEC
- ✅ Preset policies update automatically, which is better than manual configuration
Labs completed
- 🔬 Safe Attachments: Dynamic Delivery + redirect to security team
- 🔬 Safe Links: rewrite + block click-through + Teams/Office
- 🔬 Anti-phishing: protect CEO/CFO + domain impersonation
- 🔬 Threat Explorer: hunt phish campaigns, take action