Step 1: As an administrator, ensure your policies are configured correctly. Work with your SOC and gather feedback on threats or junk that make it through your filters, adjust as necessary. You just purchased a shiny new tool, why not use it to the best of its capability.
Step 2: Arm your users with Indicators that help them stop and think. This builds a culture of awareness.
✅ First contact safety tip- Yes
✅User or domain impersonation-Yes
✅Messages from outside the org, flag them – Yes
Enable the Report Message Add-In. Teach your users how to properly report a threat.
Step 3: Re-enforce knowledge. Conduct Quarterly Phishing Simulations. Add indicators to help them spot a threat. NEVER use your own company branded material as the payload. We want to educate, not build fear and treat every email as suspicious.
Step 4: Start cleaning up your allow lists. Check out this video from the Microsoft Ninja Training series: https://www.youtube.com/watch?v=LAtmVC53hbE
As an administrator, it is your responsibility to take the guess work away from an end user. At times, even a trained analyst is not able to spot a carefully crafted phishing message at first glance.
Need more help with Defender for Office 365? Check out this setup guide: https://setup.microsoft.com/defender/office-365-setup-guide
Norton Norris 