Step-by-step threat protection in Microsoft Defender for Office 365

The Microsoft Defender for Office 365 protection or filtering stack can be broken out into 4 phases, as in this article. Generally speaking, incoming mail passes through all of these phases before delivery, but the actual path email takes is subject to an organization's Defender for Office 365 configuration.


Stay tuned till the end of this article for a unified graphic of all 4 phases of Defender for Office 365 protection!

Phase 1 - Edge Protection

Unfortunately, Edge blocks that were once critical are now relatively simple for bad actors to overcome. Over time, less traffic is blocked here, but it remains an important part of the stack.

Edge blocks are designed to be automatic. In the case of a false positive, senders will be notified and told how to address their issue. Connectors from trusted partners with limited reputation can ensure deliverability, or temporary overrides can be put in place, when onboarding new endpoints.

Phase 1 of filtering in Defender for Office 365 is Edge Protection.

  1. Network throttling protects Office 365 infrastructure and customers from Denial of Service (DoS) attacks by limiting the number of messages that can be submitted by a specific set of infrastructure.

  2. IP reputation and throttling will block messages being sent from known bad connecting IP addresses. If a specific IP sends many messages in a short period of time, they will be throttled.

  3. Domain reputation will block any messages being sent from a known bad domain.

  4. Directory-based edge filtering blocks attempts to harvest an organization's directory information through SMTP.

  5. Backscatter detection prevents an organization from being attacked through invalid non-delivery reports (NDRs).

  6. Enhanced filtering for connectors preserves authentication information even when traffic passes through another device before it reaches Office 365. This improves filtering stack accuracy, including heuristic clustering, anti-spoofing, and anti-phishing machine learning models, even in complex or hybrid routing scenarios.

Phase 2 - Sender Intelligence

Features in sender intelligence are critical for catching spam, bulk, impersonation, and unauthorized spoof messages, and also factor into phish detection. Most of these features are individually configurable.

Phase 2 of filtering in MDO is Sender Intelligence.

  1. Account compromise detection triggers and alerts are raised when an account has anomalous behavior, consistent with compromise. In some cases, the user account is blocked and prevented from sending any further email messages until the issue is resolved by an organization's security operations team.

  2. Email Authentication involves both customer configured methods and methods set up in the Cloud, aimed at ensuring that senders are authorized, authentic mailers. These methods resist spoofing.

    • SPF can reject mails based on DNS TXT records that list IP addresses and servers allowed to send mail on the organization's behalf.
    • DKIM provides a cryptographic signature that authenticates the sender.
    • DMARC lets admins mark SPF and DKIM as required in their domain and enforces alignment between the results of these two technologies.
    • ARC is not customer configured, but builds on DMARC to work with forwarding in mailing lists, while recording an authentication chain.
  3. Spoof intelligence is capable of filtering those allowed to 'spoof' (that is, those sending mail on behalf of another account, or forwarding for a mailing list) from malicious spoofers imitating an organizational, or known external, domain. It separates legitimate 'on behalf of' mail from senders spoofing to deliver spam and phishing messages.

    Intra-org spoof intelligence detects and blocks spoof attempts from a domain within the organization.

  4. Cross-domain spoof intelligence detects and blocks spoof attempts from a domain outside of the organization.

  5. Bulk filtering lets admins configure a bulk confidence level (BCL) indicating whether the message was sent from a bulk sender. Administrators can use the Bulk Slider in the Antispam policy to decide what level of bulk mail to treat as spam.

  6. Mailbox intelligence learns from standard user email behaviors. It leverages a user's communication graph to detect when a sender only appears to be someone the user usually communicates with, but is actually malicious. This method detects impersonation.

  7. Mailbox intelligence impersonation enables or disables enhanced impersonation results based on each user's individual sender map. When enabled, this feature helps to identify impersonation.

  8. User impersonation allows an admin to create a list of high value targets likely to be impersonated. If a mail arrives where the sender only appears to have the same name and address as the protected high value account, the mail is marked or tagged. (For example, trα for

  9. Domain impersonation detects domains that are similar to the recipient's domain and that attempt to look like an internal domain. For example, this impersonation tracye@liwα for
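
The SPF, DKIM and DMARC checks listed under Email Authentication combine as sketched here. This is an added example, not Microsoft's implementation: the sample messages and policy are constructed, and treating the last two labels as the organizational domain is a simplifying assumption (a real evaluator uses the Public Suffix List).

```python
from dataclasses import dataclass

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResult:
    from_domain: str       # domain in the visible From: header
    spf_result: str        # "pass", "fail", "none", ...
    mail_from_domain: str  # envelope sender domain that SPF checked
    dkim_result: str
    dkim_d: str            # d= domain of the DKIM signature

def evaluate_dmarc(msg, record_txt):
    """Return (dmarc_pass, disposition) for one message."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.mail_from_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_d, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")

# Constructed samples (not real traffic).
POLICY = "v=DMARC1; p=quarantine; adkim=r; aspf=r"
SPOOFED = AuthResult("contoso.com", "pass", "mailer.example.net", "none", "")
FORWARDED = AuthResult("contoso.com", "fail", "list.example.org", "pass", "mail.contoso.com")

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("forwarded", FORWARDED)):
        print(name, evaluate_dmarc(msg, POLICY))
```

The spoofed sample shows why an SPF pass alone is not enough: SPF validated the envelope domain, not the From domain the recipient sees.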

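The user and domain impersonation checks above flag senders whose address only looks like a protected one, as in the α-for-a example. This added example (not Microsoft's detection logic) shows one way to do that with a small constructed look-alike table plus an edit-distance check; it assumes the sender domain has already been decoded from punycode to Unicode.

```python
import unicodedata

# Small constructed subset of look-alike characters; a production check
# would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u03b1": "a", "\u0430": "a",  # Greek alpha, Cyrillic a
    "\u03bf": "o", "\u043e": "o",  # Greek omicron, Cyrillic o
    "\u0435": "e", "\u0131": "i",  # Cyrillic e, dotless i
    "0": "o", "1": "l",            # digit substitutions
}

def skeleton(domain):
    """Fold a domain to a comparable form by replacing look-alike characters."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, protected):
    """Return 'trusted', 'homoglyph:<domain>', 'typo:<domain>' or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in protected:
        return "trusted"
    skel = skeleton(domain)
    for good in sorted(protected):
        if skel == skeleton(good):
            return f"homoglyph:{good}"
        if edit_distance(skel, skeleton(good)) == 1:
            return f"typo:{good}"
    return "unrelated"

# Constructed samples: protected domain and sender addresses.
PROTECTED = {"contoso.com"}
SAMPLES = ["tracye@contoso.com", "tracye@contos\u03bf.com",
           "tracye@contosso.com", "tracye@fabrikam.com"]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(sender, "->", classify_sender(sender, PROTECTED))
```
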
Phase 3 - Content Filtering

In this phase the filtering stack begins to handle the specific contents of the mail, including its hyperlinks and attachments.

Phase 3 of filtering in MDO is Content Filtering.

  1. Transport rules (also known as mail flow rules or Exchange transport rules) allow an admin to take a wide range of actions when an equally wide range of conditions are met for a message. All messages that flow through your organization are evaluated against the enabled mail flow rules / transport rules.

  2. Microsoft Defender Antivirus and two third-party Antivirus engines are used to detect all known malware in attachments.

  3. The anti-virus (AV) engines are also used to true-type all attachments, so that Type blocking can block all attachments of types the admin specifies.

  4. Whenever Microsoft Defender for Office 365 detects a malicious attachment, the file's hash, and a hash of its active content, are added to Exchange Online Protection (EOP) reputation. Attachment reputation blocking will block that file across all Office 365, and on endpoints, through MSAV cloud calls.

  5. Heuristic clustering can determine that a file is suspicious based on delivery heuristics. When a suspicious attachment is found, the entire campaign pauses, and the file is sandboxed. If the file is found to be malicious, the entire campaign is blocked.

  6. Machine learning models act on the header, body content, and URLs of a message to detect phishing attempts.

  7. Microsoft uses a determination of reputation from URL sandboxing as well as URL reputation from third party feeds in URL reputation blocking, to block any message with a known malicious URL.

  8. Content heuristics can detect suspicious messages based on structure and word frequency within the body of the message, using machine learning models.

  9. Safe Attachments sandboxes every attachment for Defender for Office 365 customers, using dynamic analysis to detect never-before seen threats.

  10. Linked content detonation treats every URL linking to a file in an email as an attachment, asynchronously sandboxing the file at the time of delivery.

  11. URL Detonation happens when upstream anti-phishing technology finds a message or URL to be suspicious. URL detonation sandboxes the URLs in the message at the time of delivery.

Phase 4 - Post-Delivery Protection

The last stage takes place after mail or file delivery, acting on mail that is in various mailboxes and files and links that appear in clients like Microsoft Teams.

Phase 4 of filtering in Defender for Office 365 is Post-Delivery Protection.

  1. Safe Links is MDO's time-of-click protection. Every URL in every message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked it is checked against the latest reputation, before the user is redirected to the target site. The URL is asynchronously sandboxed to update its reputation.

  2. Phish Zero-Hour Auto-purge (ZAP) retroactively detects and neutralizes malicious phishing messages that have already been delivered to Exchange Online mailboxes.

  3. Malware ZAP retroactively detects and neutralizes malicious malware messages that have already been delivered to Exchange Online mailboxes.

  4. Spam ZAP retroactively detects and neutralizes malicious spam messages that have already been delivered to Exchange Online mailboxes.

  5. Campaign Views let administrators see the big picture of an attack, faster and more completely, than any team could without automation. Microsoft leverages the vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns, and then allows admins to investigate them from start to end, including targets, impacts, and flows, that are also available in a downloadable campaign write-up.

  6. The Report Message add-ins enable people to easily report false positives (good email, mistakenly marked as bad) or false negatives (bad email marked as good) to Microsoft for further analysis.

  7. Safe Links for Office clients offers the same Safe Links time-of-click protection, natively, inside of Office clients like Word, PowerPoint, and Excel.

  8. Protection for OneDrive, SharePoint, and Teams offers the same Safe Attachments protection against malicious files, natively, inside of OneDrive, SharePoint, and Microsoft Teams.

  9. When a URL that points to a file is selected post delivery, linked content detonation displays a warning page until the sandboxing of the file is complete, and the URL is found to be safe.

The filtering stack diagram

The final diagram (as with all parts of the diagram composing it) is subject to change as the product grows and develops. Bookmark this page and use the feedback option you'll find at the bottom if you need to ask after updates. For your records, this is the stack with all the phases in order:

All the phases of filtering in MDO, in order from 1 to 4.

More information

Do you need to set up Microsoft Defender for Office 365 right now? Use this stack, now, with this step-by-step to start protecting your organization.

Special thanks from MSFTTracyP and the docs writing team to Giulian Garruba for this content.