Defend uses AI to detect and prevent the full spectrum of advanced phishing attacks. Leveraging machine learning, natural language processing, and natural language understanding, Defend detects the attacks that get through native security and Secure Email Gateways, including business email compromise.
The following features are available with Defend.
Advanced Phishing Detection
Defend features deliver inbound email protection using self-learning techniques, behavioral intelligence, language processing engines, and automation. Every aspect of an inbound email is analyzed in unison, enhancing detection efficacy. All controls are applied cross-platform, providing protection on any device or interface.
Silent Mode
Silent mode allows Defend features to run in a monitoring mode without visual impact on end-users. This mode is typically used during a proof of concept (POC) or in the early stages of deployment while user communications are prepared.
Banners
Banners are a core part of the Defend service. Contextual color-coded HTML warning banners are added to emails received, immediately alerting users to the level of risk of an email. In this mode, links are typically rewritten to provide time-of-click protection. Banners provide real-time teachable moments for your users, explaining aspects of an email that indicate a threat and augmenting your security awareness and training.
Link Scanning and Rewriting
Defend features rewrite all URLs and scan links both at the time of receipt and at the time of click. When scanning links, several checks are performed, including, but not limited to, blocklist checks, domain age, and number of redirects. The URL rewriting allows Defend to perform the checks again at the time of the click to protect against time-based attacks.
The Defend URL rewriting feature can operate in conjunction with Microsoft SafeLinks. It cannot interoperate with other rewriting services from secure email gateways. This setting can be controlled via the Defend console Settings page.
Graymail
Graymail is non-malicious bulk email sent from legitimate sources. Examples of graymail include opted-in newsletters, announcements, or advertisements. Defend features can detect graymail and act on it with the following functionality:
- Graymail banners
- Moving mail to a _Graymail folder
- Report as Graymail or not as Graymail buttons on email summary pages
For full details, see the Defend - Graymail Management article.
Reporting
The Defend console provides detailed reporting and analytics. All incidents are tracked along with granular details about the attack, including the phish type, payload, sender IP address, location, and authentication results. The Defend console can be used to investigate incidents, and an investigation status and comments section are available. Alternatively, events can be exported to your own SIEM or SOC.
Remediation
Defend's email remediation controls, provided by Graph API, can be used to respond to threats quickly. In the case of a wider phishing attack sent to numerous internal recipients, Defend features can delete all identical or similar phishing emails.
For full details, see the Defend - How to Remediate Phishing Emails article.
Abuse Mailbox
Organizations usually have mailboxes that receive emails reported as phishing by end-users so that they can be investigated. Defend features will monitor the specified abuse mailbox to see what is being reported by end-users and automatically remediate malicious and persistent phishing threats. Event notifications can also be configured to notify administrators when specific actions have occurred regarding the abuse mailbox.
For full details, see the Defend - Abuse Mailbox Automation article.