L1 BIO 13.02.01 ISO A.8.16

Geavanceerde Bedreigingsbescherming Beleidsregels In Microsoft Defender Voor Office 365

πŸ“… 2025-01-15
β€’
⏱️ 15 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Geavanceerde Bedreigingsbescherming (Advanced Threat Protection) in Microsoft Defender voor Office 365 vormt een gelaagde verdedigingsstrategie die meerdere beveiligingslagen combineert om organisaties te beschermen tegen geavanceerde cyberdreigingen zoals zero-day malware, geavanceerde phishing-aanvallen, ransomware, credential harvesting en andere geavanceerde persistent threats. Deze comprehensive defense-in-depth aanpak integreert Safe Attachments, Safe Links, Anti-Phishing, Anti-Malware, Anti-Spam en Threat Intelligence in een gecoΓΆrdineerde verdedigingsstrategie die bescherming biedt op meerdere aanvalsvectoren simultaan.

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
9/10
Implementatie
20u (tech: 8u)
Van toepassing op:
βœ“ M365
βœ“ Exchange Online
βœ“ Defender voor Office 365
βœ“ SharePoint
βœ“ OneDrive
βœ“ Teams

Moderne cyberaanvallen zijn steeds geavanceerder en gebruiken multi-vector attack strategies waarbij aanvallers meerdere technieken combineren om traditionele single-layer security controls te omzeilen. Zero-day malware exploits die nog geen signatures hebben worden niet gedetecteerd door traditionele antivirus, geavanceerde phishing-aanvallen gebruiken social engineering en impersonation technieken die gebruikers misleiden, ransomware distributie via email attachments met polymorphic malware die signatures continu verandert, credential harvesting via fake login pages die authenticatiegegevens stelen, en business email compromise (BEC) aanvallen waarbij aanvallers legitieme accounts compromitteren en vervolgens misbruiken voor wire fraud. Zonder een gelaagde verdedigingsstrategie kunnen organisaties slechts één aanvalsvector tegelijkertijd blokkeren, waardoor aanvallers eenvoudigweg een andere vector gebruiken om hun doel te bereiken. Een enkele security control zoals alleen anti-malware scanning mist geavanceerde phishing-aanvallen, alleen anti-phishing policies missen zero-day malware in attachments, en alleen safe links bescherming mist impersonation attacks. Advanced Threat Protection lost dit op door een defense-in-depth strategie te implementeren waarbij meerdere security layers simultaan werken: Safe Attachments blokkeert malware in email attachments via sandbox detonation, Safe Links beschermt tegen malicious URLs door links te scannen voordat gebruikers erop klikken, Anti-Phishing policies detecteren impersonation en spoofing aanvallen via machine learning, Anti-Malware scanning blokkeert bekende malware signatures, Anti-Spam filtering voorkomt spam en bulk email delivery, en Threat Intelligence integratie gebruikt real-time threat feeds om emerging threats te detecteren. Deze gelaagde aanpak zorgt ervoor dat zelfs als één layer faalt, andere layers de aanval kunnen blokkeren, wat de overall security posture aanzienlijk verbetert. Voor Nederlandse overheidsorganisaties is dit essentieel voor compliance met NIS2 Artikel 21 dat vereist dat organisaties technische maatregelen implementeren om cyberdreigingen te detecteren en te voorkomen, ISO 27001 controle A.8.16 voor security event monitoring en threat detection, en BIO richtlijn 13.02 voor email security controls.

PowerShell Modules Vereist
Primary API: Exchange Online PowerShell
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement

Implementatie

Geavanceerde Bedreigingsbescherming Beleidsregels configureren een comprehensive set van geΓ―ntegreerde security policies die samenwerken als een gelaagde verdedigingsstrategie. De configuratie omvat zes primaire componenten: (1) Safe Attachments Policy - configureert sandbox detonation van email attachments waarbij bestanden worden uitgevoerd in geΓ―soleerde virtual machines om malicious behavior te detecteren voordat emails worden afgeleverd, met action modes zoals Block (quarantine entire message), Dynamic Delivery (deliver email immediately met placeholder voor attachment), of Replace (remove attachment maar deliver email body), en bescherming scope voor Exchange, SharePoint, OneDrive en Teams, (2) Safe Links Policy - configureert URL scanning en rewriting waarbij alle links in emails worden gescanned voordat gebruikers erop klikken, malicious URLs worden geblokkeerd, en safe links worden herschreven naar Microsoft's scanning infrastructure voor real-time protection, met bescherming voor Office applications, email clients, en Teams, (3) Anti-Phishing Policy - configureert impersonation detection, spoof intelligence, mailbox intelligence en safety tips om geavanceerde phishing-aanvallen te detecteren, met user impersonation protection voor executives en finance teams, domain impersonation protection voor company domains, en actions zoals Quarantine, Move to Junk, of Deliver with warning banner, (4) Anti-Malware Policy - configureert signature-based malware scanning voor bekende threats, met automatic quarantine van detected malware en notification naar admins en users, (5) Anti-Spam Policy - configureert spam filtering en bulk email detection om spam en junk email te blokkeren voordat het inboxen bereikt, met spam confidence levels en bulk email thresholds, en (6) Threat Intelligence Integration - configureert real-time threat intelligence feeds die emerging threats detecteren en automatisch policies updaten. Daarnaast kunnen Priority Account Protection policies worden geconfigureerd voor executives en high-value targets met stricter protection settings. Alle policies worden geconfigureerd via Microsoft 365 Defender portal onder Email & collaboration β†’ Threat policies, of via PowerShell met ExchangeOnlineManagement module. De policies werken samen waarbij een email eerst door anti-spam filtering gaat, vervolgens anti-malware scanning, daarna safe attachments detonation, safe links scanning, en ten slotte anti-phishing analysis, waarbij elke layer aanvullende bescherming biedt. Deze gelaagde aanpak zorgt voor comprehensive protection tegen alle bekende en onbekende threats.

Vereisten

Voor het configureren van Geavanceerde Bedreigingsbescherming Beleidsregels zijn de volgende voorwaarden vereist:

  1. Microsoft Defender voor Office 365 Plan 1 of Plan 2 (onderdeel van M365 E5 of standalone licentie)
  2. Exchange Administrator of Security Administrator rol voor policy configuratie
  3. PowerShell 5.1+ met ExchangeOnlineManagement module voor automation en bulk configuratie
  4. Comprehensive security policy documentatie die beschrijft welke protection levels nodig zijn voor verschillende user groups
  5. Priority accounts lijst: Identificeer executives, finance team, IT admins en andere high-value targets die stricter protection nodig hebben
  6. User communication plan: Informeer gebruikers over safe links rewriting, safe attachments delays, en phishing warning banners
  7. Security team email adres voor malware redirects en incident notifications
  8. Threat intelligence integration planning: Bepaal welke external threat feeds moeten worden geΓ―ntegreerd
  9. Testing plan: Valideer dat business-critical emails en attachments niet false positive worden geblokkeerd
  10. Incident response procedures: Definieer hoe security team reageert op detected threats via ATP policies
  11. Quarterly review proces: Plan regelmatige evaluatie van policy effectiveness en false positive rates
  12. Compliance mapping: Documenteer hoe ATP policies voldoen aan NIS2, ISO 27001 en BIO requirements

Implementatie

Geavanceerde Bedreigingsbescherming Beleidsregels implementatie via Microsoft 365 Defender portal:

Gebruik PowerShell-script advanced-threat-protection-policies.ps1 (functie Invoke-Remediation) – PowerShell script voor automatische configuratie van comprehensive Advanced Threat Protection policies met Safe Attachments, Safe Links, Anti-Phishing, Anti-Malware en Anti-Spam policies.

Stappen voor comprehensive ATP configuratie:

  1. Ga naar security.microsoft.com β†’ Email & collaboration β†’ Threat policies
  2. Configureer Safe Attachments Policy (Stap 1 van 6):
  3. - Navigate naar Safe Attachments
  4. - Click 'Create' β†’ Name: 'ATP Safe Attachments - Company Wide'
  5. - Safe Attachments unknown malware response: Select 'Block' (aanbevolen) of 'Dynamic Delivery' (balanced)
  6. - Redirect messages met detected attachments: Enable β†’ security-team@company.com
  7. - Apply protection if scanning can't complete: Block
  8. - Protection scope: Enable voor Exchange, SharePoint, OneDrive, Teams
  9. - Assign to: All users (of create separate policy voor priority accounts met stricter settings)
  10. Configureer Safe Links Policy (Stap 2 van 6):
  11. - Navigate naar Safe Links
  12. - Click 'Create' β†’ Name: 'ATP Safe Links - Company Wide'
  13. - URLs will be rewritten: Enable (alleen voor Office apps, email, Teams)
  14. - Do not rewrite URLs, do not track user clicks: Uncheck (aanbevolen: rewrite en track)
  15. - Use safe links for email: Enable
  16. - Use safe links for Office applications: Enable (Word, Excel, PowerPoint, Access)
  17. - Use safe links for Microsoft Teams: Enable
  18. - Do not allow users to click through to original URL: Enable (aanbevolen: block malicious URLs)
  19. - Apply real-time URL scanning: Enable (aanbevolen voor zero-day URL threats)
  20. - Apply safe links to email messages sent within the organization: Enable (internal email protection)
  21. - Assign to: All users
  22. Configureer Anti-Phishing Policy (Stap 3 van 6):
  23. - Navigate naar Anti-phishing
  24. - Click 'Create' β†’ Name: 'ATP Anti-Phishing - Company Wide'
  25. - Impersonation protection:
  26. - Protect specific users: Add executives, finance team, IT admins
  27. - Protect specific domains: Add company domains en trusted partner domains
  28. - Mailbox intelligence: Enable (ML-based impersonation detection)
  29. - Spoof intelligence: Enable (detecteer gespoofed internal senders)
  30. - Advanced settings:
  31. - Unusual characters: Enable (detecteer lookalike domains met special characters)
  32. - Unusual percentage of impersonation: Set threshold (aanbevolen: 30%)
  33. - Action: Select 'Quarantine' (aanbevolen) of 'Move to Junk'
  34. - Assign to: All users
  35. - Create separate 'ATP Anti-Phishing - Priority Accounts' policy met stricter settings voor executives
  36. Configureer Anti-Malware Policy (Stap 4 van 6):
  37. - Navigate naar Anti-malware
  38. - Click 'Create' β†’ Name: 'ATP Anti-Malware - Company Wide'
  39. - Malware detection response: Quarantine message
  40. - Notifications:
  41. - Notify administrator about undelivered messages: Enable β†’ security-team@company.com
  42. - Notify recipients about quarantined messages: Enable (users zien notification)
  43. - Common attachment types filter: Enable β†’ Block .exe, .scr, .bat, .cmd, .com, .pif, .vbs, .js
  44. - Assign to: All users
  45. Configureer Anti-Spam Policy (Stap 5 van 6):
  46. - Navigate naar Anti-spam policies
  47. - Click 'Create' β†’ Name: 'ATP Anti-Spam - Company Wide'
  48. - Spam and bulk actions:
  49. - Spam: Quarantine (aanbevolen) of Move to Junk
  50. - High confidence spam: Quarantine (altijd)
  51. - Phishing: Quarantine (altijd)
  52. - High confidence phishing: Quarantine (altijd)
  53. - Bulk email: Move to Junk (aanbevolen)
  54. - End-user spam notifications: Enable β†’ Notify users daily over quarantined spam
  55. - Assign to: All users
  56. Configureer Priority Account Protection (Stap 6 van 6 - Optioneel maar AANBEVOLEN):
  57. - Navigate naar Email & collaboration β†’ Threat policies β†’ Priority account protection
  58. - Add priority accounts: Executives, finance team, IT admins
  59. - Apply stricter ATP policies: Enable
  60. - Safe Attachments: Use stricter policy (Block mode)
  61. - Safe Links: Use stricter policy (Always rewrite, block malicious)
  62. - Anti-Phishing: Use stricter policy (Quarantine, higher sensitivity)
  63. Test comprehensive ATP protection:
  64. - Test Safe Attachments: Verzend test email met EICAR test file β†’ Verifieer quarantine
  65. - Test Safe Links: Verzend email met malicious URL β†’ Verifieer link rewriting en blocking
  66. - Test Anti-Phishing: Verzend impersonation email β†’ Verifieer detection en quarantine
  67. - Test Anti-Malware: Verzend email met known malware β†’ Verifieer quarantine
  68. - Test Anti-Spam: Verzend spam test email β†’ Verifieer filtering
  69. - Verifieer false positives: Test business-critical emails β†’ Zorg dat legitieme emails niet worden geblokkeerd

Testing en validatie van gelaagde bescherming:

  1. Multi-vector attack test: Verzend email met malicious attachment + malicious link + impersonation β†’ Verifieer dat alle layers detecteren
  2. Zero-day simulation: Test met unknown malware sample β†’ Verifieer Safe Attachments sandbox detonation
  3. Phishing simulation: Test impersonation attack β†’ Verifieer Anti-Phishing detection
  4. URL threat test: Test malicious URL β†’ Verifieer Safe Links rewriting en blocking
  5. Priority account test: Test stricter protection voor executives β†’ Verifieer enhanced security
  6. Performance impact: Monitor email delivery delays β†’ Zorg dat ATP scanning geen significante delays veroorzaakt
  7. False positive analysis: Review quarantined items β†’ Identificeer en whitelist legitieme senders indien nodig
  8. Integration test: Verifieer dat alle ATP policies samenwerken zonder conflicts

Monitoring

Gebruik PowerShell-script advanced-threat-protection-policies.ps1 (functie Invoke-Monitoring) – Controleert of alle Advanced Threat Protection policies zijn geconfigureerd en rapporteert status van Safe Attachments, Safe Links, Anti-Phishing, Anti-Malware en Anti-Spam policies.

Continue monitoring van Geavanceerde Bedreigingsbescherming Beleidsregels:

  1. Microsoft 365 Defender portal β†’ Email & collaboration β†’ Threat policies β†’ Overview dashboard
  2. Safe Attachments monitoring:
  3. - Review quarantined attachments: Security.microsoft.com β†’ Threat management β†’ Review β†’ Quarantine
  4. - Monitor detection rates: Threat Explorer β†’ Filter op 'Safe Attachments' β†’ Analyseer detected threats
  5. - Check scanning performance: Monitor average scanning time β†’ Zorg dat delays acceptabel zijn
  6. - Review false positives: Identificeer legitieme attachments die false positive zijn β†’ Whitelist indien nodig
  7. Safe Links monitoring:
  8. - Review clicked malicious URLs: Threat Explorer β†’ Filter op 'Safe Links blocked' β†’ Analyseer blocked clicks
  9. - Monitor link rewriting: Verifieer dat links correct worden herschreven in emails
  10. - Check user click-through rates: Analyseer hoeveel users malicious links proberen te openen
  11. - Review safe links statistics: Dashboard toont aantal scanned links, blocked links, en click-through attempts
  12. Anti-Phishing monitoring:
  13. - Review quarantined phishing emails: Quarantine β†’ Filter op 'Phishing' β†’ Analyseer detected attacks
  14. - Monitor impersonation detections: Threat Explorer β†’ Filter op 'Impersonation' β†’ Analyseer patterns
  15. - Check spoof intelligence detections: Review detected spoofed senders β†’ Verifieer accuracy
  16. - Analyze mailbox intelligence alerts: Review unusual sender patterns β†’ Identificeer compromised accounts
  17. Anti-Malware monitoring:
  18. - Review quarantined malware: Quarantine β†’ Filter op 'Malware' β†’ Analyseer detected threats
  19. - Monitor malware detection rates: Threat Explorer β†’ Filter op 'Malware' β†’ Track trends over tijd
  20. - Check common attachment types blocking: Verifieer dat blocked file types correct worden gefilterd
  21. Anti-Spam monitoring:
  22. - Review spam quarantine: Quarantine β†’ Filter op 'Spam' β†’ Analyseer filtered emails
  23. - Monitor spam confidence levels: Analyseer spam scores β†’ Tune thresholds indien nodig
  24. - Check bulk email filtering: Verifieer dat bulk emails correct worden geΓ―dentificeerd
  25. Comprehensive ATP dashboard:
  26. - Threat Explorer: security.microsoft.com β†’ Threat Explorer β†’ Analyseer alle detected threats across alle ATP layers
  27. - Email & collaboration reports: Review ATP protection statistics β†’ Track effectiveness metrics
  28. - Security recommendations: Review ATP-related recommendations β†’ Implementeer suggested improvements
  29. Policy compliance monitoring:
  30. - Verify policy assignments: Controleer dat alle users correcte ATP policies hebben toegewezen
  31. - Check policy conflicts: Identificeer overlapping policies β†’ Resolve conflicts
  32. - Review policy effectiveness: Analyseer detection rates per policy β†’ Tune settings indien nodig
  33. Quarterly ATP review:
  34. - Evaluate overall ATP effectiveness: Analyseer threat detection rates en false positive rates
  35. - Review policy settings: Update thresholds en actions op basis van threat landscape changes
  36. - Assess priority account protection: Verifieer dat executives adequate protection hebben
  37. - Update threat intelligence: Integreer nieuwe threat feeds en update detection rules

Remediatie

Gebruik PowerShell-script advanced-threat-protection-policies.ps1 (functie Invoke-Remediation) – Herstelt ontbrekende Advanced Threat Protection policies of configureert comprehensive ATP protection volgens best practices.

Voor problemen met Geavanceerde Bedreigingsbescherming Beleidsregels:

  1. Ontbrekende ATP policies:
  2. - Identificeer welke policies ontbreken via monitoring script
  3. - Configureer ontbrekende policies via portal of PowerShell script
  4. - Verifieer policy assignments: Zorg dat alle users policies hebben toegewezen
  5. - Test policies na configuratie: Valideer dat protection werkt
  6. False positive blocking:
  7. - Review quarantined items: Identificeer legitieme emails die false positive zijn geblokkeerd
  8. - Whitelist legitieme senders: Voeg toe aan allowed senders lijst in Anti-Spam policy
  9. - Adjust policy thresholds: Verlaag sensitivity indien te veel false positives
  10. - Create exceptions: Configureer policy exceptions voor business-critical senders
  11. - Document false positives: Houd log bij van false positives voor policy tuning
  12. Performance issues (email delays):
  13. - Check Safe Attachments scanning time: Monitor average detonation time β†’ Optimize indien nodig
  14. - Consider Dynamic Delivery mode: Switch van Block naar Dynamic Delivery voor betere user experience
  15. - Review Safe Links scanning: Verifieer dat URL scanning geen significante delays veroorzaakt
  16. - Optimize policy scope: Reduceer protection scope indien performance issues (niet aanbevolen)
  17. Policy conflicts:
  18. - Identify overlapping policies: Review alle ATP policies β†’ Identificeer conflicts
  19. - Resolve priority conflicts: Bepaal welke policy voorrang heeft β†’ Update policy priority
  20. - Consolidate duplicate policies: Merge policies met vergelijkbare settings
  21. - Document policy hierarchy: Maak overzicht van policy precedence
  22. Insufficient protection:
  23. - Review detection rates: Analyseer threat detection effectiveness β†’ Identificeer gaps
  24. - Enable additional protection: Schakel extra ATP features in (bijv. real-time URL scanning)
  25. - Upgrade to stricter policies: Switch van Move to Junk naar Quarantine voor betere security
  26. - Implement priority account protection: Configureer stricter policies voor executives
  27. Integration issues:
  28. - Verify API connections: Controleer ExchangeOnlineManagement module connectivity
  29. - Check permissions: Verifieer dat service accounts correcte permissions hebben
  30. - Review audit logs: Analyseer errors in policy configuration attempts
  31. - Test PowerShell cmdlets: Valideer dat alle ATP management commands werken

Compliance en Auditing

Geavanceerde Bedreigingsbescherming Beleidsregels vormen een critical component van email security en zijn essentieel voor compliance met verschillende security frameworks. CIS Microsoft 365 Foundations Benchmark - control 2.1 (Zorg ervoor dat Advanced Threat Protection is geconfigureerd), control 2.2 (Safe Attachments policy geconfigureerd), control 2.3 (Safe Links policy geconfigureerd), control 2.4 (Anti-Phishing policy geconfigureerd), en control 2.5 (Anti-Malware policy geconfigureerd). BIO Baseline Informatiebeveiliging Overheid - Thema 13.02.01 (Overdracht van informatie - Email beveiligingscontroles met multi-layer protection), Thema 13.02.02 (Malware bescherming - Sandbox detonation en signature-based scanning), en Thema 13.02.03 (Phishing bescherming - Impersonation detection en URL scanning). ISO 27001:2022 A.8.16 (Security event monitoring - Threat detection en response), A.13.2.1 (Information transfer beleidsregels - Email security controls), en A.8.2 (Information classification - Sensitive data protection via ATP). NIS2 Artikel 21 (Cybersecurity risicobeheer - Threat detection en prevention maatregelen) en Artikel 23 (Incident response - Threat detection capabilities). Advanced Threat Protection policies moeten worden behandeld als critical security controls die regelmatig worden gereviewd, getest en geΓΌpdatet op basis van emerging threats. Alle policy wijzigingen moeten worden gelogd voor audit doeleinden en policy effectiveness moet worden gemeten via threat detection rates en false positive rates.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Advanced Threat Protection Policies voor Microsoft Defender voor Office 365 .DESCRIPTION Configureert comprehensive Advanced Threat Protection policies in Microsoft Defender voor Office 365 inclusief Safe Attachments, Safe Links, Anti-Phishing, Anti-Malware en Anti-Spam policies. Implementeert een gelaagde verdedigingsstrategie (defense-in-depth) voor email security. .NOTES Filename: advanced-threat-protection-policies.ps1 Author: Nederlandse Baseline voor Veilige Cloud Version: 1.0 Related JSON: content/m365/defender-email/advanced-threat-protection-policies.json #> #Requires -Version 5.1 #Requires -Modules ExchangeOnlineManagement [CmdletBinding()] param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) $ErrorActionPreference = 'Stop' Write-Host "`n========================================" -ForegroundColor Cyan Write-Host "Advanced Threat Protection Policies" -ForegroundColor Cyan Write-Host "========================================`n" -ForegroundColor Cyan function Invoke-Monitoring { try { Write-Host "Monitoring:" -ForegroundColor Yellow Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop $results = @{ isCompliant = $false safeAttachmentsConfigured = $false safeLinksConfigured = $false antiPhishingConfigured = $false antiMalwareConfigured = $false antiSpamConfigured = $false policies = @() } Write-Host "`n Checking Advanced Threat Protection policies..." -ForegroundColor Cyan # Check Safe Attachments Policy Write-Host "`n Safe Attachments Policies:" -ForegroundColor Cyan $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue if ($safeAttachmentPolicies.Count -gt 0) { $results.safeAttachmentsConfigured = $true foreach ($policy in $safeAttachmentPolicies) { $policyInfo = @{ Name = $policy.Name Enabled = $policy.Enabled Action = $policy.Action Redirect = $policy.Redirect ActionOnError = $policy.ActionOnError } $results.policies += @{ Type = "SafeAttachments"; Policy = $policyInfo } if ($policy.Enabled) { Write-Host " ENABLED: $($policy.Name)" -ForegroundColor Green Write-Host " Action: $($policy.Action)" -ForegroundColor Gray Write-Host " Redirect: $($policy.Redirect)" -ForegroundColor Gray } else { Write-Host " DISABLED: $($policy.Name)" -ForegroundColor Yellow } } } else { Write-Host " No Safe Attachments policies found" -ForegroundColor Red } # Check Safe Links Policy Write-Host "`n Safe Links Policies:" -ForegroundColor Cyan $safeLinksPolicies = Get-SafeLinksPolicy -ErrorAction SilentlyContinue if ($safeLinksPolicies.Count -gt 0) { $results.safeLinksConfigured = $true foreach ($policy in $safeLinksPolicies) { $policyInfo = @{ Name = $policy.Name Enabled = $policy.Enabled AllowClickThrough = $policy.AllowClickThrough ScanUrls = $policy.ScanUrls DeliverMessageAfterScan = $policy.DeliverMessageAfterScan } $results.policies += @{ Type = "SafeLinks"; Policy = $policyInfo } if ($policy.Enabled) { Write-Host " ENABLED: $($policy.Name)" -ForegroundColor Green Write-Host " Allow Click Through: $($policy.AllowClickThrough)" -ForegroundColor Gray Write-Host " Scan URLs: $($policy.ScanUrls)" -ForegroundColor Gray } else { Write-Host " DISABLED: $($policy.Name)" -ForegroundColor Yellow } } } else { Write-Host " No Safe Links policies found" -ForegroundColor Red } # Check Anti-Phishing Policy Write-Host "`n Anti-Phishing Policies:" -ForegroundColor Cyan $antiPhishPolicies = Get-AntiPhishPolicy -ErrorAction SilentlyContinue if ($antiPhishPolicies.Count -gt 0) { $results.antiPhishingConfigured = $true foreach ($policy in $antiPhishPolicies) { $policyInfo = @{ Name = $policy.Name Enabled = $policy.Enabled PhishThresholdLevel = $policy.PhishThresholdLevel EnableMailboxIntelligence = $policy.EnableMailboxIntelligence EnableSpoofIntelligence = $policy.EnableSpoofIntelligence } $results.policies += @{ Type = "AntiPhishing"; Policy = $policyInfo } if ($policy.Enabled) { Write-Host " ENABLED: $($policy.Name)" -ForegroundColor Green Write-Host " Phish Threshold: $($policy.PhishThresholdLevel)" -ForegroundColor Gray Write-Host " Mailbox Intelligence: $($policy.EnableMailboxIntelligence)" -ForegroundColor Gray Write-Host " Spoof Intelligence: $($policy.EnableSpoofIntelligence)" -ForegroundColor Gray } else { Write-Host " DISABLED: $($policy.Name)" -ForegroundColor Yellow } } } else { Write-Host " No Anti-Phishing policies found" -ForegroundColor Red } # Check Anti-Malware Policy Write-Host "`n Anti-Malware Policies:" -ForegroundColor Cyan $malwarePolicies = Get-MalwareFilterPolicy -ErrorAction SilentlyContinue if ($malwarePolicies.Count -gt 0) { $results.antiMalwareConfigured = $true foreach ($policy in $malwarePolicies) { $policyInfo = @{ Name = $policy.Name Enabled = $policy.Enabled Action = $policy.Action QuarantineTag = $policy.QuarantineTag } $results.policies += @{ Type = "AntiMalware"; Policy = $policyInfo } if ($policy.Enabled) { Write-Host " ENABLED: $($policy.Name)" -ForegroundColor Green Write-Host " Action: $($policy.Action)" -ForegroundColor Gray } else { Write-Host " DISABLED: $($policy.Name)" -ForegroundColor Yellow } } } else { Write-Host " No Anti-Malware policies found" -ForegroundColor Red } # Check Anti-Spam Policy Write-Host "`n Anti-Spam Policies:" -ForegroundColor Cyan $spamPolicies = Get-HostedContentFilterPolicy -ErrorAction SilentlyContinue if ($spamPolicies.Count -gt 0) { $results.antiSpamConfigured = $true foreach ($policy in $spamPolicies) { $policyInfo = @{ Name = $policy.Name Enabled = $policy.Enabled HighConfidenceSpamAction = $policy.HighConfidenceSpamAction SpamAction = $policy.SpamAction BulkThreshold = $policy.BulkThreshold } $results.policies += @{ Type = "AntiSpam"; Policy = $policyInfo } if ($policy.Enabled) { Write-Host " ENABLED: $($policy.Name)" -ForegroundColor Green Write-Host " Spam Action: $($policy.SpamAction)" -ForegroundColor Gray Write-Host " High Confidence Spam Action: $($policy.HighConfidenceSpamAction)" -ForegroundColor Gray } else { Write-Host " DISABLED: $($policy.Name)" -ForegroundColor Yellow } } } else { Write-Host " No Anti-Spam policies found" -ForegroundColor Red } # Determine overall compliance $allConfigured = $results.safeAttachmentsConfigured -and $results.safeLinksConfigured -and $results.antiPhishingConfigured -and $results.antiMalwareConfigured -and $results.antiSpamConfigured Write-Host "`n Summary:" -ForegroundColor Cyan Write-Host " Safe Attachments: $(if ($results.safeAttachmentsConfigured) { 'CONFIGURED' } else { 'MISSING' })" -ForegroundColor $(if ($results.safeAttachmentsConfigured) { 'Green' } else { 'Red' }) Write-Host " Safe Links: $(if ($results.safeLinksConfigured) { 'CONFIGURED' } else { 'MISSING' })" -ForegroundColor $(if ($results.safeLinksConfigured) { 'Green' } else { 'Red' }) Write-Host " Anti-Phishing: $(if ($results.antiPhishingConfigured) { 'CONFIGURED' } else { 'MISSING' })" -ForegroundColor $(if ($results.antiPhishingConfigured) { 'Green' } else { 'Red' }) Write-Host " Anti-Malware: $(if ($results.antiMalwareConfigured) { 'CONFIGURED' } else { 'MISSING' })" -ForegroundColor $(if ($results.antiMalwareConfigured) { 'Green' } else { 'Red' }) Write-Host " Anti-Spam: $(if ($results.antiSpamConfigured) { 'CONFIGURED' } else { 'MISSING' })" -ForegroundColor $(if ($results.antiSpamConfigured) { 'Green' } else { 'Red' }) if ($allConfigured) { $results.isCompliant = $true Write-Host "`nCOMPLIANT: All Advanced Threat Protection policies are configured" -ForegroundColor Green exit 0 } else { Write-Host "`nNON-COMPLIANT: One or more ATP policies are missing or not configured" -ForegroundColor Red Write-Host " Configure missing policies via: Security portal > Threat policies" -ForegroundColor Yellow exit 1 } } catch { Write-Host "`nERROR: $_" -ForegroundColor Red Write-Host " StackTrace: $($_.ScriptStackTrace)" -ForegroundColor Gray exit 2 } } function Invoke-Remediation { try { Write-Host "Remediation:" -ForegroundColor Yellow Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop Write-Host "`n Advanced Threat Protection policies must be configured via:" -ForegroundColor Cyan Write-Host " Microsoft 365 Defender portal" -ForegroundColor Yellow Write-Host " Security.microsoft.com > Email & collaboration > Threat policies" -ForegroundColor Gray Write-Host "`n Required ATP Policies:" -ForegroundColor Cyan Write-Host " 1. Safe Attachments Policy" -ForegroundColor Yellow Write-Host " - Sandbox detonation van email attachments" -ForegroundColor Gray Write-Host " - Action: Block (aanbevolen) of Dynamic Delivery" -ForegroundColor Gray Write-Host " - Scope: Exchange, SharePoint, OneDrive, Teams" -ForegroundColor Gray Write-Host "`n 2. Safe Links Policy" -ForegroundColor Yellow Write-Host " - URL scanning en rewriting" -ForegroundColor Gray Write-Host " - Real-time URL scanning: Enable" -ForegroundColor Gray Write-Host " - Block malicious URLs: Enable" -ForegroundColor Gray Write-Host "`n 3. Anti-Phishing Policy" -ForegroundColor Yellow Write-Host " - Impersonation detection" -ForegroundColor Gray Write-Host " - Mailbox Intelligence: Enable" -ForegroundColor Gray Write-Host " - Spoof Intelligence: Enable" -ForegroundColor Gray Write-Host " - Action: Quarantine (aanbevolen)" -ForegroundColor Gray Write-Host "`n 4. Anti-Malware Policy" -ForegroundColor Yellow Write-Host " - Signature-based malware scanning" -ForegroundColor Gray Write-Host " - Action: Quarantine message" -ForegroundColor Gray Write-Host " - Common attachment types filter: Enable" -ForegroundColor Gray Write-Host "`n 5. Anti-Spam Policy" -ForegroundColor Yellow Write-Host " - Spam en bulk email filtering" -ForegroundColor Gray Write-Host " - Spam Action: Quarantine (aanbevolen)" -ForegroundColor Gray Write-Host " - High Confidence Spam: Quarantine" -ForegroundColor Gray Write-Host "`n Example PowerShell configuration:" -ForegroundColor Cyan Write-Host " # Safe Attachments Policy" -ForegroundColor Gray Write-Host " New-SafeAttachmentPolicy -Name 'ATP Safe Attachments - Company Wide' `" -ForegroundColor Gray Write-Host " -Action Block `" -ForegroundColor Gray Write-Host " -Redirect $true `" -ForegroundColor Gray Write-Host " -RedirectAddress 'security-team@company.com' `" -ForegroundColor Gray Write-Host " -ActionOnError Block `" -ForegroundColor Gray Write-Host " -Enable $true" -ForegroundColor Gray Write-Host "`n # Safe Links Policy" -ForegroundColor Gray Write-Host " New-SafeLinksPolicy -Name 'ATP Safe Links - Company Wide' `" -ForegroundColor Gray Write-Host " -EnableSafeLinksForEmail $true `" -ForegroundColor Gray Write-Host " -EnableSafeLinksForOffice $true `" -ForegroundColor Gray Write-Host " -EnableSafeLinksForTeams $true `" -ForegroundColor Gray Write-Host " -AllowClickThrough $false `" -ForegroundColor Gray Write-Host " -ScanUrls $true `" -ForegroundColor Gray Write-Host " -Enable $true" -ForegroundColor Gray Write-Host "`n # Anti-Phishing Policy" -ForegroundColor Gray Write-Host " New-AntiPhishPolicy -Name 'ATP Anti-Phishing - Company Wide' `" -ForegroundColor Gray Write-Host " -EnableMailboxIntelligence $true `" -ForegroundColor Gray Write-Host " -EnableSpoofIntelligence $true `" -ForegroundColor Gray Write-Host " -PhishThresholdLevel 2 `" -ForegroundColor Gray Write-Host " -Enable $true" -ForegroundColor Gray Write-Host "`n # Anti-Malware Policy" -ForegroundColor Gray Write-Host " New-MalwareFilterPolicy -Name 'ATP Anti-Malware - Company Wide' `" -ForegroundColor Gray Write-Host " -Action DeleteMessage `" -ForegroundColor Gray Write-Host " -Enable $true" -ForegroundColor Gray Write-Host "`n # Anti-Spam Policy" -ForegroundColor Gray Write-Host " New-HostedContentFilterPolicy -Name 'ATP Anti-Spam - Company Wide' `" -ForegroundColor Gray Write-Host " -SpamAction Quarantine `" -ForegroundColor Gray Write-Host " -HighConfidenceSpamAction Quarantine `" -ForegroundColor Gray Write-Host " -BulkThreshold 6 `" -ForegroundColor Gray Write-Host " -Enable $true" -ForegroundColor Gray Write-Host "`n IMPORTANT:" -ForegroundColor Yellow Write-Host " - Configure all ATP policies for comprehensive protection" -ForegroundColor Red Write-Host " - Assign policies to all users or appropriate groups" -ForegroundColor Red Write-Host " - Test policies after configuration to avoid false positives" -ForegroundColor Red Write-Host " - Review policy effectiveness quarterly" -ForegroundColor Red Write-Host " - Consider Priority Account Protection for executives" -ForegroundColor Red Write-Host "`n Manual configuration recommended via Security portal for better governance" -ForegroundColor Yellow exit 0 } catch { Write-Host "`nERROR: $_" -ForegroundColor Red Write-Host " Manual configuration: Security Admin Center > Threat policies" -ForegroundColor Yellow exit 2 } } function Invoke-Revert { try { Write-Host "Revert:" -ForegroundColor Yellow Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop Write-Host " WARNING: Reverting ATP policies will remove all Advanced Threat Protection!" -ForegroundColor Red Write-Host " This action should only be performed for testing or troubleshooting." -ForegroundColor Red if (-not $WhatIf) { $confirm = Read-Host "`n Are you sure you want to remove all ATP policies? (yes/no)" if ($confirm -ne "yes") { Write-Host " Revert cancelled" -ForegroundColor Yellow exit 0 } } Write-Host "`n Searching for ATP policies..." -ForegroundColor Gray # Remove Safe Attachments Policies $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue foreach ($policy in $safeAttachmentPolicies) { if ($WhatIf) { Write-Host " [WhatIf] Would remove Safe Attachments Policy: $($policy.Name)" -ForegroundColor Yellow } else { Write-Host " Removing Safe Attachments Policy: $($policy.Name)" -ForegroundColor Gray Remove-SafeAttachmentPolicy -Identity $policy.Identity -Confirm:$false -ErrorAction SilentlyContinue } } # Remove Safe Links Policies $safeLinksPolicies = Get-SafeLinksPolicy -ErrorAction SilentlyContinue foreach ($policy in $safeLinksPolicies) { if ($WhatIf) { Write-Host " [WhatIf] Would remove Safe Links Policy: $($policy.Name)" -ForegroundColor Yellow } else { Write-Host " Removing Safe Links Policy: $($policy.Name)" -ForegroundColor Gray Remove-SafeLinksPolicy -Identity $policy.Identity -Confirm:$false -ErrorAction SilentlyContinue } } # Remove Anti-Phishing Policies $antiPhishPolicies = Get-AntiPhishPolicy -ErrorAction SilentlyContinue foreach ($policy in $antiPhishPolicies) { if ($WhatIf) { Write-Host " [WhatIf] Would remove Anti-Phishing Policy: $($policy.Name)" -ForegroundColor Yellow } else { Write-Host " Removing Anti-Phishing Policy: $($policy.Name)" -ForegroundColor Gray Remove-AntiPhishPolicy -Identity $policy.Identity -Confirm:$false -ErrorAction SilentlyContinue } } # Remove Anti-Malware Policies (be careful - default policy cannot be removed) $malwarePolicies = Get-MalwareFilterPolicy -ErrorAction SilentlyContinue | Where-Object { $_.IsDefault -eq $false } foreach ($policy in $malwarePolicies) { if ($WhatIf) { Write-Host " [WhatIf] Would remove Anti-Malware Policy: $($policy.Name)" -ForegroundColor Yellow } else { Write-Host " Removing Anti-Malware Policy: $($policy.Name)" -ForegroundColor Gray Remove-MalwareFilterPolicy -Identity $policy.Identity -Confirm:$false -ErrorAction SilentlyContinue } } # Remove Anti-Spam Policies (be careful - default policy cannot be removed) $spamPolicies = Get-HostedContentFilterPolicy -ErrorAction SilentlyContinue | Where-Object { $_.IsDefault -eq $false } foreach ($policy in $spamPolicies) { if ($WhatIf) { Write-Host " [WhatIf] Would remove Anti-Spam Policy: $($policy.Name)" -ForegroundColor Yellow } else { Write-Host " Removing Anti-Spam Policy: $($policy.Name)" -ForegroundColor Gray Remove-HostedContentFilterPolicy -Identity $policy.Identity -Confirm:$false -ErrorAction SilentlyContinue } } Write-Host "`n Revert completed" -ForegroundColor Green Write-Host " Note: Default policies may still be active" -ForegroundColor Yellow exit 0 } catch { Write-Host "ERROR: $_" -ForegroundColor Red exit 2 } } try { if ($Revert) { Invoke-Revert } elseif ($Monitoring) { Invoke-Monitoring } elseif ($Remediation) { Invoke-Remediation } else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow Write-Host "`n -Monitoring : Check current ATP policies configuration" -ForegroundColor Gray Write-Host " -Remediation : Show ATP policies configuration instructions" -ForegroundColor Gray Write-Host " -Revert : Remove ATP policies (use -WhatIf for dry-run)" -ForegroundColor Gray } } catch { throw } finally { Write-Host "`n========================================`n" -ForegroundColor Cyan }

Risico zonder implementatie

Risico zonder implementatie
High: Zonder Geavanceerde Bedreigingsbescherming Beleidsregels zijn organisaties kwetsbaar voor zero-day malware, geavanceerde phishing-aanvallen, ransomware, credential harvesting en business email compromise. Een enkele security layer is onvoldoende omdat moderne aanvallen multi-vector zijn en meerdere technieken combineren. Zonder gelaagde verdedigingsstrategie kunnen aanvallers eenvoudigweg een andere attack vector gebruiken wanneer één layer faalt, wat leidt tot successful breaches met catastrofale gevolgen.

Management Samenvatting

Configureer comprehensive Advanced Threat Protection policies met Safe Attachments (sandbox detonation), Safe Links (URL scanning), Anti-Phishing (impersonation detection), Anti-Malware (signature scanning), Anti-Spam (bulk filtering) en Threat Intelligence integratie. Implementeer defense-in-depth strategie waarbij meerdere security layers simultaan werken. Voldoet aan CIS 2.1-2.5 (L1), BIO 13.02, ISO 27001 A.8.16/A.13.2.1, NIS2. Implementatie: 8 uur technisch + 12 uur voor governance, testing en documentatie. CRITICAL voor moderne threat protection.