Updates from: 01/15/2021 04:14:10
Category Microsoft Docs article Related commit history on GitHub Change details
admin https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
@@ -83,9 +83,9 @@ If you're working with a Microsoft partner, you can assign them admin roles. The
A partner can assign these roles: -- **Full administration** Privileges equivalent to a global admin, with the exception of managing multi-factor authentication through the Partner Center.
+- **Admin Agent** Privileges equivalent to a global admin, with the exception of managing multi-factor authentication through the Partner Center.
-- **Limited administration** Privileges equivalent to a helpdesk admin.
+- **Helpdesk Agent** Privileges equivalent to a helpdesk admin.
Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. This process is initiated by an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see [Authorize or remove partner relationships](https://docs.microsoft.com/microsoft-365/admin/misc/add-partner).
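Review bot: The two renamed bullets ("Admin Agent", "Helpdesk Agent") drop the old names without a trace, so a customer who was told a partner holds "Full administration" cannot map that to the new list. Consider keeping the former name in parentheses on each bullet, for example "**Admin Agent** (formerly Full administration)". This matters most for the first bullet, which grants privileges equivalent to a global admin.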
business https://docs.microsoft.com/en-us/microsoft-365/business/threats-detected-defender-av https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/threats-detected-defender-av.md
@@ -59,9 +59,12 @@ When threats are detected by Microsoft Defender Antivirus, the following things
- Users receive [notifications in Windows](https://support.microsoft.com/windows/8942c744-6198-fe56-4639-34320cf9444e). - Detections are listed in the [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) on the **Protection history** page. -- If you've [secured your Windows 10 devices](secure-win-10-pcs.md) and [enrolled them in Intune](/mem/intune/enrollment/windows-enrollment-methods), you'll see threat detections and insights in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> on the **Active threats** page, which you can access from the **Microsoft Defender Antivirus** card on the **Home** page (or from the navigation pane by selecting **Health** > **Threats & antivirus**).
+- If you've [secured your Windows 10 devices](secure-win-10-pcs.md) and [enrolled them in Intune](/mem/intune/enrollment/windows-enrollment-methods), and your organization has 800 or fewer devices enrolled, you'll see threat detections and insights in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> on the **Threats and antivirus** page, which you can access from the **Microsoft Defender Antivirus** card on the **Home** page (or from the navigation pane by selecting **Health** > **Threats & antivirus**).
+
+ If your organization has more than 800 devices enrolled in Intune, you'll be prompted to view threat detections and insights from [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) instead of from the **Threats and antivirus** page.
+
> [!NOTE]
- > The **Microsoft Defender Antivirus** card and **Active threats** page are being rolled out in phases, so you may not have immediate access to them.
+ > The **Microsoft Defender Antivirus** card and **Threats and antivirus** page are being rolled out in phases, so you may not have immediate access to them.
In most cases, users don't need to take any further action. As soon as a malicious file or program is detected on a device, Microsoft Defender Antivirus blocks it and prevents it from running. Plus, newly detected threats are added to the antivirus and antimalware engine so that other devices and users are protected, as well.
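Review bot: The rewritten bullet now names the page **Threats and antivirus**, but the navigation path in the same sentence still reads **Health** > **Threats & antivirus**. Use one spelling so the text matches the label admins see. The added paragraph for organizations with more than 800 devices also sits between the bullet and the [!NOTE] with different indentation from both; check that it renders as a continuation of the bullet rather than as a separate block.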
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-retention-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
@@ -34,7 +34,7 @@ You can create and manage audit log retention policies in the Security & Complia
Advanced Audit in Microsoft 365 provides a default audit log retention policy for all organizations. This policy retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This default policy retains audit records that contain the value of **AzureActiveDirectory**, **Exchange**, or **SharePoint** for the **Workload** property (which is the service in which the activity occurred). The default policy can't be modified. See the [More information](#more-information) section in this article for a list of record types for each workload that are included in the default policy. > [!NOTE]
-> The default audit log retention policy only applies to audit records for activity performed by users who are assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. If you have non-E5 users in your organization, their corresponding audit records are retained for 90 days.
+> The default audit log retention policy only applies to audit records for activity performed by users who are assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. If you have non-E5 users or guest users in your organization, their corresponding audit records are retained for 90 days.
## Before you create an audit log retention policy
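Review bot: The added "or guest users" in the last sentence of the note is ambiguous next to the first sentence, which defines coverage purely by license. State whether guest activity is always retained for 90 days or only when the guest has no E5 license, because investigators will rely on this sentence to decide how far back guest audit records can exist.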
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-setup.md
@@ -44,28 +44,26 @@ Compliance Manager uses a role-based access control (RBAC) permission model. Onl
### Where to set permissions
-The person holding the global admin role for your organization can set user permissions in the Microsoft 365 compliance center, as well as in Azure Active Directory (Azure AD).
+The person holding the global admin role for your organization can set user permissions for COmpliance Manager. Permissions can be set in the Office 365 Security & Compliance center as well as in Azure Active Directory (Azure AD).
> [!NOTE] > Customers in US Government Community (GCC) High environments can only set user permissions and roles for Compliance Manager in Azure AD. See below for Azure AD instructions and role type definitions.
-To set permissions and assign roles from within the Microsoft 365 compliance center, follow the steps below:
+To set permissions and assign roles in the Office 365 Security & Compliance center, follow the steps below:
-1. Select **Permissions** on the left navigation from anywhere in the [Microsoft 365 compliance center](https://compliance.microsoft.com/).
+1. Go to the [Office 365 Security & Compliance Center](https://protection.office.com/) and select **Permissions** on the left navigation.
-2. Near the top, select the link at **ΓÇ£To view and manage roles in Office 365, please go here.ΓÇ¥** A new tab will open to the Office 365 Security & Compliance Center ([learn why youΓÇÖre redirected](microsoft-365-compliance-center.md#frequently-asked-questions)).
+2. Find the role group to which you want to add one or more users, and check the box to the left of the group name. (See the [list of roles and related functions below](#role-types). The role group names mimic the role name.)
-3. Find the role group to which you want to add one or more users, and check the box to the left of the group name. (See the [list of roles and related functions below](#role-types). The role group names mimic the role name.)
+3. On the flyout pane for that group, select **Edit** under the **Members** header.
-4. On the flyout pane for that group, select **Edit** under the **Members** header.
+4. Select **Choose members**. Another flyout window will appear.
-5. Select **Choose members**. Another flyout window will appear.
+5. Select **+ Add** to choose one or more users to add to the group.
-6. Select **+ Add** to choose one or more users to add to the group.
+6. Select the checkbox next to the names you want to add, then select the **Add** button at the bottom.
-7. Select the checkbox next to the names you want to add, then select the **Add** button at the bottom.
-
-8. When youΓÇÖre done assigning users, select **Done**, then select **Save**, then **Close**.
+7. When youΓÇÖre done assigning users, select **Done**, then select **Save**, then **Close**.
##### More about the Office 365 Security & Compliance Center
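Review bot: The added sentence under "Where to set permissions" contains the typo "COmpliance Manager"; it should read "Compliance Manager". The same hunk also writes "Office 365 Security & Compliance center" in the first two added lines and "Office 365 Security & Compliance Center" in step 1 and in the heading that follows, so settle on one capitalization.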
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-unlimited-archiving https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-unlimited-archiving.md
@@ -35,6 +35,8 @@ You can use the Exchange Online auto-expanding archiving feature to enable unlim
- Auto-expanding archiving also supports shared mailboxes. To enable the archive for a shared mailbox, an Exchange Online Plan 2 license or an Exchange Online Plan 1 license with an Exchange Online Archiving license is required.
+- Auto-expanding archiving prevents you from recovering or restoring an [inactive mailbox](inactive-mailboxes-in-office-365.md#what-are-inactive-mailboxes). That means if you enable auto-expanding archiving for a mailbox and the mailbox is made inactive at a later date, you won't be able to [recover the inactive mailbox](recover-an-inactive-mailbox.md) (by converting it to an active mailbox) or [restore it](restore-an-inactive-mailbox.md) (by merging the contents to an existing mailbox). If auto-expanding archiving is enabled on an inactive mailbox, the only way to recover data is by using the Content search tool in the Microsoft 365 compliance center to export the data from the mailbox and import to another mailbox. For more information, see the "Inactive mailboxes and auto-expanding archives" section in [Overview of inactive mailboxes](inactive-mailboxes-in-office-365.md#inactive-mailboxes-and-auto-expanding-archives).
+ - You can't use the Exchange admin center or the Security & Compliance Center to enable auto-expanding archiving. You have to use Exchange Online PowerShell. To connect to your Exchange Online organization using remote PowerShell, see [Connect to Exchange Online PowerShell](https://go.microsoft.com/fwlink/p/?linkid=396554). ## Enable auto-expanding archiving for your entire organization
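Review bot: The new inactive-mailbox bullet describes a permanent loss of the recover and restore paths, yet it is formatted as an ordinary bullet among the licensing prerequisites. Since a later bullet in this article says auto-expanding archiving can't be turned off once enabled, this limitation deserves an [!IMPORTANT] callout, or at least a cross-reference from that bullet. Minor wording: "export the data from the mailbox and import to another mailbox" is missing an object; "import it into another mailbox" reads better.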
@@ -88,8 +90,16 @@ To verify that auto-expanding archiving is enabled for a specific user, run the
Get-Mailbox <user mailbox> | FL AutoExpandingArchiveEnabled ```
-A value of `True` indicates that auto-expanding archiving is enabled for the user.
+A value of `True` indicates that auto-expanding archiving is enabled for the user.
+
+To determine if auto-expanding archiving is enabled for inactive mailboxes, run the following command in Exchange Online PowerShell.
+```powershell
+Get-Mailbox -InactiveMailboxOnly | FL UserPrincipalName,AutoExpandingArchiveEnabled
+```
+
+A value of `True` indicates that auto-expanding archiving is enabled for the inactive mailbox. A value of `False` indicates that auto-expanding archiving isn't enabled.
+ Keep the following things in mind after you enable auto-expanding archiving: - If you run the **Set-OrganizationConfig -AutoExpandingArchive** command to enable auto-expanding archiving for your organization, you don't have to run the **Enable-Mailbox -AutoExpandingArchive** on individual mailboxes. Running the **Set-OrganizationConfig** cmdlet to enable auto-expanding archiving for your organization doesn't change the *AutoExpandingArchiveEnabled* property on user mailboxes to `True`.
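Review bot: The added `Get-Mailbox -InactiveMailboxOnly | FL UserPrincipalName,AutoExpandingArchiveEnabled` command has no `-ResultSize`, so in an organization with many inactive mailboxes the output can stop at the cmdlet's default limit and an affected mailbox could be missed. Consider adding `-ResultSize Unlimited`. Also, the added sentence "To determine if auto-expanding archiving is enabled for inactive mailboxes..." runs straight into the opening code fence; add a blank line between them, as there is after the closing fence.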
@@ -108,7 +118,7 @@ Keep the following things in mind after you enable auto-expanding archiving:
- After you turn on auto-expanding archiving for your organization or for a specific user, an archive mailbox is converted to an auto-expanding archive when the archive mailbox (including the Recoverable Items folder) reaches 90 GB. It can take up to 30 days for the additional storage space to be provisioned. -- After you turn on auto-expanding archiving, it can't be turned off.
+- After you turn on auto-expanding archiving, it can't be turned off. Additionally, administrators can't adjust the storage quota for auto-expanding archiving.
- Auto-expanding archiving is supported for cloud-based archive mailboxes in an Exchange hybrid deployment for users who have an on-premises primary mailbox. However, after auto-expanding archiving is enabled for a cloud-based archive mailbox, you can't off-board that archive mailbox back to the on-premises Exchange organization. Auto-expanding archiving isn't supported for on-premises mailboxes in any version of Exchange Server.
@@ -116,7 +126,5 @@ Keep the following things in mind after you enable auto-expanding archiving:
- As previously explained, 10 GB is added to the storage quota of the user's primary archive mailbox (and to the Recoverable Items folder if the mailbox is on hold) when you run the **Enable-Mailbox -AutoExpandingArchive** command. This provides additional storage until the auto-expanded storage space is provisioned (which can take up to 30 days). This additional storage space isn't added when you run the **Set-OrganizationConfig -AutoExpandingArchive** to enable auto-expanding archiving for all mailboxes in your organization. If you enabled auto-expanding archiving for the entire organization, but need to add the additional 10 GB of storage space for a specific user, you can run the **Enable-Mailbox -AutoExpandingArchive** command on that mailbox. You will receive an error saying that auto-expanding archiving has already been enabled, but the additional storage space will be added to the mailbox. -- Administrators can't adjust the storage quota.- > [!IMPORTANT] > Auto-expanding archiving is only supported for mailboxes used for individual users or shared mailboxes with a growth rate that doesn't exceed 1 GB per day. Using journaling, transport rules, or auto-forwarding rules to copy messages to an archive mailbox for the purposes of archiving is not permitted. A user's archive mailbox is intended for just that user. Microsoft reserves the right to deny unlimited archiving in instances where a user's archive mailbox is used to store archive data for other users or in other cases of inappropriate use.
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-getting-started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
@@ -79,7 +79,11 @@ Make sure that the Windows 10 devices that you plan on deploying Endpoint DLP to
1. Must be running Windows 10 x64 build 1809 or later.
-2. Antimalware Client Version is 4.18.2009.7 or newer. Check your current version by opening Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623. Note: None of Windows Security components need to be active, you can run Endpoint DLP independent of Windows Security status.
+2. Antimalware Client Version is 4.18.2009.7 or newer. Check your current version by opening Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623.
+
+> [!NOTE]
+> None of Windows Security components need to be active, you can run Endpoint DLP independent of Windows Security status, but the [Real-time protection and Behavior monitor](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)) must be enabled.
+
3. The following Windows Updates are installed. Note: These updates are not a pre-requisite to onboard a device to Endpoint DLP, but contain fixes for important issues thus must be installed before using the product.
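Review bot: The added [!NOTE] has a stray second closing parenthesis after the Real-time protection link ("...microsoft-defender-antivirus))"), which will render as a literal ")" after the link. The sentence also contradicts itself as written: it opens with "None of Windows Security components need to be active" and ends with two components that "must be enabled". Lead with the requirement instead, for example "Real-time protection and Behavior monitor must be enabled; no other Windows Security component needs to be active." Finally, the note is inserted unindented between items 2 and 3, which may restart the list numbering; indent it under item 2.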
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/mailitemsaccessed-forensics-investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/mailitemsaccessed-forensics-investigations.md
@@ -182,3 +182,9 @@ If any of the properties listed in the table in the [previous section](#filterin
For example, in audit records shown in the following screenshot, though we are accessing mail from EWSEditor and OWA simultaneously, the access activity is collated in different audit records depending on the context in which the access took place. In this case, the context is defined by different values for the ClientInfoString property. ![Different audit records based on context](../media/MailItemsAccessed4.png)+
+Here is the syntax for the command shown in the previous screenshot:
+
+```powershell
+Search-MailboxAuditLog -Identity admin -ShowDetails -Operations MailItemsAccessed -ResultSize 2000 | Select LastAccessed,Operation,AuditOperationsCountInAggregatedRecord,ClientInfoString
+```
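Review bot: The added command hard-codes `-Identity admin` and `-ResultSize 2000` without saying that they are sample values from the screenshot. Replace the identity with a placeholder such as `<user mailbox>`, as the other articles in this update do, and state that the result size is an example. The lead-in "Here is the syntax for the command" would also be more accurate as "Here is the command", since what follows is a concrete invocation rather than a syntax description.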
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
@@ -74,7 +74,7 @@ Enabling sensitivity labels for containers means that you can now configure prot
When only this scope is selected for the label, the label won't be displayed in Office apps that support sensitivity labels and can't be applied to files and emails. Having this separation of labels can be helpful for both users and administrators, but can also add to the complexity of your label deployment.
- For example, you need to carefully review your [label ordering](sensitivity-labels.md#label-priority-order-matters) because SharePoint detects when a labeled document is uploaded to a labeled site. In this scenario, an audit event and email is automatically generated when the document has a higher priority sensitivity label than the site's label. For more information, see the [Auditing sensitivity label activities](#auditing-sensitivity-label-activities) section on this page.
+ For example, you need to carefully review your [label ordering](sensitivity-labels.md#label-priority-order-matters) because SharePoint detects when a labeled document is uploaded to a labeled site. In this scenario, an audit event and email are automatically generated when the document has a higher priority sensitivity label than the site's label. For more information, see the [Auditing sensitivity label activities](#auditing-sensitivity-label-activities) section on this page.
2. Then, on the **Define protection settings for groups and sites** page, select one or both of the available options:
@@ -272,9 +272,10 @@ The following apps and services support sensitivity labels configured for sites
- SharePoint - Teams
- - Outlook on the web and for Windows, MacOS, iOS, and Android
+ - Outlook on the web and for Windows, macOS, iOS, and Android
- Forms - Stream
+ - Planner (rolling out)
The following apps and services don't currently support sensitivity labels configured for sites and group settings:
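Review bot: "Planner (rolling out)" in the supported list, combined with removing Planner from the unsupported list further down, leaves tenants that have not yet received the rollout with no statement that labels are not applied there yet. Add a short note saying that support depends on the rollout reaching the tenant, so admins do not assume container labels are already protecting Planner.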
@@ -288,7 +289,6 @@ The following apps and services don't currently support sensitivity labels confi
- Dynamics 365 - Yammer
- - Planner
- Project - Power BI
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/conditional-access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/conditional-access.md
@@ -27,9 +27,9 @@ After youΓÇÖve completed enrollment in Microsoft Managed Desktop, some managemen
- Autopilot deployment profile: if you use any Autopilot policies, update each one to exclude the **Modern Workplace Devices -All** Azure AD group. To update them, in the **Excluded groups** section under **Assignments**, select the **Modern Workplace Devices -All** Azure AD group that was created during Microsoft Managed Desktop enrollment. Microsoft Managed Desktop will also have created an Autopilot profile, which will have "Modern Workplace" in the name (the **Modern Workplace Autopilot Profile**). When you update your own Autopilot profiles, make sure that you *do not* exclude the **Modern Workplace Devices -All** Azure AD group from the **Modern Workplace Autopilot Profile** that was created by Microsoft Managed Desktop. -- Conditional Access policies: for conditional access policies you've created, exclude the **Modern Workplace Service Accounts** Azure AD group. For steps, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Microsoft Managed Desktop will also have created some conditional access policies, all of which will have "Modern Workplace" in the name (for example, **Modern Workplace Secure Workstation**). When you update your own conditional access policies, make sure you *do not* exclude the **Modern Workplace Devices -All** Azure AD group from any policies created by Microsoft Managed Desktop.
+- Conditional Access policies: If you create any new conditional access policies related to Azure AD, Microsoft Intune, or Microsoft Defender for Endpoint after Microsoft Managed Desktop enrollment, exclude the **Modern Workplace Service Accounts** Azure AD group from them. For steps, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Microsoft Managed Desktop maintains separate conditional access policies to restrict access to these accounts. To review the Microsoft Managed Desktop conditional access policy (**Modern Workplace ΓÇô Secure Workstation**), go to Microsoft Endpoint Manager and navigate to **Conditional Access** in **Endpoint Security**. Don't modify any Azure AD conditional access policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name.
-- Multifactor authentication: make sure any of your conditional access policies that require multifactor authentication exclude the **Modern Workplace Service Accounts** Azure AD group. For more information, see [Conditional access policies](../get-ready/readiness-assessment-fix.md#conditional-access-policies) and [Conditional Access: Require MFA for all users](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa).
+- Multifactor authentication: If you create any new multifactor authentication requirements in conditional access policies related to Azure AD, Intune, or Microsoft Defender for Endpoint after Microsoft Managed Desktop enrollment, exclude the **Modern Workplace Service Accounts** Azure AD group from them. For steps, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Microsoft Managed Desktop maintains separate conditional access policies to restrict access to members of this group. To review the Microsoft Managed Desktop conditional access policy (**Modern Workplace -**), go to Microsoft Endpoint Manager and navigate to **Conditional Access** in **Endpoint Security**.
- Windows 10 update ring: for any Windows 10 update ring policies you've created, exclude the **Modern Workplace Devices -All** Azure AD group from each policy. For steps, see [Create and assign update rings](https://docs.microsoft.com/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings). Microsoft Managed Desktop will also have created some update ring policies, all of which will have "Modern Workplace" in the name (for example **Modern Workplace Update Policy [Broad]**, **Modern Workplace Update Policy [Fast]**, **Modern Workplace Update Policy [First]**, and **Modern Workplace Update Policy [Test]**). When you update your own policies, make sure that you *do not* exclude the **Modern Workplace Devices -All** Azure AD group from those that Microsoft Managed Desktop created.
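Review bot: The rewritten Multifactor authentication bullet ends with an incomplete policy name, "(**Modern Workplace -**)"; supply the full name, as the Conditional Access bullet does. The rewrite also narrows the scope of both bullets from policies "you've created" to policies created "after Microsoft Managed Desktop enrollment", so it no longer says what to do about pre-existing policies that would apply to the **Modern Workplace Service Accounts** group. Because these bullets ask admins to exclude service accounts from conditional access and MFA, the "Don't modify any Azure AD conditional access policies created by Microsoft Managed Desktop" sentence should appear in the MFA bullet as well, not only in the first one.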
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md new file mode 100644
@@ -0,0 +1,107 @@
+---
+title: "Get started using Attack simulation training"
+f1.keywords:
+- NOCSH
+ms.author: chrisda
+author: chrisda
+manager: dansimp
+audience: ITPro
+ms.topic: how-to
+ms.service: O365-seccomp
+localization_priority: Normal
+search.appverid:
+- MET150
+- MOE150
+ms.assetid: da5845db-c578-4a41-b2cb-5a09689a551b
+ms.collection:
+- M365-security-compliance
+- m365initiative-m365-defender
+ms.custom:
+- seo-marvel-apr2020
+description: "Admins can learn how to use Attack simulation training to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations."
+---
+
+# Get started using Attack simulation training
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+
+[!INCLUDE [Prerelease information](../includes/prerelease.md)]
+
+If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes [Threat Investigation and Response capabilities](office-365-ti.md), you can use Attack simulation training in the Microsoft Security Center to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
+
+> [!NOTE]
+> Attack simulation training replaces the old Attack Simulator v1 experience that's described in [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md).
+
+## What do you need to know before you begin?
+
+- To open the Microsoft Security Center, go to <https://security.microsoft.com/>. Attack simulation training is available at **Email and collaboration** \> **Attack simulation training**. To go directly to Attack simulation training, open <https://security.microsoft.com/attacksimulator>.
+
+- For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see [Microsoft Defender for Office 365 service description](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
+
+- You need to be assigned permissions in the Security & Compliance Center or in Azure Active Directory before you can do the procedures in this article. Specifically, you need to be a member of **Organization Management**, **Security Administrator**, or one of the following roles:
+ - **Attack Simulator Administrators**: Create and managed all aspects of attack simulation campaigns.
+ - **Attack Simulator Payload Authors**: Create attack payloads that an admin can initiate later.
+
+ For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) or [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles).
+
+- There are no corresponding PowerShell cmdlets for Attack simulation training.
+
+- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation is currently not available in the following regions: SGP, NOR, UAE, ZAF, GER, BRA, and CHE.
+
+## Simulations
+
+*Phishing* is a generic term for email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders. *Phishing* is a part of a subset of techniques we classify as _social engineering_.
+
+In Attack simulation training, multiple types of social engineering techniques are available:
+
+- **Credential harvest**: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
+
+- **Malware attachment**: An attacker sends the recipient a message that contains an attachment. When the recipient opens the attachment, arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves.
+
+- **Link in attachment**: This is a hybrid of a credential harvest. An attacker sends the recipient a message that contains a URL inside of an attachment. When the recipient opens the attachment and clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
+
+- **Link to malware**: An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient clicks on the URL, the attachment opens and arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves.
+
+- **Drive-by-url**: An attacker sends the recipient a messages that contains a URL. When the recipient clicks on the URL, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a _watering hole attack_.
+
+> [!NOTE]
+> Check the availability of the simulated phishing URL in your supported web browsers before you use the URL in a phishing campaign. While we work with many URL reputation vendors to always allow these simulation URLs, we don't always have full coverage (for example, Google Safe Browsing). Most vendors provide guidance that allows you to always allow specific URLs (for example, <https://support.google.com/chrome/a/answer/7532419>).
+
+The URLs that are used by Attack simulation training are described in the following list:
+
+- <https://www.mcsharepoint.com>
+- <https://www.attemplate.com>
+- <https://www.doctricant.com>
+- <https://www.mesharepoint.com>
+- <https://www.officence.com>
+- <https://www.officenced.com>
+- <https://www.officences.com>
+- <https://www.officentry.com>
+- <https://www.officested.com>
+- <https://www.prizegives.com>
+- <https://www.prizemons.com>
+- <https://www.prizewel.com>
+- <https://www.prizewings.com>
+- <https://www.shareholds.com>
+- <https://www.sharepointen.com>
+- <https://www.sharepointin.com>
+- <https://www.sharepointle.com>
+- <https://www.sharesbyte.com>
+- <https://www.sharession.com>
+- <https://www.sharestion.com>
+- <https://www.templateau.com>
+- <https://www.templatent.com>
+- <https://www.templatern.com>
+- <https://www.windocyte.com>
+
+### Create a simulation
+
+For step by step instructions on how to create and send a new simulation, see [Simulate a phishing attack](attack-simulation-training.md).
+
+### Create a payload
+
+For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for Attack simulation training](attack-simulation-training-payloads.md).
+
+### Gaining insights
+
+For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](attack-simulation-training-insights.md).
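Review bot: In the **Drive-by-url** bullet, "sends the recipient a messages" should read "a message", and the closing sentence calls the technique a watering hole attack even though the bullet itself describes a link delivered in a message; consider dropping or qualifying that sentence. The lead-in "are described in the following list" introduces a list that only names the URLs, so "are listed below" is more accurate. In the three new subsections, hyphenate "step-by-step" and make the headings parallel ("Gain insights" to match "Create a simulation" and "Create a payload").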
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
@@ -48,4 +48,8 @@ The recommended actions section details recommendations as available in [Microso
## Related Links
-**Attack Simulator** [Create a phishing attack simulation](attack-simulation-training.md) and [create a payload for training your people](attack-simulation-training-payloads.md)
+[Get started using Attack simulation training](attack-simulation-training-get-started.md)
+
+[Create a phishing attack simulation](attack-simulation-training.md)
+
+[create a payload for training your people](attack-simulation-training-payloads.md)
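Review bot: The third added link, "[create a payload for training your people]", starts in lowercase while the two links above it are capitalized; capitalize it. The unchanged heading "## Related Links" also differs in case from the "## Related links" heading added to the payloads article in this same batch, so pick one form for both.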
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
@@ -59,3 +59,11 @@ You're done building your payload. Now it's time to review the details and see a
> [!IMPORTANT] > Payloads that you've created will have **Tenant** as their source. When selecting payloads, make sure that you don't filter out **Tenant**.+
+## Related links
+
+[Get started using Attack simulation training](attack-simulation-training-get-started.md)
+
+[Create a phishing attack simulation](attack-simulation-training.md)
+
+[Gain insights through Attack simulation training](attack-simulation-training-insights.md)
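Review bot: The added "## Related links" heading uses sentence case, while the equivalent section in the insights article in this batch is "## Related Links"; align the two. Also confirm that a blank line separates the preceding [!IMPORTANT] block from the new heading, since in this view the first added line sits directly against the end of the note text.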
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
@@ -19,6 +19,8 @@ Attack simulation training in Microsoft Defender for Office 365 lets you run ben
[!INCLUDE [Prerelease information](../includes/prerelease.md)]
+For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+ To launch a simulated phishing attack, open the [Microsoft 365 security center](https://security.microsoft.com/), go to **Email & collaboration** \> **Attack simulation training**, and switch to the [**Simulations**](https://security.microsoft.com/attacksimulator?viewid=simulations) tab. Under **Simulations**, select **+ Launch a simulation**.
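Review bot: The added sentence opens with "For getting started information about Attack simulation training", which is awkward and repeats the link text that follows it. Something like "To get started with Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md)." reads more cleanly.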
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulator.md
@@ -27,11 +27,8 @@ description: "Admins can learn how to use Attack Simulator to run simulated phis
If your organization has Microsoft Defender for Office 365 Plan 2, which includes [Threat Investigation and Response capabilities](office-365-ti.md), you can use Attack Simulator in the Security & Compliance Center to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
-> [!NOTE]
-> Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations).
- > [!TIP]
-> Attack simulation training is available for public preview in the Microsoft 365 security center. Check out [Simulate a phishing attack with Microsoft Defender for Office 365](attack-simulation-training.md) to learn more.
+> Attack simulation training is available for Public Preview in the Microsoft 365 security center. Check out [Simulate a phishing attack with Microsoft Defender for Office 365](attack-simulation-training.md) to learn more.
## What do you need to know before you begin?
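Review bot: The [!TIP] line changes "public preview" to "Public Preview", but the office-365-evaluation change in this same batch writes "is in public preview" in lowercase; use one form across the articles. The removed [!NOTE] about data storage reappears as a bullet in the next hunk, so no information is lost, but the commit message should say that it was moved rather than deleted.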
@@ -45,6 +42,8 @@ If your organization has Microsoft Defender for Office 365 Plan 2, which include
- Phishing campaigns will collect and process events for 30 days. Historical campaign data will be available for up to 90 days after you launch the campaign.
+- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations).
+ - There are no corresponding PowerShell cmdlets for Attack Simulator. ## Spear phishing campaigns
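Review bot: In the added bullet, "Attack simulation and training related data" needs a hyphen ("training-related data") and "For more information see" needs a comma after "information". The bullet is carried over verbatim from the removed note, so this is a good moment to fix both.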
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-evaluation.md
@@ -24,7 +24,7 @@ ms.custom: seo-marvel-apr2020
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)] > [!IMPORTANT]
-> Evaluate Microsoft Defender for Office 365 will soon be in public preview. This preview version is provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.
+> Microsoft Defender for Office 365 evaluation is in public preview. This preview version is provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.
Conducting a comprehensive security product evaluation can help give you informed decisions on upgrades and purchases. It helps to try out the security product's capabilities to assess how it can help your security operations team in their daily tasks.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
@@ -205,6 +205,10 @@ Once you have published the CNAME records in DNS, you are ready to enable DKIM s
#### To enable DKIM signing for your custom domain by using PowerShell
+> [!IMPORTANT]
+>:::image type="content" source="../../media/DKIMNoKeysSavedForThisDomain.PNG" alt-text="The 'No DKIM keys saved for this domain.' error.":::
+> If you are configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain.' complete the command in step 2, below (for example, *Set-DkimSigningConfig -Identity contoso.com -Enabled $true*) to see the key.
+ 1. [Connect to Exchange Online PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-exchange-online-powershell). 2. Run the following command:
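Review bot: The new [!IMPORTANT] note tells the reader to run the step 2 command "to see the key", but the example it gives is "Set-DkimSigningConfig -Identity contoso.com -Enabled $true", which sets the Enabled flag; state what the reader should expect after running it instead of "see the key". The example command is in italics and should use inline code formatting so that "$true" and the hyphens render literally. The image line ">:::image" is missing the space after ">", and the sentence needs a comma after the quoted error text before "complete the command".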
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/configure-teams-highly-sensitive-protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-highly-sensitive-protection.md
@@ -28,7 +28,7 @@ For this tier of protection, we create a sensitivity label that can be used acro
The highly sensitive tier offers the following additional protections over the baseline tier: -- A sensitivity label for the team that allows you to turn guest sharing on or off and limits access to SharePoint content to web-only for unmanaged devices. This label can also be used to classify and encrypt files.
+- A sensitivity label for the team that allows you to turn guest sharing on or off and blocks access to SharePoint content for unmanaged devices. This label can also be used to classify and encrypt files.
- A more restrictive default sharing link type - Only team owners can create private channels. - Access requests for the associated SharePoint site are turned off.
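Review bot: The changed bullet now says the label "blocks access to SharePoint content for unmanaged devices" where it previously said access was limited to web-only, which is a change in the described control and not only in wording. The label-creation steps later in the article are not part of this hunk, so confirm that they select the matching unmanaged-device setting; otherwise the overview and the procedure will disagree. Separately, the following bullets in the list are inconsistently punctuated ("A more restrictive default sharing link type" has no period).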
@@ -58,7 +58,7 @@ To create a sensitivity label
1. Open the [Microsoft 365 compliance center](https://compliance.microsoft.com). 2. Under **Solutions**, click **Information protection**. 3. Click **Create a label**.
-4. Give the label a name. We suggest **Sensitive**, but you can choose a different name if that one is already in use.
+4. Give the label a name. We suggest **Highly sensitive**, but you can choose a different name if that one is already in use.
5. Add a display name and description, and then click **Next**. 6. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and click **Next**. 7. On the **Choose protection settings for files and emails** page, select **Encrypt files and emails**, and then click **Next**.
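Review bot: Renaming the suggested label to **Highly sensitive** matches the tier this article describes, but check that every later reference to the label in the article uses the new name, since only step 4 is changed here. In the context lines, step 6 bolds "Define the scope for this label page" with the word "page" inside the bold, while step 7 keeps "page" outside it; make them consistent.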
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/secure-teams-security-isolation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/secure-teams-security-isolation.md
@@ -102,7 +102,7 @@ To create a sensitivity label
1. Open the [Microsoft 365 compliance center](https://compliance.microsoft.com). 2. Under **Solutions**, click **Information protection**. 3. Click **Create a label**.
-4. Give the label a name. We suggest **Sensitive**, but you can choose a different name if that one is already in use.
+4. Give the label a name. We suggest naming it after the team that you'll be using it with.
5. Add a display name and description, and then click **Next**. 6. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and click **Next**. 7. On the **Choose protection settings for files and emails** page, select **Encrypt files and emails**, and then click **Next**.
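Review bot: The new step 4 text, "We suggest naming it after the team that you'll be using it with.", drops the earlier guidance about choosing a different name if the suggested one is already in use; keep a short clause for that case, since the reader still has to pick a name that is not taken. A tighter wording would be "We suggest naming it after the team that will use it." As in the highly sensitive article, step 6 in the context lines includes "page" inside the bold text, unlike step 7.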