2.4.1 Ensure Priority account protection is enabled and configured

Information

Identify priority accounts to utilize Microsoft 365's advanced custom security features. This is an essential tool to bolster protection for users who are frequently targeted due to their critical positions, such as executives, leaders, managers, or others who have access to sensitive, confidential, financial, or high-priority information.

Once these accounts are identified, several services and features can be enabled, including threat policies, enhanced sign-in protection through conditional access policies, and alert policies, enabling faster response times for incident response teams.

Rationale:

Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise.

To address this, Microsoft 365 and Microsoft Defender for Office 365 offer several key features that provide extra security, including the identification of incidents and alerts involving priority accounts and the use of built-in custom protections designed specifically for them.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remediate with a 3-step process

Step 1: Enable Priority account protection in Microsoft 365 Defender:

1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
2. Select Settings > E-mail & Collaboration > Priority account protection
3. Ensure Priority account protection is set to On

Step 2: Tag priority accounts:

4. Select User tags
5. Select the PRIORITY ACCOUNT tag and click Edit
6. Select Add members to add users or groups. Groups are recommended.
7. Repeat the previous 2 steps for any additional tags needed, such as Finance or HR.
8. Next and Submit.

Step 3: Configure E-mail alerts for Priority Accounts:

9. Expand E-mail & Collaboration on the left column.
10. Select New Alert Policy
11. Enter a valid policy Name & Description. Set Severity to High and Category to Threat management.
12. Set Activity is to Detected malware in an e-mail message
13. Mail direction is Inbound
14. Select Add Condition and User: recipient tags are
15. In the Selection option field add chosen priority tags such as Priority account.
16. Select Every time an activity matches the rule.
17. Next and Verify valid recipient(s) are selected.
18. Next and select Yes, turn it on right away. Click Submit to save the alert.

Repeat steps 10 - 18 for the Activity field Activity is: Phishing email detected at time of delivery

NOTE: Any additional activity types may be added as needed. Above are the minimum recommended.
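The three remediation steps above can be verified from PowerShell rather than by clicking through the portal. The script below is an added example, not part of the CIS benchmark or the Tenable audit; it assumes the ExchangeOnlineManagement module is installed and the signed-in account can read Exchange Online and Security & Compliance settings. The mapping of the two UI activities to the ThreatType values Malware and Phish, and the tag name appearing in the alert's Filter property, are assumptions to confirm against your tenant's output.

```powershell
# Added verification example (not from the benchmark or Tenable text).
# Assumes the ExchangeOnlineManagement module and a reader of tenant settings.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline      # interactive sign-in; Exchange Online cmdlets
Connect-IPPSSession         # Security & Compliance cmdlets (Get-ProtectionAlert)

$findings = @()

# Step 1: the tenant-wide switch behind Settings > E-mail & Collaboration > Priority account protection
$tenant = Get-EmailTenantSettings
if (-not $tenant.EnablePriorityAccountProtection) {
    $findings += 'Priority account protection is OFF (EnablePriorityAccountProtection = False)'
}

# Step 2: at least one user must carry the Priority account tag (exposed as the VIP flag on Get-User)
$vips = Get-User -VIP -ResultSize Unlimited
if (-not $vips) {
    $findings += 'No users are tagged as priority accounts'
} else {
    '{0} priority account(s): {1}' -f @($vips).Count, ((@($vips).UserPrincipalName) -join ', ')
}

# Step 3: an enabled, High-severity Threat management alert for each minimum activity,
# scoped to priority-tagged recipients.
# ASSUMPTION: the two UI activities correspond to ThreatType Malware and Phish.
$required = @{
    'Detected malware in an e-mail message'       = 'Malware'
    'Phishing email detected at time of delivery' = 'Phish'
}
$alerts = Get-ProtectionAlert | Where-Object { -not $_.Disabled -and $_.Category -eq 'ThreatManagement' }
foreach ($activity in $required.Keys) {
    $match = $alerts | Where-Object {
        $_.ThreatType -eq $required[$activity] -and
        $_.Severity   -eq 'High' -and
        $_.Filter     -match 'Priority account'   # ASSUMPTION: recipient-tag condition is visible in Filter
    }
    if (-not $match) {
        $findings += "No enabled High-severity alert for '$activity' scoped to priority accounts"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'All three remediation steps verified' }
```

Treat an empty `$findings` as evidence to attach to the audit, since the Nessus plugin does not perform this check itself.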

Default Value:

By default, priority accounts are undefined.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, 800-53|SI-8, 800-53|SI-16

Plugin: microsoft_azure

Control ID: b28125d8d2520deaaeb9a6540d83e4e78f9bbf4efd2cb1717967d6b758ffe39d