MDE – Priority Account Protection

What is it?

Priority Account Protection allows you to “tag” accounts as priority accounts and enables additional protection against the malicious email patterns which commonly target company executives and highly targeted employees. It also provides extra visibility for alerts and investigations, which can help improve reporting.

This is a great feature, as we are now really starting to understand that there are simply too many threats to address them all equally, so prioritising the biggest threats to our organisation is vital to reducing attack surface. Prioritising should not, however, be labour intensive and complicated; it needs to be simplified and, if at all possible, automated. Priority Account Protection uses an enhanced set of heuristic detection patterns designed specifically for C-suite execs to improve your phishing protection of these high risk users.

Why use it?

The majority of attacks are still launched via email, and despite best efforts to reduce this via user training, it’s clear attacks are becoming too sophisticated for users to spot. As defenders we need to use everything at our disposal to best protect users from email-borne attacks, and to be able to quickly identify and respond when an incident occurs.

How does it work?

It allows us to use tags to identify high risk or high value targets within our organisation. We can tag users individually, or via groups, and we don’t need to worry about users being informed that they have been tagged as they will not see any changes in the way their email functions. False positives can be easily managed with the Tenant Allow Block List (TABL), and if there is an issue we can simply un-tag users if required, or completely disable the protection element of Priority Account Protection.

This protection should be reserved for a small number of high value accounts, as tagging all or most of the users in a tenant will lessen its impact and not provide the expected benefits.

If you want to read more on this you can use the links below.

https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385

https://learn.microsoft.com/en-gb/microsoft-365/security/office-365-security/step-by-step-guides/protect-your-c-suite-with-priority-account-protection?view=o365-worldwide

https://learn.microsoft.com/en-gb/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection?view=o365-worldwide#review-differentiated-protection-from-priority-account-protection

Quick Setup Guide.

In the security.microsoft.com portal go to Settings > Email and Collaboration > User tags, where we can see the Priority Account tag is created by default.

Go to the option below “User Tags” in the centre menu and select “Priority Account Protection” where we can see this is enabled by default.

Go back to “User Tags” and select the “Priority Account” option and then edit from the top menu.

We add and select the users or groups we want tagged as high priority, click “next”, and on the final page review and hit “Submit”, and then “Done”.

Below we see the completed message.

That’s it, now we wait to see what information we get and how we can use it.

It can take 8 hours to apply, and we need some spam or malicious emails to come in, so we will come back and look at this in a future blog.
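Once the tag has had time to apply, the same settings can be checked from Exchange Online PowerShell. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module with a session already opened by Connect-ExchangeOnline, and the `$MaxTaggedPercent` threshold is a made-up local policy value, not a Microsoft limit.

```powershell
# Added example: audit Priority Account Protection after the portal setup above.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
param(
    # Assumed local policy value for "a small number of accounts"; adjust to taste.
    [double]$MaxTaggedPercent = 5.0
)

# 1. Tenant-wide switch for the protection element (enabled by default).
$settings = Get-EmailTenantSettings
$enabled  = [bool]$settings.EnablePriorityAccountProtection
if (-not $enabled) {
    Write-Warning 'Priority Account Protection is turned off for this tenant.'
}

# 2. Accounts that currently carry the Priority Account tag.
$tagged = @(Get-User -IsVIP -ResultSize Unlimited)

# 3. Share of user mailboxes that are tagged; guard against an empty tenant.
$mailboxUsers = @(Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited)
$percent = if ($mailboxUsers.Count -gt 0) {
    [math]::Round(100 * $tagged.Count / $mailboxUsers.Count, 2)
} else {
    0
}

# Tagging most of the tenant dilutes the benefit, so flag an oversized list.
if ($percent -gt $MaxTaggedPercent) {
    Write-Warning "$($tagged.Count) accounts ($percent%) are tagged; review the list."
}

# 4. Summary object first, then the tagged accounts for manual review.
[pscustomobject]@{
    ProtectionEnabled = $enabled
    TaggedAccounts    = $tagged.Count
    UserMailboxes     = $mailboxUsers.Count
    TaggedPercent     = $percent
}

$tagged |
    Sort-Object DisplayName |
    Select-Object DisplayName, UserPrincipalName, Title, Department
```

If the tag was applied through a group, the output of step 4 shows which individual accounts ended up tagged.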