Collaboration Security - Protection for Microsoft Teams

Updated

This article explains how to set up and configure Protection for Microsoft Teams and describes its main features. It is intended for Administrators.

Overview

Protection for Microsoft Teams extends Mimecast’s world-class URL and attachment inspection capabilities to messages shared in the Microsoft Teams platform. Any content deemed malicious or suspicious is blocked, and a notification is sent to both the sender and the recipient.
Key features:

  • Best-in-class inspection of all URLs and attachments.
  • 14-day threat scan, to identify previously delivered malicious content.
  • End-user notification of blocked content.
  • Optimized default policy out of the box.
  • Ability to create custom policies for specific Microsoft Teams channels.
  • Full deployment in minutes.

How harmful items are managed:

  • Harmful attachments are removed from Microsoft Teams conversations and the Microsoft Teams files space in Microsoft SharePoint.
  • SharePoint links are also scanned, and if they are found to be harmful, they are removed.
  • Messages with harmful URLs are removed.

  • The sender sees that the message was blocked, due to the organizational policy.

    Protection for Microsoft Teams - sender perspective

    Protection for Microsoft Teams - sender perspective

  • The recipient sees that the message was blocked, due to the organizational policy.

    Protection for Teams - recipient perspective

  • You can access deleted attachments via Mimecast Administration Console | Collaboration Security | Detections

Considerations

  • Phishing & Impersonation as well as Untrustworthy Detection Sensitivity settings do not apply to Microsoft Teams.
  • Microsoft Teams doesn’t have the option to turn off external chat requests. See Communication with external users.
  • You'd be configuring and using Protection for Microsoft Teams in conjunction with Protection for Microsoft SharePoint & OneDrive.
  • Collaboration Security is not supported for:
    • Advanced Account Administration (AAA) setups.
    • Microsoft GCC High environments.
    • Customers needing to adhere to ITAR regulations.
    • The Mimecast Offshore / Jersey region.
  • Collaboration Security doesn't support Policy Inheritance on Federated Account Administration (FAA) setups.

Prerequisites

  • You are using Microsoft Teams, Microsoft SharePoint and Microsoft OneDrive.
  • You have an Email Security Cloud Gateway account.
  • You have an appropriate Mimecast Administration Console role:
    • Trials can be started by all Administrators with More Products | Enroll role permissions. By default, these are Partner, Full, and Super Administrators.

    • The Administrator will need Collaboration Full Permissions to create the initial Collaboration Security configuration.  

      • Default roles with Collaboration Full Permission are Super, Full, and Partner Administrators.
      • The default role with Collaboration Basic Permission is Basic Administrator.
      • The default role with Collaboration Helpdesk Permission is Help Desk.
  • You have Microsoft 365 Global Administrator Role to grant app consent.
  • Collaboration Security requires each user to have one of the following Microsoft 365 licenses to access the Teams DLP & Export API:

It is your responsibility to ensure that you have in place all required licenses and permissions needed for you to access Protection for Microsoft Teams.

Setting up Protection for Microsoft Teams

To set up Protection for Microsoft Teams, follow the steps below:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to More Mimecast Products from the left-hand menu.

  3. Click on Protection for Microsoft Teams.

    Protection for Microsoft Teams trial
  4. Depending on the status of your account, click on:
  •  

    • Free Trial to set up your free trial of Protection for Microsoft SharePoint & OneDrive.

      Only a Partner Administrator can start a trial if your account is associated with a Managed Service Provider.
    • Configure to configure Protection for Microsoft SharePoint & OneDrive.
  1. The Next Steps gives more information to guide you to complete the setup.

 

teamslicensereq.png
  1. Click Continue to review the Terms and Conditions.

Evaluation Agreement

The terms and conditions step is for Trial customers only, and will be skipped automatically if you are a new customer and have been provisioned with Protection for Microsoft Teams
You will not be prompted to accept the Terms and Conditions again, you have already configured Protection for Microsoft SharePoint & OneDrive.

  1. Once the Terms and Conditions are accepted, we’ll verify your details, and you'll see that your account is being prepared. Click on Continue.
Preparing Your Account

Once you can continue, you will see "Your trial is ready", and you will need to click on Configure Here, where prompted.

 

Trial Is Ready

The "chip" for More Mimecast Products | Protection for Microsoft Teams will change from "Preparing" to "Configure".
The More Mimecast Products | Protection for Microsoft Teams page action will update, from Trial Sign-up information, to Configuration details.
You will need to click on Get Started to continue.

Get configured
  1. You will be returned to the Next Steps screen. Click on Continue.
step8.png
  1. You can then select your Default Policy ConfigurationMonitor (recommended), or Protect.

TeamsMonitorMode.png

  1. Click on Save & Continue To Microsoft.
  2. Log in using your Microsoft Global Administrator Role credentials, and you’ll be redirected to the Microsoft application consent page to consent to the permissions required by the app.

MS Teams Permissions-2b-350-s.jpg

Where Microsoft requires you to accept any Terms and Conditions as part of the permission granting process, it is your responsibility to fully review and understand the content of such Terms and Conditions before accepting them.

  1. Once you've clicked on Accept, you’ll return to Microsoft Teams Configuration, which is now complete.

Configuration Complete

14-day Threat Scan

Mimecast will perform a historic scan after Protection for Microsoft Teams has been configured, and will identify malicious URLs (in Microsoft Teams messages), or attachments from Microsoft Teams (stored in Microsoft SharePoint), for the last 14 days. Once the scan is complete, you can select the action you would like to take.
You can see all detected threats or view the threats from the Detections page.

Upon purchase of Collaboration Security, attachments older than 14 days will be scanned too, when you’ve configured Protection for Microsoft SharePoint & OneDrive.

Product Trials

If you are using a free trial of Protection for Microsoft Teams, you can view the status of your Product Trials, by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to  Account | Product Trials.
  3. The Product Trials page displays your Product Trials, and the corresponding subscription status(es).

Product Trials

Viewing Detected Threats

You can view all scanned messages from the Detections page. By default, you’ll see Malware, Phishing, and Untrustworthy messages. You can click on a message to see full details.

If you’re using Monitor mode or choose not to remove threats automatically, you can remove them manually by following the steps below.

You can navigate to the Detections page, by using the following steps:

  1. Log on to the Mimecast Administration Console.

  2. Navigate to MORE SERVICES | Collaboration Security.

     

Navigate to Collaboration Security

  1. The Collaboration Security Home page opens, and displays:
  •  
    •  
      • Statistics for Malware, Phishing and Untrustworthy messages (by default), that have been detected in the selected time period.
      • Detections Overview, with graphs to display data over the selected time period.

The default Date Range is 30 days, you can amend this to Last 24 hours, Last 7 days, Last 30 days, or Last 60 days, as required.

  1. Navigate to Detections. This will display the threats that have been detected.

The default Date Range is 30 days, you can amend this to Last 24 hours, Last 7 days, Last 30 days, or Last 60 days, as required.

Detections

Field Description
Content Displays the Teams Message or Filename associated with the detected threat.
Services Displays which service the detected threat was received from (e.g. Teams).
Analysis

Displays the type of threat that has been identified, e.g.:

  • Malware: Malicious software designed to disrupt, damage, and gain unauthorized access to a network and its linked devices.
  • Phishing: Social Engineering content, Malicious URLs, and Weaponized Attachments are some examples of phishing content.
  • Untrustworthy: Suspicious messages detected by Mimecast systems as untrustworthy could be from a known bad source or contain content we cannot be sure is safe.
  • Safe/Clean: Emails are determined as safe by Mimecast's detection engines.
Status

Displays the current state of the detected threat, examples:

  • Delivered.
  • Blocked.
  • Manually removed.
Recipient This displays the chat recipient of the detected threat, if applicable.
Policy / Rule Displays which Policy or Rule was triggered, which mode, and what action was taken.
Sender / Uploader or Sender

This displays the sender or name of the person who uploaded a file, for detected threats.

  • If you are using Microsoft SharePoint & OneDrive, you will see the Sender/Uploader column, containing the corresponding data.
  • Otherwise you will instead see the Sender column, containing the corresponding data.
Date / Time This displays the date when the detected message was processed by Mimecast.
  1. You can use advanced Filters on your detected threat data; the default filters are Malware, Phishing and Untrustworthy.
  2. You can click on the Filter button, to remove existing filters, clear all filters, or to drill down to filter by sub-categories:

Filter in Detections

 

Filter Categories Sub-items
Service Teams
SharePoint
Analysis
Malware 
Phishing 
Safe/Clean 
Untrustworthy
Block Rule
Status
Blocked 
Delivered 
Manually quarantined 
Manually restored 
Quarantined
Quarantine failed 
Quarantine in progress 
Manually removed
Remove failed 
Remove in progress
Restore failed 
Restore in progress 
Scanned
  1. You can Apply the filter customizations that you have made, or click on Cancel to close without applying changes.

Searching Detected Threats

You can search within Detections, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Detections.
  3. The Search section allows you to specify:
  •  
    • Date Range: This field is used to specify the Date Range for your search:
      • Last 24 hours.
      • Last 7 days.
      • Last 30 days (this is the default value).
      • Last 60 days.
    • Target / Operator: Select a Target to search by, a relevant Operator and a corresponding Expression, to create your search criteria. The available Operators will depend on the Target type selected.
Target Operator Expression
Content, Recipient or Sender/Uploader: Select this field to search by message title or filename associated with the detected threat.
  • is.
  • is not.
  • contains.
 Enter a string, without double quotes.
Contains only takes a single
value.

 

• For Contains searches, case is not considered, and partial matches are included.
OR conditions for the same field can be aggregated into the row via comma or the use of OR.
AND conditions for the same field can be added as multiple sets of search criteria.

  •  
    • +Add Criteria: Click on this to add the criteria that you have entered. The Query View updates, to display your search criteria.
  1. Click on Search to run the search. The list of detected threats is updated, to display items corresponding to your search criteria.
  2. You can enter further set(s) of criteria, by:
  •  
    • Selecting the Condition of AND.
    • Entering the TargetOperator and Expression for the additional search criteria.
    • Clicking on +Add Criteria to add them. The Query View updates, to display your search criteria, and the list of detected threats is updated accordingly.
  1. You can remove search criteria, by clicking on Remove Criteria next to the item.
  2. You can click on Clear Search to clear the search criteria. The list of detected threats is updated accordingly.

Search

Managing Detected Threats

You can manage detected threats, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Detections.

  3. You can click on a detected threat to display threat details.
    Each detected threat is displayed using detail panels, displaying a deep analysis:

    Panel Description
    Analysis The analysis panel displays the type of threat, the status, and the recipients.
    Policy Displays the policy name, mode, and action performed.
    Instant Message

    Displays details about the detected message. 
    This contains the following:
     

    • Sender.
    • Recipients.
    • Date/Time.
    • Content.
    Detailed Analysis Display detailed data about the message:
    This includes:
    • Attachment.
    • Detection.
  4. You can carry out an action on the selected detected threat, depending on its state:
  •  
    • Safe/Clean, with status Delivered: You can click on Remove, Report As Malicious, or click the Back arrow to return to Detections.

Safe/Clean item

 

  •  
    • Malware, with status Delivered: You can click on Remove, Report As Safe, or click the Back arrow to return to Detections.

Malware, Delivered

  •  
    • Malware, with status Blocked: You can click on Report As Safe, or click the Back arrow to return to Detections.

Malware, Blocked

  1. Once you've completed an action, you will return to the Detections page, and notified when the action is complete.
  2. The Status for the actioned item will update accordingly.

Policy Management

The Default Policy protects your whole organization; however, if you need to make changes, then you can create a new policy.

You can manage Policies for Instant Messaging, by using the following steps:

  1. Open the Collaboration Security area.

  2. Click on Policies | Instant Messaging.

     
Instant Messaging Policies
  1. In the Instant Messaging Policies screen, you can:
  •  
    • Click on the ellipsis "..." for an existing Policy, and select an action:
      • View: Selecting this option opens the Policy.
      • Delete: Selecting this option deletes the Policy.
      • Duplicate: Selecting this option duplicates a Policy, allowing you then make and save changes.
      • Move Policy Up: Selecting this option allows you to move a Policy further up the list of Policies.

      • Move Policy Down: Selecting this option allows you to move a Policy further down the list of Policies.

        The Default Policy cannot be moved up or down, deleted, duplicated, or disabled.

Policy Actions
  •  
    •  
      • Click on New Policy and add details for the Policy:
New Policy
New Policy
  •  
    •  
      • Enter a Name for the Policy.
      • Enter a Description (optional).
      • Select the targetAll Users & Channels, or Teams Channels.
        • If you select Teams Channels, then you’ll be able to search for channel names.
        • Policies can be used to create exceptions, i.e. Target MSOC channel, Detection Action, Block Malware, Do nothing Phishing, Do nothing Suspicious.
      • Select a Mode of Protect, or Disabled.
      • Select the Detection Actions for Malware, Phishing and Untrustworthy.
      • Select your required Detection Engine settings:
        • Phishing: Choose how aggressively the system acts on threats, either Moderate (recommended), or Aggressive.
        • Untrustworthy: Choose how aggressively the system acts on threats, either Moderate (recommended), or Aggressive.
        • Attachment: Choose whether to enable or disable the checking of vulnerable file types for threats in the sandbox.

      • Set your alert preferences. You can use this to ensure a message is sent to the administrator email address(es) you specify, when the selected detection categories are matched by the Policy.

        Microsoft Teams detection alert
  •  
    •  
      • Click on Save.

Configuration 

Service Authorizations

You can view and re-authorize your subscribed services, by using the following steps:

  1. Open the Collaboration Security area.

  2. Click on Configuration | Service Authorizations.

    Service Authorizations

  3. You can click on Settings to see your subscription details for Microsoft Teams:

    Details for Microsoft Teams

  4. You can click on Re-Authorize if you need to re-authorize Microsoft Teams:

    You would use the re-authorize option if you need to carry out "clean" re-installation.

    Re-Authorize Microsoft Teams
  5. You can then click on Cancel, or on Re-Authorize to sign in as your Microsoft 365 Global Administrator, then authorize the application.

Settings

You can view and update your Settings, by using the following steps:

  1. Open the Collaboration Security area.

  2. Click on Configuration | Settings.

    Managed URLs
  3. You can use the TTP managed URLs confirmation tick-box to select whether Targeted Threat Protection (TTP) Managed URLs is enabled for Microsoft Teams, SharePoint & OneDrive. Click on Save to save your changes.

Reporting

You can set up Reports for your Detections data, including the frequency and who receives them.

You can manage Reports, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Reports. This contains two tabs:
  •  
    • Archive: This shows a list of reports to date, where you can carry out the following actions, via the ellipsis "..." :
      • Resend a Report.
      • View a Report.

Reports

View Report

  •  
    • Settings: You can use this to select which day of the week the Report is created on, and to choose which users and groups it's sent to.
       
Settings for Reports

Audit Logs

You can search for, review and export Audit Logs relating to your Collaboration Security service via the Mimecast Administration Console, by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Account | Audit Logs.

  3. Collaboration Security data is shown under the Collaboration Security Logs Category.


    Audit Logs New-b-1000-s.jpg

Communication with external users

Protection for Microsoft Teams can only inspect URLs and attachments within your Microsoft Teams tenant. If employees accept invitations to collaborate using the Microsoft Teams tenant of a third party, Mimecast cannot inspect content. Based on our research, competitive products operate in the same way.  
 

Our recommendation to customers is always to have third parties collaborate within the customer’s Microsoft Teams tenant.   


Scenarios when an external user is communicating within the customer’s Microsoft Teams tenant:  

  1. Internal user invites external users to a Channel - Inspection occurs.
  2. Internal user invites external users to a chat 1:1 - Inspection occurs.
  3. Internal user invites external users to a meeting (same as chat) - Inspection occurs.

Microsoft Teams does not support file uploads in 1:1 chats between internal and external users and meetings.


Scenarios when customers are communicating using a third party’s Microsoft Teams tenant:  

  1. External user invites internal user  to a Channel -  No protection.
  2. External user invites internal user  to a chat -  No protection. 
  3. External user invites internal user  to a meeting -  No protection.

Removing Mimecast app consent

If your trial has expired, or you no longer use Protection for Microsoft Teams, you can delete the app consent from the Microsoft Entra admin center. See Microsoft's page for more details.

Fair Usage Policy

Protection for Microsoft Teams is subject to fair usage limits. Each user is limited to a certain number of messages per month. Details can be found on Microsoft's page. If an account’s fair usage limits are exceeded, Mimecast may throttle the service and will work with the customer to reduce the customer’s usage to conform to that limit.

Mimecast also reserves the right to ask you to pay applicable excess usage fees in certain circumstances.

Troubleshooting

In some instances, Remove Failed may appear under message Status, for a specific item on the Detections page.

  1. This error indicates a license issue. The message could not be blocked, because the user does not have the license that is required. Please see Prerequisites, and ensure that you have all of the required licenses.

    License Issues

  2. This error indicates that we were unable to block a message, because we had previously blocked it. This can occur when a blocked message is edited by the sender with updated content that may include a harmful URL or file.

    Unable to block

  3. This error indicates that we do not have permission to block the message. This happens when the sender is external and not part of the tenant we are protecting.

See Also..

 

Related to

Was this article helpful?
0 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.