Most organisations have users they want to pay special attention to. They might be C-suite members or managers, or they might be someone who has a high profile outside the organisation. For these people Microsoft have introduced a capability called Priority Accounts in Microsoft 365. Once designated, these accounts are tagged so that they can leverage app-specific features designed for them. Initially Microsoft have made two capabilities available for priority accounts: priority account protection and premium mail flow monitoring.
PRIORITY ACCOUNT PROTECTION
Priority accounts are often the targets of phishing campaigns and other cyber-attacks, either because they have access to sensitive data or because they are more prominent outside of the organisation. Using Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection), any alerts generated on accounts tagged as Priority Accounts are highly visible in the alert queue, allowing security teams to focus on these alerts first. If you have a team dedicated to supporting Priority Accounts, you can even direct alerts related to Priority Accounts specifically to the members of that team for further investigation and allow other teams to investigate alerts from other users.
Microsoft have also made it much clearer in Threat Explorer when attacks have impacted Priority Accounts and provided the ability to filter on Priority Accounts to further help prioritise certain investigations.
Campaign views within Defender for Office 365 also provide the ability to filter on Priority Accounts, allowing security teams to identify campaigns that impact Priority Accounts.
Microsoft also announced the following features would be available in the coming months:
- Submissions from Priority Accounts via the Report message add-in will be tagged, allowing security teams to focus on these submissions over others
- Emails that are targeted at Priority Accounts and quarantined will be tagged as such, allowing security teams to look specifically at malicious emails for these users
All of these features utilise the ability to tag certain users as Priority Accounts. Security teams can also optimise their focus and customise tags for their specific use case. For example, security teams can choose to define a tag called ‘susceptible users’ to describe those users who have an increased propensity to fall prey to attacks, and these tags will be available in the security workflows mentioned above.
PREMIUM MAIL FLOW MONITORING
Timely email is critical for certain people within an organisation. Once Priority Accounts have been designated, they are monitored for mail flow issues. When an issue occurs, an alert is generated to notify the admin, who can then view the detailed information in the Exchange admin centre.
Unfortunately, the requirements for Priority Accounts are a bit confusing. The Microsoft Docs page for Priority Accounts states an organisation must be using Office 365 E3 or Microsoft 365 E3, or Office 365 E5 or Microsoft 365 E5, and have at least 10,000 licenses and at least 50 monthly active Exchange Online users. For the Priority Account Protection feature the licensing requirement is Defender for Office 365 Plan 2, including those with Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 Security. The 10,000 licenses limit rules out a significant number of organisations, so whether you can have one without the other is unknown for now. Hopefully this licensing requirement is just in place until Microsoft can scale the solution and guarantee performance.
Configuring premium mail flow is also the only documented way to assign the Priority Account tag to users. However, during my testing I’ve found you can edit the Priority Account tag by accessing https://protection.office.com/userTags and adding users to it. You can also create new tags here.