[Cloud Protection] Operation Policy Consideration

・Automatically delete the entire Exchange Online item or only the malware file 
・Automatically quarantine the entire Exchange Online item or only the malware file
・Take no specific action

Explanation:
If you choose to delete, the Exchange Online item or malware file cannot be restored and will be completely deleted.
If you choose to quarantine, the Exchange Online item or malware file will be temporarily hidden from Microsoft 365, preventing it from spreading to end-user devices.
Files in quarantine can be checked by admins on the HENNGE Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by users.
Once released, if the file is detected again, it will be quarantined.

・Automatically delete the Exchange Online item
・Automatically quarantine the Exchange Online item
・Change the subject and disable the URL link
・Take no specific action

Explanation:
If you choose to delete, the Exchange Online item cannot be restored and will be completely deleted.
If you choose to quarantine, the Exchange Online item will be temporarily hidden from Microsoft 365, preventing it from spreading to end-user devices.
Items in quarantine can be checked by admins on the HENNGE Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by users.

・Detect suspicious rules in inbox rules

Explanation:
If suspicious inbox rules that perform actions such as moving, forwarding, or deleting emails are detected,
notifications can be sent to admins or users.

・Detect if there is a leakage of Microsoft 365 accounts to third parties

If a leakage of Microsoft 365 accounts to third parties is detected,
notifications can be sent to admins or users.

When any of the above processes are detected, you can define the notification destination.
・Email notification to users
・Email notification to admin email addresses
・Perform both of the above actions

・Automatically quarantine malware files
・Automatically delete malware files
・Take no specific action

Explanation:
If you select Delete, malware files uploaded to the SharePoint Online site cannot be restored and will be completely deleted.
If you select Quarantine, malware files are temporarily quarantined, preventing them from spreading to end users' devices.
Files in quarantine can be checked by the admin on the HENNGE Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by the user.
Furthermore, it is recorded as a safe file within HENNGE Cloud Protection, and even if the same file is uploaded in the future, it will be [detected] but not [quarantined]. (In Exchange protection, even files that have been released once will be quarantined)
Also, you cannot revert this action (return it to be quarantined again).
※ The quarantine method varies depending on the connection status with Teams.
・Team sites and communication sites not connected to Teams: Malware files are temporarily hidden from Microsoft 365.
・Team sites not connected to Teams: Malware files are moved to the quarantine area, and the file is replaced with one appended with [HARMFUL_CONTENT_REMOVED].

When each of the above processes is detected, you can define the notification destination.
・Email notification to the admin's email address

・Automatically quarantine malware files
・Automatically delete malware files
・Take no specific action

Explanation:
If you select Delete, malware files uploaded to OneDrive cannot be restored and will be completely deleted.
If you select Quarantine, malware files are temporarily hidden from Microsoft 365, preventing them from spreading to end users' devices.
Files in quarantine can be checked by the admin on the HENNGE Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by the user.
Furthermore, it is recorded as a safe file within HENNGE Cloud Protection, and even if the same file is uploaded in the future, it will be [detected] but not [quarantined]. (In Exchange protection, even files that have been released once will be quarantined)
Also, you cannot revert this action (return it to be quarantined again).

When each of the above processes is detected, you can define the notification destination.
・Email notification to the admin's email address

・Automatically quarantine malware files
・Automatically delete malware files
・Take no specific action

If you select Delete, files containing malware uploaded to Teams cannot be restored and will be completely deleted.
If you select Quarantine, malware files are temporarily quarantined, preventing them from spreading to end users' devices.
※ The behavior during quarantine differs between Teams chat and Teams channel.
・Teams chat: Files remain displayed in both the [Chat] tab and the [Shared] tab, while the main body is quarantined.
※ Please note that only PDF files can be previewed in chats with others.
・Teams channel: Files remain displayed in the [Posts] tab, while the main body is quarantined. In the [Files] tab, the file name is replaced with one appended with [HARMFUL_CONTENT_REMOVED], and the main body is quarantined.
Files in quarantine can be checked by the admin on the HENNGE Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by the user.
Furthermore, it is recorded as a safe file within HENNGE Cloud Protection, and even if the same file is uploaded in the future, it will be [detected] but not [quarantined]. (In Exchange protection, even files that have been released once will be quarantined)
Also, you cannot revert this action (return it to be quarantined again).

When each of the above processes is detected, you can define the notification destination.
・Email notification to the admin

Configure the policy with the following settings.

[How to Set]

Set the processing for malware scan and URL scan as follows.

Processing: Do Nothing

Reference Article: Create a New Policy

[Content]

In this setting, malware and malicious URLs are detected, but no actual processing is performed. By checking the detection status, you can first confirm how much malware is detected within the company.
By understanding the detection status, you can consider how much effort is needed for future operations.
It is also possible to notify users as needed.
Since no quarantine is performed, it is easy to implement, and this setting is recommended initially.

Specify the users to be protected for each service.

Reference Article: Connection Procedure for Protected Mailboxes

[How to Set]

Select the target service (Exchange, SharePoint, etc.) from the cloud service.
Exchange: Select Customize Mailbox Protection
SharePoint / OneDrive / Teams: Turn off Automatically Protect Newly Added SharePoint, Teams, and OneDrive Assets

[Content]

In this setting, if quarantine, etc., is defined in the policy, you can deploy the behavior when quarantined and notification behavior to only some users.
By narrowing down the target, you can consider creating manuals and timing for user notification in line with actual operations before full deployment. You can verify the processing defined in various policies and start phased operations.

You can immediately deploy company-wide and start operations.
If quarantine processing is applied in the policy, users' emails will be quarantined, so caution is needed when starting operations.

[How to Set]

Select the target service (Exchange, SharePoint, etc.) from the cloud service.
Exchange: Protect All Mailboxes
Protect all other services.

Reference Article: Connection Procedure for Protected Mailboxes

[Content]

In this setting, it is applied to all users.
If a quarantine policy is defined, files will be quarantined.
If there are no concerns, you can immediately start security measures.