Vade For M365 Administrator Guide
Administrator Guide
Version 2.53.
VADE USA, INCORPORATED – 100 Pine Street, Suite 1250 – San Francisco CA 94111
Contents
Chapter 1: Overview
What is Vade for M365?
Architecture Diagram
Activation process
Retrieve the Tenant ID
Create a new client on the Partner Portal
Order a license for a new client
Activate your license
Confirm permissions
Define an email address for undeliverable journal reports
Create a journal rule via the Microsoft Purview compliance portal
Create a journal rule with command lines using PowerShell
Frequently Asked Questions
How to use admin whitelists?
How to bypass the anti-malware filter for whitelisted emails?
How to manage reports?
How to revoke the rights of Vade for M365?
How to grant my partner access to my admin console?
How to revoke access to the admin console?
How to retrieve emails?
How to export email logs?
Support
Chapter 2: Dashboard
Dashboard
Chapter 3: Logs
Email logs
Filtering use cases
Filtering log fields
Remediate and report emails
Remediation logs
URL logs - Time-of-Click
Time-of-Click log storage
Event logs
Reported emails
Chapter 4: Reports
Threat Report
Low priority Report
Chapter 6: Toolbox
Time-of-Click URL decoding
File Inspector
Chapter 7: Settings
Global
User group restriction
Incident Response
Anti-Malware
Anti-Phishing
Anti-Spear Phishing
Anti-Spam
Classification
Vade Threat Coach
RBAC
Add mapping
Chapter 8: Developers
Vade for M365 API
Overview
Our filtering solution is based on machine learning models which perform real-time behavioral analysis
to check the whole email, URLs and attachments.
Vade integrates seamlessly with your Microsoft 365 messaging solution and increases its security
thanks to Artificial Intelligence.
You can enable Vade for M365 in just a few clicks without any architecture change (no MX record
changes). The administration UI was designed to provide simple configuration and full reports and
analysis information about blocked attacks. Your users won't have to change the way they access their
emails or use a new interface.
Supported browsers
The Vade for M365 admin console has been tested and is fully functional with the latest version of the
following browsers:
• Google Chrome
• Firefox
• Edge
• Safari
How it works
1. When you receive a new message, Microsoft 365 scans it with EOP/ATP protection.
2. A copy of the email is then sent to Vade for M365 through the Microsoft 365 journal rules.
3. Vade for M365 performs the analysis on the copy of the message.
4. Vade for M365 connects to Microsoft 365 using MS Graph API, to retrieve the user preferences, etc.
5. Vade for M365 then moves the message to the proper subfolder, or deletes it using MS Graph API.
Activation process
Follow the steps below to set up Vade for M365.
Procedure
1. Retrieve the Tenant ID
2. Create a new client on the Partner Portal
3. Order a license for a new client
4. Activate your license
5. Confirm permissions
6. Create a journal rule
• Create a journal rule via the Microsoft Purview compliance portal
• Create a journal rule with command lines using PowerShell
Retrieve the Tenant ID
Procedure
1. Log in to the Microsoft Azure Portal with your admin credentials.
2. Select Azure Active Directory under Azure services.
Results
You will find the Tenant ID in the Overview.
What to do next
Your Vade Sales representative will create your client account and order a license for you.
Create a new client on the Partner Portal
Procedure
1. Access the Portal at https://partner.vadesecure.com.
2. Click the Clients & Licenses tab in the left menu.
3. Click the + Order button.
4. Click New client.
5. Enter the required information.
6. Click Next.
Note: You can also create a client profile via the Partner API (see the “Vade Partner API Guide”,
“Create a client” section).
Results
You added a new client.
Order a license for a new client
Procedure
1. Log in to the Portal at https://partner.vadesecure.com.
2. Click the Clients & Licenses tab in the left menu.
3. Click the + Order button.
4. Click New client.
5. Enter the required information.
6. Click Next.
7. Select the type of license you want:
• TRIAL: Trial of all features for 15 days.
• MONTHLY: Flexible.
• YEARLY: 1-year or 3-year plans.
8. Click Next.
9. Select the add-ons you want.
Note: You can also add the add-ons of your choice later on.
Activate your license
Procedure
1. Check your emails for an activation email sent by Vade.
2. Click Activate your license in your activation email.
A window opens.
3. Check I accept to read and accept the Terms of service.
Note: You can check the information about your license by clicking My license.
Results
Your license is active.
Confirm permissions
Procedure
1. Log into the Vade admin console using a Microsoft 365 Global Admin account.
• For Europe: https://m365.eu.vadesecure.com/
Note: Germany: https://m365.de.vadesecure.com/
Note: You can type Vade Secure MS 365 in the search bar.
Define an email address for undeliverable journal reports
Procedure
1. Go to the Microsoft Purview compliance portal.
2. Click Data lifecycle management > Exchange (legacy) in the left menu.
3. Click Settings at the top right of the page.
4. Enter an email address outside your protected domain under send undeliverable journal reports
to.
Note: You can use Vade special addresses for this purpose:
• For Europe:
• Servers based in France:
undeliverable@bounce.eu.vadesecure.com
• Servers based in Germany:
undeliverable@bounce.de.vadesecure.com
5. Click Save.
Results
Microsoft will send undeliverable journal reports to the address you entered.
Create a journal rule via the Microsoft Purview compliance portal
Procedure
1. Log in to the Microsoft Purview compliance portal.
2. Click Data lifecycle management > Exchange (legacy).
3. Open the Journal rules tab.
4. Click + New rule.
5. Enter your dedicated address under Send journal reports to:
Results
You can now see your newly created journal rule in the list of rules. Make sure it is checked.
Related tasks
Define an email address for undeliverable journal reports
Related information
Create a journal rule with command lines using PowerShell
Create a journal rule with command lines using PowerShell
Import-Module ExchangeOnlineManagement
4. Enter the following command to send undeliverable journal reports to the address provided by
Vade:
Set-TransportConfig -JournalingReportNdrTo undeliverable@bounce.eu.vadesecure.com
Note:
• For Europe:
5. Enter the following command to create and activate your journal rule:
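The script below is an added example, not a command taken from the Vade guide. It checks that the undeliverable-report address lies outside the tenant's accepted domains, applies the setting from step 4, creates a journal rule only if none already targets the journal address, and lists every journal rule for review. The admin account, the rule name, the Global scope and the journal address placeholder are assumptions; use the dedicated address Vade provides.

```powershell
# Added example (not from the Vade guide). Lines marked ASSUMPTION must be adapted.
Import-Module ExchangeOnlineManagement

$AdminUpn       = 'admin@contoso.example'                   # ASSUMPTION: hypothetical admin account
$NdrAddress     = 'undeliverable@bounce.eu.vadesecure.com'  # address given in the guide
$JournalAddress = '<DEDICATED-JOURNAL-ADDRESS-FROM-VADE>'   # ASSUMPTION: placeholder, not on this page
$RuleName       = 'Vade for M365 journaling'                # ASSUMPTION: hypothetical rule name

if ($JournalAddress -like '<*') {
    throw 'Set $JournalAddress to the dedicated address provided by Vade before running.'
}

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# 1. The guide requires the undeliverable-report address to be outside the
#    protected domain, so compare its domain with the tenant's accepted domains.
$acceptedDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLowerInvariant() }
$ndrDomain       = ($NdrAddress -split '@')[-1].ToLowerInvariant()
if ($acceptedDomains -contains $ndrDomain) {
    throw "NDR address domain '$ndrDomain' is one of this tenant's accepted domains."
}

# 2. Apply the setting only when it differs, so reruns do not add audit noise.
$currentNdr = "$((Get-TransportConfig).JournalingReportNdrTo)"
if ($currentNdr -ne $NdrAddress) {
    Set-TransportConfig -JournalingReportNdrTo $NdrAddress
    Write-Output "JournalingReportNdrTo changed from '$currentNdr' to '$NdrAddress'."
}

# 3. Create the journal rule unless one already sends reports to the same address.
$existing = Get-JournalRule | Where-Object { "$($_.JournalEmailAddress)" -eq $JournalAddress }
if (-not $existing) {
    # ASSUMPTION: -Scope Global journals all messages; confirm the scope Vade expects.
    New-JournalRule -Name $RuleName -JournalEmailAddress $JournalAddress `
        -Scope Global -Enabled $true
}

# 4. Review every journal rule: each enabled rule copies mail to an external
#    mailbox, so any unexpected destination here deserves investigation.
Get-JournalRule |
    Select-Object Name, Enabled, Scope, Recipient, JournalEmailAddress |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Running step 4 of the script on a schedule also gives a simple record of where journal copies are being delivered.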
Frequently Asked Questions
Do I need Exchange Online Protection (EOP) as well as the Vade solution to work effectively?
Exchange Online Protection is included within all Microsoft cloud email services such as Exchange
Online and Microsoft 365, so no extra license is required. Vade can work as a standalone or as layered
protection on top of EOP.
What happens if I have blacklisted an address that a user has whitelisted?
Filtering rules created on Microsoft 365 always take precedence over the filter decisions, or inbox rules
created by the user.
How to use admin whitelists?
Procedure
1. Log in to the Microsoft 365 admin center.
2. Go to Mail flow > Rules > + Add a rule > Bypass spam filtering.
The New transport rule window opens.
3. Create a new mail flow rule:
a) Enter a name for the rule.
b) Select The sender in the Apply this rule if drop-down menu.
• Select domain is to whitelist a domain, or
4. Add the following actions in the New transport rule window for Vade to stop filtering the emails
specified earlier:
Note: Spam confidence level should be automatically set to -1 by Microsoft 365 admin center,
but if it is not, follow steps 4.a. and 4.b. If it is, go to step 4.c.
a) Select Modify the message properties > set the spam confidence level (SCL) in the Do the following
drop-down menus.
b) Set the spam confidence level to -1.
c) Click + next to the Do the following drop-down menus.
d) Select Modify the message properties > set a message header in the And drop-down menus.
e) Click the first Enter text link in "Set the message header Enter text to the value Enter text".
The message header pop-in window is displayed.
f) Enter the following value: X-VADE-O365.
g) Click Save.
h) Click the second Enter text link.
The message header pop-in window is displayed.
i) Enter the name of the client.
j) Click Save.
5. Click Next.
6. Click Next.
7. Click Finish.
Results
The new rule is now on display in your Rules.
Tip: Make sure the new rule is checked in the Rules list.
How to bypass the anti-malware filter for whitelisted emails?
Procedure
1. Log in to the Microsoft 365 admin center.
2. Go to Mail flow > Rules.
3. Click the mail flow rule that you have already created to share your Microsoft 365 whitelist with
Vade for M365.
4. Click Edit rule conditions in your rule's pop-in window.
5. Click the 'X-VADE-O365' link in the Do the following section.
Results
The mail flow rule has been edited to bypass Vade for M365's anti-malware filtering for emails
whitelisted on Microsoft 365.
Tip: Make sure the rule is checked in the Rules list.
How to revoke the rights of Vade for M365?
Procedure
1. Delete the journal rule.
a) Log in to the Microsoft Purview compliance portal.
b) Click Data lifecycle management > Exchange (legacy).
c) Open the Journal rules tab.
d) Check the box next to the journal rule to delete.
e) Click Delete.
The journal rule is deleted.
2. Remove the application.
a) Log in to the Azure Portal.
b) Go to left menu > Azure Active Directory > Enterprise applications.
The application list is displayed.
c) Click Vade for M365 in the table.
The Vade for M365 window opens.
d) Click Properties under Manage in the middle menu.
e) Click the Delete button to delete the application and revoke rights.
The application is removed.
Vade for M365 cannot access or process your emails anymore.
How to grant my partner access to my admin console?
Procedure
1. Log in to the Partner Portal.
2. Click the Clients & Licenses tab.
3. Click Request access for a specific client.
Results
Access pending is now displayed after refreshing the page. You or your administrative contact will
receive an email inviting you to log in to your admin console.
Note: After logging in to your Vade for M365 admin console, go to Settings > Global and enable
the Grant partner access to my admin console toggle. The partner will receive an email confirming
their access to your console and have direct access to the admin console via an Access button.
How to revoke access to the admin console?
Procedure
1. Log in to the Vade for M365 admin console.
2. Click Settings > Global in the left menu.
3. Disable the Grant partner access to my admin console toggle in the Partner access section.
Results
The toggle turns gray. Your partner will be informed by email that they no longer have access to the
admin console.
How to retrieve emails?
Procedure
1. Log in to the Microsoft 365 Security & Compliance Center.
2. Add a new eDiscovery Administrator:
a) Click Permissions in the left menu.
b) Check the eDiscovery Manager box.
The eDiscovery Manager pop-in window opens.
c) Click Edit next to eDiscovery Administrator.
The Editing Choose eDiscovery Administrator window opens.
d) Click Choose eDiscovery Administrator.
e) Click Add.
f) Check the box of the administrator in the list.
g) Click Add > Done > Save > Close.
You are now a member of the eDiscovery Manager group. You must log off and log back in to
benefit from your new rights.
3. Click Search > Content search in the left menu.
The Content search window opens.
4. Run a new search query.
a) Click + New search.
b) Enter a name and a description.
c) Click Next.
d) Turn on all Specific locations in the status column.
e) Click Next.
f) Add conditions and Keywords of the emails you wish to retrieve.
g) Click Next > Submit.
Your search is added to the list.
5. Check the box of your search in the list of searches.
A window of your search opens.
How to export email logs?
Procedure
1. Apply any search criteria.
You can now click the Export to CSV button if fewer than 1,000 logs are available.
2. Click the Export to CSV button.
Results
Your browser downloads your filtered log list as a .csv file.
Note: The log file contains the following information, separated by semicolons:
Date and time
The date and time of the email.
Sender
The sender of the email (MAILFROM).
Sender Header
The header of the sender (FROM).
To
The recipient of the email (RCPT TO).
Subject
The subject of the email.
URL
The URLs contained in the email, separated by a space.
Attachments
The attachments contained in the email, separated by a space.
Status
The status of the email.
Action
The actions applied to the email.
Destination
The destination folder of the email if one of the actions was MOVED.
Remediation
The remediation status of the email, if any (manual or auto).
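The function below is an added example, not part of the Vade guide: it reads an exported log and returns the emails that were classified as a threat but show no action and no remediation, together with the hosts of their URLs and a flag for differing MAILFROM and FROM domains. It assumes the CSV header row uses the field names listed above and that Status, Action and Remediation hold the labels shown in the console; the sample rows are constructed.

```powershell
# Added example (not from the Vade guide).
# ASSUMPTION: the export's header row uses the field names listed in the guide,
# and Status / Action / Remediation contain the labels shown in the console.
# Verify both against a real export before relying on the output.

function Get-AddressDomain {
    param([string] $Value)
    # Accepts a bare address or a "Display Name <user@domain>" header value.
    if ($Value -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLowerInvariant() }
    return $null
}

function Get-UnhandledThreat {
    param([Parameter(Mandatory)] [string] $CsvText)

    foreach ($row in ($CsvText | ConvertFrom-Csv -Delimiter ';')) {
        $isThreat     = $row.Status -and $row.Status -ne 'Legitimate'
        $noAction     = $row.Action -eq 'No action'
        $unremediated = [string]::IsNullOrWhiteSpace($row.Remediation)
        if (-not ($isThreat -and $noAction -and $unremediated)) { continue }

        # The URL field holds several URLs separated by spaces; keep the hosts.
        $urlHosts = foreach ($u in ($row.URL -split '\s+' | Where-Object { $_ })) {
            $uri = $null
            if ([uri]::TryCreate($u, [System.UriKind]::Absolute, [ref] $uri)) { $uri.Host }
        }

        # Envelope sender (MAILFROM) and header sender (FROM) can differ for
        # legitimate bulk mail too, so treat this as context, not a verdict.
        $envelope = Get-AddressDomain $row.Sender
        $header   = Get-AddressDomain $row.'Sender Header'

        [pscustomobject]@{
            DateTime       = $row.'Date and time'
            To             = $row.To
            Subject        = $row.Subject
            Status         = $row.Status
            EnvelopeDomain = $envelope
            HeaderDomain   = $header
            SenderMismatch = ($envelope -ne $header)
            UrlHosts       = @($urlHosts | Sort-Object -Unique)
        }
    }
}

# Constructed sample export (not real data). For a real file use:
#   Get-UnhandledThreat -CsvText (Get-Content -Raw -Path .\export.csv)
$sample = @'
Date and time;Sender;Sender Header;To;Subject;URL;Attachments;Status;Action;Destination;Remediation
2024-01-15 09:12:04;bounce@mailer.example.net;"IT Support <it@corp.example.com>";emma@corp.example.com;Password expiry;https://login.example.org/reset http://cdn.example.org/a.png;;Phishing;No action;;
2024-01-15 09:20:41;news@shop.example.com;news@shop.example.com;tom@corp.example.com;Weekly deals;https://shop.example.com/deals;;Low spam;Moved;Junk Email;
2024-01-15 10:02:17;hr@corp.example.com;hr@corp.example.com;emma@corp.example.com;Payslip;;payslip.pdf;Legitimate;No action;;
2024-01-15 11:05:09;a@x.example;a@x.example;tom@corp.example.com;Invoice;http://files.example.org/inv;invoice.docm;Malware;No action;;manual
'@

Get-UnhandledThreat -CsvText $sample | Format-List
```

Each returned row is a candidate for the Details view in the console, where the No action section explains why nothing was done.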
Support
Vade provides technical support by phone or email for Vade for M365.
Dashboard
Dashboard
The dashboard provides an overview of the latest threats detected and filtered by
the platform.
The dashboard provides figures and charts representing the number of threats by type over time and
a detail of the last threats identified.
The dashboard can be configured to provide details over a 1-day, 7-day (default) or 30-day period.
On this page, you can:
Threats detected
This section offers an overview of the threats detected by Vade for M365 during the period of time
you selected in the top right-hand corner.
Note: Whitelisted emails are not taken into account in this analysis.
Above each category of threat (malware, phishing, spear phishing, spam and scam), you can see how
many of them were detected during the selected period of time and their share in percentage among
all threats.
You can also check the chart below to get a visual representation of the threats our solution has
detected.
Tip: Click a threat to display the email log page filtered on this specific threat.
Related information
Settings - Global
Email logs
Threat Report
Logs
Email logs
This page displays filtering logs in real time, allows you to search for specific log
entries and to remediate and report emails.
Log search
You can search for specific log entries by providing search criteria in the search bar, and a specific
period.
Notice: If you do not use any filter, the search string will match the following fields: FROM, SUBJECT,
TO, REMEDIATION ID, REPORT ID and REPORTED EMAILS ID.
Period field
This field allows you to limit the search to a given period of time. Available default ranges
are 1 hour, 4 hours, 1 day and 7 days. You may also specify a custom range by providing
a start and end date as well as an exact time of day by clicking on the Custom button.
Filters
The search field allows you to search for a sender, a recipient, a subject, an action, a status,
emails with attachments and emails with URLs.
You can apply one or several filters after clicking on the Filters button.
Note: Select CONTAINS for FROM, SUBJECT or TO if you want to display emails
matching partially what you are looking for, or IS if you want to display emails
matching perfectly what you are looking for.
FROM
Type in an email address or part of an email address to display all the emails sent from
the matching addresses.
TO
Type in an email address or part of an email address to display all the emails sent to the
matching addresses.
SUBJECT
Type in the whole subject or part of a subject to display all emails matching those words.
REMEDIATION ID
Type in a remediation ID to display all emails impacted by specific remediation campaigns.
REPORT ID
Type in a report ID to display all emails impacted by specific report campaigns.
REPORTED EMAIL ID
Type in a reported email ID to display details of the emails reported via the Outlook
add-in.
ACTION
Moved
Emails Vade for M365 moved.
Banner
Emails detected as spear phishing with a Vade for M365 warning banner.
Deleted
Emails Vade for M365 deleted.
Attach. removed
Emails from which Vade for M365 removed malicious attachments.
No action
Emails Vade for M365 did not handle.
REMEDIATED
Auto
Auto-remediated emails.
Manual
Manually remediated emails.
Not remediated
Emails not remediated.
MANUAL REPORTS
Reported as legitimate
Emails that have been reported as legitimate.
Reported as malicious
Emails that have been reported as malicious.
Not reported
Emails that have not been reported.
URL
ALL
Emails, with or without URLs.
WITH
Emails with at least one URL.
WITHOUT
Emails without any URLs.
Real-time logs
In order to view the real-time processing logs of the filtering solution, enable the Real-time log mode
by clicking the switch button.
This will display the processing logs of all incoming emails processed by the platform.
Note: When the Real-time log mode is enabled, the Export to CSV and Remediate buttons are not
available.
Search results
The logs matching the search criteria will be displayed in a table providing:
Date & Time
The date and time the email was originally processed.
From
The email address of the sender.
To
The email address of the recipient.
Subject
The subject of the email.
Status
The filtering status of the email, which corresponds to one of the statuses that can be
configured under the Settings page for spam, phishing, etc. The list of potential statuses is:
Legitimate
The Vade filter identified the email as legitimate.
Phishing
The Vade filter identified the email as a phishing attempt.
Malware
The Vade filter identified malware in the email.
Spear phishing
The Vade filter identified the email as a spear phishing attempt (because of partial or
complete spoofing, etc.).
Low spam
The Vade filter identified the spam as an emailing campaign sent through professional
routing platforms (ESP). These market players follow the rules of use for email advertising,
by providing unsubscribe links, list cleaning, etc.
Action
The action taken on the message depending on the action configured for the message status.
Potential actions are:
Moved
The email was moved from the inbox to another folder.
Deleted
The email was deleted.
Banner
A warning banner was added to the email.
No action
No action was performed on the email.
Note: Click the dot icon > Details next to a specific email and check the
No action section to know why no action was performed.
• In the Attachments section, click the icon to download the attachment, or click the
icon to analyze the attachment further.
Note: This feature is part of the Threat Intel & Investigation
add-on.
Important: We can only analyze PDF, Microsoft Word, Excel and PowerPoint files
under 15 Mb.
Export to CSV
Select a filter and click the Export to CSV button to export a .csv file of the list on display.
Remediate
Select a filter and click the Remediate button to remediate and report emails.
Related tasks
How to export email logs?
Related information
How to search more accurately with a dedicated syntax in the search bar?
How to remediate emails?
Filtering use cases
Now, you want to search for all the emails you received from Tom Watson. You will have to use the
filter from:
from:"tom.watson@test.com"
Note: Make sure you use quotation marks if you want a perfect match in your search results.
If you want to search for all the emails Tom Watson sent to Emma Tomson, you will have to use the from
and to filters:
8. Click Confirm.
The pop-in window displays the information of the selected email, and the available actions.
6. Click Next.
7. Check the Remediate box.
8. Choose a folder to move the emails into.
Note: You can also report the emails as legitimate or malicious by checking the corresponding
box.
9. Click Confirm.
Tip: The console displays up to 100 emails by default, but you can select as many as 500 emails
in the pop-in window.
Tracking
It is mandatory to keep track of remediation actions in logs, i.e. who moved the
emails, when, and which one(s).
Event Logs
This page displays all actions taken by users like remediations, setting updates, etc.
1. Click the Filters button and select Remediate to display all remediated emails.
2. You can check who used the Remediate action and the date of the action in the event list.
3. Click the icon > View logs to see how many emails were remediated for that event, and what
folder they were moved to.
Note: In case of remediation of an email in another pending remediation, the description shows:
[NUMBER OF MESSAGES] messages skipped due to pending remediation.
Remediation logs
This page displays remediated campaigns by type of remediation and
auto-remediation.
Any remediation is recorded and displayed in the remediation logs. You can filter them to analyze all
actions taken on the emails of your users.
Type
The type of remediation: auto-remediation or manual remediation.
Date
The date of the remediation.
Remediation ID
The ID of the remediation campaign.
Affected users
Percentage of users that opened the email before remediation.
Remediated
The number of remediated or auto-remediated emails.
Updated status
The last status of a campaign.
Action
The action performed on the campaign.
Details
The View logs button redirects the user to the logs of the selected campaign.
URL logs - Time-of-Click
Log search
You can search for specific log entries by providing search criteria in the search bar, and a specific
period.
Period field
This field allows you to limit the search to a given period of time. Available default ranges
are 1 hour, 4 hours, 1 day and 7 days. You may also specify a custom range by providing
a start and end date as well as an exact time of day by clicking on the Custom button.
Filters
The search field allows you to search for a sender, a recipient and URLs.
You can apply one or several filters after clicking on the Filters button.
Note: Select CONTAINS for FROM or TO if you want to display emails matching
partially what you are looking for, or IS if you want to display emails with URLs
matching perfectly what you are looking for.
FROM
Type in an email address or part of an email address to display all the emails sent from
the matching addresses.
TO
Type in an email address or part of an email address to display all the emails sent to the
matching addresses.
URL
Type in a URL or part of a URL to display all emails containing a specific link.
STATUS
Clean
Displays all emails identified as legitimate.
Phishing
Displays all emails identified as phishing.
Timeout
Displays all emails that could not be analyzed due to a timeout.
Error
Displays all emails that could not be analyzed due to an internal error.
ACTION
Visited
Displays all URLs a user has visited.
Blocked
Displays all malicious URLs blocked by Vade.
Warning - Visited
Displays all URLs a user has visited after the warning.
Warning - Not visited
Displays all URLs a user has not visited after the warning.
Real-time logs
In order to view the real-time processing logs of the Time-of-Click protection, enable the Real-time log
mode by clicking the switch button.
This will display the processing logs of all URLs scanned by the Time-of-Click protection.
Search results
The logs matching the search criteria will display in a table providing:
url
In the context of a Time-of-Click analysis log entry, this contains the URL that was analyzed.
Event logs
The event logs track the activity performed on the filtering solution by
administrators or users.
Any connection, configuration change, remediation, auto-remediation etc. will be recorded and
displayed in the event logs.
Log search
You can search for specific event logs by providing search criteria in the search bar, and a specific
period.
Notice: If you do not use any filter, the search string will match any field (user, event, etc.).
Period field
This field allows you to limit the search to a given period of time. Available default ranges
are 1 hour, 4 hours, 1 day and 7 days. You may also specify a custom range by providing
a start and end date as well as an exact time of day by clicking on the Custom button.
Search field
The search field allows you to search for a user or an event.
You can apply one or several filters after clicking on the Filters button:
USER
Type in the name of a user or part of the name of a user to display all actions they have
taken.
Note: Select CONTAINS if you want to display users matching partially what
you are looking for, or IS if you want to display users matching perfectly what
you are looking for.
EVENTS
Logged in
All connection events.
Auto-Remediate campaign sent
A training campaign is sent automatically via Auto-Remediate.
Admin campaign sent
The administrator manually sends a training campaign.
Time-of-Click campaign sent
A training campaign is sent automatically via Time-of-Click.
License activated
A user activates a license.
License deactivated
A user deactivates a license.
Settings updated
A user updates settings.
Real-time logs
In order to view the new events in real time, enable the Real-time logs mode by clicking the switch
button.
Search results
The logs matching the search criteria will be displayed in a table providing:
Date & Time
The date and time of the event.
User
The user behind the event.
Events
The type of event.
Log details
Click the icon to display a pop-in window with information such as the time, the date and
the user involved.
Note: In the case of remediation, you will find the remediation ID, the report ID,
and the View logs in order to display the involved emails.
Reported emails
Note: This feature is part of the Threat Intel & Investigation add-on.
The Reported emails page displays email clusters to help you prioritize emails that have been reported
the most by your colleagues, as well as report details.
You can sort reported emails by date, number of reports, or number of affected users.
Alert settings
Activate the alert settings to send email alerts to the email addresses of your choice when an end-user
makes a new report.
Note: The alert settings are only available for administrators.
Reports
Threat Report
The Threat Report provides a detailed summary of the threats identified by type
(malware, spear phishing, etc.) and can be used to investigate a specific type
of threat.
The dropdown menu in the top left corner allows you to choose between All domains or a specific
domain whose data you want to view.
The Period field in the top right corner allows you to limit the search to a given period of time. Available
default ranges are 1 hour, 4 hours, 1 day and 7 days. You may also specify a custom range by
providing a start and end date as well as an exact time of day by clicking on the Custom button.
The different bar charts show how many emails were identified as threats during the period of time
set in the Period field. The percentage indicates the share of each threat type in the total
number of threats received. Click any of them to display the filtered email logs.
Notice: If you want to use the special Current Events filter, go to Logs > Emails, apply the Current
Events filter and go back to Reports > Threats to have your reports filtered.
Threats
The Threats charts provide visual representations of the distribution of identified threats. You
can click each threat label to get more details about a specific threat.
Time-of-Click
The Time-of-Click charts provide insights into phishing and URL protection. They list
the number of phishing links detected, the number of times the users visited the phishing
sites, etc.
Phishing
This chart shows the share of phishing attempts identified either by the filter or by Time-of-Click.
Spam
This chart shows the share of spam identified as high spam, medium spam or low spam.
Spear Phishing
This chart shows the share of each kind of spear phishing attempt.
Top attachments
This list provides insights about the attachment names that have been identified the most
frequently by the platform in messages that were identified as threats.
Top extensions
This list provides the attachment extensions that have been seen the most frequently in
messages that were identified as threats.
Top sender domains
Provides the list of domains which are sending the largest number of emails identified as
threats to your domains.
Related information
How to manage reports? on page 13
The report provides figures and charts representing the number of messages by type (newsletters,
social notifications, etc.) over time and the possibility to detail each type.
The dropdown menu in the top left corner allows you to choose between All domains or a specific
domain whose data you want to see.
The Period field in the top right corner allows you to limit the search to a given period of time. Available
default ranges are 1 hour, 4 hours, 1 day and 7 days. You may also specify a custom range by
providing a start and end date as well as an exact time of day by clicking on the Custom button.
The different bar charts show how many emails were identified as low priority messages during the
period of time set in the Period field. The percentage indicates the share of each low priority email
type in the total number received. Click any of them to display the filtered email logs.
Low priority emails
Provides details regarding the classification that was performed over the messages, by
category: Newsletters, Social, Purchase and Travel.
Top sender domains
Provides the list of the top sender domains for low priority emails.
Top sender addresses
Provides the list of the top sender email addresses for low priority emails.
Top recipient addresses
Provides the list of email addresses that receive the most low priority emails.
Related information
How to manage reports? on page 13
Auto-remediation Report
This report provides information about auto-remediated messages.
The dropdown menu in the top left corner allows you to choose between All domains or a specific
domain whose data you want to see.
Available in the Reports menu, this page shows all the threats detected by Vade, in addition to the
ones detected by Microsoft.
The Period field in the top right corner allows you to limit the search to a given period of time. Available
default ranges are 1 hour, 4 hours, 1 day and 7 days. You may also specify a custom range by
providing a start and end date as well as an exact time of day by clicking on the Custom button.
Additional threats detected by Vade
Each colored square represents a threat. The number indicates how many emails
Vade for M365 has identified after the Microsoft analysis and the curve shows the evolution
of the detection.
Vade Threat Coach is a platform with various exercises that train users and improve how they handle
their emails. This platform is accessible via campaigns triggered manually or automatically.
Launch campaign
The Launch campaign feature allows you to manually send training campaigns to different groups of users
using the name of a brand for the exercises. The users receive an email inviting them to take the
course.
Note: The groups of users are the ones set in your Microsoft account and the top 10 recipient
addresses.
Overview
The 7 days and 30 days buttons display the figures for the last 7 or 30 days.
The bar charts show the following figures:
Campaigns
Total number of campaigns sent
Trainings
Total number of trainings received (admin campaigns, warning pages, ...)
Started
Total number of trainings started
Completed
Total number of trainings successfully completed
Failed
Total number of trainings with at least 1 mistake
Recent Campaigns
The Recent Campaigns logs allow you to see the latest campaigns that have been sent through
Vade for M365. They display the following information:
Note: You can export the details of recent campaigns as a .csv file by clicking the Export to CSV
button.
Sensitive users
The Sensitive users section displays the users who have had the least satisfying results after 1 or
several campaigns, from most sensitive to least sensitive. As these users are more likely to be victims
of phishing attacks, it is necessary to keep a close eye on their online behavior.
Note: You can export the details of sensitive users as a .csv file by clicking the Export to CSV button.
User
Email address of the user
Campaigns
Total number of campaigns received
Failures
Total number of failed trainings
Last failure
Date and time of the last failed training
Details
Clicking the dot icon displays a new window with information about the user such as:
• Date & Time: date and time of the campaign received.
• Brand: brand used for the campaign.
• Type: type of the campaign.
• Started: did the user click the link to the training?
Toolbox
If you activated the Time-of-Click feature, the URLs in your emails are automatically rewritten so that
they can be analyzed by Vade for M365. Sometimes, you might want to know what the original URL was
before being rewritten. To do so, you can navigate to the Toolbox in the Vade for M365 admin console.
1. Log in to the Vade for M365 admin console.
2. Click Toolbox in the left menu.
3. Enter the URL you want to decrypt in the field.
4. Click Decrypt.
The decrypted URL is displayed under the field. You can copy it using the Copy button on the right.
Important:
You can only decrypt rewritten URLs in a specific format. They should start as follows:
• <host>/v2?...,
• <host>/v3?..., or
• <host>/v4?....
Trying to decrypt older URL formats will trigger a "We can't decrypt this URL" warning.
Make sure the URLs you are trying to decrypt are safe before accessing any website!
Related information
URL logs - Time-of-Click on page 28
Settings - Anti-Phishing on page 46
Note: This feature is part of the Threat Intel & Investigation add-on.
Some files, especially those received via email, may seem suspicious to you. With File Inspector, you can
get a deep analysis to perform a detailed investigation.
1. Log in to the Vade for M365 admin console.
2. Click Toolbox in the left menu.
3. Select the file you want to analyze under File Inspector.
You will find the following information about the file:
• Properties: First-level analysis.
• Features: Main attributes.
• Embedded links: URL or mailto links found in the file.
• Code Analysis: Details of the code detected in the file.
• Embedded files: Details of the different files included in the file.
Note: We do not store information retrieved in the Toolbox.
Settings
Global
Here you can choose your protection mode and manage your partner's access
to your administration console.
Global settings
Protection
Click Protection to enable active filtering of Vade for M365.
Tip: Once enabled, Protection mode enabled is displayed on the Dashboard page
(see Dashboard on page 18).
Monitoring
Click Monitoring if you simply want Vade for M365 to log detections (and not block
anything) to monitor the solution.
Partner access
Activate Partner access to grant your partner access to your admin console.
Tip: The logs only show the data of the users inside the user group. The other email addresses
associated with the tenant are not protected: you cannot see them in the admin interface, logs,
graphs, etc.
Procedure
1. Click Clients & Licenses on the Partner Portal.
2. Click the Details icon in front of the client name in the list.
3. Click Edit in front of the license in the Licenses tab.
4. Click Allow user group restriction.
5. Click Edit a license after the icon turns green.
6. Click Access on the right after the window closes.
Results
The Vade for M365 admin console opens in a new tab after you click Access.
Note: You can also allow the feature when you add a license from the Add a license window.
Procedure
1. Click Settings > User group restriction in the left menu.
Tip: If the user group is appropriately set up, the administration console automatically detects
it. If it does not, select your group in the drop-down menu.
Results
The user group restriction is now enabled, and will restrict the actions taken by Vade for M365 to
the list of users selected.
Procedure
1. Click Settings in the Vade for M365 admin console.
a) Click Enable user group restriction in the Global tab.
b) Click Apply to confirm.
Results
The user group restriction is now disabled and configured filtering actions will now be performed for
all users.
Enabled
Disabled
The user group restriction is inactive, and all users are protected by Vade for M365. The client
may not have enabled the feature in their admin console.
Invalid
Warning: The user group is inactive, the users are not protected by Vade for M365
and their messages are not logged.
The user group is not active, and all users are protected by Vade for M365. An error may
have occurred between the Partner Portal and the admin console.
Incident Response
Here you can manage the filtering of different types of emails.
Anti-Malware
This tab allows you to configure the actions to take upon detecting malware in
attachments.
Folder
The name of the inbox folder to move the message to.
Auto-Remediate
Activated by default, this feature learns over time and can automatically fix email verdicts
received over the last seven days.
Important: Auto-Remediate is disabled in Monitoring mode and not applicable in
the following cases:
• From legit to graymail (Newsletter, Social, Purchase...) and the other way around.
• On whitelisted email addresses (unless malware is detected).
• In Monitoring mode.
• If the license is expired or suspended.
• If the email has already been moved by a user rule to another folder.
• If the email has already been remediated manually.
Note: To bypass Vade's anti-malware filtering for whitelisted senders, add the header
X-VADE-O365-MALWARE-BYPASS to your mail flow rules in the Microsoft 365 admin center. Refer
to How to use admin whitelists? on page 11 for more information.
Anti-Phishing
This tab allows you to configure the detection and actions to take upon detecting
phishing attempts.
Time-of-Click
Allows you to enable the Time-of-Click protection, which provides real-time protection against
phishing URLs.
If this feature is enabled, the URLs contained in the emails received will be rewritten to point
to a proxy, which will scan each target URL before redirecting the user to the original URL,
or display a warning if a phishing site is discovered.
Note: This feature does not apply to whitelisted messages, unless detected as
malware.
Anti-Spear Phishing
The Anti-Spear Phishing tab allows you to configure the action to take upon
detecting the various types of targeted attacks.
Identity Spoofing
The Vade Anti-Spear Phishing engine combines AI-based natural language processing analysis
with end users' communication habits to flag email address, alias or domain
impersonation attempts. You may customize a different action for each threat type.
Anti-Spam
This tab allows you to configure the actions to take upon detecting various spam
types.
Status
The spam level returned by the filter.
High spam
High-volume spam that does not respect email campaign best practices.
The recommended action is to Delete these messages.
Classification
This tab allows you to configure the actions to take for the various low-priority
email types.
Status
The type of message detected by the filter.
Newsletters
Newsletter messages.
Social
Social media messages.
Purchase
Order/confirmation, invoices, etc.
Travel
Travel booking, reservation, confirmation, etc.
Action
The action the platform should take upon detecting a message of this type. Options are:
Admin test
Generate a training for your own test
Click Launch a test to receive a campaign email like any user would if you launched a campaign
automatically.
Note: The brand used in the exercises is Microsoft by default. The test is sent to the email address
you used to log in to the console.
RBAC
With RBAC, map Azure AD roles to Vade for M365 roles for customized user
permissions.
RBAC, or Role-Based Access Control, helps you define users' rights on your administration console by
mapping Microsoft Azure AD roles to Vade for M365 roles.
List of mappings
All Azure AD roles mapped to Vade for M365 roles, which you can edit or delete.
Search role
Type in any Azure AD role in the search bar.
Add mapping
Click the Add mapping button to map Azure AD roles to Vade for M365 roles.
Add mapping
You can associate Azure AD roles to Vade for M365 roles to define users' rights.
Procedure
1. Go to Settings > RBAC.
2. Click the Add mapping button.
3. Search the Azure AD role to map to a Vade for M365 role.
4. Click Next.
5. Select a Vade for M365 role.
6. Click Next.
7. Click Associate.
Note: You can edit or delete mappings from the list of mappings.
Developers
Note: This feature is part of the Threat Intel & Investigation add-on.
The Vade for M365 API is a RESTful API that allows you to search for email logs, auto-remediation logs
and manual remediation logs. You can also integrate our API into your SIEM for better threat
investigation and threat intelligence.
Note: This feature is only available in English.
Use case #1: Retrieving URLs and attachments from a specific sender
As a user based in Europe, you want data about the URLs and attachments sent by zzz@yyy.com.
1. Retrieve your TOKEN by following the instructions in the Get started tab.
2. Enter this request in your terminal:
# Replace {tenant_id} and <YOUR_TOKEN> with your own values.
curl -X POST "https://m365.eu.vadesecure.com/api/v1/tenants/{tenant_id}/logs/emails/search" \
  -H "authorization: Bearer <YOUR_TOKEN>" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "fields": [
      "urls",
      "attachments"
    ],
    "query": {
      "eq": {
        "from": "zzz@yyy.com"
      }
    }
  }'
1. Retrieve your TOKEN by following the instructions in the Get started tab.
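# Replace {tenant_id} and <YOUR_TOKEN> with your own values.
# GNU date is required; --rfc-3339 needs a precision argument (seconds here).
# The single-quoted JSON is closed around "$(...)" so that the shell runs the date command.
curl -X POST "https://m365.asia.vadesecure.com/api/v1/tenants/{tenant_id}/logs/emails/search" \
  -H "authorization: Bearer <YOUR_TOKEN>" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "sort": [
      "date",
      "id"
    ],
    "query": {
      "range": {
        "date": {
          "gte": "'"$(date --date='5 minutes ago' --rfc-3339=seconds)"'"
        }
      }
    }
  }'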
1. Retrieve your TOKEN by following the instructions in the Get started tab.
2. Enter this request in your terminal:
curl -X 'POST' \
'https://m365.eu.vadesecure.com/api/v1/files/analysis' \
-H 'Authorization: Bearer <YOUR_TOKEN>' \
-H "accept: application/json" \
-H 'Content-Type: application/json' \
-d '{
"content": "your file in Base64",
"filename": "file name.file extension"
}'
3. The terminal returns the data of your file: embedded documents, extension accuracy, number of
images in the file...
Note: You will find information about the different fields and parameters in the API tab.
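The request bodies used above can be built by small shell functions, so that a file name containing quotes or a mistyped time window cannot produce malformed JSON. This is an added example, not code from Vade: the function names and the VADE_TOKEN variable are assumptions, and GNU date, base64, sed and curl are assumed to be installed.

```sh
# Added example (not Vade's own code): builders for the request bodies above.
# Function names and VADE_TOKEN are assumptions, not part of the Vade API.

# Make a string safe to embed in a JSON string: drop control characters,
# then escape backslashes first and double quotes second.
json_escape() {
  printf '%s' "$1" | tr -d '\000-\037' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Body for .../logs/emails/search: emails logged during the last N minutes,
# sorted by date and id as in the request above. Requires GNU date.
search_body_since() {
  case "$1" in
    ''|*[!0-9]*) echo "minutes must be a whole number" >&2; return 1 ;;
  esac
  printf '{"sort":["date","id"],"query":{"range":{"date":{"gte":"%s"}}}}\n' \
    "$(date --utc --date="$1 minutes ago" --rfc-3339=seconds)"
}

# Body for .../files/analysis: the file as single-line Base64 plus its name.
file_analysis_body() {
  [ -r "$1" ] || { echo "cannot read: $1" >&2; return 1; }
  printf '{"content":"%s","filename":"%s"}\n' \
    "$(base64 < "$1" | tr -d '\n')" \
    "$(json_escape "$(basename -- "$1")")"
}

# POST a body read from stdin to the URL given as $1. Reading the body from
# stdin avoids the argument-length limit that a large Base64 payload would hit.
vade_post() {
  curl --fail --silent --show-error -X POST "$1" \
    -H "authorization: Bearer ${VADE_TOKEN:?VADE_TOKEN is not set}" \
    -H "accept: application/json" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

# Usage (sends a real request, so it is left commented out):
#   file_analysis_body ./suspicious.docx |
#     vade_post "https://m365.eu.vadesecure.com/api/v1/files/analysis"
```
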