[Suggestion] - Configure NetworkPredictionOptions for Edge device policy #163

@Neonsun77

Policy: Win - OIB - SC - Microsoft Edge - D - Security

Suggestion: Enable NetworkPredictionOptions, set value to NetworkPredictionNever (2).

Reasoning: We just had an incident logged in Defender for Endpoint from a device that had a hit against a known IoC ("Initial access" and "Command and control"). The request was successfully blocked, but we still investigated to find the root cause. Investigation showed that the user had not actually visited the malicious site with intent, nor was there any sign of harmful popups, iframes or redirect on any of the pages that had been visited.

After looking at the device timeline, we determined that the browser had made new connections to about twenty new web sites within less than a second, where the first was the result page of a search on a known indexing site. The next hits were apparently random, one of which was the IoC.

Our theory here is that the browser preload feature connected the browser to all of the search engine results that were visible on the first result page because of the prediction feature.

Even if the browser doesn't fully load remote (malicious) content on a preload, IMO the added benefit of displaying search results slightly faster is overshadowed by the unnecessary network traffic and potential network protection triggers that could be generated by having the feature enabled. We customized the policy in our tenant to configure the setting to disable network prediction, perhaps it could be considered a default setting for OIB as well.
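An added example (not from the OIB project or the issue author) that audits a device for the suggested setting and can remediate it. It assumes the policy reaches the device as a machine-scope Edge policy written under `HKLM:\SOFTWARE\Policies\Microsoft\Edge`, which is where ADMX-backed Edge policies land; the function name `Test-EdgeNetworkPrediction` is hypothetical.

```powershell
# Added example: audit and optionally enforce Edge NetworkPredictionOptions = 2.
# Assumption: the policy is delivered as a machine-scope registry policy.
function Test-EdgeNetworkPrediction {
    [CmdletBinding()]
    param(
        # Write the desired value when the device is not compliant.
        [switch]$Remediate
    )
    $PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $ValueName  = 'NetworkPredictionOptions'
    $Desired    = 2   # NetworkPredictionNever
    $Names = @{
        0 = 'NetworkPredictionAlways'
        1 = 'NetworkPredictionWifiOnly'
        2 = 'NetworkPredictionNever'
    }

    # Read the current value; $null means no policy is set, so the browser
    # default applies and preloading stays enabled.
    $current = $null
    if (Test-Path $PolicyPath) {
        $current = (Get-ItemProperty -Path $PolicyPath -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
    }

    if ($null -eq $current) {
        $state = 'NotConfigured (browser default, preloading allowed)'
    } elseif ($Names.ContainsKey([int]$current)) {
        $state = $Names[[int]$current]
    } else {
        $state = "Unknown value $current"
    }

    $compliant = ($current -eq $Desired)
    if (-not $compliant -and $Remediate) {
        if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
        New-ItemProperty -Path $PolicyPath -Name $ValueName -Value $Desired `
            -PropertyType DWord -Force | Out-Null
        $compliant = $true
    }

    [pscustomobject]@{
        Policy    = $ValueName
        Current   = $state
        Desired   = $Names[$Desired]
        Compliant = $compliant
    }
}

# Audit only; add -Remediate to enforce. Confirm afterwards in edge://policy.
Test-EdgeNetworkPrediction
```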
