Protecting Against Phishing Attacks in Office 365

Sorry to start on an alarmist note, but here are the facts: 3.4 billion phishing emails are sent, and phishing attacks are predicted to compromise 33 million data records in 2023 alone.

By definition, phishing is an online social engineering attack in which the attacker tries to deceive a user into divulging personal information or downloading malware. It is estimated that 36% of all security breaches start with a phishing attack.

The costliest recorded phishing attack compromised thousands of emails, caused a financial loss of $100 million, and caused the company immense reputational damage.

With this in mind, it is no surprise that Office 365 admins must make sure their organizations are well-proofed against phishing attacks. This article is a detailed analysis of the best practices for making sure your Office 365 tenant is well protected.

Let’s start by first learning about the types of phishing attacks.

Types of phishing attacks

1. Email Phishing

Image source: Malwarebytes

With this type of attack, the fraudster creates an email account on a phony domain that looks like a legitimate organization’s and sends hundreds of bogus, generic requests.

2. Spear Phishing

Spear phishing employs targeted, personalized information designed for the intended users. The attacker often has access to the victim’s name, address, phone number, and maybe even their employment data, and tries to use this information to gain trust.

3. Whaling Attacks

Image source: Pandasecurity

Whaling emails often use the trick that a CEO who is very busy needs a favour from an employee. These emails are not as sophisticated as spear phishing emails. They are effective, though, because they take advantage of employees’ proclivity to follow directions from their boss.

4. Vishing and Smishing

Image source: projectfiveuk

These types of attacks utilize telephones. Smishing entails cybercriminals sending bogus text messages to victims, whereas vishing entails a phone chat with the victim. Text messages purporting to be from your bank warning you of suspicious activity are a common smishing pretext.

Other types of phishing attacks include:

  • Angler phishing.
  • HTTPS phishing.
  • Pharming.
  • Pop-up phishing.
  • Clone phishing.
  • Watering hole phishing.

EOP and Defender for Office 365 anti-phishing Protection

Microsoft has recognized phishing as a potent cyberthreat and implemented stringent safeguards for Office 365 users. It has developed two solutions to address this cybercrime: Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

By using these and other best practices recommended by cyber security experts, you can protect your systems from phishing attacks.

Anti-phishing protection in EOP

Spoof Intelligence

Image source: Vimeo

Spoof intelligence insights allow you to review external and internal messages sent by spoofed senders. Thereafter, you can decide whether or not to manually allow or block the senders in question.

As part of EOP’s anti-phishing policies, you can choose to enable or disable spoof intelligence, display or hide Outlook’s unauthenticated sender indicators, and set an action for blocked spoofed senders.

Tenant allow/block list

This list allows you to manually allow or block a spoofed sender. Click the “Spoofed senders” tab and override the spoof intelligence insight’s assessment to do this.

It also allows you to manually create allow or block entries for spoofed senders before spoof intelligence detects them.

Automatic Email Verification

By using sender reputation, sender history, receiver history, behavioural analysis, and other methods, EOP improves upon the traditional methods of authenticating incoming emails (SPF, DKIM, and DMARC) to better detect fraudulent senders.

Additional Defender anti-phishing Protection

The following additional anti-phishing protection is available for users with Microsoft Defender for Office 365.

Microsoft Defender for Office 365 anti-phishing Policies

Microsoft Defender lets you configure impersonation protection settings for specific message senders and sender domains.

This is in addition to mailbox intelligence settings and customizable advanced phishing thresholds. Let’s have a quick overview of them.

Attack Simulation Practices

Microsoft Defender enables this by allowing admins to create simulated phishing messages and send them to internal users for training purposes.

Campaign Views

Defender enables this by using machine learning and other algorithms to detect and analyze service-wide and business-wide phishing attacks.

Best Practices to keep phishing attacks at bay

Fix Compromised Accounts

Image source: Pixabay

If your system is the victim of a phishing attack, first deal with the recipient account that was compromised and block any further phishing messages. This quarantines the threat, so take the right steps to stop the attack.

Additionally, use Microsoft Defender for Office 365 Threat Intelligence to find other victims of the same phishing attack.

Notify Microsoft of the Phishing Attack

This is vital because reporting phishing attacks helps fine-tune the filters that safeguard all Microsoft 365 users.

Use Microsoft Secure Score

Run Secure Score on a monthly basis to evaluate your organization’s security settings. A higher Microsoft Secure Score indicates that more security recommendations have been adopted. The higher your score, the better protected your systems are.

Examine the Message Headers

Check the headers of the phishing message to determine if there is anything that would stop further transmission of phishing messages.

Often, the phishing message headers reveal the settings in your organization that let phishing mail in.

In particular, it is important to check the Spam Filtering Verdict (SFV) value in the X-Forefront-Antispam-Report header field in message headers for indications of skipped filtering for spam or phishing.
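The following is an added example (not code from the article or from Microsoft) that pulls the X-Forefront-Antispam-Report header out of a raw message and interprets the SFV value; the SFV meanings are those Microsoft documents for EOP anti-spam headers, and the sample message is constructed for illustration.

```python
"""Inspect a message's X-Forefront-Antispam-Report header for the Spam Filtering
Verdict (SFV). Added example, not code from the article or from Microsoft; the
sample message below is constructed for illustration."""
from email import message_from_string

# SFV values and their meanings as documented by Microsoft for EOP anti-spam headers.
SFV_MEANING = {
    "SPM": "marked as spam by the filter",
    "NSPM": "marked as not spam by the filter",
    "BLK": "filtering skipped: sender on the user's Blocked Senders list",
    "SFE": "filtering skipped: sender on the user's Safe Senders list",
    "SKA": "filtering skipped: sender or domain allowed by an anti-spam policy",
    "SKB": "filtering skipped: sender or domain blocked by an anti-spam policy",
    "SKI": "filtering skipped: intra-organization message",
    "SKN": "filtering skipped: a mail flow rule marked the message as not spam",
    "SKQ": "message was released from quarantine",
    "SKS": "filtering skipped: a mail flow rule marked the message as spam",
}
# Verdicts meaning the message bypassed filtering and was delivered anyway: if a
# phish reached a mailbox with one of these, an allow entry or rule let it in.
SKIPPED_AND_ALLOWED = {"SFE", "SKA", "SKI", "SKN", "SKQ"}

def parse_forefront_report(raw_header):
    """Split 'KEY:VALUE;KEY:VALUE;...' into a dict, tolerating folded header lines."""
    fields = {}
    for part in raw_header.replace("\r", "").replace("\n", "").split(";"):
        key, _, value = part.strip().partition(":")
        if key:
            fields[key.upper()] = value.strip()
    return fields

def sfv_verdict(raw_message):
    """Return the SFV value, its meaning and whether the message needs review."""
    header = message_from_string(raw_message).get("X-Forefront-Antispam-Report")
    if header is None:  # never passed through EOP, or the headers were stripped
        return {"sfv": None, "meaning": "header missing", "review": True}
    sfv = parse_forefront_report(header).get("SFV", "").upper()
    return {"sfv": sfv or None,
            "meaning": SFV_MEANING.get(sfv, "unknown verdict"),
            "review": sfv in SKIPPED_AND_ALLOWED}

# Constructed sample: a phish that an allow entry let through (SFV:SKA).
SAMPLE = """From: "IT Helpdesk" <helpdesk@example.net>
To: alice@example.com
Subject: Password expiry notice
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:1;SRV:;IPV:NLI;
 SFV:SKA;H:mail.example.net;PTR:mail.example.net;CAT:NONE;DIR:INB

Your password expires today. Sign in at the portal to keep access.
"""
```

A result with `review` set to true points at the allow entry, safe-sender list or mail flow rule that bypassed filtering, which is the setting to fix.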

Turn on Spoof Intelligence

In Microsoft Defender for Office 365, a spoofed sender is one where the From address of the message doesn’t match the source of the message.

The spoof intelligence insight shows spoofed senders that spoof intelligence automatically identified as allowed or prohibited.

Periodically review allowed and blocked spoof senders and make custom configurations to the spoof intelligence settings.

Check the Threat Protection Status Report on a regular basis

The Threat protection status report is a consolidated view of malicious content and malicious email discovered and prevented by Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

The report includes email messages with malicious content, such as files or URLs, blocked by the anti-malware engine, zero-hour auto purge (ZAP), and Defender for Office 365. This identifies trends and assembles data that you can use to decide whether your organizational policies need to be adjusted.

Deliver domain email directly to Microsoft 365 whenever possible

Simply put, set your MX record for your domain to point to Microsoft 365. This is because when email is sent directly to Microsoft 365, Exchange Online Protection (EOP) offers the highest level of security for your cloud users. Use Enhanced Filtering for Connectors in front of EOP if you have to employ a third-party email hygiene solution.

Employ Multi-factor Authentication

Account compromises are often avoided by enabling multi-factor authentication (MFA) for all users.

It’s recommended to implement multi-factor authentication (MFA) in stages, beginning with the most important users (admins, executives, etc.).

Periodically review mailbox Forwarding Rules

Locate and disable rules that route mail to external recipients, using the data in Microsoft Secure Score’s Evaluate mailbox forwarding rules section.

This is important because attackers frequently employ forwarding rules to external recipients to exfiltrate data.

Configure the SPF, DKIM, and DMARC in DNS Records

Completely configuring SPF, DKIM, and DMARC records in DNS for all of your email domains is the best way to deal with legitimate messages from senders in your domain that are blocked by Microsoft 365 (false positives).

To do so:

  • Make sure your SPF record specifies all known senders from your domain, including any third-party services.
  • If your email server is set up to reject messages from unknown senders, use the hard fail (-all) option.
  • To add permitted third-party senders to your SPF record, use spoof intelligence to identify authorized domain senders.
  • Doing this closes the phishing gap that opens when some users, trying to let legitimate blocked emails through, put their own domains in the anti-spam policy’s Allow sender or Allow domain list.
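As an added example (not from the article), the audit below checks an SPF TXT record against the points in the list above: every known sender, third-party services included, must be authorized, and the record should end in a hard fail. The records and the sender list are constructed; `spf.protection.outlook.com` is the Microsoft 365 include, and the 10-lookup limit is the one the SPF standard imposes.

```python
"""Audit an SPF TXT record for the checks listed above: every known sender (including
third-party services) must be authorized, and the record should end in a hard fail
(-all). Added example, not from the article; the records below are constructed."""
import re

# Mechanisms and modifiers that cost a DNS lookup; SPF allows at most 10 per record.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=](.+))?", re.IGNORECASE)

def audit_spf(record, expected_senders):
    """Return the 'all' qualifier, the include/redirect targets found, and findings."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record (missing v=spf1)"]}
    findings, senders, all_qualifier, lookups = [], set(), None, 0
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            all_qualifier = qualifier
        elif mech in ("include", "redirect") and arg:
            senders.add(arg.lower())
        if mech in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are neither failed nor flagged")
    elif all_qualifier != "-":
        findings.append(f"'{all_qualifier}all' is not a hard fail; use '-all' once all senders are listed")
    for sender in sorted(set(expected_senders) - senders):
        findings.append(f"known sender not authorized: {sender}")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the SPF limit of 10 (permerror)")
    return {"valid": True, "all": all_qualifier, "senders": senders,
            "lookups": lookups, "findings": findings}

# Constructed records for a domain sending through Microsoft 365 and a newsletter service.
KNOWN_SENDERS = {"spf.protection.outlook.com", "_spf.newsletter.example"}
WEAK = "v=spf1 include:spf.protection.outlook.com ~all"
HARDENED = ("v=spf1 include:spf.protection.outlook.com "
            "include:_spf.newsletter.example ip4:203.0.113.0/24 -all")
```

Run `audit_spf(WEAK, KNOWN_SENDERS)` and the findings name the softfail and the unlisted newsletter service; the hardened record produces none.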

Protecting Against Phishing Attacks in Office 365 Conclusion

Unfortunately, phishing is still a common and often disastrous type of cyber attack. According to a Proofpoint study, 60% of firms lose data as a result of a successful phishing assault, while 52% have their passwords or accounts compromised.

Therefore, it is vital to take precautions to secure your Office 365 to safeguard against costly attacks that are detrimental to your organisation. That way, you will be ready for any phishing attacks that may come your way in 2023.


Josiah Mutuma

Josiah is a tech security expert and has been a writer for over 5 years. Follow this blog to learn more on Microsoft and Cyber security.