Secure Office 365 Email: Best Practices / Threat Prevention
Attacks through email remain one of the most common types of cyber attack, so securing email communication is one of the most important tasks for IT administrators. This article focuses on best practices and threat prevention strategies for securing Microsoft 365 email. From spam and phishing prevention to spoofing and data loss prevention, it covers the measures that fortify your email infrastructure.
Note that the availability of the described tools depends on your subscription type (the most advanced features require Defender for Office 365 Plan 2 or Microsoft 365 E5 licenses) and on your infrastructure (some of the tools do not work for on-premises mailboxes in hybrid deployments).
Spam and Phishing Prevention Best Practices
The first step in securing Microsoft 365 mail flow is configuring the threat policies. They are found in the Microsoft 365 Defender portal, in the Email & Collaboration section, under Policies & rules > Threat policies.
Use one of the preset policies (Standard or Strict), or customize them depending on your needs. The Strict policy is more aggressive and quarantines more messages. These policies are assigned at the user level; usually the Strict policy is assigned to the most sensitive users and Standard to everyone else. A comparison of these policies is available on the Microsoft documentation portal.
Alternatively, you can create custom policies. Three policy types are available for mail flow protection: anti-spam, anti-malware, and anti-phishing. They include various filters, actions and notification settings. More info is found here: Recommended settings for EOP and Microsoft Defender for Office 365 security. A good practice is to create several different policies and assign the strict ones to the mailboxes that are most likely to be attacked (e.g. mailboxes listed on the Contacts page of your corporate website).
Additionally, there is a Built-in protection policy, which is part of Microsoft Defender for Office 365 and only available if you have the required licenses. The policy applies only the Safe Links and Safe Attachments features, and it is enabled by default. Safe Links is a premium feature that helps prevent phishing attacks by scanning URLs: the service checks each incoming message and, if it contains hyperlinks, analyses them for potentially harmful content. Details are in Safe Links in Microsoft Defender for Office 365. Safe Attachments helps protect against malware in attached files. It is more advanced than anti-malware protection: it blocks both known and unknown threats. When enabled, it opens and tests the attachments in a sandbox environment, and if an attachment is malicious, it blocks it. To learn more, see Safe Attachments in Microsoft Defender for Office 365.
During anti-phishing planning, it is important to understand that no tool provides 100% guaranteed protection. User awareness helps ensure the safety of your infrastructure. Keep users informed about the danger of opening attachments and links sent from unknown senders. Microsoft 365 contains a built-in tool called Attack simulation training that simulates different types of phishing attacks to educate employees. More details about this tool are in Get started using Attack simulation training. From my experience, user training is the most effective protection against phishing. If you do not have the budget for it, consider third-party tools (the most popular is KnowBe4).
Spoofing Prevention Best Practices
Spoofing (impersonation of the sending domain) is a common method used by spammers to trick users into opening a malicious file or link. It is the IT administrator’s responsibility to prevent your domain from being spoofed and to prevent emails that spoof other domains from being delivered. Microsoft 365 provides several tools for this purpose.
Warn users about External Senders
To protect users against spoofing, make sure warnings about external senders are enabled. Use the Get-ExternalInOutlook PowerShell cmdlet (the Exchange Online PowerShell module is required) to view the current configuration and Set-ExternalInOutlook to change it. When enabled, Outlook shows a banner warning the user that the sender of the message is external, which helps them spot a malicious sender.
Configure Email Validation
Implementing proper email validation helps verify the sender and protects your domain from being spoofed. The common standards used to verify a domain are SPF, DKIM and DMARC; ideally, you should use all three.
SPF is the most important one. It is a DNS TXT record that lists the legitimate senders allowed to send messages using your domain name. For example, if you only use Microsoft 365 for email, the record should look like “v=spf1 include:spf.protection.outlook.com -all”, which means that only Microsoft 365 can send messages using your domain. Common misconfigurations that can lead to your domain being impersonated:
- Using soft fail (“~all”) instead of hard fail (“-all”).
- Adding extra entries to the record (e.g. “a” – the hosts in the domain’s DNS A record, “mx” – the hosts in the domain’s DNS MX records, “ip4:xx.xx.xx.xx” – a specific IPv4 address, etc.). Only specify entries that are necessary, not “just in case”.
However, extra entries in the SPF record may be required in several scenarios:
- Multiple email systems are used to send email messages using your domain.
- A third-party email gateway is used for message routing.
- SMTP direct send or SMTP relay features are used for message delivery from some applications/devices.
The SPF record should be created in your external DNS zone, and the configuration steps depend on the provider that hosts DNS for your zone. For more about SPF, see How SPF works to prevent spoofing and phishing in Microsoft 365.
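As an added example (not part of the original article), the following Python linter checks an SPF record for the misconfigurations listed above: a missing or soft-fail “all”, unnecessary a/mx/ip4 entries, and terms placed after “all”. The two sample records and the domain names are constructed for the demonstration; it also counts DNS-querying terms against the 10-lookup limit of RFC 7208.

```python
# Constructed sample SPF records for two made-up domains: the first is the
# Microsoft 365-only record recommended above, the second shows the
# misconfigurations the article warns about.
SAMPLE_RECORDS = {
    "good.example": "v=spf1 include:spf.protection.outlook.com -all",
    "weak.example": "v=spf1 a mx ip4:203.0.113.25 include:spf.protection.outlook.com ~all",
}

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Split an SPF TXT record into its terms, dropping the v=spf1 version tag."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return parts[1:]

def term_name(term):
    """Mechanism name without qualifier or argument, e.g. '~include:x' -> 'include'."""
    return term.lower().lstrip("+-~?").split(":", 1)[0].split("=", 1)[0]

def lint_spf(record):
    """Return a list of findings (empty when the record follows the advice above)."""
    terms = parse_spf(record)
    findings = []
    all_terms = [t for t in terms if term_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of failing")
    elif not all_terms[-1].startswith("-"):
        findings.append(f"'{all_terms[-1]}' is not a hard fail: use '-all'")
    if all_terms and term_name(terms[-1]) != "all":
        findings.append("'all' is not the last term: everything after it is ignored")
    for t in terms:
        name = term_name(t)
        if name in ("a", "mx"):
            findings.append(f"'{t}' authorises the domain's A/MX hosts: remove unless they really send mail")
        elif name in ("ip4", "ip6"):
            findings.append(f"'{t}' authorises a fixed address: keep only if that host sends for the domain")
    lookups = sum(1 for t in terms if term_name(t) in DNS_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: receivers stop evaluating after 10 (permerror)")
    return findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", lint_spf(record) or ["OK"])
```

Run it against the TXT record you actually publish (e.g. the output of a DNS lookup) to see which of the warnings apply to your domain.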
Further improve the validation process by setting up DomainKeys Identified Mail (DKIM). It digitally signs outgoing messages to prove they were sent by a legitimate sender. The mechanics do not differ from other signing schemes: the sending server creates the signature with its private key and the receiving server verifies it with the public key published in DNS.
In Microsoft 365, the keys are generated on the DKIM page of the Microsoft 365 Defender portal at Email & Collaboration > Policies & rules > Threat policies > Email authentication settings. The service keeps the private key internally and returns the CNAME records that you create in your external DNS zone, through which the public key is published. For more about DKIM configuration, see Use DKIM to validate outbound email sent from your custom domain.
When both SPF and DKIM are in place, Domain-based Message Authentication, Reporting and Conformance (DMARC) can be configured. A message carries two sender addresses: MailFrom (the envelope sender, visible as Return-Path) and the From header that the recipient sees. SPF only authenticates the MailFrom address, which leaves attackers the opportunity to spoof the visible From address. A DMARC TXT record closes this gap by requiring the From domain to align with the domain that passed SPF or DKIM, and by telling receivers what to do with messages that fail. To form the record content, follow the instructions in the Microsoft documentation.
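To make the MailFrom/From distinction concrete, here is an added example (not from the original article) that evaluates a DMARC verdict from the SPF and DKIM results of a message. The domains, messages and policy record are constructed, and the organizational-domain logic is simplified to the last two labels instead of the public suffix list a real receiver uses.

```python
from dataclasses import dataclass

@dataclass
class MessageAuth:
    """Authentication inputs for one message (constructed values, not real mail)."""
    from_domain: str       # domain of the From header, the address the recipient sees
    mailfrom_domain: str   # domain of MailFrom / Return-Path, the address SPF checks
    spf_pass: bool         # SPF result for mailfrom_domain
    dkim_pass: bool        # whether a DKIM signature verified
    dkim_domain: str = ""  # d= tag of that signature, empty if unsigned

def org_domain(domain):
    """Simplified organizational domain: last two labels (a real receiver uses the public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not domain:
        return False
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into a tag dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def evaluate_dmarc(msg, record):
    """Return 'pass', or the action the domain owner requested for failures (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.mailfrom_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

# Constructed messages: a spoof whose MailFrom is the attacker's own domain (so SPF passes
# there) but whose From shows corp.example, and a genuine message signed with corp.example's key.
SPOOFED = MessageAuth("corp.example", "attacker.example", spf_pass=True, dkim_pass=False)
GENUINE = MessageAuth("corp.example", "corp.example", spf_pass=True, dkim_pass=True, dkim_domain="corp.example")
POLICY = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    print(evaluate_dmarc(SPOOFED, POLICY), evaluate_dmarc(GENUINE, POLICY))  # reject pass
```

The spoofed message passes SPF, yet DMARC still rejects it because the SPF-authenticated domain is not the one shown in From.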
Mail Flow Routing
Another thing to consider while planning email validation is mail flow routing. If outgoing messages are processed and modified by another email system (e.g. an on-premises data loss prevention solution) before delivery, the message is relayed from a different server and its headers are altered, so the sender address no longer matches SPF and the DKIM signature becomes invalid, which makes email validation fail.
In this scenario, the Authenticated Received Chain (ARC) feature should be configured in the Microsoft 365 Defender portal. It allows admins to register the other email systems as trusted third-party ARC sealers, which improves deliverability.
Message authentication and non-repudiation can be ensured by digitally signing messages with Secure/Multipurpose Internet Mail Extensions (S/MIME). It uses certificates to sign (and, if needed, encrypt) the message to confirm the sender’s identity. It requires an individual certificate for each user and is usually used with an internal certification authority. More info is found in the Exchange Online documentation.
Data Loss Prevention Best Practices
Use encryption. The most effective way to ensure email confidentiality is to encrypt the message so that only the intended recipient can decrypt it. Microsoft 365 supports three encryption methods: Microsoft Purview Message Encryption, S/MIME and Information Rights Management (IRM). Compare them here.
Apply data usage restrictions. For this you need to deploy IRM, which lets you retain control over a message after it is sent. With IRM in place, you create sensitivity labels that restrict how the data can be used, for example preventing the content of email messages from being edited or printed. The list of available permissions is here.
Use Microsoft Purview Data Loss Prevention. Another feature that helps avoid data leaks is Data Loss Prevention (DLP) policies, which are configured in the Microsoft Purview portal under Solutions > Data Loss Prevention. The policies ensure that sensitive data does not leave the company: DLP rules scan email content and perform the configured actions when they find confidential information. For example, a medical organization can configure DLP policies to block all outgoing messages that contain confidential medical information.
Other Threat Prevention Practices
Use a Secure SMTP Sending Configuration
If you need Microsoft 365 to send SMTP messages from your applications or multi-function devices, you have three options: SMTP client submission, Direct send and SMTP relay, as described here. Use SMTP client submission whenever possible, since it authenticates the sender at the mailbox level and is considered the most secure way to send messages. If your device doesn’t support authenticated sending (which is very rare nowadays), use SMTP relay. When configuring the connector for the relay, use certificate authentication, as it is more reliable than IP address-based connections.
Enable Zero-hour Auto Purge Feature
All email messages routed through Exchange Online Protection are scanned for malware to prevent the delivery of viruses. Zero-hour auto purge (ZAP) improves the anti-malware system by removing malicious content not only in transit, as the regular anti-malware policy does, but also at rest. Imagine a scenario where a new virus is sent to your mailbox and, because it is unknown to the anti-malware filters, is delivered. Later, when the malware signatures in the service are updated, ZAP identifies the virus and removes it from your mailbox. ZAP is part of the anti-malware policy and is enabled by default. More info about ZAP: Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365.
Avoid using IP-based Whitelists
Exchange Online connection filter policies allow you to configure trusted IP addresses: all spam filters are skipped for messages sent from the specified IP addresses (or ranges). This is considered bad practice, since if the owner of the IP address block changes, your email system becomes vulnerable. If you need to minimize false-positive blocking of some sender’s messages, try the other allow-listing options, such as the Tenant Allow/Block List.
Secure Office 365 Email: Best Practices / Threat Prevention Conclusion
Safeguarding Microsoft 365 email communication demands a multi-faceted approach, considering the evolving landscape of cyber threats. By implementing robust threat policies, configuring email validation and implementing data loss prevention measures, organizations can significantly enhance their email security posture. User awareness and continuous training, coupled with advanced features like Attack simulation training, contribute to a holistic defense against phishing attempts. As technology advances, staying informed and proactive in adopting the latest security features is crucial for maintaining a resilient email communication environment.