An email server with weak security settings is like a castle without a wall. The bad guys will walk right in! Unfortunately, Microsoft Office 365 email security leaves much to be desired. Frankly, their default settings are horrible!
Email security is important because it is the most common attack vector for attackers looking to gain entry into an enterprise network. It is the easiest way for bad guys to spread ransomware, spyware, worms, different types of malware, social engineering attacks and other cyber threats. Once a hacker has bypassed your email, it’s easy for them to steal sensitive data like Personally Identifiable Information (PII), Protected Health Information (PHI) and even intellectual property.
The cloud email application for Office 365 users has always been a breeding ground for phishing, malware and very targeted data breaches. Microsoft has been improving its security features, but its default settings are frankly terrible. There is a lot of configuration on your end to maximize your Microsoft Office 365 email security.
Before I dive deeper, Microsoft 365 was formerly known as Office 365. People refer to it as both those terms and shorthand as M365 and O365. I have also used it interchangeably. If you think that is confusing, wait till you see the licensing model…
So… after getting a degree in Microsoft licensing (I’m totally kidding, but you wished there was such a course, didn’t you?), I dug deeper into Microsoft Office 365 email security features that each of the licenses offer.
While security should be standard, Microsoft unfortunately gates many settings behind more expensive licenses, leaving smaller businesses more vulnerable.
I’m going to run through each of Office 365’s email settings and explain what the most secure option is. I’ll also note what Microsoft license that setting requires, and make note of issues that may crop up when implementing them.
So if you are an existing user/admin, go back to your settings and verify that you have these controls in place. If you don’t, implement them! You will make big improvements to your Office 365 email security and reduce the chance that your business is compromised by a hacker in the process.
All these settings are applicable to E3 Level 1 unless indicated otherwise.
Microsoft Office 365 Email Security
Outbound Spam Policies
A business email system without spam filtering is highly vulnerable, if not unusable. Not only is spam a nuisance in your inbox, but with spammers getting more and more sophisticated and creative with their tactics, it is very important to address this evolving threat.
Most email services, Microsoft included, filter out spam and junk by default and bounce such emails to the sender. In theory, when admins find that certain accounts are sending too much outbound spam, they should disable the account to prevent the tenant’s sending IP from getting blocked. (An account blocked for outbound spam is a good indication that the account in question has been breached and an attacker is using it to send spam.) So outbound spam control is crucial to help prevent the IP from being blacklisted.
Best outbound spam policies setting for Microsoft Office 365
- Default setting: Off
- Recommended Setting: On
- Set the Exchange Online Spam Policies to copy emails and notify someone (the admin) when a sender is blocked for sending spam emails.
- Turning this on should cause no impact to users.
Go to Security > Threat Management > Policy > Anti-Spam > Outbound Policy.
Make sure that ‘send a copy of outbound messages that exceed these limits to these users and groups’ is ON. Select +Add people. Also verify that ‘notify specific people if senders are blocked’ is set to ON and add people to receive notifications.
Attaching malicious software in emails can turn an innocent email into a gateway to your computer. Scanning email attachments can help block known malicious files and prevent malware infected files from infecting the host. This particular setting lets organizations block known and custom malicious files that are commonly used to send malware.
Best Attachments setting for Microsoft Office 365 Email Security
- Default setting: Disabled
- Recommended Setting: Enabled.
- This should always be enabled. It’s pretty easy to turn on and shouldn’t have any user impact.
- Ideally, attachments should be scanned. Just blocking a few file types is not enough. (Why Microsoft? It’s selfish to not offer this to paying customers!)
To work with what you’ve got go to Security > Threat Management > Policy > Anti-Malware. Edit the Default profile and under the Protection settings tab, set “enable the common attachments filter” to Always On.
Notification for internal user sending malware
This will alert administrators that an internal user sent a message containing malware which may indicate an account or machine compromise that needs to be investigated.
Turning this on has no impact on users, and neither does the notification about the account with potential issues.
Turn on internal malware notifications to improve Microsoft Office 365 email security
- Default: Disabled
- Recommended Setting: Enable
- Turning this on should not cause any impact to the users
Admin Center > Security > Threat Management > Policy > Anti-malware > Enable Notify administrator about undelivered messages from internal senders and ensure that there is at least one email address under ‘administrator email address’
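The three Default-policy changes above (outbound spam copies and notifications, the common attachments filter, and internal-sender malware notifications) can also be audited and applied from Exchange Online PowerShell. This is an added example, not code from the original post; the admin mailbox address is a placeholder and an Exchange admin role plus the ExchangeOnlineManagement module are assumed.

```powershell
# Added example: audit and fix the Exchange Online Protection default policies
# covered above. Assumes the ExchangeOnlineManagement module is installed and
# that the signed-in account holds an Exchange admin role.
$AdminMailbox = 'secops@example.com'   # placeholder, replace with your alert mailbox

Connect-ExchangeOnline -ShowBanner:$false

# 1. Outbound spam: copy limit-exceeding mail and notify when a sender is blocked
$outbound = Get-HostedOutboundSpamFilterPolicy -Identity Default
if (-not $outbound.BccSuspiciousOutboundMail -or -not $outbound.NotifyOutboundSpam) {
    Write-Warning 'Outbound spam policy: copy/notify is OFF, enabling'
    Set-HostedOutboundSpamFilterPolicy -Identity Default `
        -BccSuspiciousOutboundMail $true `
        -BccSuspiciousOutboundAdditionalRecipients $AdminMailbox `
        -NotifyOutboundSpam $true `
        -NotifyOutboundSpamRecipients $AdminMailbox
}

# 2. Anti-malware: common attachments filter and internal-sender notifications
$malware = Get-MalwareFilterPolicy -Identity Default
if (-not $malware.EnableFileFilter) {
    Write-Warning 'Anti-malware policy: common attachments filter is OFF, enabling'
    Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true
}
if (-not $malware.EnableInternalSenderAdminNotifications) {
    Write-Warning 'Anti-malware policy: internal sender admin notification is OFF, enabling'
    Set-MalwareFilterPolicy -Identity Default `
        -EnableInternalSenderAdminNotifications $true `
        -InternalSenderAdminAddress $AdminMailbox
}

# Re-read the settings so the run log shows the end state, not just the intent
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Select-Object BccSuspiciousOutboundMail, NotifyOutboundSpam
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableFileFilter, EnableInternalSenderAdminNotifications
```

Run it once as a dry audit by commenting out the Set-* lines; the Write-Warning output alone tells you which of the three controls is still at its default.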
Picture this hypothetical scenario: somehow someone (outsider or insider) gets into a senior leader’s email account. They sneakily come in and set all emails to be forwarded to an external mailbox they control. They keep receiving a copy of your emails and you may never even find out. To avoid this, you should set your rules to not forward email to domains outside of your organization.
If you are setting up a new company email system, go right ahead and block this; make it a policy. If not, make sure that there is no existing business use for case-by-case auto-forwarding because disabling this setting may affect users at your organization.
How to set up mail forwarding in Office 365
- Default: None
- Recommended Setting: No rules forward to external domain
To stop forwarding emails to external domains, go to the Admin Center. Select Exchange > Mail Flow > Rules and verify that none of the rules forward to an external domain. For each rule that forwards to an external domain, select it and click delete.
Additionally, the E3 L2 license also comes with: (absolutely recommend enabling these if you have the license)
- the ability to ‘disable auto-forwarding’ to prevent users from auto-forwarding mail through Outlook and Outlook on the Web, and
- the ability to use ‘Client Rules Forwarding Block’ to prevent use of any client side rules that would forward emails to an external domain.
I am rolling my eyes; these seem like basic email protection features that should be enabled by default, let alone require paying extra to use.
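Clicking through every rule in the portal does not scale, so here is an added audit script (not from the original post) that lists mail-flow rules and, going one step beyond the text, mailbox-level forwarding settings that deliver a copy of mail outside the tenant. It assumes an existing Connect-ExchangeOnline session and a role that can read transport rules and mailboxes; the example rule name in the final comment is a placeholder.

```powershell
# Added example: find mail-flow rules and mailbox settings that send mail outside
# the tenant. Assumes an existing Exchange Online session (Connect-ExchangeOnline).

# Every domain the tenant accepts mail for counts as internal
$internal = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Works for plain addresses and for the 'smtp:user@domain' form ForwardingSmtpAddress uses
    $domain = ($Address -split '@')[-1]
    return ($internal -notcontains $domain)
}

# 1. Transport rules: any action that adds, copies or redirects to an external address
$suspectRules = foreach ($rule in Get-TransportRule) {
    $targets  = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) +
                @($rule.CopyTo) + @($rule.AddToRecipients)
    $external = $targets | Where-Object { Test-ExternalAddress $_ }
    if ($external) {
        [pscustomobject]@{ Rule = $rule.Name; State = $rule.State; External = ($external -join ', ') }
    }
}

# 2. Forwarding configured on the mailbox itself (no rule involved)
$suspectMailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { Test-ExternalAddress $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

$suspectRules     | Format-Table -AutoSize
$suspectMailboxes | Format-Table -AutoSize

# Remove an offending rule only after confirming there is no business need, e.g.
# Remove-TransportRule -Identity 'Forward all to partner' -Confirm:$false   # placeholder name
```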
SPF for Microsoft Office 365 Email Security
Sender Policy Framework (SPF) records are used to prevent spammers from spoofing your domain name and help prevent your outgoing messages from being marked as spam. An SPF record tells receiving mail systems which servers are allowed to send mail for your domain, which lets them determine whether a message claiming to be from you is spoofed.
- Default: Not set up
- Recommended Settings: Set it up!
- There is no easy SPF setting to toggle on or off, and full instructions are outside the scope of this guide. Microsoft has its own guide to help users get this set up properly.
- There should be minimal impact to the users, but be careful: an improper setup could result in your emails being flagged as spam.
DMARC for Office 365 Email Security
Domain-based Message Authentication, Reporting & Conformance (DMARC) works with SPF and DKIM to authenticate mail senders and protects your brand by preventing unauthenticated parties from sending mail from your domain. DMARC not only prevents spoofing of your domain but also authenticates your legitimate emails. DMARC has a great ROI: if you implement it, your emails are more likely to be delivered, which makes your marketing campaigns more effective too.
- Default: Not set up
- Recommended Settings: Set it up – this is a must-do!
- Microsoft has their own guidelines to help users set this up.
There should be minimal impact, but make sure it is set up correctly so that mail keeps flowing.
DKIM for Office 365 Email Security
DomainKeys Identified Mail (DKIM) helps fight spoofing by adding a digital signature to your emails that receiving mail servers verify. It is an email authentication technique that allows receivers to check whether an email was sent and authorized by the listed domain. You should absolutely use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that look like they are coming from your domain. When every domain across your organization uses DKIM, you also become a reputable sender in the eyes of partners, customers or any other third-party service you may come in contact with. Remember, DKIM works best when more organizations use it.
- Default: Not set up
- Recommended Settings: Absolutely set this up.
- Microsoft has a comprehensive guide, though it may be slightly more complicated than they make it out to be.
- There should be no impact just as long as you make sure that the setup is done correctly to ensure continuous email flow.
Admin Center > Security > Threat Management > Policy > DKIM > (for each domain) enable Sign messages for this domain with DKIM signature.
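The SPF, DMARC and DKIM sections above all come down to DNS records that are easy to get subtly wrong, so here is an added example (not from the original post or Microsoft's guide) that checks the records for a domain and then turns on DKIM signing in Exchange Online. It assumes Windows PowerShell with Resolve-DnsName, an existing Connect-ExchangeOnline session, and that the domain name below is replaced with your own; the Microsoft 365 SPF include and the selector1/selector2 DKIM CNAMEs are the ones Microsoft documents.

```powershell
# Added example: verify the DNS side of SPF, DMARC and DKIM for a Microsoft 365
# domain, then enable DKIM signing in Exchange Online if it is still off.
$Domain = 'example.com'   # placeholder, replace with your custom domain

function Get-TxtRecords([string]$Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }   # long records are split into several strings
}

# SPF: exactly one v=spf1 record, the Microsoft 365 include, and a fail qualifier
$spf = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
if ($spf.Count -ne 1) { Write-Warning "SPF: found $($spf.Count) v=spf1 records, need exactly 1" }
elseif ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
    Write-Warning 'SPF: missing include:spf.protection.outlook.com, Microsoft 365 mail will fail SPF'
}
elseif ($spf[0] -notmatch '\s[-~]all$') { Write-Warning 'SPF: record should end with -all or ~all' }
else { "SPF ok: $($spf[0])" }

# DMARC: v=DMARC1 with a policy; p=none only monitors and blocks nothing
$dmarc = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -eq 0) { Write-Warning 'DMARC: no _dmarc record published' }
elseif ($dmarc[0] -match '(^|;)\s*p=none') { Write-Warning "DMARC: policy is p=none (monitor only): $($dmarc[0])" }
else { "DMARC ok: $($dmarc[0])" }

# DKIM: Microsoft 365 signs with selector1/selector2, each a CNAME into onmicrosoft.com
foreach ($sel in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    if (-not $cname -or $cname.NameHost -notlike '*.onmicrosoft.com') {
        Write-Warning "DKIM: CNAME for $sel._domainkey.$Domain is missing or does not point at onmicrosoft.com"
    } else { "DKIM CNAME ok: $sel -> $($cname.NameHost)" }
}

# Exchange Online side: turn on signing for the domain once the CNAMEs resolve
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) { New-DkimSigningConfig -DomainName $Domain -Enabled $true }
elseif (-not $dkim.Enabled) { Set-DkimSigningConfig -Identity $Domain -Enabled $true }
else { "DKIM signing already enabled for $Domain" }
```

Run the DNS checks again a day after enabling, since a DMARC policy of p=quarantine or p=reject is only safe once every legitimate sender passes SPF or DKIM.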
Legacy Authentication Protocols
Basic authentication may allow users to sign in from legacy or unapproved email clients that do not support modern authentication mechanisms like multi-factor authentication (MFA).
This makes it incredibly easy for the bad guys to use a brute-forced or phished password. They send you a phishing email, somehow get you to think that you are logging into O365, and you probably think you don’t need to worry because you have MFA. But now they have your password, and over SMTP or those old protocols they can get in without MFA, change settings and send out phishing emails (which now look more legitimate, because they really are coming from a legitimate source).
How to disable legacy authentication for Microsoft Office 365
- Default: Not disabled
- Recommended Setting: Disable Legacy Authentication
- Disabling legacy authentication can have a large impact on your users. Most of them are probably accessing their email through a web browser or Outlook, but anyone using other email apps that rely on basic authentication will be limited in their ability to use them.
So start small. You could first try the report only mode when you’re creating a conditional access policy. This will allow you to see what would happen when you enable it, but the users will not be impacted. Or you could build a policy for a small pilot group and keep adding more to this policy.
Go into Azure Active Directory as Global Administrator to block legacy authentication protocols in Office 365.
Admin Center > Azure Active Directory > Security > Conditional Access > New Policy. Then set these conditions within the policy:
Go to Conditions then Client apps and enable the settings for Exchange ActiveSync Clients and other clients. Under access controls, set the Grant section to Block access. Under Assignments, enable All Users.
Additionally, the E3 L2 license would let you use automated disabling of basic authentication for Exchange Online.
Disabling this will prevent use of legacy and unapproved email clients with weaker authentication mechanisms that increase the risk of email account credential compromise.
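The portal steps above can be scripted with Microsoft Graph PowerShell, which also makes the "start small" advice concrete: the policy below is created in report-only mode so the sign-in logs show who would have been blocked before anything is enforced. This is an added example, not from the original post; it assumes the Microsoft.Graph module, a Global Administrator account, and placeholder names for the policy and pilot group.

```powershell
# Added example: create the "block legacy authentication" conditional access
# policy in report-only mode. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$policy = @{
    displayName = 'Block legacy authentication (report-only pilot)'   # placeholder name
    # Report-only: the policy is evaluated and logged, but nothing is blocked yet
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Assignments: all users, as in the portal steps. For a pilot group instead, use
        # users = @{ includeGroups = @('<pilot-group-object-id>') }   # placeholder id
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        # Conditions > Client apps: Exchange ActiveSync clients and "other clients"
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    # Access controls > Grant: Block access
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results in the sign-in logs, enforce the same policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```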
MailTips (E3 L2)
MailTips give end users a visual aid when they send emails to large groups of recipients or to recipients outside the tenant.
- Recommended Setting: On
- Not cybersecurity but job security – think twice before replying to all with less than a thoughtful response!
Microsoft Office 365 Email Security E5 License Features
If you are using E5 licenses, congratulations! You have the ability to be much more secure. Make sure you are making the most of that E5 license and have an expert configure these features. They will likely need periodic updates to continue keeping your Microsoft Office 365 email security as strong as possible.
Anti-phishing policy (E5 L1)
You can set up additional policies to increase Microsoft’s existing protection from phishing attacks. The E5 L1 license gives admins the ability to create custom policies that can be configured for specific users, groups or domains, along with the actions to be taken.
Advanced Threat Protection Safe Links (E5 L2)
Enabling this will allow emails that include URLs to be processed and rewritten as required. This control extends phishing protection and will block malicious hyperlinks even after the email has been delivered to the end user.
Advanced Threat Protection Safe Attachments (E5 L2)
This setting extends attachment protection and malware protection and checks to see if email attachments are malicious. Attachments without a known malware signature are sent to a special hypervisor environment where behavioral analysis is performed to detect malicious intent.
This protection can also be extended to files in SharePoint Online, OneDrive for business and Microsoft Teams.
Maintain your Microsoft Office 365 Email Security Settings
Microsoft 365 has its strengths and weaknesses. It is the most used platform and as such is also the most attacked. An advanced license can offer better security features but so could a 3rd party email security solution. (That’s a whole different conversation.)
There are multiple layers to security (yes, even email security) that involve software, technology, and people too. There are multiple aspects to ensuring the security of enterprise email accounts, and the best way is to use a combination. Don’t just rely on your service provider’s technical controls; make sure to combine them with employee education and endpoint protection.
Remember, none of this is a ‘set it and forget it’ thing. These features will likely need periodic audits and updates. That said, I hope this guide will help you get your Office 365 security settings in the right place!