Tech Tips

Secure Office 365 Emails through policies

Regardless of your business need or industry your organization belongs to, data security will play a role. How big of a role depends on many factors including your needs, regulatory and governmental requirements, and the needs of your clients and partners. Security can be very broad and there are many layers to consider. In this article I want provide information on securing your organizations Office 365 emails. You may also refer to this as outlook or Exchange security, however I’m not covering self hosted Exchange environments.

While there are use cases and arguments can be made for self hosting an Exchange environment, this is not something I recommend for most businesses unless you have a dedicated IT department who has knowledge and the skillset to manage it for you.

Check and create your necessary policies

First we’re going to visit the Microsoft 365 Defender page and create some policies. Login to Microsoft 365 and go to the Admin center. From there click the Show all tab from the left hand menu and click on the Security option. This will take you to the Microsoft 365 Defender page.

Select the Policies & rules option and you’ll be presented with 3 options. Select Threat policies and Anti-Phishing and from the pop-out menu on the right ensure Spoof intelligence is on. For the Actions option, you can select that Exchange move the message either to the recipients junk folder or quarantine the message. I chose to send it to the junk folder by default giving the user a way to find the email in the event its a false positive. Then enable all 3 options available.

  • Show first contact safety tip: This will display a message warning the receiver the first time they receive a message from that sender or that they don’t often get email from that sender
  • Show (?) for unauthenticated senders for spoof: This notification adds a question mark to the sender’s photo in the From box if the message does not pass SPF or DKIM checks and the message does not pass DMARC or composite authentication.
  • Show “via” tag?: This notification adds the via tag (contact@company.com via fabrikam.com) in the From box if the domain in the From address (the message sender that’s displayed in email clients) is different from the domain in the DKIM signature or the MAIL FROM address.

Anti-spam policies

Return to the threat policies page and select anti-spam. Just like before, go through the 3 default options and enable the necessary protections based on your needs. This will differ depending on your needs, for my business for example I don’t do business outside of the US and don’t commonly need to receive email from most countries outside of just a handful. So I tuned on the From these countries field then added a list of countries. Depending on your organization this may not apply.

Once you’ve gone through the 3 default options, create a new inbound policy. This will be used to manually add domains you receive phishing attempts from. Give it a name and description, select the users, groups, or entire domain you want to apply this to. Select the spam properties you wish to apply, you already did this in the last step so you shouldn’t need to add any. From the Actions select to quarantine the message on all available options. In this case quarantine is preferred since we already know these domains are controlled by bad actors.

If you have a list of domains, you can now add them to the blocked Domains list by clicking the Block domains link. If not then click next and the policy will be ready for you to add domains as necessary.

Additional protection

You should go through the Anti-malware policy and all other configuration pages here and review them as well. I would also recommend that you enable the User submissions, this allows users to report messages to Microsoft as well as your organization. By default Microsoft is reported, however I like them to report it to my administrative account so I can see the messages and if I decide to add the domain to the block list we created earlier. You can select what the message states and even a reply after the reporting has been done.

Secure score

Microsoft includes a Secure score on this page as well. Selecting this option from the left hand menu will provide you a score as a percentage and you can click Improvement actions from the top menu to see a list of suggestions. This will display what has already been completed as well as what you still need to address. I would suggest visiting this page and going down the list to enable anything that applies to your needs and improve your score.

Author

Josue Nolasco

I'm a former US Marine infantryman who made a switch to IT to provide cyber security services to SMB's. I'm as much a child of technology as I am of the great outdoors. I like spending time playing, experimenting with, and learning new technologies and whenever possible taking camping trips with friends and family.