Exchange Online Security Best Practices – 10 Tips From The Field

This article contains security best practices to use when you’re designing, deploying, and managing your Exchange Online solution in Microsoft 365. The best practices are intended as a resource for IT pros: designers, architects, developers, and testers who build and work with secure Exchange Online solutions.

Note: An overall security model is needed for today’s organizations that can better adjust to the modern environment’s complexity, support the hybrid workplace, and secure people, devices, apps, and data in any location. This is why you should follow the guidelines in our Zero Trust Guidance Center to learn security guidelines across the entire Microsoft and Azure cloud, its principles, and how to implement a Zero Trust architecture using the deployment plans.

1. Identity and Access Management

‘Hackers don’t break in, they log in’ (Bret Arsenault, CISO at Microsoft). Most attacks on enterprise and consumer accounts exploit weak passwords. Password attacks happen at an alarming rate of 579 per second, or 18 billion annually. Thus it is very important to secure your accounts, especially those with elevated privileges, like tenant administrators and security analysts.

1.1 Enable Entra ID Security Defaults

We want everyone to have access to these preconfigured security settings, because security management can be difficult. We learned that multifactor authentication (MFA) and blocking legacy authentication prevent more than 99.9% of common identity-related attacks. Our aim is to help all organizations achieve a basic security level with an easy implementation and configuration policy. Enabling security defaults turns on the following controls:

  • Requiring all users to register for multifactor authentication
  • Requiring administrators to do multifactor authentication
  • Requiring users to do multifactor authentication when necessary
  • Blocking legacy authentication protocols
  • Protecting privileged activities like access to the Microsoft 365 portal

If your tenant was created on or after October 22, 2019, security defaults may be enabled already. 

Note: enabling security defaults might require your users to complete additional steps before they can sign in, such as registering MFA with a valid authentication method in the Microsoft Authenticator app. Please make sure to discuss any changes with the applicable department and use proper change management tools and reports to track them. We also recommend rolling out features in stages rather than to the entire organization at once, to avoid authentication issues.
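The staged rollout the note above asks for starts with knowing who still signs in with legacy protocols. The following script is an added example, not code from the original article or from Microsoft: it reads the security defaults state and the sign-in log through Microsoft Graph PowerShell, lists the accounts that would be affected by blocking legacy authentication, and only enables security defaults once none remain. The list of legacy `ClientAppUsed` values and the Graph permission scopes are assumptions for the example; check them against your tenant’s sign-in log before relying on them.

```powershell
# Added example (not from the original article): check the tenant's security
# defaults state with Microsoft Graph PowerShell and, before blocking legacy
# authentication, list recent sign-ins that still use legacy protocols.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# read policies and sign-in logs (scopes below are an assumption).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Current state of security defaults
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($policy.IsEnabled)"

# 2. Which sign-ins would break once legacy authentication is blocked?
#    These ClientAppUsed values are the ones the sign-in log reports for
#    legacy (non-modern) protocols; the list is an assumption for this example.
$legacyClients = @('Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3',
                   'Authenticated SMTP', 'Exchange Web Services',
                   'Outlook Anywhere (RPC over HTTP)', 'Offline Address Book', 'Autodiscover')
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed }

# One row per user and protocol, most active first: this is the migration list.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 3. Enable security defaults only after the users above have moved to modern
#    authentication (stage the rollout, as the article recommends).
if (-not $policy.IsEnabled -and @($legacySignIns).Count -eq 0) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    'Security defaults enabled'
} else {
    'Security defaults left unchanged; migrate the listed users first'
}
```

Run the first two steps on their own for a few days before adding the third; a seven-day window misses monthly batch jobs that still authenticate with basic credentials, so widen `AddDays(-7)` if your organization has such jobs.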

1.2 Privileged Identity Management

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about, like the Exchange Online Administrator role. You can reduce the risk of:

  • unauthorized access by malicious actors
  • accidental impact by authorized users on sensitive information or resources by limiting the number of people who have access to them and when.

You can also give users just-in-time privileged access to Azure and Entra ID resources and track their activities. You can find more information in our docs on how to plan a PIM deployment and start using it.
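Before planning a PIM deployment it helps to know who holds the Exchange Online Administrator role permanently today versus who is merely eligible. The script below is an added example, not code from the original article or from Microsoft; it uses Microsoft Graph PowerShell to resolve the role definition by display name and compare active role assignments with PIM eligibility schedule instances. The permission scopes are an assumption for the example.

```powershell
# Added example (not from the original article): compare permanent or currently
# active holders of the Exchange Administrator role with PIM-eligible ones, to
# find accounts that should move to just-in-time activation.
# Assumes Microsoft Graph PowerShell; scopes below are an assumption.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Look the role up by name rather than hard-coding its template id.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# Active assignments: the principal holds the role right now, either permanently
# or because a PIM activation is currently in effect.
$active = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All

# Eligible assignments: the principal must activate through PIM before using the role.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" -All

function Resolve-Principal([string]$id) {
    # Works for users, groups and service principals; AdditionalProperties
    # carries the display name and the OData type of the object.
    $obj = Get-MgDirectoryObject -DirectoryObjectId $id
    '{0} ({1})' -f $obj.AdditionalProperties['displayName'], $obj.AdditionalProperties['@odata.type']
}

'Active Exchange Administrators (permanent or currently activated):'
$active   | ForEach-Object { '  ' + (Resolve-Principal $_.PrincipalId) }
'Eligible Exchange Administrators (PIM, activation required):'
$eligible | ForEach-Object { '  ' + (Resolve-Principal $_.PrincipalId) }

# Anything listed as active that is not a break-glass account is a candidate
# for conversion to an eligible assignment.
```

Run it again after the PIM rollout: the first list should shrink to break-glass accounts and the second should hold everyone else who administers Exchange Online.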

1.3 Continuous Access Evaluation

OAuth 2.0 access tokens authorize client applications like Outlook to connect to services like Exchange Online. The tokens expire after one hour and the client is sent to Entra ID to refresh them. This refresh period can be used to check user access policies. 

One hour can be too long in urgent cases, such as immediate employee changes within your organization. Continuous Access Evaluation (CAE) solves this problem by enabling Entra ID and the application to communicate with each other. If either one detects any unusual activity, it alerts the other. This allows for immediate actions on the user if their account changes based on Conditional Access (CA) policies. More information about the implementation and configuration can be found here.

1.4 Privileged Access Devices

Device security is the basis of zero trust security for privileged access. Other security assurances for the session depend on how strong the device security is. An attacker who controls this device can pretend to be users on it or take their credentials for later use. This risk weakens other assurances on the account, intermediaries like jump servers, and on the resources themselves. You might consider Privileged Access Devices or Privileged Access Workstations (PAW) in your organization as well to secure access to administrative tasks within your Microsoft 365 tenant, for example to administrate Exchange Online.

2. Enable Preset Security Policies in Exchange Online

Preset security policies allow you to apply protection features to users based on our recommended settings across Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO). Preset security policies are based on our datacenter observations and have almost no configurable settings, unlike custom policies that can be configured in any way. The preset security policies balance blocking harmful content against avoiding unnecessary disruptions. The following policies are available:

  • Standard preset security policy
  • Strict preset security policy
  • Built-in protection preset security policy (default policies for Safe Attachments and Safe Links protection in Defender for Office 365)

When you apply the Standard protection or Strict protection preset security policies to users, EOP and Microsoft Defender for Office 365 create special versions of the individual protection policies. These are the preset security policies.

  • EOP policies: These policies are in all Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:
    • Anti-spam policies named Standard Preset Security Policy and Strict Preset Security Policy.
    • Anti-malware policies named Standard Preset Security Policy and Strict Preset Security Policy.
    • Anti-phishing policies (spoofing protection) named Standard Preset Security Policy and Strict Preset Security Policy (spoof settings).
  • Microsoft Defender for Office 365 policies: These policies are in organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
    • Anti-phishing policies in Defender for Office 365 named Standard Preset Security Policy and Strict Preset Security Policy, which include:
      • The same spoof settings that are available in the EOP anti-phishing policies.
      • Impersonation settings
      • Advanced phishing thresholds
    • Safe Links policies named Standard Preset Security Policy, Strict Preset Security Policy, and Built-in Protection Policy.
    • Safe Attachments policies named Standard Preset Security Policy, Strict Preset Security Policy, and Built-in Protection Policy.

You can apply EOP protections to different users than Defender for Office 365 protections, or you can apply EOP and Defender for Office 365 protections to the same recipients. More information about the policies and how to configure them can be found in our docs.
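The preset policies are applied through rules that carry the recipient conditions. The script below is an added example, not code from the original article or from Microsoft: it inspects the EOP and Defender for Office 365 preset rules in Exchange Online PowerShell and scopes the Standard preset to a pilot group before a wider rollout. The pilot group address is a placeholder, and the assumption that the rules already exist (they are created when the preset is first turned on in the Defender portal) is noted in the code.

```powershell
# Added example (not from the original article): inspect the preset security
# policy rules and scope the Standard preset to a pilot group.
# Assumes the rules already exist; if a preset has never been turned on in the
# Defender portal its rule is absent, so turn it on there once first.
Connect-ExchangeOnline

# EOP rules exist in every tenant; the ATP (Defender for Office 365) rules only
# exist where that license is present, so the second call may return nothing.
Get-EOPProtectionPolicyRule | Format-Table Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs
Get-ATPProtectionPolicyRule | Format-Table Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs

$pilotGroup = 'preset-standard-pilot@contoso.com'   # placeholder pilot group

# Scope the Standard preset (EOP part) to the pilot group and turn the rule on.
Set-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -SentToMemberOf $pilotGroup
Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'

# Do the same for the Defender for Office 365 part, if the tenant has it.
if (Get-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -ErrorAction SilentlyContinue) {
    Set-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -SentToMemberOf $pilotGroup
    Enable-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
}

# Verify which preset rules are enabled and who they apply to.
Get-EOPProtectionPolicyRule | Where-Object State -eq 'Enabled' |
    Select-Object Name, SentToMemberOf, RecipientDomainIs | Format-Table -AutoSize
```

To move from pilot to everyone, replace `-SentToMemberOf` with `-RecipientDomainIs` listing your accepted domains; the Strict rule wins over Standard when a recipient matches both because it has the higher priority.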

3. Email Authentication

To prevent email messages from fake senders (also known as spoofing), email authentication (also known as email validation) uses a set of rules that check if the messages are genuine and come from expected sources for that email domain (for example, contoso.com). Microsoft 365 checks inbound email using these rules:

  • Sender Policy Framework (SPF): helps validate outbound email sent from your SMTP domain. For Microsoft 365, you create the SPF TXT record in your external DNS system for each custom domain or subdomain. This kind of allow list verifies the outbound hostname or IP address and validates the sender to prevent spoofing. Read more on how to implement and configure SPF for your custom domains in Exchange Online.
  • DomainKeys Identified Mail (DKIM): you can attach a digital signature to the message header of outbound email messages. This signature uses cryptographic authentication to authorize your domain to associate, or sign, its name to an email message. Email systems that receive email from your domain can use this signature to help confirm whether incoming email is genuine. The public key is published in your external domain’s DNS record, and the private key signs the header of the domain’s outgoing email. Microsoft takes care of key management and rotation for your Microsoft 365 custom domains.

Using DKIM in addition to SPF is important, because email forwarding might change or remove portions of the message’s envelope. DKIM still works when a message has been forwarded, because the signature in the header is preserved. Read more on how to implement and configure DKIM for your custom domains in Exchange Online.

  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): works with SPF and DKIM to authenticate mail senders. DMARC lets destination email systems trust messages sent from your domain. By using DMARC with SPF and DKIM, organizations get more protection against spoofing and phishing email. It helps receiving mail systems decide what to do with messages from your domain that fail authorization, and confirms that the email (including attachments) has not been modified in transport. It also lets you decide what should happen if an email fails the SPF or DKIM checks, by configuring your domain’s external DNS record. Please note that you should implement this step by step and monitor the emails sent by your systems, because it might also block legitimate sender systems if they are not configured correctly. Read more on how to implement and configure DMARC for your custom domains in Exchange Online.

Email authentication confirms that email messages from a sender (for example, dominik@contoso.com) are valid and match the email domain.

Note: there might be legitimate services that modify the email between sender and recipient, for example third-party disclaimer software. In Microsoft 365 Defender, Authenticated Received Chain (ARC) helps reduce SPF, DKIM, and DMARC delivery failures that happen due to legitimate indirect mail flows. More information about ARC can be found here.

4. Tenant Allow Block List

You might not agree with the filtering verdicts of EOP or Microsoft Defender for Office 365. For example, a bad message might be marked as good (a false negative), or a good message might be blocked (a false positive). The Tenant Allow/Block List in the Microsoft 365 Defender portal lets you manually override the filtering verdicts of Defender for Office 365 or EOP. The list is used during mail flow for incoming messages from external senders.

The Tenant Allow/Block List doesn’t affect internal messages within the organization. However, block entries for Domains and email addresses stop users in the organization from sending email to those blocked domains and addresses.

Note: You can’t create allow entries directly. Unnecessary allow entries make your organization vulnerable to malicious email that could have been filtered by the system. Microsoft creates allow entries from the Submissions page. Allow entries are added during mail flow based on the filters that identified the message as malicious. Read more on how to manage allows and blocks in Exchange Online.
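Block entries, unlike allow entries, can be created directly. The script below is an added example, not code from the original article or from Microsoft: it adds time-limited sender and domain blocks plus a URL block to the Tenant Allow/Block List in Exchange Online PowerShell and then audits the current block entries. All sender, domain, URL and ticket values are constructed placeholders.

```powershell
# Added example (not from the original article): add block entries to the
# Tenant Allow/Block List and review them. All values are placeholders.
Connect-ExchangeOnline

# Block one sender address and one whole domain for 30 days. Expiring entries
# are preferable to permanent ones, because they force the block to be revisited.
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries 'invoice-update@badsender.example', 'badsender.example' `
    -ExpirationDate (Get-Date).AddDays(30) `
    -Notes 'Phishing campaign reported by users; ticket INC-PLACEHOLDER'

# Block a URL. Without -ExpirationDate the cmdlet requires -NoExpiration, which
# makes the intent of a permanent entry explicit.
New-TenantAllowBlockListItems -ListType Url -Block -Entries 'badsender.example/*' -NoExpiration

# Audit: list block entries with their expiry and notes. Entries without an
# expiration date or without notes are the ones to review first.
Get-TenantAllowBlockListItems -ListType Sender |
    Where-Object Action -eq 'Block' |
    Select-Object Value, ExpirationDate, Notes |
    Format-Table -AutoSize
Get-TenantAllowBlockListItems -ListType Url |
    Where-Object Action -eq 'Block' |
    Select-Object Value, ExpirationDate, Notes |
    Format-Table -AutoSize
```

Remember the point made above about internal mail: a domain block here also stops your own users from sending to that domain, so record the reason in `-Notes` for whoever later has to explain a bounce.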

5. Control Automatic External Email Forwarding

You might need to limit or control automatically forwarded messages to external recipients (recipients outside of your organization) as an admin. Email forwarding can be helpful, but can also pose a security risk due to the potential exposure of information. Attackers might use this information to attack your organization or partners.

You can use outbound spam filter policies to control automatic forwarding to external recipients. Three settings are available:

  • Automatic – System-controlled: This is the default setting. This setting is now the same as Off. When this setting was originally introduced, it was equivalent to On. Over time, thanks to the principles of secure by default, this setting was gradually changed to Off for all customers.
  • On: Automatic external forwarding is allowed and not restricted.
  • Off: Automatic external forwarding is disabled and will result in a non-delivery report (also known as an NDR or bounce message) to the sender.

For instructions on how to configure these settings, see Configure outbound spam filtering in EOP.
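Turning automatic forwarding off is one line; knowing which mailboxes already forward externally, so their owners can be warned before their mail starts bouncing, takes a little more. The script below is an added example, not code from the original article or from Microsoft: it sets the outbound spam filter policy and then inventories mailbox-level forwarding and inbox rules that forward or redirect to addresses outside the tenant’s accepted domains. The address-parsing regex is an assumption based on the `"Name" [SMTP:address]` format that inbox rule recipients are displayed in.

```powershell
# Added example (not from the original article): disable automatic external
# forwarding and inventory mailboxes and inbox rules that already forward
# outside the organization.
Connect-ExchangeOnline

Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Anything outside the accepted domains counts as external.
$internal = (Get-AcceptedDomain).DomainName

function Get-ExternalTarget([string]$value) {
    # Inbox-rule recipients look like "Name" [SMTP:user@example.com]; mailbox
    # forwarding is stored as smtp:user@example.com. Internal EX:/o= entries
    # have no SMTP part and are ignored. (Format assumption for this example.)
    if (-not $value) { return $null }
    $m = [regex]::Match($value, 'smtp:([^\]\s"]+)', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    $addr = $m.Groups[1].Value
    if ($internal -contains $addr.Split('@')[-1]) { return $null }
    return $addr
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin or by the user in settings)
    $t = Get-ExternalTarget $mbx.ForwardingSmtpAddress
    if ($t) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingSmtpAddress'; Target = $t }
    }
    # Inbox rules that forward, forward as attachment, or redirect
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        foreach ($r in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
            $t = Get-ExternalTarget "$r"
            if ($t) {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = "InboxRule: $($rule.Name)"; Target = $t }
            }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding.csv -NoTypeInformation
```

A forwarding rule to an unfamiliar external address that the mailbox owner did not create is a classic sign of a compromised account, so treat unexplained rows in this report as incidents rather than as clean-up items.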

6. Block User Consent to Applications

An application needs permissions from a user to access your organization’s data. Different permissions allow different levels of access. By default, users can consent to applications for permissions that don’t need administrator consent. For example, by default, a user can consent to let an app access their mailbox but can’t consent to let an app read and write to all files in your organization.

To prevent malicious applications from tricking users into granting them access to your organization’s data, we recommend that you only allow user consent for applications that have a verified publisher. Or, if you want to be stricter, applications can only be granted permissions by approved admins within your organization. Read more about how to configure how users consent to applications.
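The two options above map to the permission grant policies assigned to the default user role. The script below is an added example, not code from the original article or from Microsoft: it reads the current setting through Microsoft Graph PowerShell and then assigns the built-in policy that limits user consent to verified publishers requesting low-risk permissions; the stricter variant (no user consent at all) is shown as a comment. The Graph permission scope is an assumption for the example.

```powershell
# Added example (not from the original article): restrict user consent to
# verified-publisher apps requesting low-risk permissions.
# Assumes Microsoft Graph PowerShell; the scope below is an assumption.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

$auth = Get-MgPolicyAuthorizationPolicy
"Current user consent policies: $($auth.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"

# Built-in permission grant policies that can be assigned to the default user role:
#   @()                                                          -> no user consent; admins approve every app
#   ManagePermissionGrantsForSelf.microsoft-user-default-low     -> verified publishers, low-risk permissions only
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy  -> any app, any permission not needing admin consent
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}

# Stricter variant: remove user consent entirely (uncomment to apply).
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

$auth = Get-MgPolicyAuthorizationPolicy
"New user consent policies: $($auth.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"
```

If you choose the stricter variant, enable the admin consent request workflow as well, so users have a sanctioned way to ask for an app instead of looking for workarounds.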

7. Data Loss Prevention

DLP is a key issue for enterprise messaging systems because email is widely used for business-critical communication that contains sensitive data. To comply with the requirements for such data, and manage its use in email without affecting the productivity of workers, DLP features make handling sensitive data easier. DLP policies are simple packages that contain sets of conditions, which are made up of mail flow rule (also known as transport rule) conditions, exceptions, and actions that you create in the Exchange admin center (EAC) and then activate to filter email messages and attachments. In addition to the customizable DLP policies themselves, you can also inform email senders that they may be about to violate one of your policies, even before they send an offending message. You can accomplish this by configuring Policy Tips. When you create or change DLP policies, you can include rules that check for sensitive information, like credit card numbers. See Data Loss Prevention in Exchange Online for more information.
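A mail flow rule with a sensitive information type condition is the building block described above. The script below is an added example, not code from the original article or from Microsoft: it creates a rule in Exchange Online PowerShell that detects credit card numbers in mail to external recipients, shows the sender a Policy Tip, rejects the message unless the sender reports a false positive, and sends an incident report. It starts in audit-and-notify mode so matches can be reviewed before enforcement. The rule name, reject text and report mailbox are placeholders.

```powershell
# Added example (not from the original article): DLP-style mail flow rule for
# credit card numbers sent outside the organization, with a Policy Tip.
Connect-ExchangeOnline

$ruleName = 'DLP - Credit card numbers to external recipients'   # placeholder

New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = 'Credit Card Number'; MinCount = '1' }) `
    -NotifySender RejectUnlessFalsePositiveOverride `
    -RejectMessageReasonText 'This message appears to contain credit card numbers and cannot be sent outside the organization.' `
    -GenerateIncidentReport 'dlp-incidents@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections `
    -SetAuditSeverity High `
    -Mode AuditAndNotify

# Review what the rule would have done before switching it to Enforce. The
# incident reports show each detection; the sender sees the Policy Tip but the
# message is still delivered while the mode is AuditAndNotify.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, NotifySender, MessageContainsDataClassifications

# Once the reports show no false positives for a representative period:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

`RejectUnlessFalsePositiveOverride` keeps the sender in the loop: a genuine false positive can be reported and sent, and that override shows up in the incident report for the security team to check.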

8. Email Encryption

Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information. You may have a requirement to protect data from unauthorized access, or to ensure that attachments cannot be forwarded to recipients other than the original one. The following options in Microsoft 365 are available to help secure email in Exchange Online:

  • Microsoft Purview Message Encryption: Message encryption is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address.
  • Secure/Multipurpose Internet Mail Extensions (S/MIME): S/MIME is a certificate-based encryption solution that allows you to both encrypt and digitally sign a message. 
  • Information Rights Management (IRM): IRM is an encryption solution that also applies usage restrictions to email messages. It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people.

More information about email encryption and a comparison of all three methods can be found in our docs.
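Message encryption and IRM usage restrictions are usually applied by policy rather than left to the sender. The script below is an added example, not code from the original article or from Microsoft: it creates two mail flow rules in Exchange Online PowerShell, one that applies the built-in Encrypt template to external mail the sender tags with [secure] in the subject, and one that applies Do Not Forward to attachments sent by an HR group. The group address and the subject tag are placeholders.

```powershell
# Added example (not from the original article): apply Microsoft Purview
# Message Encryption and Do Not Forward through mail flow rules.
Connect-ExchangeOnline

# The two built-in templates are "Encrypt" and "Do Not Forward"; list what the
# tenant has, including any custom sensitivity labels published as templates.
Get-RMSTemplate | Format-Table Name, Description

# 1. Sender-triggered encryption: external mail with [secure] in the subject is
#    encrypted so only the addressed recipient can read it, on any mail system.
New-TransportRule -Name 'Encrypt external mail tagged [secure]' `
    -SentToScope NotInOrganization `
    -SubjectMatchesPatterns '\[secure\]' `
    -ApplyRightsProtectionTemplate 'Encrypt'

# 2. Usage restriction: attachments sent by HR cannot be forwarded, printed or
#    copied by the recipient (IRM), regardless of where the message ends up.
New-TransportRule -Name 'Do Not Forward for HR attachments' `
    -FromMemberOf 'hr-team@contoso.com' `
    -AttachmentExtensionMatchesWords 'pdf', 'docx', 'xlsx' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

Get-TransportRule | Where-Object ApplyRightsProtectionTemplate | Format-Table Name, State, ApplyRightsProtectionTemplate
```

Test both rules with a pilot mailbox first: external recipients of an Encrypt-protected message read it through the Office 365 Message Encryption portal or a one-time passcode, which is a change in experience worth announcing before the rule goes live.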

9. User Awareness Training and Reporting

Most successful attacks target end users in some way or another. Usually, attackers trick a company’s employees into either giving away company secrets or passwords, or clicking links or visiting websites that put malware on their computers. In the worst case scenario, this happens to a user with domain administrator privileges and your whole network becomes an attacker’s playground.

In addition, it is important that you allow your users to report junk and phishing emails to your security team and to Microsoft, in order to prevent future attacks and help improve your security posture, for example by adding phishing campaigns and bad senders to the list of known indicators and block lists.

9.1 Enable External Email Tagging

External email tagging means that messages from any domain except those registered for the tenant are labeled as “external” by Exchange when they move through the transport service. This simple capability helps employees quickly detect Business Email Compromise (BEC) or CEO fraud. External email tagging is not enabled by default and can be enabled via Exchange Online PowerShell with the Set-ExternalInOutlook cmdlet. You don’t need to use mail flow rules for this anymore.
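Enabling the tag is a single cmdlet; the practical question is which trusted partners should be exempted so the tag keeps its signal value. The script below is an added example, not code from the original article or from Microsoft: it shows the current state, enables tagging with an allow list of partner domains and addresses, and confirms the result. The partner values are placeholders.

```powershell
# Added example (not from the original article): enable external sender
# tagging in Outlook with an allow list for trusted partners.
Connect-ExchangeOnline

# Current state for the tenant
Get-ExternalInOutlook | Format-List Identity, Enabled, AllowList

# Partner domains and addresses whose mail should not be tagged (placeholders).
# Keep this list short: every exemption is a domain an attacker could spoof
# without the tag appearing, so only add partners that already pass DMARC.
$trusted = @('partner.example', 'billing@supplier.example')

Set-ExternalInOutlook -Enabled $true -AllowList $trusted

# Confirm; the tag appears in Outlook clients after the setting propagates.
Get-ExternalInOutlook | Format-List Identity, Enabled, AllowList
```

Pair the tag with the user reporting described above: a message that carries the external tag but claims to come from your CEO is exactly the case users should be told to report.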

9.2 Attack Simulation Training

Attack simulation training in Microsoft Defender for Office 365 helps you to run realistic attack scenarios in your organization. These mock attacks can help you detect and locate vulnerable users before a real attack affects your bottom line.

Phishing is a general term for email attacks that try to get sensitive information in messages that look like they are from legitimate or trusted senders. Phishing is one of the techniques we classify as social engineering.

In Attack simulation training, you can use multiple types of social engineering techniques:

  • Credential Harvest
  • Malware Attachment
  • Link in Attachment
  • Link to Malware
  • Drive-by-url
  • OAuth Consent Grant

This feature, including the available reporting and training materials for both your admins and workers, can be used to drive security awareness within your organization. Read more on how to configure simulated attacks, get reporting insights, and suggest training materials to your organization.

10. Security Monitoring and Automated Response

Cyber security monitoring is an automated process of continuously watching the behaviour on an organization’s network; in other words, monitoring the organization’s network traffic for activity that aims to damage or steal its data (a data breach) or otherwise creates cyber threats. Even with the best security tools in place, you need to be aware of the alerts and incidents happening across your organization’s network and assets.

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 alerts, automated investigation and response (AIR), and the outcome of the investigations are natively integrated and correlated on the Incidents page in Microsoft 365 Defender. Alerts are created when malicious or suspicious activity affects an entity (for example, email, users, or mailboxes). Alerts provide valuable insights about in-progress or completed attacks. However, an ongoing attack can affect multiple entities, which results in multiple alerts from different sources.

In Microsoft Defender for Office 365, we have native capabilities for handling alerts and incidents, but if you are a Microsoft Sentinel customer you could also leverage our built-in solutions from the Content Hub, like the Microsoft 365 Defender and Microsoft Exchange Security solutions.
