15 Email Security Best Practices That Every Microsoft 365 Admin Must Configure!

Is your Microsoft 365 email security a cause for concern? It’s a fair question: Microsoft 365 mailboxes are central hubs for sensitive information, connecting teams, partners, and clients. However, they are also an enticing target for cybercriminals aiming to steal your data and disrupt your operations. 🧑‍💻 

That’s precisely why ensuring the security of your Exchange Online environment is absolutely crucial! 💯 It’s not merely a desirable option; it’s an absolute necessity in today’s ever-evolving landscape of threats. In this blog post, we will delve into the top 15 best practices for enhancing Microsoft 365 email security that every Exchange Online administrator should put into action!  

Ready to learn how to protect your Exchange Online inboxes from cyber-attacks? Then read on! 👇 

Top 15 Exchange Online Security & Compliance Features: 

Microsoft 365 security is a moving target, with new threats emerging all the time. Therefore, to keep your mailboxes safe, it is important to configure all the available security settings. Take action now by configuring the Exchange Online security settings below and keep your email security tight! 

  1. Block Email Auto-forwarding to External Domains
  2. Enable External Email Warning Tag in Microsoft Outlook
  3. Zero-hour Auto Purge in Exchange Online Protection
  4. Disable Access to Exchange Online PowerShell
  5. Configure SPF, DKIM, and DMARC for Email Authentication
  6. Enable First Contact Safety Tip for Exchange Online
  7. Configure Outbound Spam Policy in Microsoft 365
  8. Require Message Approval in Microsoft Outlook
  9. Enable Preset Security Policies in Microsoft 365 Defender
  10. Enable Data Loss Prevention in Exchange Online
  11. Encrypt Emails in Outlook and Send Secured Email
  12. Configure Domain Allow and Block List in Exchange Online
  13. Block Shared Mailboxes Sign-in in Microsoft 365
  14. Report Suspicious Messages in Shared Mailboxes and Delegated Mailboxes
  15. Enable Archive Mailboxes in Microsoft 365

Want a quick rundown of all the settings without diving into a wall of text? Well, guess what? We’ve prepared an awesome cheat sheet featuring all those essential email security settings. Just flip through whenever you need and set things up!  

Download Cheat sheet: Microsoft 365 email security settings.pdf

1. Block Email Auto-forwarding to External Domains: 

Picture an employee’s email account being compromised and the attackers setting up auto-forwarding to their own account. This would let cybercriminals effortlessly redirect sensitive emails to external accounts, potentially resulting in data breaches and more! 😫 None of us want that to happen, right?  

So, it’s crucial to never allow anyone to forward emails to external recipients. Disable external forwarding right now and avoid data theft! 

More info: https://blog.admindroid.com/block-email-auto-forwarding-to-external-domain/ 

Configure here: https://admin.exchange.microsoft.com/#/transportrules
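
The scenario above can be checked for before the block goes in. The script below is an added example, not code from the original post or the linked article: it lists mailboxes that already forward to external addresses (mailbox-level forwarding and inbox rules) and then creates a transport rule that rejects auto-forwarded mail leaving the organization. It assumes an active `Connect-ExchangeOnline` session with Exchange admin rights; the rule name and rejection text are placeholders.

```powershell
# Added example: audit external auto-forwarding, then block it with a transport rule.
# Assumes an active Connect-ExchangeOnline session with Exchange admin rights.

# Domains the tenant owns; any other target domain counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalTarget {
    param([string]$Target)
    # Targets look like 'smtp:user@domain' or '"Name" [SMTP:user@domain]'.
    # Directory-only entries ([EX:/o=...]) carry no SMTP address and are skipped.
    if ($Target -match '[\w.%+-]+@([\w.-]+)') {
        return $internalDomains -notcontains $Matches[1]
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding set by an admin or in Outlook on the web.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalTarget $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'ForwardingSmtpAddress'
                           Target  = $mbx.ForwardingSmtpAddress }
    }
    # Inbox rules that forward or redirect mail.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets | Where-Object { $_ -and (Test-ExternalTarget $_) }) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = "InboxRule: $($rule.Name)"
                               Target  = $t }
        }
    }
}
$findings | Format-Table -AutoSize

# Reject auto-forwarded mail leaving the organization. Remove -WhatIf to create the rule.
New-TransportRule -Name 'Block external auto-forwarding' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'External auto-forwarding is disabled by policy.' `
    -WhatIf
```

Review the findings table first: any external target that nobody can account for is worth treating as a possible account compromise, not just a setting to clean up.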

2. Enable External Email Warning Tag in Microsoft Outlook: 

Are you tired of scam emails and struggling to identify phishing emails? Most phishing emails come from external sources and pose the biggest security threats! 💯 Users often have trouble differentiating them, leading to inadvertent clicks on malicious links.  

Therefore, to prevent such incidents, it’s a smart move to mark all external emails with an “EXTERNAL” tag. Label it now and avoid phishing links! 

More info: https://blog.admindroid.com/protect-o365-from-phishing-attack-using-external-email-tagging/ 

Download Script: EnableEXTWarning.ps1

3. Zero-hour Auto Purge in Exchange Online Protection: 

Despite having multiple layers of anti-spam and anti-malware filters in place, a few malicious emails might still slip through and end up in your inbox! 😑 Sometimes, attackers are clever and weaponize the URL only after delivery. So, if you’re tired of playing hide-and-seek with spam and malware in your organization’s mailboxes, Zero-hour auto purge is your saving grace!  

Zero-hour auto purge is a feature in Exchange Online that offers real-time protection, swiftly identifying and removing spam and malware messages, even if they’ve already landed in your inbox.   

More info: https://blog.admindroid.com/zero-hour-auto-purge-in-exchange-online/ 

Configure here: https://security.microsoft.com/antispam

4. Disable Access to Exchange Online PowerShell: 

While it’s true that Microsoft 365 users can access Exchange Online PowerShell, it’s important to note that their capabilities are still governed by role-based access control (RBAC) and their assigned roles. Even though there may not be many risks, it’s better to close the door, isn’t it? The potential dangers include privilege escalation, unauthorized access, and compliance violations! ⚠️ So, disable the access and lock the door now! 

More info: https://blog.admindroid.com/disable-access-to-exchange-online-powershell/ 

5. Configure SPF, DKIM, and DMARC for Email Authentication:

Lately, impersonation attacks like phishing, spoofing, etc., have become more common. Consider a case where a cybercriminal attempts to impersonate your organization through phishing emails. Afraid of your brand reputation degrading? 😫 No need to fret. In such situations, SPF, DKIM, and DMARC come to the rescue by working together to verify the authenticity of these emails, effectively preventing them from reaching your employees’ inboxes and safeguarding your brand’s reputation. 

  • SPF (Sender Policy Framework) – Prevents unauthorized senders from using your domain. 
  • DKIM (DomainKeys Identified Mail) – Digitally signs your email messages and ensures the integrity of your email content.  
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) – Ties it all together by providing visibility and control over email authentication. It lets you know whether someone is using your domain to spoof. 

More info: https://blog.admindroid.com/a-guide-to-spf-dkim-and-dmarc-to-prevent-spoofing/ 

Configure here: https://security.microsoft.com/authentication?viewid=DKIM
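
To see where each of your domains stands on all three mechanisms, the script below (an added example, not from the original post) reads the published SPF and DMARC TXT records and the tenant's DKIM signing state, and flags the common gaps. It assumes Windows (for `Resolve-DnsName`), an active `Connect-ExchangeOnline` session, and the worldwide commercial cloud, where the Microsoft 365 SPF include is `spf.protection.outlook.com`; the function names are hypothetical.

```powershell
# Added example: report SPF, DKIM and DMARC status for every custom accepted domain.
# Assumes Windows (Resolve-DnsName) and an active Connect-ExchangeOnline session.

function Get-TxtRecord {
    param([string]$Name, [string]$Prefix)
    # Join the chunks of each TXT record and keep the records starting with $Prefix.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like "$Prefix*" }
}

function Get-MailAuthStatus {
    param([string]$Domain)
    $issues = @()

    $spf = @(Get-TxtRecord -Name $Domain -Prefix 'v=spf1')
    if ($spf.Count -eq 0)     { $issues += 'No SPF record' }
    elseif ($spf.Count -gt 1) { $issues += 'Multiple SPF records (evaluates as PermError)' }
    else {
        if ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
            $issues += 'SPF does not include spf.protection.outlook.com'
        }
        if ($spf[0] -notmatch '[-~]all\s*$') { $issues += 'SPF does not end in -all or ~all' }
    }

    $dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if (-not $dkim -or -not $dkim.Enabled) { $issues += 'DKIM signing not enabled' }

    $dmarc = @(Get-TxtRecord -Name "_dmarc.$Domain" -Prefix 'v=DMARC1')
    if ($dmarc.Count -eq 0) { $issues += 'No DMARC record' }
    elseif ($dmarc[0] -match '(?<![a-z])p\s*=\s*none') {
        # The lookbehind keeps the subdomain tag (sp=) from matching.
        $issues += 'DMARC policy is p=none (monitoring only)'
    }

    $summary = if ($issues) { $issues -join '; ' } else { 'OK' }
    [pscustomobject]@{ Domain = $Domain; Issues = $summary }
}

Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' } |
    ForEach-Object { Get-MailAuthStatus -Domain $_.DomainName } |
    Format-Table -AutoSize -Wrap
```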

6. Enable First Contact Safety Tip for Exchange Online: 

As the name suggests, these are brief tips that appear when a user communicates with someone they haven’t interacted with before or receives an email from an unfamiliar sender. The tip is shown simply to make the user aware! ✅ 

With the first contact safety tip enabled in your organization, you can provide additional protection against Business Email Compromise (BEC) attacks, particularly for executives, by identifying emails from impersonated senders. 

More info:  https://blog.admindroid.com/enable-first-contact-safety-tip/ 

Configure here: https://security.microsoft.com/antiphishing

7. Configure Outbound Spam Policy in Microsoft 365: 

Imagine your organization just dispatched a vital email campaign to thousands of customers. But much to your horror, all these emails ended up in the recipients’ spam folders. 😯 This is certainly not the impression you want to create with your customers, right? So, what’s the solution? That’s where the Office 365 Outbound Spam Policy comes in to save your day! 

The Outbound Spam Policy in Microsoft 365 scans all outgoing emails for phishing and spam content and blocks potentially malicious messages before they reach the recipients. 

Don’t delay – configure it now and safeguard your organization’s reputation!

More info: https://blog.admindroid.com/configure-outbound-spam-policy-in-microsoft-365/ 

Configure here: https://security.microsoft.com/antispam

8. Require Message Approval in Microsoft Outlook: 

Sometimes, confidential emails require a stage of review; without one, they may slip through the cracks and end up in unintended inboxes. ❌ It’s particularly crucial to pay attention to emails sent to external recipients; otherwise, sensitive information may be disclosed!  

This is where email moderation comes into play! Admins configure moderated recipients in Exchange Online and let them do a round of review and approve emails in Microsoft Outlook. During this process, they can carefully assess email content and either grant approval or make necessary adjustments to maintain confidentiality and security standards. ✅ 

More info: https://blog.admindroid.com/how-to-approve-emails-in-microsoft-outlook/ 

Configure here: https://admin.exchange.microsoft.com/#/transportrules

9. Enable Preset Security Policies in Microsoft 365 Defender: 

Microsoft 365 security can be a real headache because there’s just so much stuff to tweak and turn on. And it’s tough to keep up with all the changes and best practices, right? 😫 

Well, guess what? Microsoft has decided to give us a hand! They’ve rolled out “preset security policies for Exchange Online protection.”  

Basically, a preset security policy bundles together all the security settings for anti-spam, outbound spam filters, anti-malware, anti-phishing, ATP Safe Links, and ATP Safe Attachments. 

Right now, there are two presets to choose from: 

  1. Standard protection: This is the baseline protection profile, suitable for most organizations and most users. 
  2. Strict protection: Now, if you’ve got high-value targets or priority users – this preset is for them. A strong protection profile for those specified users. 

So, with these presets, Microsoft has made it a bit easier to keep your Microsoft 365 security in check without going crazy trying to configure everything yourself! 

More info: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies 

Configure here: https://security.microsoft.com/presetSecurityPolicies

10. Enable Data Loss Prevention in Exchange Online: 

Data loss prevention (DLP) plays a crucial role in safeguarding sensitive information from being leaked or stolen. In Exchange Online, DLP can be used to identify and protect sensitive data in email messages, attachments, and other types of content. 

Let’s see how DLP protects sensitive data from going outside in real-time: Your company has a policy that prohibits employees from sending customer credit card numbers outside the organization. But how will you ensure that they’re not really sending it? 🤔 

Here, DLP can help organizations! DLP can be used to set up a policy that detects and blocks email messages containing customer credit card numbers. This way, administrators can easily monitor and prevent any violations of this rule, helping the company stay in compliance with its policies and safeguard confidential data. 

More info: https://o365reports.com/2022/06/29/protect-office-365-sensitive-data-with-data-loss-prevention-dlp-policy/ 

Configure here: https://compliance.microsoft.com/datalossprevention/policies

11. Encrypt Emails in Outlook and Send Secured Email: 

So, picture this: A legal firm that frequently communicates with clients and other law firms via email, exchanging highly sensitive legal documents, contracts, and client information. Here, protecting the confidentiality of this information is crucial for maintaining client trust and adhering to legal & ethical obligations. 💯 

Can you be 100% sure that the emails you send and receive are truly secure and that the intended recipient is the only one reading the message? The bitter truth is, you can’t always be sure! Email security in Microsoft 365 is a real concern, with threats like spoofing, spam, and phishing attacks happening all the time.  

But with Microsoft 365 message encryption, organizations can send and receive confidential email messages both within and outside the company. This makes sure that only authorized recipients can actually read the email and access its contents. So, it’s like a super secure way to keep our secrets safe! 😎🔒 

More info: https://m365scripts.com/exchange-online/encrypt-email-in-microsoft-outlook-to-safeguard-your-sensitive-information/ 

12. Configure Domain Allow and Block List in Exchange Online: 

In Microsoft 365, email filters can goof up sometimes – flagging good email as bad (false positives) or letting shady emails slide (false negatives). But don’t worry! The Tenant Allow/Block List in the Microsoft 365 Defender portal can help! It’s like a manual override for the email filter.  

The tenant allow and block list controls which emails enter your organization’s mailboxes and stops your users from sending emails to blocked domains and addresses. 🚫📧 

For example, if you know that a particular domain is not sending spam, you can add it to the Tenant Allow List. This guarantees their emails reach your employees’ inboxes, no matter what the spam filter thinks. Likewise, if your company has a strict no-emails-to-spammy-domains policy, you can easily enforce it by adding those domains to the block list. Cool, right? 😎 Configure it right now! 

More info: https://o365reports.com/2022/09/27/exchange-online-tenant-allow-and-block-list-management/ 

Configure here: https://security.microsoft.com/tenantAllowBlockList

13. Block Shared Mailboxes Sign-in in Microsoft 365: 

A shared mailbox in Microsoft 365 is a mailbox that a group of delegated users can use to send and receive emails. However, there’s a security concern to be aware of! When you create a shared mailbox in Exchange Online, it comes with an auto-generated password. This password, combined with the shared mailbox email address, can be used by anyone as login credentials. That’s where it gets a bit dicey! That auto-generated password can be a real risk, especially if it falls into the wrong hands. 🙅‍♂️ 

Before anything happens, it’s best to block sign-in to shared mailboxes in Microsoft 365. 👨‍💻🔒 

More info: https://m365scripts.com/exchange-online/block-shared-mailbox-sign-in-to-protect-your-office-365-environment/ 

Configure here: https://admin.microsoft.com/Adminportal/Home#/users/:/BlockUser/
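
The script below, an added example that is not from the original post, finds shared mailboxes whose accounts can still sign in, shows the most recent direct sign-in for each, and then blocks sign-in. It assumes `Connect-ExchangeOnline` and `Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All'` have already run and that your tenant exposes sign-in logs through Microsoft Graph.

```powershell
# Added example: find shared mailboxes that can still sign in, then block them.
# Assumes Connect-ExchangeOnline and
# Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All' have already run.

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
        -Property Id, UserPrincipalName, AccountEnabled
    if (-not $user.AccountEnabled) { continue }   # sign-in is already blocked

    # Most recent sign-in made directly with the shared mailbox's own account.
    # Delegates open the mailbox with their own accounts, so any hit deserves a look.
    $last = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)'" `
        -Sort 'createdDateTime desc' -Top 1

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ObjectId          = $user.Id
        LastDirectSignIn  = $last.CreatedDateTime
        FromIp            = $last.IpAddress
        App               = $last.AppDisplayName
    }
}
$report | Format-Table -AutoSize

# Block sign-in for every shared mailbox that is still enabled. Remove -WhatIf to apply.
foreach ($row in $report) {
    Update-MgUser -UserId $row.ObjectId -AccountEnabled:$false -WhatIf
}
```

Blocking sign-in does not affect delegates, who keep reaching the mailbox through their own accounts and permissions.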

14. Report Suspicious Messages in Shared Mailboxes and Delegated Mailboxes in Microsoft 365:

Cyberattacks are on the rise and growing more sophisticated by the day. Even though Microsoft provides tools to report suspicious Multi-Factor Authentication (MFA) requests and report messages in Microsoft Teams, hackers still execute phishing and spoofing attacks through email! 

That’s where reporting junk and phishing emails in Outlook comes into play, enhancing Microsoft’s security practices. While initially limited to user mailboxes, it’s now supported for shared and delegated mailboxes too! 📧 

In Outlook Web, there’s a “Report message” button for users to report phishing and junk emails. Admins can configure these reports to be sent to a specific mailbox, Microsoft, or both. This user feedback not only safeguards users but also fine-tunes Microsoft’s security measures.  

More info: https://blog.admindroid.com/reporting-suspicious-messages-in-m365-shared-and-delegated-mailboxes/ 

15. Enable Archive Mailboxes in Microsoft 365:

Enabling archive mailboxes in Microsoft 365 offers a multifaceted approach, starting with efficient data management. 

Archive mailboxes (in-place archiving) in Exchange Online create an associated mailbox along with the user’s primary mailbox. This secondary mailbox serves as a dedicated storage space for older emails and documents. 

It’s a handy way to safeguard crucial communication without overcrowding your primary mailbox. This not only improves data organization but also reduces the risk of accidentally deleting critical emails!  

But that’s not all. Archive mailboxes are your compliance sidekick! They play a crucial role in ensuring you meet regulatory requirements and in simplifying legal procedures. When it’s time for audits or legal inquiries, having an organized archive mailbox is a game-changer. No more digging through endless files or worrying about data leaks – everything is neatly stored and easily accessible. Enabling archive mailboxes isn’t just about security; it’s about being efficient in the face of legal challenges. 📦 Enable it right now and get more storage space! 

More info: https://m365scripts.com/exchange-online/how-to-enable-or-disable-archive-mailbox-in-office-365-using-powershell/

Configure here: https://admin.exchange.microsoft.com/#/mailboxes/:/MailboxDetails/

Although each of these steps is crucial, malware defense isn’t one-size-fits-all. It’s critical to understand that every organization has unique security vulnerabilities. 💯 

And these 15 best email security practices outlined in this blog post are a great place to start! 😌 But don’t stop there. Security isn’t a simple, one-time thing; you need to stay up to date on the latest threats. So, stay vigilant, alert, and safe! 
