With seemingly everyone and their dog using Microsoft 365 for email, it looks like an invasion plan! That includes many central government departments, among them the Ministry of Defence and the National Cyber Security Centre, as well as councils, schools, constabularies and FTSE 100 companies. Moving to the cloud takes away backup, patching, maintenance and some elements of security. As with all cloud services, security comes down to whoever configures it, and it is not perfect out of the box. Email is the core communication method, and it can be used to reset passwords and to pull off many other attack types.

The admin account
Go back ten years, and usernames were not email addresses but a letter followed by a few random numbers. Now everything is [email address] or initialsurname as a login. This has made password cracking, guessing and phishing easier.

The admin account should not be the Head of IT’s general email address but something different, so it cannot be guessed easily. For example, do not set the admin account as [the Head of IT’s email address] but rather something like [a separate, non-obvious address], or more random still, to make it harder to guess. Look at general password policies, too.

Two-factor authentication
With email addresses being easily guessable, as stated above, phishing and password cracking are a problem. Why? With on-premises Exchange, a firewall often restricted access to OWA (Outlook Web Access); with Microsoft 365 there is no such restriction by default.

Even on Microsoft’s entry-level SaaS offering, 2FA is included, which not everyone knows. It can authenticate by SMS code, push notification in the app, or OTP code from the app. Start by enabling 2FA for all admins, have them test it for a week, and then enforce it for all users in the organisation.

Consider ATP (Advanced Threat Protection)
Microsoft 365’s inbuilt antimalware and antispam protection is decent, but nothing is perfect. By default, links embedded in emails are only given a basic check, and files go through a few standard antimalware engines. More advanced and, worse, targeted attacks have a chance of getting through.

Microsoft Defender for Office 365 is under two pounds a month and is great value for its functionality. It has two core functions. First, it automatically sandboxes files whose intent it cannot determine: it runs the file in a safe environment and delivers it only if it is safe. Second, it rewrites each link so that, on click, it is rescanned in the cloud.

Enable SPF (Sender Policy Framework)
Phishing is a big problem, and some emails are simply spoofed. SPF is a free and open anti-spoofing technique. When emails arrive, the receiving server checks the sending IP address against the record the sending domain has published in DNS and either cans the message or flags it as spam. In January 2025, the MikroTik botnet used badly configured SPF records to increase its virality.

With SPF, there are three settings: neutral, which does nothing; hardfail (-), which cans the message; and softfail (~), which usually marks it as spam. A typical hardfail TXT record looks like “v=spf1 include:spf.protection.outlook.com -all”. Make sure you add the TXT record to your DNS, and ensure your inbound emails are being checked, too.
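A small SPF evaluator, added here as an illustration and not code from the original article: it parses a record like the one quoted above, returns the qualifier result for a sending IP, and shows why a record ending in “+all” (the badly configured case) lets any sender pass. The domains, IP ranges and the SAMPLE_TXT lookup table are constructed stand-ins for DNS.

```python
import ipaddress

# Constructed sample TXT records standing in for DNS lookups (assumption: offline demo).
# "example.com" mirrors the hardfail record quoted above; "open.example" is the "+all" misconfiguration.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "soft.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "open.example": "v=spf1 +all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed

def check_spf(ip, domain, txt=SAMPLE_TXT, depth=0):
    """Evaluate a sending IP against a domain's record.
    Only ip4, ip6, include and all are handled; a, mx, exists and redirect
    need live DNS and are skipped in this demo."""
    if depth > 10:                      # RFC 7208 limits the lookup chain to 10
        return "permerror"
    record = txt.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qual]
        if mech == "include" and check_spf(ip, arg, txt, depth + 1) == "pass":
            return QUALIFIER[qual]
        if mech == "all":
            return QUALIFIER[qual]
    return "neutral"                    # nothing matched and no "all" term present

def permits_any_sender(record):
    """True when the record ends in '+all': every IP passes, so a spoofed sender passes too."""
    return any(mech == "all" and qual == "+" for qual, mech, _ in parse_spf(record))
```

The last function is the check to run over your own published record: a pass for an address you do not own means the record is doing nothing useful.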

Enable DKIM (DomainKeys Identified Mail)
Continuing from a similar topic above, DKIM is an anti-forgery method which, unlike SPF, uses a digital signature: a private key on the server (or in the cloud, in this case) signs outbound emails, and a public key published in a DNS TXT or CNAME record lets the receiving mail server verify that the message came from where it claims to come from.

This is a little fiddly to set up for cloud or on-premises, though Microsoft 365 handles the key generation for you. Once enabled, you need to add two CNAME (Canonical Name) records rather than the usual TXT records; Microsoft 365 then checks that the records are present and does the rest of the work, including key generation. The fiddly part is understanding how the CNAMEs are entered in DNS.
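To make the signature mechanics concrete, here is an added example (not code from the article or from Microsoft) that parses a DKIM-Signature header, works out the DNS name the receiver queries for the public key (selector._domainkey.domain, which is what the CNAMEs above point at), and verifies the body hash (bh=) using the RFC 6376 body canonicalization. The message body and header are constructed; checking the b= signature itself needs the public key from DNS and is left out.

```python
import base64
import hashlib
import re

def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 body canonicalization: CRLF line endings and no trailing empty lines;
    'relaxed' additionally strips trailing whitespace and squashes runs of spaces/tabs."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    text = "\r\n".join(lines)
    return re.sub(r"(\r\n)*$", "", text) + "\r\n"

def body_hash(body, mode="relaxed"):
    """The bh= value: base64(SHA-256) of the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; bh=...; b=...' into a dict, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_dns_name(tags):
    """Where the receiver looks for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def verify_body_hash(dkim_header, body):
    """True when the body still matches bh=. False means the body changed in transit
    or the tag was forged; the b= signature check (needs the DNS key) is not shown."""
    tags = parse_dkim_tags(dkim_header)
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) > 1 else "simple"
    return body_hash(body, body_mode) == tags.get("bh")

# Constructed message (not a real capture); bh= is computed so the example is self-consistent,
# and b= is a placeholder rather than a real signature.
BODY = "Please find the invoice attached.\r\n\r\nRegards,  \r\nAccounts\r\n\r\n"
DKIM_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;"
               " h=from:to:subject; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
```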

DMARC (Domain-based Message Authentication, Reporting and Conformance) could be considered as well.

Backup
Cloud computing is intangible and can be seen as putting all your eggs in one basket. You cannot see your physical hardware nor the backup methods (tapes, in the older days) used. If a user deletes a bunch of emails and the 30-day self-recovery window has passed, you are likely in trouble. What if you delete a mailbox by mistake and it is past 30 days?

Microsoft 365 does offer some form of backup and archiving service for extra monthly fees, but what if Microsoft went bust or their data centres went into thermonuclear meltdown? Various third-party services exist for a few pounds a month to offer true offsite, independent backup. Just check their security posture and data centre locations.

File types
Though obvious files such as MSI, EXE and SCR files are unlikely to make it through, what about macro-enabled files like DOCM and XLSM, and archives (7-Zip, WinRAR and WinZip)? All sorts of files can be malicious.

You can simply block files coming inbound or outbound. The main ones to consider are ade, adp, app, asp, bas, bat, bhx, cab, ceo, chm, cmd, com, cpl, crt, der, docm, dotm, enc, exe, fxp, hlp, hta, inf, ins, isp, its, jar, js, jse, lnk, mad, maf, mag, mam, mar, mas, mat, mde, mim, msc, msi, msp, mst, ole, pcd, pif, potm, ppam, ps1, ppsm, pptm, reg, scr, sct, shb, shs, sldm, vb, vbe, vbs, vsw, wmd, wmz, ws, wsc, wsf, wsh, xlam, xltm and xxe.

Smartphones and tablets
Excluding infants and the elderly, practically everyone has a smartphone these days. A smartphone is similar to a laptop and has extras on it like SMS, contacts and banking apps. The dangers are varied: loss, theft, infection and traffic interception. Email, which is guaranteed to be on a smartphone, can reset passwords and, at times, switch off two-factor authentication.

Smartphones are a massive business enabler if secured correctly. Microsoft 365 has Intune, which is its own MDM (mobile device management). Intune can enforce security rules, encryption, containerisation, remote wipes, DLP rules, and a lot more. Out of the box, Microsoft 365 can control devices or device types, or simply block phones outright from being added to email accounts.

Scoring
With the many settings and sub-settings in Microsoft 365, it is easy to forget something or get lost. Microsoft 365 has a free, inbuilt scoring method which is quantitative rather than qualitative. Scores are given as numbers and by category.

To read more about it, visit https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score?view=o365-worldwide. To see your score while logged in as an administrator, go to https://security.microsoft.com/securescore.

Consider IRM (Information Rights Management)/DLP (Data Loss Prevention)
From a user’s point of view, these can be seriously annoying and even go too far. Think about the triad: usability, security and cost. Just like with a laptop, you can disable USB, SD card, and DVD/CD drives. The idea is to stop on-purpose data theft or accidental loss, like forwarding a sensitive email or addressing it to the wrong recipient.

Whatever you do, someone will probably find a way around your controls. Taking a photo of the screen, screen capturing, or using a trick I found (pasting the text into Microsoft Edge’s URL bar) will remove wrapper protection. Options include only allowing logins from work-managed devices, blocking forwarding, blocking print, blocking files from being uploaded through a browser, blocking files from going onto external media, and blocking or flagging on social security numbers, passports or credit/debit cards.

Review sign-in history
As with Microsoft Windows, Microsoft 365 stores data on successful and failed logins. Multiple failures followed by a successful login is not good, especially if the IP address, location, device, country or city is not recognised. The data includes time and date, city, country, success or failure, operating system, browser type, IP address and account name. Such data could be exported to a SIEM or SOAR; Azure offers Sentinel, which is fully hosted.

Sign-ins can be seen per account at https://mysignins.microsoft.com/ or, for visibility across the entire tenant, at https://entra.microsoft.com/#view/Microsoft_AAD_IAM/SignInEventsV3Blade. By default, you get seven days of history, which can be extended if you take out a Microsoft Entra ID subscription.
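The “multiple failures, then a success from somewhere unrecognised” pattern described above, as detection logic run over a sign-in export. This is an added example, not code from the article or from Microsoft; the events are constructed with the fields the article lists (time, user, IP, country, success), and the thresholds are assumptions to tune for your tenant.

```python
from datetime import datetime, timedelta

# Constructed sign-in events shaped like the fields listed above (not a real tenant export).
SIGNINS = [
    {"time": "2025-01-10T08:01:00", "user": "alice", "ip": "203.0.113.10", "country": "GB", "success": True},
    {"time": "2025-01-13T02:10:00", "user": "alice", "ip": "198.51.100.7", "country": "XX", "success": False},
    {"time": "2025-01-13T02:11:00", "user": "alice", "ip": "198.51.100.7", "country": "XX", "success": False},
    {"time": "2025-01-13T02:12:00", "user": "alice", "ip": "198.51.100.7", "country": "XX", "success": False},
    {"time": "2025-01-13T02:14:00", "user": "alice", "ip": "198.51.100.7", "country": "XX", "success": True},
    {"time": "2025-01-13T09:00:00", "user": "bob", "ip": "203.0.113.20", "country": "GB", "success": False},
    {"time": "2025-01-13T09:01:00", "user": "bob", "ip": "203.0.113.20", "country": "GB", "success": True},
    {"time": "2025-01-13T10:00:00", "user": "carol", "ip": "203.0.113.30", "country": "GB", "success": True},
    {"time": "2025-01-13T15:00:00", "user": "carol", "ip": "198.51.100.9", "country": "XX", "success": True},
]

def find_suspicious_logins(events, min_failures=3, window=timedelta(minutes=30)):
    """Flag a success preceded by min_failures or more failures for the same user
    within the window, and note whether the country is one the user has never
    successfully signed in from before (the 'not recognised' case)."""
    alerts, fails, known = [], {}, {}
    for e in sorted(events, key=lambda e: e["time"]):
        t, user = datetime.fromisoformat(e["time"]), e["user"]
        recent = [f for f in fails.get(user, []) if t - f <= window]   # drop stale failures
        if not e["success"]:
            fails[user] = recent + [t]
            continue
        if len(recent) >= min_failures:
            alerts.append({"user": user, "time": e["time"], "ip": e["ip"],
                           "country": e["country"], "failures": len(recent),
                           "new_country": e["country"] not in known.get(user, set())})
        known.setdefault(user, set()).add(e["country"])
        fails[user] = []                                              # success resets the run
    return alerts

def first_seen_countries(events):
    """Successful logins from a country the user had never succeeded from: worth
    a look even when no failed attempts came first."""
    seen, hits = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["success"]:
            if e["user"] in seen and e["country"] not in seen[e["user"]]:
                hits.append((e["user"], e["country"], e["time"]))
            seen.setdefault(e["user"], set()).add(e["country"])
    return hits
```

On the sample data, only alice trips the failures-then-success rule, while the new-country rule also surfaces carol, whose clean success from an unfamiliar country would otherwise go unnoticed.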

Block unused protocols
Microsoft 365 offers the following connection methods: Outlook on the web, Outlook desktop (MAPI), Exchange Web Services, mobile (Exchange ActiveSync), IMAP, POP and authenticated SMTP.

If users only use webmail (“Outlook on the web”) and not the Outlook client or smartphones, then disable all protocols bar the first to reduce the attack surface. Where do you find this setting per user? Click on a user > Mail > Email apps.

Use defaults or configure email policies
Policies & rules > Threat policies lets you fine-tune inbound and outbound settings, especially if you have Microsoft Defender for Office 365. For the lazy or unskilled, you can use the preset policies, where you assign users to either Standard protection or Strict protection. Standard is used for average company users, and Strict for the C-suite and staff who are more exposed to the public, e.g. accounts payable.

If you want to customise all settings, disable both preset policies and go through each individual setting under the Policies section. One setting to look out for with the ATP subscription is Safe Attachments. Dynamic delivery is a good setting: the end user does not receive the file until it has been run in a sandbox.

Impersonation protection
Impersonation protection is not included by default and requires a particular or additional subscription. The feature applies to inbound emails whose sender address or display name looks similar to the users or domains listed in the console: it inspects each inbound email to see whether the address or display name resembles the users or domains you have defined.

Add the high-risk email addresses of your staff, including aliases and the domains you own. External domains should also be added, including key suppliers and clients. The aim is to stop CEO fraud, invoice fraud and general spear phishing.