Securing Exchange Online 2 – First Steps Part 2.

In the previous article we covered disabling legacy authentication, and configuring SPF, DKIM and DMARC. This article will cover Exchange Online Protection, Microsoft Defender for Office 365 Plan 1, and external email tagging.

As always, these are recommendations which may impact a live environment. If you are starting from scratch within a new tenant then you can more easily adopt more restrictive policies. Although email is still one of the highest-risk areas for malware and social engineering, it is also generally an organisation's most vital system, and severely disrupting the flow of email can be as damaging as some cyber attacks. Therefore we should ensure users are well informed of any upcoming changes, and have a good rollback plan in place. That said, small improvements in email security can reap exponential returns, so this is a worthwhile exercise. We talk about continual incremental improvements in our blog here.

Exchange Online Protection (EOP).

EOP is included with all Exchange Online mailboxes and provides the basic level of protection. For access to more advanced controls we require one of the licences below.

  1. Microsoft Defender for Office 365 Plan 1 (Defender for Office 365 P1).
  2. Microsoft Defender for Office 365 Plan 2 (Defender for Office 365 P2).

Throughout all our blogs we have been using Microsoft 365 Business Premium licensing, which includes Defender for Office 365 P1.

Preset Security Policies

In the same way Microsoft provides Security Defaults for other products, they also provide Preset Security Policies within Exchange Online. These allow us to apply Microsoft-recommended configurations across either all or selected mailboxes, and they update automatically when Microsoft improves the policies. These configurations incorporate settings across EOP and Defender for O365.

Microsoft also provides a “Configuration Analyser” which gives insight and recommendations related to our current policies. You can find this by going to https://security.microsoft.com > Email and Collaboration > Policies and Rules > Threat Policies > Configuration Analyser. It’s useful to run a before-and-after comparison, as this improves our understanding of the changes we are making.

We should also note our secure score which is visible at https://security.microsoft.com in our Microsoft Defender portal. Being able to see progress is important so we don’t feel like we are making improvements in a vacuum. Yes, we understand there is no finishing line to cross where we can relax, but it’s important to understand the progress we are making.

NOTE: The Microsoft recommended settings for Preset Security Policies are available here.

The table which shows the difference between the Core, Standard, and Strict Preset Security Policies can be viewed here in the official Microsoft documentation.

To enforce a Preset Security Policy we head over to https://security.microsoft.com > Email and Collaboration > Policies and Rules > Threat Policies > Preset Security Policies. For this example we will be selecting the “Standard” policy.

Before we enable the standard preset policy, we can have a look at the current Anti-Phishing Policies by selecting “Anti-phishing” from the options. Below we can see that we only have the default policy enabled currently.

Go back to the previous screen and select the top option “Preset Security Policies” > then “Manage protection settings” as shown below.

Now let’s walk through the configurable options. First up, we want to apply EOP to all users.

Next we want to apply Defender for Office 365 protection to all users.

We will apply Impersonation protection to high profile accounts which are more likely to be spoofed. This protection is in addition to “Priority Account Protection” which we covered previously here.

We can also add external email addresses, which means if we have an external company processing our payroll for example, we can add the email accounts in here and Defender will provide additional protection if these addresses are spoofed or impersonated.

We can add the names and email addresses in the next page.

In the same way we can add external email addresses in the previous page, we can add entire domains during this step. If you have suppliers you regularly interact with or exchange payment information or invoices then this can help reduce the likelihood of impersonation and social engineering attacks impacting your organisation.

Next we add any trusted email addresses or domains that we want to exclude from impersonation protection. These addresses and domains will still be subject to scanning and the spam filters.

Now we can either save the configuration and leave the policy turned off, or we can enable it immediately. In this guide we are going to immediately enable the policy. In a production environment we may wish to test.

We get a chance to check our configuration before confirming.

We can see here that our policy is now enabled.

Let’s go back to the “policies and rules” page and check the Anti-phishing policies. We can see the new policy above the existing Default policy we saw earlier.

Default Anti-Spam Policy

We can find this by going to https://security.microsoft.com > Email and Collaboration > Policies and Rules > Threat Policies > Anti-spam policies.

We select the Anti-spam inbound policy (Default).

Then select “Edit spam threshold and properties”.

First we change the bulk email threshold from 7 to 6 and save our changes to this section.

We scroll down the options and select “Edit Actions”.

Then we change the Quarantine retention period from 15 to 30 days. We do this as we are going to tighten the rules around which emails are sent to quarantine and so we want to extend the retention period to give us ample time to retrieve any emails which are incorrectly flagged before they are deleted.

As explained above we make the changes to the highlighted options.

We are finished within this section so we can save and move to the next.

We now want to make a change to the “Anti-spam outbound policy (Default)” to prevent users from setting up auto-forwarding of emails to external addresses. Select the policy and then click the “Edit protection settings” option.

Make the change as shown below, then save and close.

Default Anti-Phishing Policy

Although some of these settings have been configured within our Preset Security Policy, which supersedes the default policy, Microsoft still recommends making the following changes to the default policy when Preset Security Policies are enabled. Let’s now head over to https://security.microsoft.com > Email and Collaboration > Policies and Rules > Threat Policies > Anti-phishing and select “Office365 AntiPhish Default (Default)”. Then from the side menu select “Edit protection settings”.

We are going to increase the phishing email threshold from 1 (“Standard”) to 3 (“More aggressive”). This threshold relates to the machine learning engine and the actions taken based on the ML model’s determination.

We then enable “Enable intelligence for impersonation protection (Recommended)”.

We save the changes then scroll down to the bottom of the side menu and select “Edit Actions”.

From here we configure the below highlighted settings as shown.

This will quarantine the described messages and notify users via quarantine email notifications for emails quarantined due to the corresponding threat policy.

We then configure detected “impersonated user” emails to be moved to the recipient’s Junk folder.

Then we ensure all “notify user” tick boxes are selected to enable all features.

We then hit Save, and close and we’re all done with this policy.
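The anti-spam and anti-phishing changes above can also be made from Exchange Online PowerShell, which is handy for scripting them or for checking a tenant against this guide. This is an added example and not part of the original post; the mapping of portal labels to cmdlet parameters (in particular the “impersonated user” action to TargetedUserProtectionAction) is our assumption, and any quarantine actions not named in the text are left at their existing values.

```powershell
# Added example: apply the default anti-spam and anti-phishing changes from
# this guide with Exchange Online PowerShell, then read them back.
# Assumes the Exchange Online module is installed and the account holds the
# Security Administrator (or equivalent) role.
Connect-ExchangeOnline

# --- Anti-spam inbound policy (Default) ----------------------------------
# Bulk email threshold 7 -> 6; quarantine retention 15 -> 30 days.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -BulkThreshold 6 `
    -QuarantineRetentionPeriod 30

# --- Anti-spam outbound policy (Default) ---------------------------------
# Stop users from configuring automatic forwarding to external addresses.
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off

# --- Anti-phishing policy (Office365 AntiPhish Default) ------------------
# Threshold 1 (Standard) -> 3 (More aggressive), mailbox intelligence for
# impersonation protection on, impersonated-user messages to Junk, and the
# user-facing safety tips ("notify user") enabled. Assumed label mapping.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -PhishThresholdLevel 3 `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -TargetedUserProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# --- Read back and compare with the values this guide expects ------------
$expected = @{
    BulkThreshold             = 6
    QuarantineRetentionPeriod = 30
    AutoForwardingMode        = 'Off'
    PhishThresholdLevel       = 3
}
$inbound  = Get-HostedContentFilterPolicy -Identity 'Default'
$outbound = Get-HostedOutboundSpamFilterPolicy -Identity 'Default'
$phish    = Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default'
$actual = @{
    BulkThreshold             = $inbound.BulkThreshold
    QuarantineRetentionPeriod = $inbound.QuarantineRetentionPeriod
    AutoForwardingMode        = [string]$outbound.AutoForwardingMode
    PhishThresholdLevel       = $phish.PhishThresholdLevel
}
foreach ($key in $expected.Keys) {
    $state = if ($actual[$key] -eq $expected[$key]) { 'OK   ' } else { 'DRIFT' }
    "{0} {1,-26} expected {2,-4} actual {3}" -f $state, $key, $expected[$key], $actual[$key]
}
```

Re-running the read-back section on its own makes a quick drift check after the preset policies auto-update.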

External Email Tagging

External tags show recipients that a message came from an external sender. Microsoft 365 uses native client-side integration to clearly identify mail from external senders. This identification allows you to train users to be more suspicious about mail sent from external senders.

To enable this configuration we need to run the following PowerShell cmdlet:

Set-ExternalInOutlook -Enabled $true

The Exchange Online PowerShell module has been deprecated, so this may require some preparation before you can enable this. This is beyond the scope of this guide; however, you can find guidance using the links below.

https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps#step-1-load-the-exchange-online-powershell-module

https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-remote-powershell-in-exchange-online-re-enabling/ba-p/3779692

https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#powershellget-for-rest-based-connections-in-windows

We can also use mail flow rules within Exchange Online to prepend the word “External” to the subject of all incoming external email. This provides a visible marker to the recipient that the message is from an external source and can assist with spotting phishing emails.

To use this method we need to head over to the new Exchange Admin Centre at https://admin.exchange.microsoft.com/ > Mail Flow > Rules > + Add a rule > then “Create a new rule”.

We fill in the details as shown below.

We now select to enforce the rule, and the start date is today. We don’t want to stop processing other rules, and we do not want to defer the message. Remember this is just to provide a visual aid to users, and is part of a layered defence. Hit next, then review and save.

Below shows what this looks like.

We can also add a disclaimer, which is displayed as HTML and so is more visible. However, this can break message preview on smaller devices, as all that is visible in the preview window is the disclaimer, so do some real-world testing before rolling it out. You can use both rules together or choose the one you believe will be the most effective.

To prepend a disclaimer the process is mostly the same as for the above rule; however, we choose the option to add a disclaimer and configure it as below. Our example contains just one word and uses basic HTML to make it stand out.

The screenshot below shows both being used and highlights the difference between the methods. The disclaimer can also be configured to appear at the bottom of the email and can contain a full sentence if you wish to include more text.
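The same external-sender visual aids, built from Exchange Online PowerShell instead of the admin centre, as an added example that is not part of the original post. The rule names and the one-word disclaimer HTML are our own constructed values, and it assumes Connect-ExchangeOnline has already been run.

```powershell
# Added example: the external-sender tag and both mail flow rules from this
# section, as Exchange Online PowerShell. Rule names and disclaimer markup
# are constructed for illustration; adjust them to your house style.

# 1. Native external-sender tag rendered by Outlook clients, then confirm it.
Set-ExternalInOutlook -Enabled $true
Get-ExternalInOutlook | Select-Object Identity, Enabled

# 2. Mail flow rule: prepend "[External] " to the subject of inbound mail
#    from outside the organisation. Enforce mode, active from today, and
#    other rules keep processing because this is only a visual aid.
New-TransportRule -Name 'External sender - prepend subject' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[External] ' `
    -Mode Enforce `
    -ActivationDate (Get-Date) `
    -StopRuleProcessing $false `
    -Enabled $true

# 3. Mail flow rule: one-word HTML disclaimer prepended to the body.
#    'Wrap' puts the original message inside a new one when the disclaimer
#    cannot be inserted directly (for example signed or encrypted content).
$disclaimer = '<p style="color:#c00000;font-weight:bold;">EXTERNAL</p>'  # constructed
New-TransportRule -Name 'External sender - prepend disclaimer' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce `
    -StopRuleProcessing $false `
    -Enabled $true

# 4. Review the external-sender rules in priority order before relying on them.
Get-TransportRule |
    Where-Object { $_.Name -like 'External sender*' } |
    Sort-Object Priority |
    Format-Table Priority, Name, State, Mode, FromScope, SentToScope -AutoSize
```

Creating the rules with -Mode Audit first records matches in message trace without altering any mail, which is the low-risk way to do the real-world testing the text recommends.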

That’s the end of part 2, and this guide. We’ll revisit Exchange at some point in the future, until then, stay frosty.