
The 20 Best Techniques To Improve Exchange Online Protection

The key aim of this article is to improve Exchange Online Protection against data loss or a compromised account by following Microsoft's security best practices and walking through the actual setup. Microsoft offers two levels of Microsoft 365 email security: Exchange Online Protection (EOP) and Microsoft Defender Advanced Threat Protection. These solutions enhance the security of the Microsoft platform and address Microsoft 365 email security concerns.

Enable email encryption

Email encryption rules can be added to encrypt a message that contains a particular keyword in the subject line or body. The most common approach is to use “secure” as the keyword in the subject line. M365/O365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services, and ensures that only the intended recipients can view message content.

  • In the Exchange Admin Center, in the Mail Flow section, click on Rules.
  • Click “Add a rule” and select “Apply Microsoft 365 Message Encryption and rights protection to messages.”
  • Name your policy, and in the Apply This Rule If section choose “The subject or body includes any of these words” and add your keyword. Here, we are putting in “Encrypt.”
  • In the Do the Following section, click “select one” for the RMS template and choose Encrypt.
  • After you click Save, you can test your policy. In this case, we are showing a message sent to a Gmail user, which arrives in the Gmail user's inbox.
  • When the Gmail user saves and opens the attachment (message.html), they can choose to log in with their Google credentials or get a one-time passcode sent to their email.
  • In this case, we chose a one-time passcode.
  • Check the Gmail inbox for the passcode.
  • Copy the passcode and paste it in.
  • We can view the encrypted message in the portal and send an encrypted reply.

To verify that your tenant is set up for encryption, use the following command, making sure the sender value is a valid account within your tenant:

Test-IRMConfiguration -Sender someaccount@yourtenant.com

If you see “OVERALL RESULT: PASS” then you are ready to go.


Enable Client Rules Forwarding Blocks

This transport rule helps stop data exfiltration through client-created rules that auto-forward email from users’ mailboxes to external email addresses, an increasingly common data leakage method in organizations.

Go to the Exchange Admin Center > Mail flow > Rules and click “Add a rule”.

Add the following properties to the rule:

  • Name: Block Forwarding
  • Apply this rule if “The sender is located InOrganization”
  • And “The recipient is located NotInOrganization”
  • And “The message type is Auto-Forward”
  • Then Reject the message with the explanation, “External email forwarding via client rules is not permitted.”

Click Save when complete. This rule will be enforced immediately. Clients will receive a custom Non-Delivery Receipt (NDR) message that is useful for highlighting external forwarding rules they may not have known existed or that were created by a bad actor on a compromised mailbox. You can create exceptions for certain specified users or groups in the created transport rule.
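The same two transport rules created from Exchange Online PowerShell, as an added example that is not part of the original article; it assumes Connect-ExchangeOnline has already been run, and the exception group address is a placeholder.

```powershell
# Added example (not from the original article): creates the two transport rules described
# above with Exchange Online PowerShell instead of clicking through the Exchange Admin Center.
# Assumes Connect-ExchangeOnline has already been run with an account that manages mail flow.

# 1. Encrypt any message whose subject or body contains the keyword. "Encrypt" is the
#    built-in Microsoft 365 Message Encryption template.
New-TransportRule -Name "Encrypt on keyword" `
    -SubjectOrBodyContainsWords "Encrypt" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Encrypts mail when the sender puts the keyword in the subject or body"

# 2. Reject client-created auto-forwards from inside the organization to external recipients.
#    The exception group is a placeholder: point it at a real mail-enabled group, or drop the
#    parameter if nobody should be exempt.
New-TransportRule -Name "Block Forwarding" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfFromMemberOf "forwarding-allowed@yourtenant.com" `
    -RejectMessageReasonText "External email forwarding via client rules is not permitted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Confirm both rules are present and enforced; lower Priority numbers run first.
Get-TransportRule |
    Where-Object { $_.Name -in "Encrypt on keyword", "Block Forwarding" } |
    Format-Table Name, State, Mode, Priority -AutoSize
```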


Do not allow mailbox delegation

  • If your users do not delegate mailboxes, it is harder for an attacker to move from one account to another and steal data. Mailbox delegation is the practice of allowing someone else to manage your mail and calendar, which can precipitate the spread of an attack.
  • To determine if there are any existing mailbox delegation permissions, run the PowerShell script from Github. When prompted, enter the global admin credentials for the tenant.
  • If there are any delegation permissions already in place, you will see them listed. If there are none, you will just get a new command line. Identity is the mailbox that has delegated admin permissions assigned, and user is the person who has those permissions.
  • You can run the following command to remove access rights for users:

Remove-MailboxPermission -Identity Test1 -User Test2 -AccessRights FullAccess -InheritanceType All
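An inventory script for delegated access, added here as an example and not the GitHub script the article refers to; it assumes Connect-ExchangeOnline has already been run and that the report path is a placeholder.

```powershell
# Added example (not the GitHub script the article refers to): inventories every explicit,
# non-inherited mailbox permission so delegated access can be reviewed before it is removed.
# Assumes Connect-ExchangeOnline has already been run; $ReportPath is a placeholder.
$ReportPath = "C:\Reports\MailboxDelegatePermissions.csv"

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

$report = foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # Full Access (and any other mailbox-level right). Skip inherited entries, the owner
    # (NT AUTHORITY\SELF) and orphaned SIDs left behind by deleted accounts.
    Get-MailboxPermission -Identity $upn |
        Where-Object { -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' -and
                       $_.User -notlike 'S-1-5-*' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; User = "$($_.User)"
                               AccessRights = ($_.AccessRights -join ','); Kind = 'MailboxPermission' }
        }

    # Send As is held on the recipient object and is reported by a different cmdlet.
    Get-RecipientPermission -Identity $upn |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; User = "$($_.Trustee)"
                               AccessRights = ($_.AccessRights -join ','); Kind = 'SendAs' }
        }

    # Send on Behalf is a property of the mailbox itself.
    foreach ($delegate in @($mbx.GrantSendOnBehalfTo)) {
        if ($delegate) {
            [pscustomobject]@{ Mailbox = $upn; User = "$delegate"
                               AccessRights = 'SendOnBehalf'; Kind = 'SendOnBehalf' }
        }
    }
}

$report | Sort-Object Mailbox, Kind | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# After review, remove an unwanted grant the same way the article shows, for example:
# Remove-MailboxPermission -Identity Test1 -User Test2 -AccessRights FullAccess -InheritanceType All
# Remove-RecipientPermission -Identity Test1 -Trustee Test2 -AccessRights SendAs -Confirm:$false
# Set-Mailbox -Identity Test1 -GrantSendOnBehalfTo @{Remove="Test2"}
```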

Connection Filtering

You use connection filtering to identify good or bad source email servers by their IP addresses. The key components of the default connection filter policy are:

IP Allow List: Skip spam filtering for all incoming messages from the source email servers that you specify by IP address or IP address range. For scenarios where spam filtering might still occur on messages from these sources, see Microsoft's documentation on scenarios where messages from sources in the IP Allow List are still filtered. For more information about how the IP Allow List should fit into your overall safe sender strategy, see Create safe sender lists in EOP.

IP Block List: Block all incoming messages from the source email servers that you specify by IP address or IP address range. The incoming messages are rejected, are not marked as spam, and no additional filtering occurs. For more information about how the IP Block List should fit into your overall blocked sender strategy, see Create block sender lists in EOP.

Safe list: The safe list is a dynamic allow list in the Microsoft datacenter that requires no customer configuration. Microsoft identifies these trusted email sources through subscriptions to various third-party lists. You can enable or disable the use of the safe list; you can’t configure the source email servers on the safe list. Spam filtering is skipped on incoming messages from the email servers on the safe list.

Use the Microsoft 365 Security portal to modify the default connection filter policy

  • In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section.
  • On the Anti-spam policies page, select Connection filter policy (Default) from the list by clicking on the name of the policy.
  • Click Edit connection filter policy to allow or block IP addresses.

Spam and malware

Questions to Ask:

  1. What actions do we want to take when a message is identified as spam?
    a. Move Message to Junk Folder (Default)
    b. Add X-Header (sends the message to the intended recipients, but adds X-header text to the message header to identify it as spam)
    c. Prepend subject line with text (sends the message to the intended recipients but prepends the subject line with the text that you specify in the Prefix subject line with this text input box. Using this text as an identifier, you can optionally create rules to filter or route the messages as necessary.)
    d. Redirect message to an email address (sends the message to a designated email address instead of to the intended recipients.)
  2. Do we need to add allowed senders/domains or block senders and domains?
  3. Do we need to filter messages written in specific language?
  4. Do we need to filter messages coming from specific countries and regions?
  5. Do we want to configure any end-user spam notifications to inform users when messages intended for them were sent to quarantine instead? (From these notifications, end users can release false positives and report them to Microsoft for analysis.)

To configure these settings:

  • In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section.
  • On the Anti-spam policies page, select Anti-spam inbound policy (Default) from the list by clicking on the name of the policy.
  • Click “Edit Actions.”
  • Navigate through the tabs to configure any of the questions asked previously.
  • Click the “Edit allowed and blocked senders and domains” section to allow or block sender email addresses or email domains.
  • Click “Edit spam threshold and properties” to get more granular with your policy and tighten the settings on the spam filter.

Malware

This is already set up company-wide via the default anti-malware policy. Do you need to create more granular policies for a certain group of users, such as additional notifications via text or heightened filtering based on file extensions?

  • In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-malware in the Policies section.
  • Select the default policy to modify.
  • Select “Enable the common attachments filter.”
  • Select “Enable zero-hour auto purge for malware.”
  • Modify notifications accordingly.
  • Specify the users, groups or domains for whom this policy applies by creating recipient based rules.
  • Review your settings and save.

Anti-Phishing Policy

Microsoft 365 subscriptions come with a default anti-phishing policy preconfigured, but if you have the correct licensing for Microsoft 365 Defender, you can configure additional settings for impersonation attempts within the tenant. We will be configuring those additional settings here.

  • In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section.
  • Click the default policy > click on Edit protection settings.
  • Add top executives or users within the organization that are most likely to get spoofed.
  • Select “Enable domains to protect” and select “Include domains I own.”
  • Select “Enable mailbox intelligence.”
  • In the Actions section, choose what action you want to take if a user or domain is impersonated. We recommend either quarantine or moving to the junk folder.
  • Click Save.


Configure Enhanced Filtering

  • Enhanced email filtering can be set up if you have a connector in 365 (a third-party email filtering service or hybrid configuration) and your MX record does not point to Microsoft 365 or Office 365. This feature allows you to filter email based on the actual source of messages that arrive over the connector.
  • This is also known as skip listing: the feature overlooks, or skips, any IP addresses that are considered internal to you in order to get the last known external IP address, which should be the actual source IP address.
  • If you are using Microsoft 365 Defender, this improves its machine learning capabilities and the security of Safe Links, Safe Attachments, and anti-spoofing, because the true source IP can be checked against Microsoft’s list of known malicious IPs.
  • In a way, you are getting a secondary layer of protection by allowing Microsoft to view the IPs of the original email and check them against its database.


Safe Attachments Policy

Microsoft 365 Defender allows you to create policies for Safe Links and Safe Attachments across Exchange, Teams, OneDrive, and SharePoint. Real-time detonation occurs when a user clicks a link: the linked content is opened in a sandbox environment. Attachments are likewise opened inside a sandbox environment before they are fully delivered over email. This allows zero-day malicious attachments and links to be detected.

  • In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in the Policies section.
  • Click Global settings.
  • Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams.
  • Edit the default policy.
  • Add the recipient domain and choose the main domain in the tenant.
  • Click “Edit” and Enable redirect.
  • Enable “Apply the Safe Attachments detection response if scanning can’t complete (timeout or errors).”
  • Click Save.

Safe Links

Safe Links in Microsoft Defender for Office 365 provides URL scanning of inbound email messages in the mail flow and time-of-click verification of URLs and links in email messages and in other locations. For more information, see Safe Links in Microsoft Defender for Office 365.

  • In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Safe Links in the Policies section.
  • Use the default policy and turn on the necessary settings for email.
  • Turn on the settings for Teams and Office 365 Apps.
  • Turn off “Track user clicks.”
  • You can choose to whitelist certain URLs.
  • Like the Safe Attachments policy, apply it to all users in the tenant by the domain name.
  • Click Save.

Add SPF, DKIM and DMARC

  • Do you have SPF, DKIM, or DMARC records in place?
  • SPF validates the origin of email messages by verifying the IP address of the sender against the alleged owner of the sending domain, which helps prevent spoofing.
  • DKIM lets you attach a digital signature to email messages in the message header of emails you send. Email systems that receive email from your domain use this digital signature to determine if the incoming email that they receive is legitimate.
  • DMARC helps receiving mail systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners.

To add records:

  • Go to Domains in the Microsoft 365 Admin Center and click on the domain you want to add records to.
  • Click “DNS records” and take note of the MX and TXT records listed under Exchange Online.
  • Add the TXT record of v=spf1 include:spf.protection.outlook.com -all to your DNS settings for our SPF record.
  • For our DKIM records, we need to publish two CNAME records in DNS.

Use the following format for the CNAME records:

Host Name: selector1._domainkey.<domain>
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Where <domainGUID> is the prefix of our MX record (ex. domain-com in domain-com.mail.protection.outlook.com) and <initialDomain> is our tenant’s domain.onmicrosoft.com domain.

Example: DOMAIN = techieberry.com

CNAME Record #1:
Host Name: selector1._domainkey.techieberry.com
Points to address or value: selector1-techieberry-com._domainkey.techieberry.onmicrosoft.com
TTL: 3600

CNAME Record #2:
Host Name: selector2._domainkey.techieberry.com
Points to address or value: selector2-techieberry-com._domainkey.techieberry.onmicrosoft.com
TTL: 3600

  • After publishing the records, go to the Microsoft 365 Defender portal > Email & Collaboration > Policies & Rules > Threat policies > Email authentication settings in the Rules section.
  • Select “DKIM” at the top.
  • Select the domain for which you want to enable DKIM and click Enable.
  • With the SPF and DKIM records in place, we can now set up DMARC. The format for the TXT record we want to add is as follows:

_dmarc.domain TTL IN TXT “v=DMARC1; pct=100; p=policy”

Where:
domain = the domain we want to protect
TTL = 3600
pct=100 = indicates that this rule should be used for 100% of email
p=policy = specifies what policy you want the receiving server to follow if DMARC fails.
Note: You can set it to none, quarantine, or reject.

Example:

  • _dmarc.pax8.com 3600 IN TXT “v=DMARC1; p=none”
  • _dmarc.pax8.com 3600 IN TXT “v=DMARC1; p=quarantine”
  • _dmarc.pax8.com 3600 IN TXT “v=DMARC1; p=reject”
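A check that the SPF, DKIM and DMARC records above are actually published, followed by enabling DKIM signing, as an added example that is not part of the original article; it assumes the Windows Resolve-DnsName cmdlet, a prior Connect-ExchangeOnline, and placeholder domain names.

```powershell
# Added example (not from the original article): checks that the SPF, DKIM and DMARC records
# described above are published, then enables DKIM signing in Exchange Online.
# Assumes Resolve-DnsName (Windows DnsClient module), a prior Connect-ExchangeOnline, and
# placeholder domain names that you replace with your own.
$Domain        = "techieberry.com"
$InitialDomain = "techieberry.onmicrosoft.com"
$DomainGuid    = $Domain -replace '\.', '-'          # "techieberry-com", the MX record prefix

# SPF: one TXT record starting with v=spf1 that names Microsoft's senders and hard-fails the rest.
$spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
       ForEach-Object { $_.Strings -join '' } |
       Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
$spfOk = [bool]$spf -and $spf -like '*include:spf.protection.outlook.com*' -and $spf -like '*-all'

# DKIM: both selector CNAMEs must point at the tenant's initial domain in the documented format.
$dkimOk = $true
foreach ($selector in 'selector1', 'selector2') {
    $expected = "$selector-$DomainGuid._domainkey.$InitialDomain"
    $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $ok = [bool]$cname -and ($cname.NameHost -ieq $expected)
    if (-not $ok) { $dkimOk = $false; Write-Warning "$selector._domainkey.$Domain should be a CNAME to $expected" }
}

# DMARC: parse the tag=value pairs; p= is what receivers do with mail that fails SPF/DKIM alignment.
$dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Strings -join '' } |
            Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
$dmarc = @{}
foreach ($pair in @($dmarcTxt -split ';')) {
    $kv = $pair.Trim() -split '=', 2
    if ($kv.Count -eq 2) { $dmarc[$kv[0].Trim()] = $kv[1].Trim() }
}
$dmarcOk = $dmarc['p'] -in 'none', 'quarantine', 'reject'

[pscustomobject]@{ Domain = $Domain; SPF = $spfOk; DKIM = $dkimOk; DMARC = $dmarcOk; DmarcPolicy = $dmarc['p'] }

# Enable DKIM signing only once the CNAMEs resolve. A domain that was never configured needs
# New-DkimSigningConfig first; after that, Set-DkimSigningConfig toggles it.
if ($dkimOk) {
    if (Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue) {
        Set-DkimSigningConfig -Identity $Domain -Enabled $true
    } else {
        New-DkimSigningConfig -DomainName $Domain -Enabled $true
    }
    Get-DkimSigningConfig -Identity $Domain | Format-List Domain, Enabled, Status, Selector1CNAME, Selector2CNAME
}
```

A DMARC record with p=none only reports; moving to quarantine and then reject is what makes the SPF and DKIM work above enforceable at receiving servers.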

Do not allow calendar details sharing

You should not allow your users to share calendar details with external users. This feature allows your users to share the full details of their calendars with external users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.

  • Go to the Microsoft 365 admin center > Settings > Org settings.
  • Click on services and select calendar.
  • Change the settings to “Calendar free/busy information with time only.”
  • Enable this setting on one tenant via PowerShell.
  • Enable this setting for all tenants via Partner Center credentials using PowerShell.

Enable Audit Log Search

You should enable audit data recording for your Microsoft 365 tenant to ensure that you have a record of every user’s and administrator’s interaction with the service, including Azure AD, Exchange Online, Microsoft Teams and SharePoint Online/OneDrive for Business. This data will make it possible to investigate and scope a security breach, should one ever occur. You (or another admin) must turn on audit logging before you can start searching the audit log.

Verify the auditing status of your organization

To verify that auditing is turned on for your organization, you can run the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

A value of True for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on. A value of False indicates that auditing isn’t turned on.

Turn on auditing

  1. Connect to Exchange Online PowerShell.
  2. Run the following PowerShell command to turn on auditing.

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

A message is displayed saying that it may take up to 60 minutes for the change to take effect.

Enable mailbox auditing for all users

By default, all non-owner access is audited, but you must enable auditing on the mailbox for owner access to also be audited. This will allow you to discover illicit access to Exchange Online activity if a user’s account has been breached. We will need to run a PowerShell script to enable auditing for all users.

NOTE: Use the audit log to search for mailbox activity that has been logged. You can search for activity in a specific user mailbox. The list of mailbox auditing actions is published on the Microsoft website.
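A script that enables mailbox auditing for all user and shared mailboxes and adds the owner actions worth logging, added here as an example and not the article's own script; it assumes Connect-ExchangeOnline has already been run.

```powershell
# Added example (not the article's own script): turns on mailbox auditing for every user and
# shared mailbox, adds owner actions a compromised account would perform itself, and reports
# anything still disabled. Assumes Connect-ExchangeOnline has already been run.

# If auditing is switched off at the organization level, per-mailbox settings are ignored.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

foreach ($mbx in $mailboxes) {
    # Non-owner (Admin/Delegate) access is audited by default; owner actions must be added.
    # Logons, deletions and inbox rule changes are the ones that show up in account compromises.
    Set-Mailbox -Identity $mbx.UserPrincipalName `
        -AuditEnabled $true `
        -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete","MoveToDeletedItems","UpdateInboxRules"} `
        -AuditLogAgeLimit "180.00:00:00"
}

# Anything that still shows AuditEnabled = False after this needs a closer look.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled
```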

Mailbox auditing PowerShell commands

To check a mailbox audit status:

Get-Mailbox admin@techieberry.com | fl *audit*

To search a mailbox audit log:

Search-MailboxAuditLog admin@techieberry.com -ShowDetails -StartDate 01/01/2023 -EndDate 01/31/2023

To export results into a CSV file:

Search-MailboxAuditLog admin@techieberry.com -ShowDetails -StartDate 01/01/2023 -EndDate 01/31/2023 | Export-Csv C:\users\AuditLogs.csv -NoTypeInformation

To view and export logs based on operations:

Search-MailboxAuditLog -Identity admin@techieberry.com -ResultSize 250000 -Operations HardDelete,Move,MoveToDeletedItems,SoftDelete -LogonTypes Admin,Delegate,Owner -StartDate 01/01/2023 -EndDate 01/31/2023 -ShowDetails | Export-Csv C:\AuditLogs.csv -NoTypeInformation

To view and export logs based on logon types:

Search-MailboxAuditLog admin@techieberry.com -ResultSize 250000 -StartDate 01/01/2023 -EndDate 01/31/2023 -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-Csv C:\AuditLogs.csv -NoTypeInformation

Review role changes weekly

Watch for role group changes, which could give an attacker elevated privileges to perform more dangerous and impactful actions in your tenancy.

  • Go to the Microsoft 365 Defender portal > Audit.
  • Type “Role” in the activities tab and select “Added Member to Role” and “Removed a user from a Directory Role.”

Review mailbox forwarding rules weekly

You should review mailbox forwarding rules for external domains at least every week. There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or reviewing mail forwarding rule creation activity in the last week from the Audit Log Search. While there are lots of legitimate uses for mail forwarding rules to other locations, forwarding is also a very popular data exfiltration tactic for attackers. You should review the rules regularly to ensure your users’ emails are not being exfiltrated. Running the PowerShell script linked below will generate two CSV files, “MailboxDelegatePermissions” and “MailForwardingRulesToExternalDomains”, in your System32 folder.
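A review script that finds inbox rules and mailbox-level forwarding pointing outside the tenant's accepted domains, added here as an example and not the script the article links to; it assumes Connect-ExchangeOnline has already been run and that the report path is a placeholder.

```powershell
# Added example (not the script the article links to): finds inbox rules and mailbox-level
# forwarding that send mail to addresses outside the accepted domains of the tenant.
# Assumes Connect-ExchangeOnline has already been run; $ReportPath is a placeholder.
$ReportPath = "C:\Reports\MailForwardingRulesToExternalDomains.csv"

# Every domain the tenant owns counts as internal; everything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress([string]$Address) {
    # Rule targets look like "Display Name [SMTP:user@example.com]", "user@example.com",
    # or a bare display name for an internal recipient (no @, so it is treated as internal).
    if ($Address -match 'SMTP:([^\]>]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox) {
    # Mailbox-level forwarding set with Set-Mailbox or by an admin, not by a client rule.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; RuleName = '(mailbox ForwardingSmtpAddress)'
                           Target = "$($mbx.ForwardingSmtpAddress)"; Enabled = $true }
    }
    # Client-created rules: ForwardTo, ForwardAsAttachmentTo and RedirectTo all move mail out.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress "$t")) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; RuleName = $rule.Name
                                   Target = "$t"; Enabled = $rule.Enabled }
            }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

# Disable (rather than delete) a suspicious rule while you investigate, for example:
# Disable-InboxRule -Mailbox user@yourtenant.com -Identity "Rule name"
```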

Review mailbox access by non-owners report bi-weekly

This report shows which mailboxes have been accessed by someone other than the mailbox owner. While there are many legitimate uses of delegated permissions, regularly reviewing that access can help prevent an external attacker from maintaining access for a long time and can help discover malicious insider activity sooner.

  • Go to the Microsoft 365 Defender portal > Audit.
  • Type “Delegate” in the activities tab and select “Added or Removed user with delegate permissions.”
  • Specify a date range and run a search.

Review malware detections report weekly

This report shows specific instances of Microsoft blocking a malware attachment from reaching your users. While this report isn’t strictly actionable, reviewing it will give you a sense of the overall volume of malware being targeted at your users, which may prompt you to adopt more aggressive malware mitigations.

  • On the Email & collaboration reports page, find Threat protection status and then click View details.
  • View the Malware detected emails.

Review your account provisioning activity report weekly

This report includes a history of attempts to provision accounts for external applications. If you don’t usually use a third-party provider to manage accounts, any entry on the list is likely illicit. But if you do, this is a great way to monitor transaction volumes and look for new or unusual third-party applications that are managing users.

  • Click Activity.
  • In the Activity section, search for “external” and select Invite external user.

That’s how you improve Exchange Online Protection for better security.

Now I’d like to hear from you:

Which finding from today’s report did you find most interesting? Or maybe you have a question about something that I covered.

Either way, I’d like to hear from you. So go ahead and leave a comment below.
