The key aim of this article is to improve Exchange Online protection against data loss and compromised accounts by following Microsoft security best practices and walking through the actual setup. Microsoft offers two levels of Microsoft 365 email security: Exchange Online Protection (EOP) and Microsoft Defender Advanced Threat Protection. These solutions can enhance the security of the Microsoft platform and alleviate Microsoft 365 email security concerns.
Enable Email Encryption
Email encryption rules can be added to encrypt a message with a particular keyword in the subject line or body. The most common approach is to add “Secure” as the keyword in the subject to encrypt the message. M365/O365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps ensure that only intended recipients can view message content.
- In the Microsoft 365 Admin Center, click on Exchange under Admin Centers
- In the Mail Flow section, click on Rules
- Click on the plus sign and click Apply Microsoft 365 Message Encryption (allows you to define multiple conditions)
- Name your policy and from the Apply This Rule If section, say “the subject or body includes…” and then add your keyword. Here, we are putting in “Encrypt”
- In the Do the Following section, click “select one” for the RMS template and choose Encrypt
- After you click Save you can test your policy. In this case, we are showing a message sent to a Gmail user
- Gmail user inbox:
- When the Gmail user saves and opens the attachment (message.html), they can choose to log in with their Google credentials or get a one-time passcode sent to their email.
- In this case, we chose one-time passcode.
- Check Gmail inbox for the passcode
- Copy the passcode and paste it
- We can view the encrypted message in the portal and send an encrypted reply
To verify that your tenant is set up for encryption, use the following command, making sure the Sender value is a valid account within your tenant:
Test-IRMConfiguration -Sender email@example.com
If you see “OVERALL RESULT: PASS” then you are ready to go
Enable Client Rules Forwarding Blocks
This is a transport rule that helps stop data exfiltration through client-created rules that auto-forward email from users’ mailboxes to external email addresses. This is an increasingly common data leakage method in organizations.
Go to the Exchange Admin Center>Mail flow> Rules
Click on the plus sign and select Apply Microsoft 365 Message Encryption and rights protection to the messages…
Add the following Properties to the rule:
- IF The Sender is located ‘Inside the organization’
- AND IF The Recipient is located ‘Outside the organization’
- AND IF The message type is ‘Auto-Forward’
- THEN Reject the message with the explanation ‘External Email Forwarding via Client Rules is not permitted’.
Tip 1: For the 3rd condition, you need to select Message Properties >Include this message type to get the Auto-forward option to populate
Tip 2: For the 4th condition, you need to select Block the message …> reject the message and include an explanation to populate
- Click Save when complete. This rule will be enforced immediately. Clients will receive a custom Non-Delivery Receipt (NDR) message that is useful for highlighting external forwarding rules they may not have known existed, or that were created by a bad actor on a compromised mailbox. You can create exceptions for certain specified users or groups in the created transport rule.
- PowerShell script to block Auto-Forward for one customer.
- PowerShell script to block Auto-Forward for all of your customers via Partner Center credentials.
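The same rule can be created from Exchange Online PowerShell. The following is an added example, not the script the article links to; it assumes an existing Connect-ExchangeOnline session, and the function name, rule name and -ExemptGroup parameter are hypothetical.

```powershell
# Added example, not the article's linked script. Assumes Connect-ExchangeOnline
# has already been run; function name, rule name and -ExemptGroup are hypothetical.
function Set-ExternalAutoForwardBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$RuleName   = 'Block external auto-forward via client rules',
        [string]$RejectText = 'External Email Forwarding via Client Rules is not permitted',
        [string]$ExemptGroup   # optional group whose members may still auto-forward
    )

    # The four rule properties listed above, as transport rule parameters
    $conditions = @{
        FromScope               = 'InOrganization'      # sender inside the organization
        SentToScope             = 'NotInOrganization'   # recipient outside the organization
        MessageTypeMatches      = 'AutoForward'         # message type is Auto-Forward
        RejectMessageReasonText = $RejectText           # explanation shown in the NDR
    }
    if ($ExemptGroup) { $conditions['ExceptIfFromMemberOf'] = $ExemptGroup }

    $existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
    if ($existing) {
        # Bring a disabled or audit-only rule back to the enforced baseline
        if ($PSCmdlet.ShouldProcess($RuleName, 'Reset conditions and enable')) {
            Set-TransportRule -Identity $RuleName -Mode Enforce @conditions
            Enable-TransportRule -Identity $RuleName -Confirm:$false
        }
    }
    elseif ($PSCmdlet.ShouldProcess($RuleName, 'Create transport rule')) {
        New-TransportRule -Name $RuleName -Mode Enforce -Enabled $true @conditions | Out-Null
    }

    # Return the rule as it now stands so state and conditions can be confirmed
    Get-TransportRule | Where-Object { $_.Name -eq $RuleName } |
        Select-Object Name, State, Mode, FromScope, SentToScope, MessageTypeMatches, RejectMessageReasonText
}

Set-ExternalAutoForwardBlock -WhatIf   # dry run; remove -WhatIf to apply
```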
Do not allow mailbox delegation
- If your users do not delegate mailboxes, it is harder for an attacker to move from one account to another and steal data. Mailbox delegation is the practice of allowing someone else to manage your mail and calendar, which can precipitate the spread of an attack.
- To determine if there are any existing mailbox delegation permissions, run the PowerShell script from GitHub. When prompted, enter the global admin credentials for the tenant.
- If any delegation permissions exist, you will see them listed. If there are none, you will just get a new command line. Identity is the mailbox on which delegated permissions have been assigned, and User is the person who holds those permissions.
- You can run the following command to remove the access rights for users:
Remove-MailboxPermission -Identity Test1 -User Test2 -AccessRights FullAccess -InheritanceType All
You use connection filtering in EOP to identify good or bad source email servers by their IP addresses. The key components of the default connection filter policy are:
IP Allow List: Skip spam filtering for all incoming messages from the source email servers that you specify by IP address or IP address range. For more information about how the IP Allow List should fit into your overall safe senders strategy, see Create safe sender lists in EOP.
IP Block List: Block all incoming messages from the source email servers that you specify by IP address or IP address range. The incoming messages are rejected, are not marked as spam, and no additional filtering occurs. For more information about how the IP Block List should fit into your overall blocked senders strategy, see Create block sender lists in EOP.
- In the Exchange Admin Center > Protection > Connection Filter > Click on the pencil icon to modify the default policy.
- Click Connection Filtering
- Here you can allow or block IP addresses.
Spam and Malware
Questions to Ask:
- What actions do we want to take when a message is identified as spam?
a. Move Message to Junk Folder (Default)
b. Add X Header (Sends the message to the specified recipients, but adds X-header text to the message header to identify it as spam)
c. Prepend Subject line with text (Sends the message to the intended recipients but prepends the subject line with the text that you specify in the Prefix subject line with this text input box. Using this text as an identifier, you can optionally create rules to filter or route the messages as necessary.)
d. Redirect message to email address (Sends the message to a designated email address instead of to the intended recipients.)
- Do we need to add allowed senders/domains or block senders/domains?
- Do we need to filter messages written in specific languages?
- Do we need to filter messages coming from specific countries/regions?
- Do we want to configure any end-user spam notifications to inform users when messages intended for them were sent to quarantine instead? (From these notifications, end users can release false positives and report them to Microsoft for analysis.)
- Go to the Microsoft 365 Admin Center > Select Security from Admin Centers > Threat management > Policy > Anti-spam
- Edit the default policy
- Navigate through the tabs to configure any of the questions asked previously
- Expand the Allow lists section to configure message senders by email address or email domain that are allowed to skip spam filtering.
- Expand the Block lists section to configure message senders by email address or email domain that will always be marked as high confidence spam.
- The Spam properties tab allows you to get more granular with your policy and tighten the settings on the spam filter
This is already set up company-wide via default anti-malware policy. Do you need to create more granular policies for a certain group of users such as additional notifications via text or heightened filtering based on file extensions?
- Go to the security portal > Threat management > Policy > Anti-malware
- Select the default policy to modify
- Select No for the malware detection response
- Turn Off the feature to block attachment types that may harm your computer
- Turn On malware zero-hour auto purge
- Modify notifications accordingly
- Specify the users, groups or domains for whom this policy applies by creating recipient based rules
- Review your settings and save.
Microsoft 365 subscriptions come with a preconfigured default anti-phishing policy, but if you have the correct licensing for ATP, you can configure additional settings for impersonation attempts within the tenant. We will be configuring those additional settings here.
- Go to the security portal > Threat management > Policy > ATP anti-phishing
- Click the default policy > Click on Edit in the Impersonation section
- In the first section toggle the switch to on and add top executives or users within the organization that are most likely to get spoofed
- In the Add Domains to Protect section, toggle the switch to automatically include domains I own
- In the Actions section, choose what action you want to take if a user or domain is impersonated. We recommend either quarantine or moving to Junk folder.
- In the Mailbox Intelligence section, toggle on the protection and choose what action to take, like in the previous step
- The final section allows you to whitelist senders and domains. Refrain from adding generic domains here like gmail.com.
- After you review your settings, you can choose to Save
Configure Enhanced Filtering
- Enhanced email filtering can be set up if you have a connector in 365 (3rd party email filtering service or hybrid configuration) and your MX record does not point to Microsoft 365 or Office 365. This new feature allows you to filter email based on the actual source of messages that arrive over the connector.
- This is also known as skip listing and this feature will allow you to overlook, or skip, any IP addresses that are considered internal to you in order to get the last known external IP address, which should be the actual source IP address.
- If you are using Microsoft Defender ATP, this will enhance its machine learning capabilities and security around safe links/safe attachments/anti-spoofing from Microsoft’s known malicious list based off IP.
- In a way, you are getting a secondary layer of protection by allowing Microsoft to view the IPs of the original email and check against their database.
For enhanced filtering configuration steps: click here
Configure ATP Safe Links and Safe Attachments Policy
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) allows you to create policies for safe links and safe attachments across Exchange, Teams, OneDrive, and SharePoint. Real-time detonation occurs when a user clicks on any link and the content is contained in a sandbox environment. Attachments are opened inside a sandbox environment as well before they are fully delivered over email. This allows zero-day malicious attachments and links to be detected.
- Go to the security portal > Threat management > Policy > ATP safe attachments
- Click Global settings
- Turn on ATP for SharePoint, OneDrive and Microsoft Teams
- Create a new policy
- Add Name, Description, and choose Dynamic Delivery. For more on delivery methods, click here.
- Select the action as Dynamic Delivery
- Add the recipient domain and choose the main domain in the tenant.
- Click Next to review your settings and click Finish
- For Safe Links, go back to Threat management > Policy > ATP Safe Links
- Use the default policy or create a new policy and turn on the necessary settings displayed below.
- You can choose to whitelist certain URLs
- Like the safe attachments policy, apply to all users in the tenant by the domain name.
- Click Next to review your settings and click Finish
Add SPF, DKIM and DMARC
- Do you have SPF records/DKIM records/DMARC in place?
- SPF validates the origin of email messages by verifying the IP address of the sender against the alleged owner of the sending domain which helps prevent spoofing.
- DKIM lets you attach a digital signature to email messages in the message header of emails you send. Email systems that receive email from your domain use this digital signature to determine if incoming email that they receive is legitimate.
- DMARC helps receiving mail systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners.
To add records:
- Go to Domains in the Microsoft 365 Admin center and click on the domain you want to add records to.
- Click “DNS records” and take note of the MX and TXT records listed under Exchange Online
- Add the TXT record of v=spf1 include:spf.protection.outlook.com -all to your DNS settings for your SPF record
- For our DKIM records we need to publish two CNAME records in DNS
Use the following format for the CNAME Record:
= our primary domain = The prefix of our MX record (ex. domain-com.mail.protection.outlook.com)
Example: DOMAIN = techieberry.com
CNAME Record #1:
Host Name: selector1._domainkey.techieberry.com
Points to address or value: selector1-techieberry-com._domainkey.techieberry.onmicrosoft.com
CNAME Record #2:
Host Name: selector2._domainkey.techieberry.com
Points to address or value: selector2-techieberry-com._domainkey.techieberry.onmicrosoft.com
- After publishing the records, go to the security portal > Threat management > Policy > DKIM
- Select the Domain for which you want to enable DKIM and click Enable.
- With the SPF and DKIM records in place, we can now set up DMARC. The format for the TXT record we want to add is as follows:
_dmarc.domain TTL IN TXT “v=DMARC1; pct=100; p=policy”
domain = domain we want to protect
pct=100 = indicates that this rule should be used for 100% of email
policy = specifies what policy you want the receiving server to follow if DMARC fails.
NOTE: You can set to none, quarantine, or reject
- _dmarc.pax8.com 3600 IN TXT “v=DMARC1; p=none”
- _dmarc.pax8.com 3600 IN TXT “v=DMARC1; p=quarantine”
- _dmarc.pax8.com 3600 IN TXT “v=DMARC1; p=reject”
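Before publishing, the SPF and DMARC values can be checked for the tags this article sets. This is an added example, not part of the original article: the helper function names are hypothetical, the inputs are constructed from the record values shown above, and it checks only those tags rather than validating the full record syntax.

```powershell
# Added example; helper names are hypothetical and inputs are constructed samples.
function ConvertFrom-TagList([string]$Record) {
    # "v=DMARC1; pct=100; p=reject" -> ordered dictionary of tag => value
    $tags = [ordered]@{}
    foreach ($part in $Record.Trim('" ').Split(';')) {
        $name, $value = $part.Split('=', 2)
        if ($null -ne $value) { $tags[$name.Trim().ToLower()] = $value.Trim() }
    }
    $tags
}

function Test-DmarcRecord([string]$Record) {
    $t = ConvertFrom-TagList $Record
    $issues = @()
    if (@($t.Keys)[0] -ne 'v' -or $t['v'] -cne 'DMARC1') { $issues += 'v=DMARC1 must be the first tag' }
    if ($t['p'] -notin 'none', 'quarantine', 'reject')    { $issues += 'p must be none, quarantine or reject' }
    # pct is optional and defaults to 100 when absent
    $pct = if ($t.Contains('pct')) { $t['pct'] -as [int] } else { 100 }
    if ($null -eq $pct -or $pct -lt 0 -or $pct -gt 100)   { $issues += 'pct must be an integer from 0 to 100' }
    [pscustomobject]@{
        Policy    = $t['p']
        Percent   = $pct
        # p=none only monitors; quarantine and reject change how failing mail is handled
        Enforcing = ($issues.Count -eq 0 -and $t['p'] -ne 'none')
        Issues    = $issues -join '; '
    }
}

function Test-SpfRecord([string]$Record) {
    $terms = $Record.Trim('" ') -split '\s+'
    [pscustomobject]@{
        IsSpf        = $terms[0] -eq 'v=spf1'
        IncludesEop  = $terms -contains 'include:spf.protection.outlook.com'
        # "-all" is a hard fail; "~all" is a soft fail; "?all" or "+all" gives no protection
        AllQualifier = $terms | Where-Object { $_ -match '^[-~?+]?all$' } | Select-Object -Last 1
    }
}

# Constructed inputs: the SPF value and the DMARC variants shown in this section,
# plus one deliberately broken record to show the failure output
Test-SpfRecord 'v=spf1 include:spf.protection.outlook.com -all' | Format-List
'v=DMARC1; p=none',
'v=DMARC1; p=quarantine',
'v=DMARC1; pct=100; p=reject',
'p=reject; v=DMARC1; pct=abc' | ForEach-Object { Test-DmarcRecord $_ } | Format-Table -AutoSize

# To test a published record instead (Windows DnsClient module; example.com is a placeholder):
# Test-DmarcRecord ((Resolve-DnsName '_dmarc.example.com' -Type TXT).Strings -join '')
```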
Do not Allow Calendar Details Sharing
You should not allow your users to share calendar details with external users. This feature allows your users to share the full details of their calendars with external users. Attackers will very commonly spend time learning about your organization (performing reconnaissance) before launching an attack. Publicly available calendars can help attackers understand organizational relationships, and determine when specific users may be more vulnerable to an attack, such as when they are traveling.
- In the Microsoft 365 admin center > Settings – Org settings
- Click on services and select calendar
- Change the settings to “Calendar free/busy information with time only”
- Enable this setting on one tenant via PowerShell
- Enable this setting in all tenants via Partner Center credentials using PowerShell
Enable Audit Log Search
You should enable audit data recording for your Microsoft 365 or Office 365 service to ensure that you have a record of every user and administrator’s interaction with the service, including Azure AD, Exchange Online, Microsoft Teams and SharePoint Online/OneDrive for Business. This data will make it possible to investigate and scope a security breach, should it ever occur. You (or another admin) must turn on audit logging before you can start searching the audit log.
- Go to security portal>Search>Audit Log search
- Make sure you do not get the following:
- After you turn on Auditing, you will see the following:
- You can create a custom search based on activity, date range, users, and file/folder/site
- Create a New Alert Policy based off a certain event
- If you want to search the audit log via PowerShell, use the commands below:
$auditlog = Search-UnifiedAuditLog -StartDate 01/01/2021 -EndDate 01/31/2021 -RecordType SharePointFileOperation
- You could use the following command to export certain properties to a CSV file:
$auditlog | Select-Object -Property CreationDate,UserIds,RecordType,AuditData | Export-Csv -Append -Path c:\AuditLogs\PowerShellAuditlog.csv -NoTypeInformation
Enable Mailbox Auditing for All Users
By default, all non-owner access is audited, but you must enable auditing on the mailbox for owner access to be audited as well. This will allow you to discover illicit access to Exchange Online if a user’s account has been breached. We will need to run a PowerShell script to enable auditing for all users.
NOTE: Use the audit log to search for mailbox activity that has been logged. You can search for activity for a specific user mailbox.
- Go to security portal>Search>Audit Log search
Mailbox auditing PowerShell commands
To check a mailbox audit status:
Get-Mailbox firstname.lastname@example.org | fl *audit*
To search a mailbox audit log:
Search-MailboxAuditLog email@example.com -ShowDetails -StartDate 01/01/2021 -EndDate 01/31/2021
To export results into a csv file:
Search-MailboxAuditLog firstname.lastname@example.org -ShowDetails -StartDate 01/01/2021 -EndDate 01/31/2021 | Export-Csv C:\users\AuditLogs.csv -NoTypeInformation
To view and export logs based on operations:
Search-MailboxAuditLog -Identity email@example.com -ResultSize 250000 -Operations HardDelete,Move,MoveToDeletedItems,SoftDelete -LogonTypes Admin,Delegate,Owner -StartDate 01/01/2021 -EndDate 01/31/2021 -ShowDetails | Export-Csv C:\AuditLogs.csv -NoTypeInformation
To view and export logs based on logon types:
Search-MailboxAuditLog firstname.lastname@example.org -ResultSize 250000 -StartDate 01/01/2021 -EndDate 01/31/2021 -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-Csv C:\AuditLogs.csv -NoTypeInformation
Review Role Changes Weekly
Watch for illicit role group changes, which could give an attacker elevated privileges to perform more dangerous and impactful actions in your tenancy.
- Go to Security portal>Search>Audit Log search
- Type “Role” in the search and select “Added Member to Role” and “Removed a user from a Directory Role”
Review Mailbox Forwarding Rules Weekly
You should review mailbox forwarding rules to external domains at least every week. There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search. While there are lots of legitimate uses of mail forwarding rules to other locations, it is also a very popular data exfiltration tactic for attackers. You should review them regularly to ensure your users’ email is not being exfiltrated. Running the PowerShell script linked below will generate two csv files, “MailboxDelegatePermissions” and “MailForwardingRulesToExternalDomains”, in your System32 folder.
- Monitor on a single tenant
- Monitor External Mailbox Forwards in all Microsoft 365/Office 365 Customer tenants
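The forwarding half of that weekly review can be scripted as follows. This is an added example, not the script the article links to; it assumes an existing Connect-ExchangeOnline session, and the function name and output path are hypothetical.

```powershell
# Added example, not the article's linked script. Assumes Connect-ExchangeOnline
# has already been run; function name and CSV path are hypothetical.
function Get-ExternalForwardingReport {
    param([string]$CsvPath = '.\MailForwardingRulesToExternalDomains.csv')

    # Domains the tenant owns; any other address domain is treated as external
    $internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

    # Pull SMTP addresses out of recipient strings such as
    #   smtp:user@example.net   or   "Display Name" [SMTP:user@example.net]
    # Recipients shown only as [EX:/o=...] carry no SMTP address and are not resolved here.
    function Select-ExternalAddress([object[]]$Recipients) {
        $text = $Recipients -join ';'
        foreach ($m in [regex]::Matches($text, '[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')) {
            if ($m.Groups[1].Value -notin $internal) { $m.Value }
        }
    }

    $report = @(foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Forwarding configured on the mailbox itself
        foreach ($addr in Select-ExternalAddress $mbx.ForwardingSmtpAddress) {
            [pscustomobject]@{
                Mailbox        = $mbx.UserPrincipalName
                Source         = 'MailboxForwarding'
                RuleName       = ''
                Enabled        = $true
                ExternalTarget = $addr
            }
        }
        # Client-created inbox rules that forward or redirect
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($addr in Select-ExternalAddress $targets) {
                [pscustomobject]@{
                    Mailbox        = $mbx.UserPrincipalName
                    Source         = 'InboxRule'
                    RuleName       = $rule.Name
                    Enabled        = $rule.Enabled
                    ExternalTarget = $addr
                }
            }
        }
    })

    if ($report.Count -gt 0) { $report | Export-Csv -Path $CsvPath -NoTypeInformation }
    $report
}

Get-ExternalForwardingReport | Sort-Object ExternalTarget | Format-Table -AutoSize
```

Comparing each week's CSV with the previous one highlights newly created forwards, which are the entries worth confirming with the mailbox owner.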
Review the Mailbox Access by Non-Owners Report Bi-Weekly
This report shows which mailboxes have been accessed by someone other than the mailbox owner. While there are many legitimate uses of delegate permissions, regularly reviewing that access can help prevent an external attacker from maintaining access for a long time and can help discover malicious insider activity sooner.
- In the Exchange Admin Center, go to Compliance Management>Auditing
- Click on “Run a non-owner mailbox access report…”
- Specify a date range and run a search
Review the Malware Detections Report Weekly
This report shows specific instances of Microsoft blocking a malware attachment from reaching your users. While this report isn’t strictly actionable, reviewing it will give you a sense of the overall volume of malware being targeted at your users, which may prompt you to adopt more aggressive malware mitigations.
- Go to security portal>Reports>Dashboard
- Scroll to the bottom and click on Malware detected in email
- View the Detection Report and click + Create schedule
- Create a weekly report schedule and send it to the appropriate email address
Review your Account Provisioning Activity Report Weekly
This report includes a history of attempts to provision accounts to external applications. If you don’t usually use a third-party provider to manage accounts, any entry on the list is likely illicit. But, if you do, this is a great way to monitor transaction volumes, and look for new or unusual third-party applications that are managing users.
- In the Microsoft 365 Admin center>Azure Active Directory from Admin Centers>Azure Active Directory>Audit Logs
- In the Activity section, search for “external” and select Invite external user
That’s how you improve Exchange Online protection for better security.