Best Practices to Harden Office 365
1. Password Policy
It is always recommended to use a strong password policy to help secure the data and service access. In
Office 365 for cloud-only users and active directory synced users, passwords expire after 90 days by
2. Single Sign-On
Single sign-on is convenient as well as allows password policies to be managed in a centralized place.
Microsoft offers its own single sign-on solution, Azure Active Directory, which allows users to log in using the same password as they do for on premises Microsoft products, as well as cloud products from other providers.
3. Use Multi-Factor Authentication (MFA)
Multi-factor authentication makes it more difficult for a third party to gain access to an account by
requiring an additional authentication measure after submitting the username and password. The
secondary authentication methods supported by Office 365 include the use of mobile app notification, a one-time password generated by a mobile app or sent to the user via a phone call or SMS text message, and per-app passwords used with clients such as Outlook. Some of the MFA solutions are Azure AD, Okta, One Login, Ping Identity, and Centrify.
Reference URL: https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-upmulti-factor-authentication?view=o365-worldwide
4. Configure Data Loss Prevention (DLP)
A data loss prevention strategy ensures that confidential or personal data can’t be uploaded, shared or
emailed. DLP is available in SharePoint Online and Exchange and can also be integrated into Enterprise
Search. With this, create policies to restrict content being saved to certain locations, such as One Drive
for Business and SharePoint Online sites.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-preventionpolicies
5. Turn on Office 365 Cloud App Security
Set up alerts with Office 365 Cloud App Security help admins can review unusual or risky user activity,
such as downloading large amounts of data, multiple failed sign-in attempts, or sign-ins from an
unknown or dangerous IP address. Organizations with an Office 365 Enterprise E5 plan can start using
Office 365 Cloud App Security right away.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/turn-on-office-365-cas
6. IP Filtering
To reduce the risk of account compromise is to disallow extranet access to corporate cloud services such as Office 365. If an attacker were to obtain an account credential, they would be unable to successfully log into the account, unless he or she is on the corporate network or accessing via virtual private network (VPN). Microsoft supports IP filtering, referred to variously as “IP Whitelist” and “Trusted IPs,” for customers using either Azure Active Directory or federating user identity with their on-premises Active Directory.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/configure-theconnection-filter-policy
7. Configure Alert Policies
Creating alert policies in Office 365’s Compliance center can assist in meeting organization’s data
security obligations. For example, alerts can warn about sharing confidential information anytime about
email contacts that aren’t listed as authenticated in the organization’s network. These preemptive
notices can educate employees on data sharing best practices and prevent data leaks. Office 365 offers
several built-in alert policies that help determine permissions abuse, data governance risks, and
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies
8. Office 365 Message Encryption
Message encryption allows to send a message to a recipient encrypted. The recipient receives an email
with a link to a page on a download portal, where users authenticate using their Office login or a onetime passcode to view the message. To use Office 365 Message Encryption (OME), organization must include an Exchange Online or Exchange Online Protection subscription that, in turn, includes an Azure Rights Management subscription.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/ome
9. Use S/MIME Protocol to Secure Connection to the Server and Prevent Data Interception
Unlike message encryption, which is based on policies defined by an administrator, S/MIME is controlled by the end user, who decides whether to use it. While message encryption is browser-based, and requires no client software or certificates, S/MIME uses certificates to digitally sign and optionally encrypt the email content itself. Digitally signing the email ensures that the message content is what the sender originally wrote, and that the message hasn’t been altered or tampered with. S/MIME requires users to access their email through a client like Outlook, not a web browser.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/email-encryption
10. Mobile Device Management (MDM)
Office 365 has built in mobile device management that is available for both Office 365 for Business and
Office 365 Enterprise. If employees use company-owned devices, admins are able to manage and
revoke access to important data when needed.
Reference URL: https://support.office.com/en-us/article/set-up-mobile-device-management-mdm-inoffice-365-dd892318-bc44-4eb1-af00-9db5430be3cd
11. Office Client Deployment
Office client deployment keeps client versions of Office up to date through the latest security updates.
There is a lot of flexibility regarding updates, for example; can opt in to feature and bug fixes quarterly.
Also control the Office deployments using an XML-based deployment process called Click2Run (available on Office 365 Pro Plus plans only).
Reference URL: https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool
12. Sharing Content
The admin portal offers the option to enable or disable content sharing which allows the admin to turn
sharing on or off for different apps within Office 365, including Sites, Calendar, Skype for Business and
Integrated Apps. Reports are available that show what has been shared with whom, and admin can
revoke sharing directly from the admin center without needing to go directly into the app’s settings.
Reference URL: https://support.office.com/en-us/article/manage-sharing-with-external-users-in-office-365-small-business-2951a85f-c970-4375-aa4f-6b0d7035fe35
13. Use Office 365 Secure Score and Compare Security
Secure Score is a security analytics tool that recommends on what can do to further reduce risk. Secure
Score looks at the Office 365 settings and activities and compares them to a baseline established by
Microsoft. A score is then provided based on the settings and is re-evaluated in an on-going basis.
Note: Settings should be carefully reviewed and exceptions may need to be made to not disrupt mail
flow for legitimate emails which are being spoofed intentionally.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-securescore
14. Enable Mailbox Auditing
In Office 365, administrators should enable mailbox audit logging to record mailbox access activity. By
default, mailbox auditing is disabled. Once audit logging is enabled, the audit log can be searched for
mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by
administrators, delegates, and owners are logged by default.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailboxauditing
15. Configure DMARC and SPF Records to Validate Email
Implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) with SPF
(Sender Policy Framework) and DKIM (DomainKeys Identified Mail) is recommended. These features
provide an additional layer of protection against spoofing and phishing emails. They can also help to
reduce the risk of business email compromise attacks. DMARC settings will tell the Exchange servers
what to do with messages that were transmitted with the organization’s domain that fail SPF or DKIM
validation checks. A DMARC TXT Record also helps to prevent spoofing and phishing attacks by verifying the IP address of an email’s author against the alleged owner of the sending domain It is highly recommended the DMARC settings are reviewed and deployed with careful consideration such not to disrupt intended mail flow.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validateemail
16. Define Data Exfiltration Rule Restrictions
Business email compromise can result in attackers configuring mailbox forwarding rules to send a copy
of email outside of the organization to a 3rd party email domain. Users may also desire to send copies of
emails to personal email accounts. These forwards reduce the overall security of the organization. A rule can be created in the Exchange Admin Center to reject any messages and include an explanation that client forwarding rules to external domains are not permitted. This rule can be defined if a message is sent ‘outside the organization’ and the message type is ‘auto-forward’ and the email is received from ‘inside the organization.’ It may also be beneficial to configure alert definitions based on these conditions to ensure an account was not compromised. An alert definition can be defined while creating the rule to email a notification to the defined contact upon triggering.
17. Changing Anti-Spoofing Settings
To create or update the (cross-domain) anti-spoofing settings, navigate to the Anti-phishing > Antispoofing settings under the Threat Management > Policy tab in the Security & Compliance Center.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofingprotection
18. Use Office 365 Advanced Threat Protection
Office 365 Advanced Threat Protection (ATP) helps to protect the organization from malicious attacks by scanning email attachments for malware with ATP Safe Attachments. It helps protect against unknown malware and viruses by providing robust zero-day protection and includes features to safeguard from harmful links in real time. It can perform the following tasks:
- Scanning web addresses (URLs) in email messages and Office documents with ATP Safe Links
- Identifying and blocking malicious files in online libraries with ATP for SharePoint, OneDrive, and
- Checking email messages for unauthorized spoofing with spoof intelligence
- Detecting when someone attempts to impersonate the users and organizations custom domains
with ATP anti-phishing capabilities in Office 365
19. Zero-hour Auto Purge – Protection Against Spam and Malware
Zero-hour auto purge (ZAP) is an email protection feature that detects messages with spam or malware
that have already been delivered to the users’ inboxes, and then renders the malicious content
harmless. How ZAP does this depends on the type of malicious content detected. ZAP is available with
the default Exchange Online Protection that is included with any Office 365 subscription that contains
Exchange Online mailboxes. ZAP continuously monitors updates to the Office 365 spam and malware
signatures; therefore, it can find and remove previously delivered messages already in inboxes. For mail
that was already identified as spam, ZAP moves unread messages to the user’s Junk mail folder. For
newly detected malware, ZAP removes the attachments from the email message, regardless of whether
the mail was read or not.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/zero-hour-auto-purge
20. Create Organization-Wide Signatures and Disclaimers
There is an option to add an email signature, legal disclaimer, or disclosure statement to the email
messages that enter or leave the organization. Also, it is possible to set it up to apply to all incoming and
outgoing messages or can apply it to certain messages like those containing specific words or text.
Reference URL: https://docs.microsoft.com/en-us/office365/admin/setup/create-signatures-anddisclaimers?view=o365-worldwide
21. Configure Message Size Limit and Restrict Attachment Type for a Mailbox
The default Office 365 maximum message size for messages is 25MB. It is recommended to change the
maximum message size for an individual mailbox with Office 365 Admin Center or PowerShell according to the business needs. Restrict the users to attached except doc, pdf, xlxs etc. as per the business requirement
Reference URL: https://docs.microsoft.com/en-us/exchange/recipients/user-mailboxes/mailboxmessage-size-limits?view=exchserver-2019
22. Other Ways to Manage Spoofing and Phishing with Office 365
Here are related ways to check on senders spoofing domain and help prevent them from damaging the
- Check the Exchange Online Protection spoof mail report as part of the routine. Use this report
often to view and help manage spoofed senders.
- Review the Sender Policy Framework (SPF) configuration.
- Review the DomainKeys Identified Mail (DKIM) configuration. Use DKIM in addition to SPF and
DMARC to help prevent receiving messages that look like they are coming from the
- Use the Get-PhishFilterPolicy Windows PowerShell cmdlet to gather detailed data on spoofed
senders, generate allow and block lists, and determine how to generate more comprehensive
SPF, DKIM, and DMARC DNS records without having the legitimate email get caught in external
Varutra Consulting Pvt. Ltd