Here are some best practices to harden Office 365 and help ensure your data remains protected.
A strong password policy helps secure data and service access. For cloud-only users in Office 365, passwords expire after 90 days by default; for users synchronised from on-premises Active Directory, the on-premises domain password policy applies instead. Note that Microsoft's current password guidance favours long, unique passwords combined with multi-factor authentication over forced periodic expiry, so review the expiry setting deliberately rather than adopting it blindly.
Single sign-on is convenient and allows password policies to be managed in one central place.
Microsoft offers its own single sign-on solution, Azure Active Directory, which lets users sign in with the same password they use for on-premises Microsoft products, as well as to cloud products from other providers that are federated with Azure AD.
Multi-factor authentication makes it more difficult for a third party to gain access to an account by requiring an additional authentication factor after the username and password are submitted. The secondary authentication methods supported by Office 365 include a mobile app notification, a one-time password generated by a mobile app or delivered to the user by phone call or SMS text message, and app passwords for legacy clients such as older Outlook versions that cannot perform modern authentication. App passwords bypass the second factor, so keep them disabled unless a legacy client genuinely needs one, and prefer blocking legacy authentication altogether. MFA solutions that integrate with Office 365 include Azure AD, Okta, OneLogin, Ping Identity, and Centrify.
Reference URL: https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
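The following is an added example, not code from the original article, Varutra or Microsoft: it audits which licensed accounts have neither an MFA requirement nor a registered strong authentication method, then enables per-user MFA for them. It assumes the legacy MSOnline module and an existing Connect-MsolService session with the Authentication Administrator role; all names are placeholders. In tenants that have Azure AD Premium, a Conditional Access policy that requires MFA is the preferred control over per-user MFA, but the audit is the same.

```powershell
# Added example: audit per-user MFA coverage and enable MFA for uncovered accounts.
# Assumes Import-Module MSOnline and Connect-MsolService have already been run.
Import-Module MSOnline

function Get-UsersWithoutMfa {
    # Licensed, not sign-in-blocked accounts with no per-user MFA requirement
    # and no registered second factor (phone, authenticator app, etc.).
    Get-MsolUser -All |
        Where-Object {
            $_.IsLicensed -and -not $_.BlockCredential -and
            $_.StrongAuthenticationRequirements.Count -eq 0 -and
            $_.StrongAuthenticationMethods.Count -eq 0
        } |
        Select-Object UserPrincipalName, DisplayName, LastPasswordChangeTimestamp
}

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # State "Enabled" prompts the user to register a second factor at next sign-in.
    # Once registered the state becomes "Enforced"; from then on legacy (basic auth)
    # clients need an app password or are blocked, which is the desired outcome.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = "Enabled"
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Report first so the list can be reviewed, then enable MFA for every uncovered account.
$uncovered = Get-UsersWithoutMfa
$uncovered | Format-Table -AutoSize
foreach ($u in $uncovered) {
    Enable-PerUserMfa -UserPrincipalName $u.UserPrincipalName
}
```

Run the report on its own first; service accounts that appear in it usually need a Conditional Access exclusion or a certificate-based replacement rather than an interactive second factor.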
A data loss prevention (DLP) strategy helps ensure that confidential or personal data cannot be uploaded, shared or
emailed outside the organization. DLP is available in SharePoint Online and Exchange Online and can also be integrated into Enterprise
Search. With it, create policies that detect sensitive information types (for example credit card or national ID numbers) and restrict that content from being saved to or shared from certain locations, such as OneDrive
for Business and SharePoint Online sites.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies
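As an added example (not the article's or Microsoft's own code), the DLP policy described above expressed in Security & Compliance PowerShell: one policy spanning Exchange, SharePoint Online and OneDrive, with a rule that blocks credit card numbers from being shared with anyone outside the organization. It assumes the ExchangeOnlineManagement module and an existing Connect-IPPSSession; the policy name, rule name and incident mailbox are placeholders.

```powershell
# Added example: DLP policy that blocks external sharing of credit card numbers.
# Assumes Connect-IPPSSession (Security & Compliance PowerShell) has been run.

# Confirm the exact name of the built-in sensitive information type before using it.
Get-DlpSensitiveInformationType |
    Where-Object Name -like "*Credit Card*" |
    Select-Object Name, Publisher

# Create the policy in test mode: users see policy tips, nothing is blocked yet.
New-DlpCompliancePolicy -Name "Block external PCI sharing" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment "Credit card numbers must not leave the organization"

# One rule: any card number (minCount 1) going to an external recipient or guest
# is blocked, the author and site owner are told why, and SecOps gets a report.
New-DlpComplianceRule -Name "Card number to external recipient" `
    -Policy "Block external PCI sharing" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser @("LastModifier", "Owner") `
    -NotifyPolicyTipCustomText "This content contains payment card numbers and cannot be shared outside the organization." `
    -GenerateIncidentReport "secops@contoso.com" `
    -IncidentReportContent Title, Detections, Severity `
    -ReportSeverityLevel High

# After reviewing the test-mode matches (Security & Compliance Center > Reports),
# switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity "Block external PCI sharing" -Mode Enable
```

Leave the policy in TestWithNotifications for a few weeks first: the incident reports show which business processes legitimately move card data, and those need an exception or a different channel before blocking is turned on.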
Setting up alerts with Office 365 Cloud App Security helps admins review unusual or risky user activity,
such as downloading large amounts of data, multiple failed sign-in attempts, or sign-ins from an
unknown or known-malicious IP address. Organizations with an Office 365 Enterprise E5 plan can start using
Office 365 Cloud App Security right away.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/turn-on-office-365-cas
One way to reduce the risk of account compromise is to disallow extranet access to corporate cloud services such as Office 365. If an attacker obtains an account credential, they will be unable to sign in unless they are on the corporate network or connected through the corporate virtual private network (VPN). Microsoft supports this kind of IP-based restriction, referred to variously as an "IP whitelist", "Trusted IPs" (in the MFA service settings) and "named locations" (in Azure AD Conditional Access), for customers using either Azure Active Directory alone or federating user identity with their on-premises Active Directory. The control only helps against credentials used from outside the network; it does nothing against an attacker who also holds VPN access, and the policy must always exclude an emergency-access account so that a mistaken IP range cannot lock out every administrator.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/configure-the-connection-filter-policy
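An added example of the restriction described above, built with Azure AD Conditional Access rather than the MFA "Trusted IPs" list (this is not code from the article, Varutra or Microsoft): a trusted named location holding the corporate egress ranges, and a policy that blocks every sign-in from anywhere else. It assumes the AzureAD PowerShell module (2.0.2.76 or later, which added the Conditional Access cmdlets) and an existing Connect-AzureAD session with Conditional Access Administrator rights. The CIDR ranges, display names and the emergency-access account's object ID are placeholders.

```powershell
# Added example: block Office 365 sign-ins from outside the corporate egress ranges.
# Created in report-only mode first so the sign-in log shows what *would* be blocked.
Import-Module AzureAD

# 1. Trusted named location covering office and VPN egress addresses (placeholders).
$ranges = foreach ($cidr in "203.0.113.0/24", "198.51.100.10/32") {
    $r = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
    $r.CidrAddress = $cidr
    $r
}
$corp = New-AzureADMSNamedLocationPolicy -OdataType "#microsoft.graph.ipNamedLocation" `
    -DisplayName "Corporate egress" -IsTrusted $true -IpRanges $ranges

# 2. Conditions: all users, all cloud apps, every location except the trusted one.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
# Always exclude a break-glass account: a typo in the ranges above must not lock out every admin.
$conditions.Users.ExcludeUsers = "00000000-0000-0000-0000-000000000000"   # placeholder object ID
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = "All"
$conditions.Locations.ExcludeLocations = $corp.Id

# 3. Grant control: block.
$grant = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$grant._Operator = "OR"
$grant.BuiltInControls = "block"

New-AzureADMSConditionalAccessPolicy -DisplayName "Block access outside corporate network" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions $conditions -GrantControls $grant
```

After a review period, change the policy's state to "enabled" with Set-AzureADMSConditionalAccessPolicy. Keep the break-glass account's credentials offline and alert on any sign-in by it.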
Creating alert policies in the Office 365 Security & Compliance Center can assist in meeting the organization's data
security obligations. For example, an alert can fire whenever confidential information is shared with email
addresses outside the organization. These notices can educate employees on data-sharing best practices
and help prevent data leaks. Office 365 also offers several built-in alert policies that help detect permissions
abuse, data governance risks, and malware.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies
Message encryption allows a sender to send an encrypted message to any recipient. The recipient receives an email
with a link to a page on a download portal, where they authenticate with their Office 365 login or a one-time passcode to view the message. To use Office 365 Message Encryption (OME), the organization must have an Exchange Online or Exchange Online Protection subscription that, in turn, includes an Azure Rights Management subscription.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/ome
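The usual way to let users trigger OME themselves is a mail flow rule keyed on a subject marker; the following is an added example (not from the article or Microsoft) of such a rule together with the checks that the tenant's rights-management prerequisite is in place. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session with Organization Management rights; the rule name and the "[secure]" keyword are placeholders.

```powershell
# Added example: apply OME to any outbound message whose subject contains "[secure]".
# Assumes Connect-ExchangeOnline has been run.

# Prerequisite check: OME needs Azure RMS licensing enabled for the tenant.
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled

# The built-in "Encrypt" template encrypts the message without restricting forwarding;
# "Do Not Forward" would additionally stop recipients forwarding or printing it.
New-TransportRule -Name "OME on secure keyword" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[secure]" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "User-triggered OME: recipients open the message in the OME portal with an Office 365 sign-in or one-time passcode."

# Confirm the rule is enabled and see where it sits relative to other rules.
Get-TransportRule -Identity "OME on secure keyword" |
    Format-List Name, State, Priority, ApplyRightsProtectionTemplate
```

Pair the rule with a short user guide: the subject keyword is only useful if people know it exists, and a DLP rule (see the DLP section) can apply the same template automatically when sensitive content is detected without relying on the sender to remember.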
Unlike message encryption, which is applied by policies defined by an administrator, S/MIME is controlled by the end user, who decides whether to use it. Message encryption is browser-based and requires no client software or certificates, whereas S/MIME uses X.509 certificates to digitally sign and optionally encrypt the email content itself. A digital signature lets the recipient verify that the message came from the holder of the signing certificate and that the content has not been altered in transit; S/MIME encryption protects the body and attachments end to end, so neither the mail servers nor anyone intercepting the message can read them. S/MIME typically requires a client such as Outlook with the user's certificate installed; Outlook on the web supports it only through a browser add-on.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/email-encryption
Office 365 has built-in mobile device management that is available for both Office 365 Business and
Office 365 Enterprise plans. If employees use company-owned (or enrolled personal) devices, admins can manage
them and revoke access to corporate data, or wipe it from the device, when needed.
Reference URL: https://support.office.com/en-us/article/set-up-mobile-device-management-mdm-in-office-365-dd892318-bc44-4eb1-af00-9db5430be3cd
Office client deployment keeps client versions of Office up to date with the latest security updates.
There is flexibility in how updates are delivered: for example, an organization can choose an update channel that delivers new features less frequently while security fixes still arrive monthly.
Office deployments can also be controlled with an XML-based configuration consumed by the Office Deployment Tool for Click-to-Run installs (available on Office 365 ProPlus plans only).
Reference URL: https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool
The admin portal offers the option to enable or disable content sharing, which allows the admin to turn
external sharing on or off for different apps within Office 365, including Sites, Calendar, Skype for Business and
Integrated Apps. Reports are available that show what has been shared with whom, and admins can
revoke sharing directly from the admin center without needing to go into the app's own settings.
Reference URL: https://support.office.com/en-us/article/manage-sharing-with-external-users-in-office-365-small-business-2951a85f-c970-4375-aa4f-6b0d7035fe35
Secure Score is a security analytics tool that recommends actions to further reduce risk. Secure
Score looks at the Office 365 settings and activities, compares them to a baseline established by
Microsoft, and provides a score that is re-evaluated on an ongoing basis.
Note: recommended settings should be carefully reviewed, and exceptions may be needed, so that mail
flow is not disrupted for legitimate emails that are intentionally sent on the organization's behalf from outside (for example bulk-mail or ticketing services that "spoof" the domain).
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-secure-score
In Office 365, administrators should make sure mailbox audit logging is enabled so that mailbox access activity is recorded. At
the time this was written, mailbox auditing was off by default; Microsoft has since turned it on by default for Exchange
Online, but the tenant-level setting should be verified rather than assumed. Once audit logging is enabled, the audit log can be searched for
mailbox activity; a default set of actions performed by administrators, delegates, and owners is logged, and the owner set can be widened.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing
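As an added example (not code from the article, Varutra or Microsoft): check the tenant-wide audit default, enable auditing explicitly on every user mailbox with a wider owner action set, and then search the unified audit log for inbox-rule creation or modification, which is one of the first things an attacker does after taking over a mailbox. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session with View-Only Audit Logs permission; the retention period and lookback window are illustrative values.

```powershell
# Added example: enable mailbox auditing and hunt for inbox-rule manipulation.
# Assumes Connect-ExchangeOnline has been run.

# If AuditDisabled is False the tenant has audit-by-default and per-mailbox
# AuditEnabled is ignored; if True, the per-mailbox setting below is what counts.
Get-OrganizationConfig | Format-List AuditDisabled

# Turn auditing on for every user mailbox, keep 180 days, and make sure owner
# actions that matter in a compromise (logon, deletes, rule changes) are captured.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00" `
        -AuditOwner @{ Add = "MailboxLogin", "HardDelete", "SoftDelete", "MoveToDeletedItems", "UpdateInboxRules" }

function Find-InboxRuleChanges {
    param([int]$Days = 7)
    # Rule changes from Outlook, Outlook on the web and PowerShell all land in the
    # unified audit log under these three operations.
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json          # the interesting detail is JSON
            [pscustomobject]@{
                When      = $_.CreationDate
                User      = $_.UserIds
                Operation = $_.Operations
                ClientIP  = $d.ClientIP
                Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
            }
        }
}

# Rules that forward, redirect or silently delete mail are the classic BEC pattern.
Find-InboxRuleChanges -Days 30 |
    Where-Object { $_.Params -match "ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage" } |
    Format-Table -Wrap
```

Search-UnifiedAuditLog returns at most 5000 rows per call; for large tenants page through it with -SessionId and -SessionCommand ReturnLargeSet, or ship the log to a SIEM and run the same filter there.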
Implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) together with SPF
(Sender Policy Framework) and DKIM (DomainKeys Identified Mail) is recommended. These features
provide an additional layer of protection against spoofing and phishing emails and help to
reduce the risk of business email compromise attacks. SPF lets a receiving server check whether the connecting IP address is authorised to send for the envelope sender's domain; DKIM lets it verify a cryptographic signature over the message headers and body; DMARC ties the two to the domain in the visible From: header (alignment) and, through a DNS TXT record at _dmarc.<domain>, tells receivers, Exchange Online included, what to do with messages claiming the organization's domain that fail both checks: monitor only (p=none), quarantine, or reject. DMARC also returns aggregate reports to the address in the rua tag, which is how legitimate third-party senders are discovered before enforcement. It is highly recommended that DMARC be deployed gradually, starting with p=none and reviewing the reports, so that intended mail flow is not disrupted.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validate-email
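The following added example (not the article's or Microsoft's code) checks what a domain actually publishes for SPF, DKIM and DMARC from the outside, reports the gaps a phisher would exploit, and then enables DKIM signing for the domain in Exchange Online in the right order. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName) and, for the DKIM part, the ExchangeOnlineManagement module with Connect-ExchangeOnline already run; contoso.com is a placeholder domain.

```powershell
# Added example: external check of SPF/DKIM/DMARC publication, then DKIM enablement.

function Get-TxtRecord {
    param([Parameter(Mandatory)][string]$Name)
    # Long TXT records arrive split into 255-byte strings; join them back together.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'TXT' |
        ForEach-Object { $_.Strings -join '' }
}

function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    $spf   = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' }) -join ''
    $dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }) -join ''

    # Exchange Online signs with selector1/selector2; both CNAMEs must be published.
    $dkim = foreach ($s in 'selector1', 'selector2') {
        Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'CNAME' | Select-Object -ExpandProperty NameHost
    }

    # DMARC is a list of tag=value pairs separated by semicolons.
    $tags = @{}
    foreach ($pair in ($dmarc -split ';')) {
        $k, $v = $pair.Trim() -split '=', 2
        if ($k) { $tags[$k] = $v }
    }

    $findings = @()
    if (-not $spf) { $findings += 'No SPF record' } elseif ($spf -notmatch 'include:spf\.protection\.outlook\.com') { $findings += 'SPF does not include Exchange Online' }
    if ($spf -and $spf -notmatch '-all\s*$') { $findings += 'SPF ends in ~all or ?all: receivers will not reject on failure' }
    if (-not $dkim) { $findings += 'DKIM selector CNAMEs not published' }
    if (-not $dmarc) { $findings += 'No DMARC record' } elseif ($tags['p'] -eq 'none') { $findings += 'DMARC is monitor-only (p=none)' }

    [pscustomobject]@{
        Domain      = $Domain
        Spf         = $spf
        DkimCnames  = $dkim
        DmarcPolicy = $tags['p']      # none | quarantine | reject
        DmarcRua    = $tags['rua']    # where aggregate reports are sent
        Findings    = $findings
    }
}

Test-EmailAuthRecords -Domain 'contoso.com' | Format-List

# Enable DKIM in Exchange Online: create the config disabled, publish the two CNAMEs
# it reports, and only then enable it. Enabling first would sign outbound mail with
# keys that receivers cannot look up, which fails DKIM and therefore DMARC.
New-DkimSigningConfig -DomainName 'contoso.com' -Enabled $false
Get-DkimSigningConfig -Identity 'contoso.com' | Format-List Selector1CNAME, Selector2CNAME
Set-DkimSigningConfig -Identity 'contoso.com' -Enabled $true   # run once the CNAMEs resolve
```

Run Test-EmailAuthRecords against every domain the organization sends from, including the onmicrosoft.com tenant domain and parked domains; a parked domain with no SPF and no DMARC is the easiest one to spoof.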
Business email compromise often results in attackers configuring mailbox forwarding rules that send a copy
of every email outside the organization to a third-party email domain. Users may also want to send copies of
emails to personal accounts. Both kinds of forward reduce the overall security of the organization. A mail flow rule can be created in the Exchange Admin Center to reject such messages with an explanation that client forwarding rules to external domains are not permitted. The rule conditions are: the message is sent 'outside the organization', the message type is 'auto-forward', and the message is received from 'inside the organization'. It is also worth generating an alert on these conditions so that a possibly compromised account is investigated: an incident report can be defined while creating the rule to email a notification to a designated contact whenever it fires. Because a forwarding rule survives a password reset, existing mailbox forwarding and inbox rules should also be reviewed whenever an account compromise is suspected.
To create or update the (cross-domain) anti-spoofing settings, navigate to Anti-phishing > Anti-spoofing settings under Threat Management > Policy in the Security & Compliance Center.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofing-protection
Office 365 Advanced Threat Protection (ATP) helps protect the organization from malicious attacks: ATP Safe Attachments opens email attachments in a sandbox to detect unknown malware, providing zero-day protection beyond signature scanning, and ATP Safe Links checks URLs at the time they are clicked to safeguard against harmful links in real time. It can perform the following tasks:
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp
Zero-hour auto purge (ZAP) is an email protection feature that detects messages with spam or malware
that have already been delivered to users' inboxes and then renders the malicious content
harmless. How ZAP does this depends on the type of malicious content detected. ZAP is available with
the default Exchange Online Protection that is included with any Office 365 subscription that contains
Exchange Online mailboxes. ZAP continuously applies updates to the Office 365 spam and malware
signatures, so it can find and neutralise previously delivered messages already in inboxes. For mail
newly identified as spam, ZAP moves unread messages to the user's Junk Email folder. For
newly detected malware, ZAP removes the attachments from the email message, regardless of whether
the mail was read or not.
Reference URL: https://docs.microsoft.com/en-us/office365/securitycompliance/zero-hour-auto-purge
There is an option to add an email signature, legal disclaimer, or disclosure statement to email
messages that enter or leave the organization. It can apply to all incoming and
outgoing messages, or only to certain messages, for example those containing specific words or text. The same mechanism can prepend a visible warning to messages from external senders, which helps users recognise phishing that impersonates internal colleagues.
Reference URL: https://docs.microsoft.com/en-us/office365/admin/setup/create-signatures-and-disclaimers?view=o365-worldwide
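As an added example (not code from the article or Microsoft), the disclaimer feature used for a security purpose: a mail flow rule that prefixes the subject and prepends an HTML banner on every message arriving from outside the organization, so a display-name spoof of the CEO is visibly marked external. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session; the rule name, banner wording and colours are placeholders.

```powershell
# Added example: tag external mail with a subject prefix and an HTML banner.
# Assumes Connect-ExchangeOnline has been run.

$banner = @"
<div style="background:#fff4ce;border:1px solid #d83b01;padding:8px;font-family:sans-serif;font-size:12px">
<b>EXTERNAL:</b> This message came from outside the organization. Do not click links or open
attachments unless you recognise the sender and were expecting the content.
</div>
"@

New-TransportRule -Name "External sender banner" `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap   # if the body cannot be modified (signed/encrypted), wrap it instead

# Rules run in priority order; make sure the banner rule is not shadowed by an earlier
# rule that stops processing.
Get-TransportRule | Sort-Object Priority | Format-Table Name, State, Priority -AutoSize
```

Expect a small amount of friction from partners whose threads accumulate "[EXTERNAL]" prefixes; it is normally accepted quickly, and the banner is far cheaper than the first wire-transfer fraud it prevents.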
The default Office 365 maximum message size has historically been 25 MB; check the tenant's current value rather than assuming it. It is recommended to set the
maximum message size for mailboxes, individually or through the mailbox plan, via the Office 365 Admin Center or PowerShell according to business needs. Likewise, restrict the attachment types users may send and receive (for example, allow only .doc, .pdf and .xlsx, or at least block executable and script files) as business requirements dictate.
Reference URL: https://docs.microsoft.com/en-us/exchange/recipients/user-mailboxes/mailbox-message-size-limits?view=exchserver-2019
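An added example (not the article's or Microsoft's code) that sets the size limit for both future and existing mailboxes and rejects dangerous attachments. The page suggests an allow-list of document types; this example uses the more common deny-list of executable and script extensions, plus a second rule that catches executables renamed to an innocent extension, and notes how to invert it. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session; the 25 MB figure and the extension list are illustrative.

```powershell
# Added example: message size limits and attachment-type rejection.
# Assumes Connect-ExchangeOnline has been run.

# Mailbox plans set the defaults for mailboxes created later...
Get-MailboxPlan | Format-Table DisplayName, MaxSendSize, MaxReceiveSize -AutoSize
Get-MailboxPlan | Set-MailboxPlan -MaxSendSize "25MB" -MaxReceiveSize "25MB"
# ...existing mailboxes keep their own values and must be updated separately.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -MaxSendSize "25MB" -MaxReceiveSize "25MB"

# Deny-list of extensions commonly used for malware delivery. For the allow-list the
# page suggests, use -AttachmentSizeOver 1KB as the condition together with
# -ExceptIfAttachmentExtensionMatchesWords doc,docx,pdf,xlsx instead.
$blocked = "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
           "wsf", "ps1", "hta", "jar", "lnk", "iso", "img"

New-TransportRule -Name "Reject executable attachments" `
    -AttachmentExtensionMatchesWords $blocked `
    -RejectMessageReasonText "Attachments of this type are not accepted. Use the approved file transfer service." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Extension matching is defeated by renaming; this condition inspects the file content.
New-TransportRule -Name "Reject executable content" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable content is not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"
```

Neither rule inspects inside archives beyond what Exchange already unpacks, so keep ATP Safe Attachments (earlier section) enabled as the layer that handles password-protected or nested archives.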
Here are related ways to check on senders spoofing the organization's domain and help prevent them from damaging the
organization:
Reference URLs: https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/Get-PhishFilterPolicy?view=exchange-ps,
https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-spf-in-office-365-to-help-prevent-spoofing
Author,
Varutra Consulting Pvt. Ltd