The ultimate guide to securing your Office 365 email

Picture this. The company executive is sent an email that looks legit, with a link in it. Unthinkingly, they click the link which provides all their mailbox credentials to people who know exactly what to do with this information. They remotely sign in, set up rules to cover their tracks, and then email the finance department to pay a new supplier, or email a customer asking to pay an invoice into a new account.

Disaster, right?

office 365 email


This is the reality of phishing and spoofing. At best, they can cost you time and effort, and at worst they can damage your relationship with customers, or cost you a huge amount financially. It’s a confusing world of potential out there, but we have you covered with our guide to email security.

The good news is that Office 365 email security is actually inherent to the platform, and it has a lot of protection built into it. There are also some additional protections that you can configure, and advice on making sure you can protect your Office 365 email.

Contact Us

What’s the big deal with spam?

When it comes to understanding the harm that email spam can cause, it’s important to understand exactly what spam is. Also known as junk mail, these are unsolicited email messages that you get in large quantities. Often they are trying to encourage you to buy something, or seem commercial in nature. Others contain links to phishing websites (which we’ll cover in a little bit) or include malware.

Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software. Generally, malware is used to either disrupt the operation of businesses or corporations, or to get the kind of guarded information you may not want other people to have.

So what is spoofing?

Spoofing, on the other hand, is the creation of email messages with a forged sender address. Spoofers can essentially mask who the sender is because the core email protocols (known as SMTP protocols) do not have any mechanism for authentication. This means that they can lie to the receiver about where the message has come from. This is what enables the bad guys to spoof domains and pretend to be who they want you to think they are. They then include Phishing or malware in these emails that you believe to be from an organisation that you trust.

To help protect yourself and your customers against spoofing you can implement a number of additional email checks and policies that have evolved to address these shortcomings in the core email protocol.

These are known as Sender Policy Framework, Domain Keys Identified Mail, and Domain-based Message Authentication Reporting and Conformance.

SPF, or Sender Policy Framework, is a record that you publish in your DNS that basically says the services or IP addresses that are allowed to send email for your domain. In simple English, this means the part after the @ in your email address.

DKIM, or Domain Keys Identified Mail, is a digital signature in the message header. This is encrypted and the public key is published in the DNS records for your domain.

DMARC, or Domain-based Message Authentication Reporting and Conformance is a policy that you publish in your Domain’s DNS records that tells a receiving email system what to do with emails that fail the SPF and DKIM tests above.

Don’t worry if you’re a little confused – these capabilities are all included in Office 365, they just require configuring correctly. Securing Office 365 against Spoofing helps you to dramatically reduce the chances of anyone being able to send emails to customers or clients while pretending to be you or someone at your business.

When The Phishing Gets Through

So if an email with a phishing link in it does get through, how can you protect against the consequences of the user clicking on this? At this point, you need to secure your Office 365 against phishing.

This can be done in two ways:

Advanced Threat Protection (ATP) offers Safe Links, to help protect against Phishing. This works by opening every link into a neutral area that can decide whether or not the website is malicious. If it is, it will not let you proceed onto the site. It also offers a Safe Attachments feature, where an email attachment is opened and tested in a virtual environment before the user receives it. If the attachment is determined to be malicious, it will be removed automatically. If the attachment is safe, it will open as expected when the user clicks on it.

If you implement Office 365 Advanced Threat Protection, then there will be a small delay between an email with an attachment arriving in your inbox and you being able to open the attachment – the time taken for the service to scan it for you.

Multi-Factor Authentication (MFA) provides protection in case a bad guy does obtain your Office 365 password, for example by you clicking on a phishing link. This prompts an additional factor check they have to pass in order to be able to sign in – which they won’t have.

You can configure how you receive this additional factor, so for example it might be a one-time 6 digit code that Microsoft text to your mobile phone, or you might use the Microsoft Authenticator App on your phone.

When you set MFA up, you can configure it to give users the option to remember their device for a period of time, such as 30 days, which means they will only be prompted for the additional factor every 30 days on that device (e.g. their work PC, or smart Phone) rather than every time they used it. If they or anyone else tries to sign in to their Office 365 account from any other device they will be prompted by MFA.

Extra security can mean extra inconvenience for users, so make sure that you explain the benefits of the additional security and the impact on the users before rolling these features out. If you’re feeling concerned or uncertain about the best way to configure your Office 365 email account, or have any concerns about your email security, then contact Compete 366 for a free discussion with one of our Office 365 Consultants on how to maximise your email security.

Contact Us


f Back to Blog posts

Interested in finding out more?

Contact Us FAQs