Picture this. The company executive is sent an email that looks legit, with a link in it. Unthinkingly, they click the link which provides all their mailbox credentials to people who know exactly what to do with this information. They remotely sign in, set up rules to cover their tracks, and then email the finance department to pay a new supplier, or email a customer asking to pay an invoice into a new account.
Disaster, right?
This is the reality of phishing and spoofing. At best, they can cost you time and effort, and at worst they can damage your relationship with customers, or cost you a huge amount financially. It’s a confusing world of potential out there, but we have you covered with our guide to email security.
The good news is that Office 365 email security is actually inherent to the platform, and it has a lot of protection built into it. There are also some additional protections that you can configure, and advice on making sure you can protect your Office 365 email.
What’s the big deal with spam?
When it comes to understanding the harm that email spam can cause, it’s important to understand exactly what spam is. Also known as junk mail, these are unsolicited email messages that you get in large quantities. Often they are trying to encourage you to buy something, or seem commercial in nature. Others contain links to phishing websites (which we’ll cover in a little bit) or include malware.
Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software. Generally, malware is used to either disrupt the operation of businesses or corporations, or to get the kind of guarded information you may not want other people to have.
So what is spoofing?
Spoofing, on the other hand, is the creation of email messages with a forged sender address. Spoofers can mask who the sender is because the core email protocol (SMTP) does not have any mechanism for authentication. This means that they can lie to the receiver about where the message has come from. This is what enables the bad guys to spoof domains and pretend to be who they want you to think they are. They then include phishing links or malware in these emails that you believe to be from an organisation that you trust.
To help protect yourself and your customers against spoofing you can implement a number of additional email checks and policies that have evolved to address these shortcomings in the core email protocol.
These are known as Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting and Conformance.
SPF, or Sender Policy Framework, is a record that you publish in your DNS that lists the services or IP addresses that are allowed to send email for your domain. In simple English, your domain is the part after the @ in your email address.
DKIM, or DomainKeys Identified Mail, is a digital signature in the message header. The signature is created with a private key, and the matching public key is published in the DNS records for your domain so that receiving systems can check it.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a policy that you publish in your domain’s DNS records that tells a receiving email system what to do with emails that fail the SPF and DKIM tests above.
Don’t worry if you’re a little confused – these capabilities are all included in Office 365, they just require configuring correctly. Securing Office 365 against Spoofing helps you to dramatically reduce the chances of anyone being able to send emails to customers or clients while pretending to be you or someone at your business.
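To show what "configuring correctly" looks like in the DNS records themselves, here is an added example (not from the original article or from Microsoft) that audits SPF and DMARC TXT records for weak settings. The function names are hypothetical and every record is a constructed sample for the placeholder domain example.com; `include:spf.protection.outlook.com` is the SPF include Microsoft publishes for Office 365 mail.

```python
# Added example: audit SPF and DMARC TXT records for weak settings.
# Every record below is a constructed sample for the placeholder domain example.com.

SPF_ALL = {
    "+": "+all lets any server pass SPF for this domain",
    "?": "?all gives unlisted senders a neutral result",
    "~": "~all only soft-fails unlisted senders",
}

def audit_spf(txt_records):
    """Return a list of weaknesses in a domain's SPF record (empty list = none found)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return ["policy is delegated with redirect=; audit the target record"]
        return ["no 'all' term: unlisted senders get a neutral result"]
    # A bare "all" has an implicit "+" qualifier; "-all" (hard fail) is the strict form.
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    return [SPF_ALL[qualifier]] if qualifier in SPF_ALL else []

def audit_dmarc(txt_records):
    """Return a list of weaknesses in the TXT records found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["expected exactly one v=DMARC1 record, found %d" % len(dmarc)]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s: failing mail is still delivered" % (policy or "(missing)"))
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports are received")
    return findings

# Constructed records: a weak pair and a corrected pair.
WEAK_SPF = ["v=spf1 include:spf.protection.outlook.com ~all"]
STRONG_SPF = ["v=spf1 include:spf.protection.outlook.com -all"]
WEAK_DMARC = ["v=DMARC1; p=none"]
STRONG_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]
if __name__ == "__main__":
    print(audit_spf(WEAK_SPF), audit_spf(STRONG_SPF))
    print(audit_dmarc(WEAK_DMARC), audit_dmarc(STRONG_DMARC))
```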
When The Phishing Gets Through
So if an email with a phishing link in it does get through, how can you protect against the consequences of the user clicking on this? At this point, you need to secure your Office 365 against phishing.
This can be done in two ways:
- Buy and configure an add-on product called Office 365 Advanced Threat Protection.
- Configure Office 365 Multi Factor Authentication.
Advanced Threat Protection (ATP) offers Safe Links, to help protect against phishing. This works by opening every link into a neutral area that can decide whether or not the website is malicious. If it is, it will not let you proceed onto the site. It also offers a Safe Attachments feature, where an email attachment is opened and tested in a virtual environment before the user receives it. If the attachment is determined to be malicious, it will be removed automatically. If the attachment is safe, it will open as expected when the user clicks on it.
If you implement Office 365 Advanced Threat Protection, then there will be a small delay between an email with an attachment arriving in your inbox and you being able to open the attachment – the time taken for the service to scan it for you.
Multi-Factor Authentication (MFA) provides protection in case a bad guy does obtain your Office 365 password, for example by you clicking on a phishing link. This prompts an additional factor check they have to pass in order to be able to sign in – which they won’t have.
You can configure how you receive this additional factor, so for example it might be a one-time 6-digit code that Microsoft text to your mobile phone, or you might use the Microsoft Authenticator App on your phone.
When you set MFA up, you can configure it to give users the option to remember their device for a period of time, such as 30 days, which means they will only be prompted for the additional factor every 30 days on that device (e.g. their work PC, or smartphone) rather than every time they use it. If they or anyone else tries to sign in to their Office 365 account from any other device they will be prompted by MFA.
Extra security can mean extra inconvenience for users, so make sure that you explain the benefits of the additional security and the impact on the users before rolling these features out. If you’re feeling concerned or uncertain about the best way to configure your Office 365 email account, or have any concerns about your email security, then contact Compete 366 for a free discussion with one of our Office 365 Consultants on how to maximise your email security.