Our ongoing series on Microsoft 365 administration turns to one of the most important areas every admin faces: email security. Microsoft provides several categories of email security policies by default throughout Microsoft 365. You can find them here or by browsing through the Admin center to All admin centers/security/threat protection/policy. This is not just where you create the policies; it is also where you manage them.
Before we begin looking at the settings I recommend, note the definitions of each policy as Microsoft gives them in the graphic above. For ongoing management it is important that you understand which policy is responsible for what. Double-click each one to configure it.
Create a new policy. Add your email domains that the policy will apply to.
Next, configure the impersonation settings.
Here you specify which users are most likely to be targeted by impersonation attempts. You can select up to 60 users, but unfortunately not groups, so this is a very manual process.
Pay special attention to the Domains to protect section. You can, of course, protect your own domains, but you can also protect domains that you email with frequently. Microsoft will then check inbound mail for look-alikes of those domains, so that you are not receiving impersonated email that appears to come from a partner you trust.
Be sure not to miss turning on the safety tips. These alert your users to a suspected impersonation inside the message itself as they read it.
Next, enable the mailbox intelligence features. Mailbox intelligence learns who each user normally communicates with; if a message then arrives from a sender whose display name matches a regular contact but whose address does not, the message is flagged. This is a common redirection technique used in scams: the attacker borrows the name of someone you already trust and hopes nobody looks at the address.
In the Add trusted senders and domains section, you allow-list senders and domains that are being falsely flagged as impersonation. Often this occurs because of email misconfiguration on their end that you need to account for. Note that entries here are exempt only from the impersonation checks, not from the rest of the filtering stack. Be sure to save your policy at this point, then come back into it to configure the anti-spoofing settings.
Here you simply enable spoof intelligence and choose what to do with the messages it catches. And finally, under Advanced Features, you select how aggressively you want phishing messages to be filtered.
Until recently, I would have told you to slide this all the way to Most aggressive. However, Microsoft seems to have recalibrated the scale, and we now find that Standard is more than sufficient; even at that level we still see plenty of false positives.
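The same anti-phishing policy, built in one pass from Exchange Online PowerShell rather than the portal. This is an added example and not code from the original article; it assumes the ExchangeOnlineManagement module, a Defender for Office 365 (ATP) license, and placeholder names: the domains contoso.example and contoso.onmicrosoft.com, the partner domains, the trusted-sender entries, and a distribution group called "Executives". The group is what gets around the "users, not groups" limitation above: the cmdlet still wants individual users, but PowerShell can build that list from group membership for you. Cmdlet parameter names have shifted over the years, so confirm them with Get-Help New-AntiPhishPolicy in your tenant before running.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and a Defender for Office 365 license. All names and domains are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$PolicyName  = "Contoso Anti-Phish"                               # assumed
$OurDomains  = @("contoso.example", "contoso.onmicrosoft.com")     # assumed
$PartnerDoms = @("bigpartner.example", "payroll-vendor.example")   # assumed partners we mail with often

# Users most likely to be impersonated, in the "DisplayName;smtp" format the cmdlet
# expects. The portal makes you add them one at a time; here the list comes from an
# assumed distribution group. The cmdlet rejects lists longer than the current limit.
$TargetedUsers = Get-DistributionGroupMember -Identity "Executives" |
    ForEach-Object { "$($_.DisplayName);$($_.PrimarySmtpAddress)" }

$policy = @{
    Name                                 = $PolicyName
    AdminDisplayName                     = "Impersonation, mailbox intelligence and spoof protection"
    # Impersonation: protected users and domains
    EnableTargetedUserProtection         = $true
    TargetedUsersToProtect               = $TargetedUsers
    TargetedUserProtectionAction         = "Quarantine"
    EnableOrganizationDomainsProtection  = $true            # all of our own accepted domains
    EnableTargetedDomainsProtection      = $true
    TargetedDomainsToProtect             = $PartnerDoms
    TargetedDomainProtectionAction       = "Quarantine"
    # Mailbox intelligence: learn each user's contact graph and act on look-alike senders
    EnableMailboxIntelligence            = $true
    EnableMailboxIntelligenceProtection  = $true
    MailboxIntelligenceProtectionAction  = "MoveToJmf"
    # Safety tips shown in the message
    EnableSimilarUsersSafetyTips         = $true
    EnableSimilarDomainsSafetyTips       = $true
    EnableUnusualCharactersSafetyTips    = $true
    # "Trusted senders and domains": exceptions to the impersonation checks only
    ExcludedSenders                      = @("noreply@trusted-saas.example")   # assumed
    ExcludedDomains                      = @("trusted-saas.example")           # assumed
    # Anti-spoofing (the portal makes you save and come back for this; one call here)
    EnableSpoofIntelligence              = $true
    AuthenticationFailAction             = "MoveToJmf"
    EnableUnauthenticatedSender          = $true
    # Advanced phishing threshold: 1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive
    PhishThresholdLevel                  = 1
}
New-AntiPhishPolicy @policy

# A policy does nothing until a rule scopes it. Priority 0 puts it ahead of any other custom policy.
New-AntiPhishRule -Name "$PolicyName rule" -AntiPhishPolicy $PolicyName `
    -RecipientDomainIs $OurDomains -Priority 0

# Verify what actually got applied rather than trusting the portal's summary page.
Get-AntiPhishPolicy -Identity $PolicyName |
    Format-List Enable*, PhishThresholdLevel, TargetedUsersToProtect, TargetedDomainsToProtect, Excluded*
```

Keeping the policy in a hashtable like this also gives you something you can check into source control and re-apply to a second tenant, which is a lot more repeatable than the screenshots-and-clicks approach the portal forces on you.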
ATP safe attachments
Your first task in this section of Microsoft 365 email security configurations is to check the tiny boxes at the top of the page. Depending on your licensing level, you’ll have one or more to check. These checkboxes enable Microsoft to scan attachments not just in email but also in files in SharePoint, OneDrive, Teams, and Office applications.
Next, you’ll create a policy that determines how you want attachments with potential malware handled.
It would probably never be appropriate to choose Off or Monitor here. Instead, choose Block, Replace, or Dynamic Delivery. Dynamic Delivery is my choice, but I also have clients that hate it. Dynamic Delivery delivers the email immediately with a placeholder attachment; once the scanning process has finished, the placeholder is replaced with the file. It also offers the option of letting the recipient preview the attachment as a read-only document until scanning has finished. Keep in mind that with Dynamic Delivery the message body, and any links in it, are readable before the scan completes; the placeholder protects against the attachment only. The messaging during the process seems clear enough to me, but it does expose how long scanning takes (it can be up to 30 minutes), which makes some people mad. By contrast, if the email isn't delivered until the scan has finished, they think it all happened instantly.
ATP safe links
There are two policies in this section. In the first one, you have the option of blocking domains where you never want URLs to be clicked. It is essentially a domain and URL blocklist. Farther down on that policy page is where you tell Microsoft to also check URLs in Office applications for safety. But how is safety judged? By domain reputation and by Microsoft detonating the links. Since detonation takes some time and is not done right away, and the URL is not blocked until it has completed, please tell your users to go slow when clicking on URLs. Just because we have this setting turned on does not mean the URL is safe. It really only means that its reputation has been checked and that it is in the queue for detonation.
The second policy is in a misnamed section called Policies that apply to specific users. I suppose you could scope it that way, but I select the whole domain rather than a subset of users for these settings.
Here we turn the settings on and check the boxes. Further down the policy, you can enter domains where you don't want the URL rewritten, which effectively means those URLs are not checked at click time. Every entry on that list is a hole in the protection, so keep it short.
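The Safe Attachments and Safe Links settings from the two sections above, applied from Exchange Online PowerShell. This is an added example, not code from the original article. It assumes a Defender for Office 365 license, placeholder domains (contoso.example, contoso.onmicrosoft.com), a placeholder security mailbox, an intranet URL for the do-not-rewrite list, and, for the URL blocklist, the Tenant Allow/Block List cmdlet that newer tenants use in place of the "block the following URLs" box in the Safe Links global settings. One setting worth calling out against the caveat above: DeliverMessageAfterScan holds the message until URL scanning finishes instead of delivering first and blocking later, which trades a little latency for not relying on users to "go slow". Parameter names have changed over time; check Get-Help New-SafeLinksPolicy in your tenant first.

```powershell
# Added example (not from the original article). Assumes ExchangeOnlineManagement and a
# Defender for Office 365 license. Domains, names and addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$OurDomains = @("contoso.example", "contoso.onmicrosoft.com")   # assumed

# The "tiny boxes at the top of the page": Safe Attachments for SharePoint, OneDrive and
# Teams, plus Safe Documents for Office desktop apps (no click-through on a bad verdict).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false

# Safe Attachments: Dynamic Delivery, with detected malware copied to the security
# team's mailbox (assumed) so the sample is available for investigation.
$sa = @{
    Name            = "Contoso Safe Attachments"
    Enable          = $true
    Action          = "DynamicDelivery"   # alternatives: Block, Replace; never Allow (Monitor)
    Redirect        = $true
    RedirectAddress = "secops@contoso.example"
}
New-SafeAttachmentPolicy @sa
New-SafeAttachmentRule -Name "$($sa.Name) rule" -SafeAttachmentPolicy $sa.Name `
    -RecipientDomainIs $OurDomains -Priority 0

# URLs that should never be clickable, regardless of reputation. Newer tenants keep this
# in the Tenant Allow/Block List; wildcard the path so every page on the host is covered.
New-TenantAllowBlockListItems -ListType Url -Block -Entries @("known-bad.example/*") -NoExpiration

# Safe Links: rewrite and check URLs in mail, Teams and Office apps.
$sl = @{
    Name                     = "Contoso Safe Links"
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true     # real-time scanning, not just a reputation lookup
    DeliverMessageAfterScan  = $true     # hold the message until scanning completes
    EnableForInternalSenders = $true     # internal mail gets rewritten too; compromised accounts send from inside
    TrackClicks              = $true     # keeps the click log you will want during incident response
    AllowClickThrough        = $false    # users cannot bypass the warning page
    DoNotRewriteUrls         = @("https://intranet.contoso.example/*")   # assumed; keep this list short
}
New-SafeLinksPolicy @sl
New-SafeLinksRule -Name "$($sl.Name) rule" -SafeLinksPolicy $sl.Name `
    -RecipientDomainIs $OurDomains -Priority 0

# Verify the effective settings.
Get-SafeAttachmentPolicy -Identity $sa.Name | Format-List Enable, Action, Redirect*
Get-SafeLinksPolicy -Identity $sl.Name |
    Format-List EnableSafeLinksFor*, ScanUrls, DeliverMessageAfterScan, AllowClickThrough, DoNotRewriteUrls
```

If the Safe Attachments policy is later switched from Dynamic Delivery to Block because users complain about the 30-minute wait, the Safe Links DeliverMessageAfterScan setting is the one that keeps the "deliver, then check" gap from reopening on the URL side.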
In the anti-spam section you'll see a list of policies. You only need to configure the policy for the domain you use for email, and you should make sure it is the first policy in the list. This is the one we are going to edit.
Starting at the top of this extensive policy, we tell Microsoft where we want messages it identifies as spam or phish to be delivered. There is a high number of false positives right now; this does change over time as Microsoft makes adjustments. We didn't used to have much in the way of false positives, but we do now. So, we send high-confidence spam and phish to quarantine but send the regular level to the Junk folder in Outlook. Here I also set the quarantine retention to 30 days, which is the maximum. You want this to just exceed the longest holiday or vacation your users take, so that nothing expires from quarantine before they are back to review it.
Finally, we turn on Safety tips and Zero-hour auto purge. Zero-hour auto purge (ZAP) removes email after delivery if Microsoft later discovers that the content was malicious: the sending domain's reputation has collapsed, a URL has been redirected to a bad site, and so on. Either way, the email was later found to be bad, and Microsoft goes back and pulls it from the inbox after delivery.
Allow and blocklists
These are self-explanatory places where you can manually list a domain or email address as "allowed" or "blocked always." Be sparing with allowed entries, especially whole domains: an allowed domain bypasses the spam filtering entirely, and attackers who can spoof that domain get a free pass into the inbox. Prefer allowing individual addresses, and revisit the list regularly.
This section is a straight-up block of languages, countries, and regions. Although it is easy to understand, do not underestimate the power this section has to reduce the amount of malicious mail received by your domain. I recommend blocking every country and region the business does not have a relationship with. I typically use the countries and regions rather than the language settings, but you can use either or both as required.
My special tip for you on selecting countries is to skip this for now, then go into the Exchange Admin Center, select Spam policy, and add your blocked countries from that screen instead. Why? Because here you have to select countries one by one, and there you can shift-click to select a whole range of them.
This seems to conclude the policy configuration, but there is one more hidden in the policy summary. It’s the highlighted link below. When viewing your policy summary, you need to click that link that I’ve highlighted in yellow.
Here is where you enter a number, in days, for how often a quarantine notification email should be delivered. Most people want a daily digest of what is in their quarantine; some also want to check it on demand, but I have never met the person who wants to hear about the quarantine less often.
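The anti-spam policy from the preceding steps, including the country block and the quarantine digest, as one Exchange Online PowerShell script. This is an added example and not code from the original article. It assumes placeholder domains (contoso.example, contoso.onmicrosoft.com), placeholder allow/block entries, and two deliberately harmless region codes (Antarctica and Bouvet Island) standing in for the countries your business has no relationship with; substitute your own ISO 3166-1 alpha-2 codes. Doing this in PowerShell also sidesteps the one-country-at-a-time clicking described above. The end-user notification parameters are the older way of setting the digest frequency; in newer tenants that lives on the quarantine policy instead, so check Get-Help New-HostedContentFilterPolicy in your tenant before running.

```powershell
# Added example (not from the original article). Assumes ExchangeOnlineManagement.
# Domains, addresses and region codes are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$OurDomains = @("contoso.example", "contoso.onmicrosoft.com")   # assumed

# Countries/regions with no business relationship, as ISO 3166-1 alpha-2 codes.
# AQ and BV (Antarctica, Bouvet Island) are placeholders; put your real list here.
$BlockedRegions = @("AQ", "BV")

$spam = @{
    Name                             = "Contoso Anti-Spam"
    # Regular verdicts go to the Junk folder; high-confidence verdicts go to quarantine.
    SpamAction                       = "MoveToJmf"
    HighConfidenceSpamAction         = "Quarantine"
    PhishSpamAction                  = "MoveToJmf"
    HighConfidencePhishAction        = "Quarantine"
    BulkSpamAction                   = "MoveToJmf"
    BulkThreshold                    = 6
    # 30 days is the maximum; size it to outlast the longest vacation in the org.
    QuarantineRetentionPeriod        = 30
    InlineSafetyTipsEnabled          = $true
    # Zero-hour auto purge for spam and phish verdicts that arrive after delivery.
    ZapEnabled                       = $true
    SpamZapEnabled                   = $true
    PhishZapEnabled                  = $true
    # Geographic block. The language block works the same way via
    # EnableLanguageBlockList / LanguageBlockList.
    EnableRegionBlockList            = $true
    RegionBlockList                  = $BlockedRegions
    # Allow/block lists. Allowed entries bypass spam filtering, so allow individual
    # addresses rather than whole domains, and keep the list short.
    AllowedSenders                   = @("invoices@trusted-vendor.example")   # assumed
    BlockedSenderDomains             = @("spammy-marketing.example")          # assumed
    # End-user quarantine digest, in days (1 = daily). Older-tenant parameters; newer
    # tenants set this on the quarantine policy instead.
    EnableEndUserSpamNotifications   = $true
    EndUserSpamNotificationFrequency = 1
}
New-HostedContentFilterPolicy @spam

# Bind the policy to our domains at Priority 0 so it sits first in the list and wins over Default.
New-HostedContentFilterRule -Name "$($spam.Name) rule" -HostedContentFilterPolicy $spam.Name `
    -RecipientDomainIs $OurDomains -Priority 0

# Verify the actions, retention, ZAP flags and lists that were actually applied.
Get-HostedContentFilterPolicy -Identity $spam.Name |
    Format-List *Action, BulkThreshold, QuarantineRetentionPeriod, *Zap*, RegionBlockList, AllowedSender*, BlockedSender*
```

Re-running Get-HostedContentFilterPolicy on a schedule and diffing the output against this hashtable is a cheap way to catch someone quietly adding an allowed domain "just to make a vendor's mail work".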
For those that want to review the quarantine more frequently, they should bookmark this URL.
Enhanced filtering and DKIM
Enhanced filtering for connectors is a feature for the special case where your email is delivered first to another location, such as a third-party filtering service or an on-premises gateway, before being relayed into Microsoft's filtering. Without it, Microsoft sees the relay's IP address as the sender, which breaks SPF and spoof checks for every message; enhanced filtering tells it to skip past that hop and evaluate the original source. We covered DKIM in another article on DNS configuration.
The anti-malware policy is similar to the others in that you have things to turn on. The first is Malware detection response, and here you decide whether the user can release a message flagged as containing malware or whether that requires an administrator. In my practice, we DO require an admin to release any message that was flagged as containing malware, and we write a short custom notification so the user knows what is going on.
Under Common attachment types filter, you'll want to select all of them unless you have a specific reason not to. If you're familiar with the Outlook attachment blocklist, you'll recognize this list. Microsoft expanded the list considerably recently, so even if you've set this previously, revisit it and select all of the newly identified, potentially malicious extensions.
Finally, you turn on zero-hour auto purge again and select whether to notify internal senders, external senders, or administrators.
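The anti-malware policy above from Exchange Online PowerShell, with the extension list built from Microsoft's current default so that the recently added extensions are picked up automatically rather than by re-reading the portal. This is an added example and not code from the original article. It assumes a placeholder security mailbox, a handful of placeholder extra extensions, and the newer FileTypeAction and QuarantineTag parameters (the built-in AdminOnlyAccessPolicy quarantine policy is what enforces "only an admin can release"); confirm both with Get-Help Set-MalwareFilterPolicy in your tenant before running.

```powershell
# Added example (not from the original article). Assumes ExchangeOnlineManagement.
# Addresses and the extra extensions are placeholders; FileTypeAction and QuarantineTag
# are newer parameters that may not exist in older tenants.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Start from Microsoft's current default list (this is how you inherit the additions the
# article mentions) and add anything the business wants blocked as well. Lower-case and
# de-duplicate so the cmdlet does not reject repeated entries.
$Default   = @((Get-MalwareFilterPolicy -Identity Default).FileTypes)
$Extra     = @("iso", "img", "vhd", "vhdx", "one", "xll")   # assumed additions
$FileTypes = ($Default + $Extra) | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

$mal = @{
    Identity                               = "Default"
    # Common attachment types filter
    EnableFileFilter                       = $true
    FileTypes                              = $FileTypes
    FileTypeAction                         = "Quarantine"           # or Reject (NDR back to the sender)
    # Malware detection response: only an admin can release, via the built-in quarantine policy
    QuarantineTag                          = "AdminOnlyAccessPolicy"
    # Zero-hour auto purge for malware found after delivery
    ZapEnabled                             = $true
    # Notifications. Telling external senders their attachment was caught hands attackers
    # free feedback on which payloads work, so route everything to the security team.
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = "secops@contoso.example"   # assumed
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = "secops@contoso.example"   # assumed
}
Set-MalwareFilterPolicy @mal

# Confirm the list grew and the release model is admin-only.
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableFileFilter, @{ n = "FileTypeCount"; e = { $_.FileTypes.Count } },
                  FileTypeAction, QuarantineTag, ZapEnabled, *AdminNotifications
```

Keeping $Extra in the script means that when Microsoft expands the default list again you just re-run it: the new defaults merge in, your additions stay, and nothing you selected by hand last year silently drops off.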
Among the office add-ins is an email reporting tool that lets users report any email that was missed by this extensive list of filtering.
By selecting to enable the Report Message feature, this add-in will be deployed. In the admin settings, you can choose to have the reported messages sent to Microsoft, to your messaging admin or both. If you have previously deployed the add-in but want to remove it, you can also disable the feature here.
Microsoft 365 administration email security: More to come
By no means have we exhausted the email security settings available in Microsoft 365. What we’ve done is set up the basic spam, malware, and phishing protections. This will get you off to a good start in Microsoft 365 email security, and later we’ll add to our email security with Exchange transport rules and alerting policies.
Featured image: Business vector created by Freepik