Microsoft Office 365 (O365) is used across almost every industry, and it is routinely entrusted with sensitive mail and documents, so it should be configured as securely as possible. Digital Edge's cybersecurity team put together a short list of ways to harden your O365 tenant.
Here are some tips on securing your O365:
1. Add your custom domains to O365 and keep them Authoritative
When you add a domain to Office 365, it is automatically added as an accepted domain in Exchange Online with the domain type set to Authoritative. Authoritative means that the Global Address List (GAL) is the complete list of valid addresses in that domain: if there is no GAL entry for an email address (user, group, public folder or other recipient), then as far as Exchange Online is concerned that address does not exist, and mail for it can be refused at the edge instead of being accepted and bounced later. Check this setting for every domain you add, because a domain that is later switched to Internal Relay loses that protection.
2. Consider enabling Directory-Based Edge Blocking (DBEB)
Directory Based Edge Blocking (DBEB) rejects messages for invalid recipients at the service network perimeter, before they are accepted for filtering. It is applied automatically to accepted domains of type Authoritative: once your mail-enabled recipients exist in Exchange Online, every message sent to an address in that domain that is not present in the directory is rejected. If you have a hybrid Exchange environment or another connected mail system in which not all of your protected recipients are synchronized into Exchange Online's directory, DBEB would reject mail for the recipients it cannot see; in that case you may need to disable it for that domain by changing the domain type to Internal Relay, which relays mail for unknown recipients on to the connected environment instead of rejecting it.
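The following Exchange Online PowerShell session is an added example and is not part of the original article. It lists the accepted domains, warns about any that are not covered by DBEB, and shows the two domain-type settings discussed above. It assumes the ExchangeOnlineManagement module is installed and that admin@contoso.com and contoso.com are placeholders for your admin account and custom domain.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module; admin@contoso.com and contoso.com are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Show every accepted domain and its type. DBEB only applies to Authoritative domains.
Get-AcceptedDomain |
    Select-Object DomainName, DomainType, Default |
    Format-Table -AutoSize

# Flag domains that are not Authoritative: mail to unknown recipients in these
# domains is not rejected at the edge.
$unprotected = Get-AcceptedDomain | Where-Object { $_.DomainType -ne 'Authoritative' }
foreach ($d in $unprotected) {
    Write-Warning ("{0} is {1}: not covered by DBEB" -f $d.DomainName, $d.DomainType)
}

# A domain whose recipients all live in Exchange Online should be Authoritative so
# that DBEB rejects invalid recipients at the perimeter.
Set-AcceptedDomain -Identity 'contoso.com' -DomainType Authoritative

# Hybrid or shared namespace: recipients that are not synchronized to Exchange Online
# would be rejected, so use InternalRelay instead. This is what "disabling DBEB"
# for a domain means in practice; mail for unknown recipients is relayed onward
# through your connector rather than rejected.
# Set-AcceptedDomain -Identity 'contoso.com' -DomainType InternalRelay
```

The warning loop is the useful part to keep as a recurring check: a domain that was set to Internal Relay during a migration is easy to forget, and it silently turns off edge blocking for that namespace.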
3. Sender Policy Framework (SPF)
An SPF record is a DNS TXT record that lists the servers allowed to send mail on behalf of your custom domain. Receiving systems check the envelope sender of each message against it and can reject or flag messages that claim your domain but arrive from a server you did not authorize. Microsoft outlines how it should be set up for Office 365: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide
4. Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC adds a policy layer on top of SPF and DKIM and can help reduce or eliminate spoofed phishing mail. The domain owner publishes a DNS record that tells receiving systems what to do with a message whose From: domain fails both SPF and DKIM alignment (monitor only, quarantine, or reject) and where to send aggregate reports about those failures. Because DMARC relies on SPF and DKIM, set those two up first and start with a monitor-only policy until the reports show that your legitimate mail passes. For more information: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide
5. DomainKeys Identified Mail (DKIM)
Enable DKIM signing for each custom domain in your tenant so that outbound messages carry a cryptographic signature that receivers can verify against a public key published in your DNS. Use DKIM in addition to SPF and DMARC to make it harder for spammers to send messages that look like they come from your domain: SPF alone breaks when mail is forwarded, and DMARC needs at least one of SPF or DKIM to pass with alignment. More detailed information is here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide
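As an added example covering tips 3, 4 and 5 together (this is not code from the original article), the PowerShell below prints the SPF and DMARC records to publish at your DNS provider, creates the DKIM signing configuration in Exchange Online and prints the two CNAME records it needs, then checks DNS and enables DKIM signing only once the CNAMEs resolve. It assumes the ExchangeOnlineManagement module, a Windows host (Resolve-DnsName is Windows-only), and placeholder values for admin@contoso.com, contoso.com and dmarc-reports@contoso.com.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and Windows (for Resolve-DnsName); all contoso.com values are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
$domain = 'contoso.com'

# --- SPF (tip 3): TXT record at the domain apex, published at your DNS provider.
# Only Microsoft 365 may send for this domain; "-all" tells receivers to fail anything else.
$spfRecord = 'v=spf1 include:spf.protection.outlook.com -all'
"$domain  TXT  $spfRecord"

# --- DKIM (tip 5): make sure a signing configuration exists (left disabled for now)
# and read the two CNAMEs that must be in DNS before signing can be switched on.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $domain
"selector1._domainkey.$domain  CNAME  $($dkim.Selector1CNAME)"
"selector2._domainkey.$domain  CNAME  $($dkim.Selector2CNAME)"

# --- DMARC (tip 4): TXT record at _dmarc.<domain>. Start at p=none to collect reports,
# then move to p=quarantine and finally p=reject once SPF/DKIM alignment is clean.
$dmarcRecord = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@contoso.com; pct=100'
"_dmarc.$domain  TXT  $dmarcRecord"

# --- Verification, to run after the DNS changes have propagated.
$spfLive   = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings -match '^v=spf1'
$dmarcLive = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings -match '^v=DMARC1'
$cname1    = (Resolve-DnsName -Name "selector1._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
$cname2    = (Resolve-DnsName -Name "selector2._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost

if (-not $spfLive)   { Write-Warning "No SPF record published for $domain" }
if (-not $dmarcLive) { Write-Warning "No DMARC record published for $domain" }
elseif ($dmarcLive -match 'p=none') { Write-Warning "DMARC for $domain is monitor-only; tighten it once reports look clean" }

# Enable DKIM signing only when both CNAMEs resolve to the values Exchange Online expects.
# Enabling it earlier fails (the service checks the CNAMEs) and mail would stay unsigned.
if ($cname1 -eq $dkim.Selector1CNAME -and $cname2 -eq $dkim.Selector2CNAME) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    "DKIM signing enabled for $domain"
} else {
    Write-Warning "DKIM CNAMEs for $domain are not published yet; signing left disabled"
}
```

The order matters: publish SPF and the DKIM CNAMEs, enable signing, confirm both pass in the DMARC aggregate reports, and only then raise the DMARC policy from p=none. Any third-party service that sends as your domain (marketing, ticketing, payroll) needs its own include in the SPF record or its own DKIM key, otherwise a reject policy will drop its mail.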
6. Configure the following in the O365 Security and Compliance Center (very basic but often overlooked):
- Spam filtering (the anti-spam policy: what happens to spam, high-confidence spam and phish, and the bulk-mail threshold)
- Connection filter policies (IP allow and block lists; review the allow list regularly, since messages from listed IPs skip spam filtering)
- Alert policies (so that suspicious activity such as new forwarding rules, mass deletions or unusual sign-ins is reported to someone)
- DLP policies (to detect and block sensitive data leaving the tenant by mail or sharing)
7. Make sure that IMAP and POP3 access to mailboxes is disabled unless a mailbox has a documented need for them. These legacy protocols are typically used with basic authentication (username and password only), which is what most password-spraying and credential-stuffing attacks against O365 target, so leaving them enabled gives an attacker who obtains a password a quiet way to download an entire mailbox. Disable them on existing mailboxes and on the defaults that new mailboxes inherit.
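The following is an added example, not code from the original article. It reports every mailbox that still has IMAP or POP enabled, disables both protocols on them, and turns them off in the CAS mailbox plans so that newly created mailboxes do not get them back. It assumes the ExchangeOnlineManagement module and uses admin@contoso.com as a placeholder.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module; admin@contoso.com is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Report every mailbox that still allows IMAP or POP.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled
$legacy | Format-Table -AutoSize

# Disable both protocols on those mailboxes. Users on Outlook, OWA or the mobile
# Outlook app are unaffected; only IMAP/POP clients stop working.
foreach ($m in $legacy) {
    Set-CASMailbox -Identity $m.PrimarySmtpAddress -ImapEnabled $false -PopEnabled $false
}

# New mailboxes take their protocol settings from the CAS mailbox plan, so turn the
# protocols off there as well or the next mailbox you create will have them enabled.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -ImapEnabled $false -PopEnabled $false
}

# Re-run the report; it should now return nothing.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled
```

If a shared mailbox genuinely needs IMAP for an application, leave that one enabled and document it; the first report doubles as the exception list you review each quarter.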
8. Configure spoof protection (spoof intelligence)
Spoof intelligence in Exchange Online Protection detects senders that spoof your domains or external domains and lets you allow the legitimate ones (for example, a third-party service that sends as your domain) while blocking or quarantining the rest. An easy guide on how to set this up can be found here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/learn-about-spoof-intelligence?view=o365-worldwide
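As an added example that serves both tip 6 and tip 8 (it is not code from the original article), the PowerShell below audits the settings those tips ask you to check: the anti-spam actions, the connection-filter allow list, the spoof-intelligence settings in the anti-phish policy, and the alert and DLP policies in the Security & Compliance endpoint. It then turns spoof intelligence on in the default anti-phish policy. It assumes the ExchangeOnlineManagement module, that admin@contoso.com is a placeholder, and that the tenant still has the default anti-phish policy name "Office365 AntiPhish Default".

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module; admin@contoso.com is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Tip 6, spam filtering: what the anti-spam policy does with each verdict.
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                  HighConfidencePhishAction, BulkThreshold |
    Format-Table -AutoSize

# Tip 6, connection filter: anything on the IP allow list skips spam filtering,
# so every entry here should be known and justified.
Get-HostedConnectionFilterPolicy |
    Select-Object Name, IPAllowList, IPBlockList, EnableSafeList |
    Format-List

# Tip 8, spoof protection: is spoof intelligence on, and what happens to mail that fails it?
Get-AntiPhishPolicy |
    Select-Object Name, Enabled, EnableSpoofIntelligence, EnableUnauthenticatedSender,
                  AuthenticationFailAction |
    Format-Table -AutoSize

# Turn spoof intelligence on in the default policy and quarantine spoofed messages
# instead of delivering them to the Junk folder.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -EnableUnauthenticatedSender $true `
    -AuthenticationFailAction Quarantine

# Tip 6, alert and DLP policies live behind the Security & Compliance endpoint.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Alert policies that someone switched off are worth a second look.
Get-ProtectionAlert |
    Where-Object { $_.Disabled } |
    Select-Object Name, Category |
    Format-Table -AutoSize

# DLP policies and whether they are enforcing or only testing.
Get-DlpCompliancePolicy |
    Select-Object Name, Mode, ExchangeLocation |
    Format-Table -AutoSize
```

Treat the output as a baseline: export it once, then diff each new run against it so that a relaxed spam action or a new IP on the allow list stands out.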
9. Make sure end users have an unmistakable way to tell that a message came from outside the managed organization (or group of organizations): add a banner or subject tag to external mail, so that a phishing message impersonating a colleague or executive is visibly marked as external before anyone acts on it.
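The following is an added example, not code from the original article. It shows two ways to mark external mail in Exchange Online: the built-in external tag that newer Outlook clients render, and a mail flow rule that prepends a subject tag and an HTML banner. It assumes the ExchangeOnlineManagement module, uses admin@contoso.com as a placeholder, and uses a made-up header name (X-External-Banner) to stop the banner from being applied twice.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module; admin@contoso.com and the X-External-Banner header name are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Option 1: the native "External" tag in Outlook. No change to subject or body, so it
# does not break threading, but only clients that support the tag show it.
Set-ExternalInOutlook -Enabled $true

# Option 2: a mail flow rule that tags the subject and prepends a visible banner on
# every message from outside the organization that is delivered to someone inside it.
$banner = '<div style="background:#fff4ce;border:1px solid #f0c36d;padding:8px;font-family:sans-serif;">' +
          '<strong>EXTERNAL:</strong> This message came from outside the organization. ' +
          'Do not click links or open attachments unless you recognize the sender.</div>'

New-TransportRule -Name 'Tag external mail' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfHeaderContainsMessageHeader 'X-External-Banner' `
    -ExceptIfHeaderContainsWords 'applied' `
    -SetHeaderName 'X-External-Banner' `
    -SetHeaderValue 'applied' `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Confirm the rule is in place and enabled.
Get-TransportRule -Identity 'Tag external mail' |
    Select-Object Name, State, Priority, FromScope, SentToScope
```

The X-External-Banner header is stamped on the first pass and checked as an exception, so a message that is routed through the rule again (for example by an internal forwarding rule) is not given a second banner. The Wrap fallback delivers the original as an attachment with the banner as the body when the banner cannot be inserted, such as on signed mail; switch it to Ignore if that is too disruptive for your users.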