A lot of organizations, when they move to Microsoft 365 (Exchange Online), start noticing an increase flow of phishing emails. Phishing emails are emails which resemble a “Please reset your expired Microsoft 365 password” with a link and then send the user to a page which seems to be a normal office 365 login but isn’t.
The user inputs the credentials, and it either redirects him/her to the actual office portal or says wrong password or username while saving the compromised credentials for a later hack.
The reason why this starts happening when you move to Exchange Online is because it’s a lot easier to check a user stolen credentials against well-known endpoints instead of having to tailor made a solution for a specific organization/domain.
So How to prevent phishing emails?
There are a few main steps which will decrease considerably your risk of having compromised credentials and even if that happens it won’t be danger
- Configure a TXT SPF record. This basically tells the recipient email server which servers are authorized to send messages from a domain. You can check step by step tutorial here but if you’d like the TLDR version: Add a TXT entry to your DNS with host=@ and value=v=spf1 include:spf.protection.outlook.com -all
-
Configure your DKIM (this basically authenticates outgoing emails with a header that makes sure it came from your domain). TLDR version: add to your DNS two CNAME entries:
Host: selector1._domainkey
Type CNAME
Value: selector1-<YOURDOMAIN>._domainkey.<YOURDOMAIN>.onmicrosoft.com
Add another one exactly like this one but instead of selector1 put selector2.
Then go to the your tenant security page -> Email & collaboration -> Policy & Rules -> Email authentication settings
Select your domain and then click on Enable. If there is something wrong it will show you what values you should have on your CNAME entries. - Activate Multi-factor authentication.This one has user experience impact because if you require them to always put a mobile code or use authenticator app they might start complaining. But if you have Multi factor authentication as required for condition access then you have a really good solution
- Activate Conditional Access.Conditional access is actually great when paired with Sign In Risk. Sign In Risk calculates a score for each sign in attempt to caracterize how risky it is. For instance, if the credentials are sent from a country the user rarely or never visits then the Risk Will be High and multi factor authentication would be triggered.
What licenses are required to activate Conditional Access + Multi Factor Authentication ? To activate Mutli Factor authentication for the tenant’s users, the administrator who is activating the feature needs a Microsoft 365 F1 license. For the Conditional Access based on Sign In Risk the administrator needs a Azure Active Directory Premium 2 plan
We recommend doing a quick check on our License Optimizer to get the best price
A step by step tutorial on how to activate Conditional Access can be found here a summary of the steps is:
- Make sure the administrator user has a Microsoft 365 F1 and Azure Activie Directory Premium 2 licenses active
- Go to portal.azure.com and open Active Directory
- Click Security under the left sub menu entry
- Select Conditional Access and create a new Policy
- Under Users or Workloads entities make sure to put a small group for testing
- Under Conditions select “Sign in risk” Medium / High
- On Grant check “Grant access” – “Require multi-factor authentication”
- Save it and test it (use a vpn to make multiple logins for different countries). It should request a second method of identity verification
- Apply to all users
Last important note, if you decide that all users should have multi-factor authentication always on please consider that flows connected to those users might start failing.