Protecting your M365 service from Phishing and Business Email Compromise Attacks

This is the first in a series of four blog posts where we delve deeper into the themes discussed in our previous post, which highlighted the top 4 attacks that hackers are using when they try to compromise your M365 service. Regrettably, phishing and Business Email Compromise (BEC) remain amongst the most significant cyber threats facing UK organisations today. With the email and collaboration capabilities of M365 being critical to so many businesses’ communications, it’s vital to use a robust, layered approach to defend against these attacks. In this article we look at what we can all do to reduce the risk of suffering a phishing attack or becoming the victim of Business Email Compromise.

Leverage Microsoft 365’s Built-In Anti-Phishing Protections

Microsoft 365 comes equipped with a suite of features designed to detect and block malicious emails before they reach users’ inboxes. The key features that help defend against phishing and BEC include:

  • Exchange Online Protection (EOP): Provides baseline anti-phishing, anti-spam, and anti-malware protection for all M365 users.
  • Microsoft Defender for Office 365: Offers advanced capabilities such as impersonation protection, machine learning-based detection, and campaign views to spot coordinated attacks.
  • Spoof Intelligence: Identifies and blocks emails that attempt to impersonate trusted senders or domains.
  • Safe Links and Safe Attachments: Automatically scan links and attachments in emails for malicious content, quarantining threats before they can do harm.

Actions:

  • Ensure anti-phishing policies are enabled and regularly reviewed.
  • Configure impersonation protection for high-risk users, such as decision makers, finance staff, and IT administrators.
  • Use the “Aggressive” or “Most Aggressive” anti-phishing thresholds for users most likely to be targeted.
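The actions above can be applied from Exchange Online PowerShell rather than clicking through the Defender portal. The following is an added example, not code from the original post or from Somniac Security: it creates a Defender for Office 365 anti-phishing policy that protects a list of high-risk users from impersonation, raises the phishing threshold, and then scopes the policy to those users with a rule. The cmdlets and parameters are those of the ExchangeOnlineManagement module; the administrator account, user names, addresses, domains and policy name are placeholders. Impersonation protection and the threshold setting need a Defender for Office 365 licence.

```powershell
# Added example (not from the original post): Defender for Office 365 anti-phishing
# policy with impersonation protection for high-risk users and a raised threshold.
# Requires the ExchangeOnlineManagement module. All names/addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$policyName = "High-Risk User Protection"

# Protected users are given as "DisplayName;EmailAddress" pairs (placeholders).
$protectedUsers = @(
    "Jane Doe;jane.doe@contoso.example",    # finance director
    "Sam Smith;sam.smith@contoso.example"   # IT administrator
)

New-AntiPhishPolicy -Name $policyName `
    -AdminDisplayName "Impersonation protection and raised threshold for high-risk users" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "trusted-supplier.example" `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3   # 1 Standard, 2 Aggressive, 3 More aggressive, 4 Most aggressive

# A policy does nothing until a rule scopes it to recipients; here, the protected users.
New-AntiPhishRule -Name $policyName `
    -AntiPhishPolicy $policyName `
    -SentTo ($protectedUsers | ForEach-Object { $_.Split(';')[1] }) `
    -Priority 0

# Review step: confirm the settings that were applied.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
        TargetedUserProtectionAction, PhishThresholdLevel, EnableMailboxIntelligenceProtection
```

`-TargetedDomainsToProtect` is for domains you do not own but regularly receive mail from (a key supplier, for instance); your own accepted domains are covered by `-EnableOrganizationDomainsProtection`. Re-running `Get-AntiPhishPolicy` on a schedule and diffing the output is a simple way to satisfy the "regularly reviewed" action.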

Enforce Multi-Factor Authentication (MFA) for All Users

MFA is one of the most effective defences against account compromise. By requiring a second form of verification (such as a code sent to a mobile device), MFA makes it significantly harder for attackers to access accounts, even if they have stolen a password.

  • Industry statistics show that over 99% of successful BEC attacks occur on accounts without MFA enabled.
  • MFA can be enforced across all users of the M365 service either through the basic service configuration or through conditional access policies.

Actions:

  • Mandate MFA for all users, especially those with access to sensitive data, financial systems, or IT administrative privileges.
  • Use app-based authenticators or hardware tokens rather than SMS where possible, as these are less susceptible to interception.
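Enforcing MFA through a conditional access policy, as the section describes, can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original post or from Somniac Security: it creates a policy requiring MFA for all users on all cloud apps, starting in report-only mode so the impact can be reviewed before enforcement, and excludes one emergency-access account. The cmdlets are from the Microsoft.Graph.Identity.SignIns module; the account object ID and policy name are placeholders. Conditional access requires a Microsoft Entra ID P1 licence.

```powershell
# Added example (not from the original post): conditional access policy requiring MFA
# for all users, created via Microsoft Graph PowerShell. Placeholder IDs/names throughout.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Exclude an emergency-access (break-glass) account so a mistake in the policy cannot
# lock every administrator out. Replace with the account's object ID (placeholder here).
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all users"
    # Report-only first: sign-in logs show what would have been blocked. Set to "enabled" once reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the policy exists and check its state before switching it to "enabled".
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA for all users'" |
    Select-Object Id, DisplayName, State
```

The `mfa` grant control accepts any registered second factor, SMS included. To act on the "app-based authenticators or hardware tokens rather than SMS" action, replace `builtInControls` with an authentication strength (a built-in or custom set of allowed methods) in `grantControls`, and restrict which methods users may register in the tenant's authentication methods policy.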

Educate and Train Staff to Recognise Phishing Attempts

Human error remains a leading cause of successful phishing and BEC attacks. Regular security awareness training tailored for your organisation is essential:

  • Teach staff to spot common phishing tactics, such as urgent requests, mismatched email addresses, and suspicious links.
  • Highlight the language and psychological tricks used by attackers, such as invoking panic or urgency (“Action required”, “Invoice attached”, “Verification needed”).
  • Run simulated phishing campaigns to test and reinforce learning.
  • Encourage users to report even if they are unsure: it is better to receive a false positive than to be compromised because someone was too worried to report in the first place.

Actions:

  • Schedule regular training sessions and phishing simulations.
  • Deploy Microsoft’s built-in attack simulation tools.
  • Encourage a “think before you click” culture, where staff feel comfortable reporting suspicious emails without fear of reprisal.

Harden Email Authentication and Domain Protections

Preventing attackers from spoofing your domain is crucial in stopping phishing and BEC:

  • Implement SPF, DKIM, and DMARC for your email domains: these email authentication protocols help ensure that only authorised senders can use your domain, and that spoofed emails are rejected or quarantined.
  • Regularly review and update DNS records to include all legitimate email sources, including third-party services.

Actions:

  • Set DMARC to “quarantine” or “reject” to prevent unauthorised use of your domain.
  • Check that only authorised domains are able to send emails on your behalf by correctly configuring your SPF and DKIM DNS records.
  • Use Microsoft’s spoof intelligence insights to identify and address any gaps in your domain’s protection.
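The actions above are checked by reading your public DNS. The following is an added example, not code from the original post or from Somniac Security: a PowerShell function that resolves a domain's SPF, DKIM and DMARC records and flags the weak settings the section warns about (missing records, a permissive `+all`, too many SPF lookups, `p=none`, partial `pct`, no reporting address). It uses `Resolve-DnsName` from the Windows DnsClient module, so it runs on Windows; the domain is a placeholder, and `selector1`/`selector2` are the DKIM selectors Microsoft 365 uses for its own signing.

```powershell
# Added example (not from the original post): check a domain's SPF, DKIM and DMARC DNS
# records and report weak settings. Requires Resolve-DnsName (Windows DnsClient module).
function Test-EmailAuthDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DkimSelectors = @("selector1", "selector2")   # Microsoft 365 selectors
    )
    $findings = @()

    # SPF: TXT record at the domain apex beginning "v=spf1". More than one is an error.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=spf1*" })
    if ($spf.Count -eq 0) {
        $findings += "SPF: no v=spf1 record; any host can claim to send as $Domain"
    } else {
        if ($spf.Count -gt 1) { $findings += "SPF: $($spf.Count) records published; receivers treat this as permerror" }
        $spfText = $spf -join " "
        if ($spfText -match "\+all") { $findings += "SPF: '+all' authorises every sender; use '-all' (fail) or '~all' (softfail)" }
        elseif ($spfText -match "\?all") { $findings += "SPF: '?all' is neutral and gives receivers nothing to enforce" }
        # include:, a, mx, ptr, exists: and redirect= each cost a DNS lookup; RFC 7208 allows 10.
        $lookups = ($spfText -split "\s+" | ForEach-Object { $_ -replace "^[+\-~?]", "" } |
            Where-Object { $_ -match "^(include:|a(:|/|$)|mx(:|/|$)|ptr(:|$)|exists:|redirect=)" }).Count
        if ($lookups -gt 10) { $findings += "SPF: $lookups lookup mechanisms exceed the limit of 10 (permerror)" }
    }

    # DKIM: Microsoft 365 publishes its keys behind CNAMEs at <selector>._domainkey.<domain>.
    foreach ($selector in $DkimSelectors) {
        $dkim = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if (-not $dkim) { $findings += "DKIM: no record for $selector._domainkey.$Domain; mail is not signed for this selector" }
    }

    # DMARC: TXT at _dmarc.<domain>; the p= tag decides what receivers do with failing mail.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
    if (-not $dmarc) {
        $findings += "DMARC: no record; spoofed mail is neither quarantined nor rejected"
    } else {
        $tags = @{}
        foreach ($pair in ($dmarc -split ";")) {
            $kv = $pair.Trim() -split "=", 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        if ($tags["p"] -eq "none") { $findings += "DMARC: p=none only monitors; move to p=quarantine, then p=reject" }
        if ($tags.ContainsKey("pct") -and [int]$tags["pct"] -lt 100) { $findings += "DMARC: pct=$($tags["pct"]) leaves some failing mail unfiltered" }
        if (-not $tags.ContainsKey("rua")) { $findings += "DMARC: no rua= address, so no aggregate reports to reveal unlisted legitimate senders" }
    }

    [pscustomobject]@{ Domain = $Domain; SPF = $spf; DMARC = $dmarc; Findings = $findings }
}

# Example run against a placeholder domain. A hardened Microsoft 365 domain looks like:
#   SPF:   v=spf1 include:spf.protection.outlook.com -all
#   DMARC: v=DMARC1; p=reject; rua=mailto:dmarc-reports@contoso.example; pct=100
Test-EmailAuthDns -Domain "contoso.example" | Format-List
```

The `rua=` check matters for the "regularly review and update DNS records" action: aggregate reports are how you discover a third-party service sending on your behalf that is not yet in your SPF record, before a `p=reject` policy starts bouncing its mail. On the Exchange Online side, DKIM signing for a custom domain is switched on with `New-DkimSigningConfig -DomainName <domain> -Enabled $true` once the two CNAMEs are in place.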

Disable Legacy Authentication and Restrict External Forwarding

Legacy authentication protocols (such as basic authentication over IMAP and POP3) do not support MFA and are frequently exploited by attackers:

  • Disable legacy authentication across your M365 environment to ensure all logins require modern, secure methods.
  • Block automatic external forwarding of emails, a common tactic used by attackers to exfiltrate data unnoticed.

Actions:

  • Audit your environment for legacy authentication usage, document any you find, and phase it out where possible.
  • Set mail flow rules to prevent or tightly control external forwarding.
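Both actions above can be carried out from Exchange Online PowerShell. The following is an added example, not code from the original post or from Somniac Security: it lists mailboxes that still have the legacy protocols switched on (the record the audit action asks for), blocks basic authentication with a tenant-default authentication policy, and blocks automatic external forwarding at the outbound spam policy and remote domain layers before listing any forwarding already in place. The cmdlets are those of the ExchangeOnlineManagement module; the administrator account, policy name and output path are placeholders. Microsoft has already disabled basic authentication in Exchange Online for most protocols, SMTP AUTH being the main exception, so in a current tenant the audit mainly confirms that nothing has been re-enabled for an exception case.

```powershell
# Added example (not from the original post): audit and block legacy (basic) authentication
# and automatic external forwarding in Exchange Online. Placeholder account/policy names.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# --- 1. Audit: which mailboxes still have IMAP or POP enabled? Keep the output as the record.
$legacyEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled
$legacyEnabled | Export-Csv -Path .\legacy-protocols.csv -NoTypeInformation

# --- 2. Enforce: an authentication policy created without any -AllowBasicAuth* switch blocks
# basic auth for every protocol. Make it the tenant default; users with a documented exception
# can be given a separate, narrower policy with Set-User -AuthenticationPolicy.
New-AuthenticationPolicy -Name "Block Basic Authentication"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Authentication"

# Also turn off SMTP AUTH tenant-wide; re-enable per mailbox only for devices that need it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Where nobody needs IMAP/POP at all, switch the protocols off on the mailboxes found above.
$legacyEnabled | ForEach-Object {
    Set-CASMailbox -Identity $_.PrimarySmtpAddress -ImapEnabled $false -PopEnabled $false
}

# --- 3. Block automatic external forwarding at two layers.
# Outbound spam policy: "Off" rejects auto-forwarded messages addressed to external recipients.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# Remote domain: stops client-side auto-forwards (Outlook rules, Out of Office forwards) leaving the tenant.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# --- 4. Find forwarding that is already configured: mailbox-level forwarding first ...
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# ... then inbox rules that forward or redirect. Compare the targets against your accepted domains.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_.PrimarySmtpAddress
    Get-InboxRule -Mailbox $mbx |
        Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
        Select-Object @{ n = "Mailbox"; e = { $mbx } }, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo
}
```

Blocking forwarding at the outbound spam policy alone is not enough on its own: the remote domain setting catches the client-side rules that policy does not see, which is why the example sets both. Step 4 is a one-off snapshot; the monitoring section below is where you would watch for new forwarding rules appearing over time.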

Monitor, Respond, and Continuously Improve

No defence is perfect, so it’s essential to monitor for suspicious activity and respond swiftly:

  • Use Microsoft 365’s Threat Explorer and reporting tools to investigate and respond to incidents.
  • Encourage staff to report phishing attempts, and submit suspicious emails to Microsoft or to the NCSC’s anti-phishing reporting service to improve filtering for all users.
  • Regularly review and tune anti-phishing policies based on the latest threat intelligence and incident learnings.
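Threat Explorer covers the inbound side; the unified audit log shows what an already-compromised account does next, and a new inbox rule that forwards, redirects, moves or deletes mail is one of the most common signs. The following is an added example, not code from the original post or from Somniac Security: it searches the last seven days of the unified audit log for inbox rule and mailbox changes and pulls out the parameters that move mail, so a reviewer can check each one. The cmdlets are those of the ExchangeOnlineManagement module and the `AuditData` field layout is that of Exchange admin audit records; the administrator account is a placeholder and auditing must be enabled in the tenant.

```powershell
# Added example (not from the original post): hunt the unified audit log for inbox rule and
# mailbox changes that forward, redirect, hide or delete mail. Placeholder admin account.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = "New-InboxRule", "Set-InboxRule", "Set-Mailbox"

# Parameters worth a second look: they send mail elsewhere or hide it from the mailbox owner.
$watchedParameters = @(
    "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",   # inbox rule forwarding
    "ForwardingSmtpAddress", "ForwardingAddress",         # mailbox-level forwarding
    "DeleteMessage", "MoveToFolder", "MarkAsRead"          # rules that hide replies
)

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$suspicious = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    # Cmdlet parameters arrive as an array of Name/Value pairs.
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
    $hits = $params.Keys | Where-Object { $_ -in $watchedParameters }
    if ($hits) {
        [pscustomobject]@{
            Time      = $data.CreationTime
            User      = $data.UserId
            Operation = $data.Operation
            ClientIP  = $data.ClientIP
            Changes   = ($hits | ForEach-Object { "$_=$($params[$_])" }) -join "; "
        }
    }
}

$suspicious | Sort-Object Time | Format-Table -AutoSize
```

Each hit should be checked against the user's normal behaviour and the `ClientIP`: a forwarding rule created from an unfamiliar country minutes after a successful sign-in is a strong incident signal, while a rule that files a newsletter into a folder is noise. Running the search on a schedule and alerting on any hit is a lightweight way to meet the "monitor and respond" goal in tenants without a SIEM.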

Bringing it all together

Taking a step back and looking at the bigger picture, preventing phishing and Business Email Compromise on the M365 service means blending technology controls, policies, and your team’s working practices. By leveraging M365’s advanced security features, enforcing MFA, educating staff, hardening domain protections (DNS), and, where possible, monitoring for these sorts of threats, you can reduce the risk of your M365 service being compromised. Staying proactive, keeping your defences (and software) up to date, and encouraging your users to become the first line of defence will pay dividends over the long term.

By engaging with Somniac Security we can help you to secure your M365 service, leaving you safe in the knowledge that you won’t suffer from these common attacks. Contact us at info@somniacsecurity.com today to help safeguard your business against tomorrow’s challenges!