8 Ways to Secure Your Microsoft 365 Email System

Last year Sandy, a 26-year accounting veteran at a large manufacturing plant in the United States, called to figure out how her team had accidentally wired $460,000 to a fraudulent vendor. You could tell Sandy was very upset and under a lot of pressure from the board of directors. To make matters worse, her team was just moments away from sending a second wire for $172,500, but thankfully the real vendor called just in time asking why the first wire for $460,000 was never received. That is when Sandy realized they might have fallen victim to wire fraud.

Here is how the attack unfolded:

  1. The accounts payable email had been compromised as follows:
    1. The attacker had full access to the accounts payable mailbox and was reading all email.
    2. A known vendor sent an invoice for $460,000 asking for payment.
    3. Immediately afterwards, a second email came in asking to update the bank information before wiring the $460,000.
    4. Unfortunately, the accountant didn’t realize the sender's address had an extra S on the end (jim@myemail.com vs jim@myemails.com).
    5. Because the accountant did not catch this, they updated the payment information and wired the funds to the wrong account.
    6. The hacker then created a mailbox rule that deleted any emails from that vendor, so as not to tip off the accountant.
    7. Almost 30 days went by before they realized what had happened, and it was too late for the bank to get the money back.
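
The near-miss address in step 4 is something a mail pipeline can check mechanically by comparing each sender's domain with the domains the mailbox already corresponds with. The following is an added example, not part of the original article and not any vendor's implementation; the address book contents, function names and distance threshold are assumptions.

```python
from email.utils import parseaddr

# Constructed address book: senders this mailbox has corresponded with before.
KNOWN_SENDERS = {"jim@myemail.com", "billing@example-supplier.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, known=KNOWN_SENDERS, max_distance: int = 2):
    """Return (verdict, closest known address or None) for a From: header."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("unparseable", None)
    if addr in known:
        return ("known", addr)
    local, domain = addr.rsplit("@", 1)
    best = None
    for trusted in known:
        t_local, t_domain = trusted.rsplit("@", 1)
        d = edit_distance(domain, t_domain)
        if 0 < d <= max_distance:
            # Same mailbox name on a near-miss domain is the strongest signal.
            score = (d, t_local != local)
            if best is None or score < best[0]:
                best = (score, trusted)
    if best:
        return ("lookalike", best[1])
    return ("unknown", None)


if __name__ == "__main__":
    for header in ("Jim <jim@myemail.com>", "Jim <jim@myemails.com>"):
        print(header, "->", classify_sender(header))
```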

You might be asking yourself, is phishing illegal? How can someone get away with this? The short answer is yes, it is illegal, but most phishing attacks come from outside the United States and pursuing legal action is nearly impossible. But hope is not lost. In fact, Sandy’s company already owned many of the tools it needed, but the IT team had never configured the security settings. This was a hard lesson to learn, so please use this guide to save yourself some heartache.

For those who prefer video, here is the YouTube link to 8 ways to secure your Microsoft 365 email system, otherwise read on!

Steps To Increase Your Microsoft 365 Email Security


  1. Do not set up common department mailboxes: Avoid predictable department mailbox names like accounting@yourcompany.com, ap@yourcompany.com, hr@yourcompany.com. These are easy for attackers to guess and will lead to more phishing attacks. Instead try 801ap@yourcompany.com, sunflower@yourcompany.com, or something unique that a hacker cannot guess.


  2. Reject external email forwarding: Make sure your Microsoft 365 business email is set to not allow your emails to automatically forward to an external mailbox. A common attack is sending HR a fake resume with a virus, or accounting a fake invoice. This installs a virus which creates a rule that sends a copy of all your emails to hackersemail@gmail.com. Once that is done, the hacker waits for the right moment to strike, which is what happened to Sandy.


  3. Email Phishing Protection with IronSCALES: You might be asking, what is IronSCALES? Simply put, it puts a layer of protection between hackers and your employees. IronSCALES would have displayed a bright red banner that reads “CAUTION: You usually email Jim at jim@myemail.com, but this is coming from jim@myemails.com. This might be an attack, proceed with caution!” IronSCALES would have done more analysis and, within about 12 seconds, flagged it as fraud and immediately removed it from the accounts payable mailbox.

    IronSCALES also sends out security training tests to all staff each quarter. If a staff member falls for the trick, it brings them to a quick training video to learn how to better spot these types of attacks.


  4. Brand your Microsoft 365 Login Page: A branded page with your logo gives your team a visual identifier that they are in the right place. And while a sophisticated attacker could clone your login page, it can help prevent the one-off random attacks and save you a lot of headache.


  5. Enable two factor authentication: When an employee logs into email for the first time they must use a second factor. This could be a text message (least secure) or the Microsoft Authenticator application (most secure). If your employee falls victim and an attacker gets their password, the attacker still cannot log in without the second factor. This is one of the best methods to prevent unauthorized access into your email system.


  6. Configure your SPF record: SPF stands for “Sender Policy Framework”. With SPF, 365 can verify that email your employees receive came from a trusted source. This helps prevent fake emails hitting your team and reduces the number of times you need to rely on IronSCALES to defend you.


  7. DKIM signatures: DKIM signatures (domain signing) add a digital signature to the headers in your emails. The signature is validated with the organization’s domain name system (DNS) records. This safety feature also gives your own email a much higher chance of hitting an inbox. It’s a win-win.


  8. Microsoft default settings: There are several go-to settings built into Microsoft that your organization should make sure are set up properly within the admin center. Go to the protection setting, then the malware feature, and make sure that is “on”.

    Also, make sure that the “enable common attachment type filter” and the “enable malware zero autopurge” are both enabled to make sure that emails coming through 365 are scanned for spam.

    You can also change your default setting for the “bulk” level to 2 to stop junk mail from getting through, but at the risk of good emails going to junk. In all fairness, if a vendor sends you an email and it does go to junk, it is mostly because they are not set up properly.
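
Both the external forwarding rule described in step 2 and the vendor-deleting rule from Sandy's incident leave traces in the mailbox's inbox rules, so a periodic audit can surface them. The following is an added example, not part of the original article: the property names follow Exchange Online's `Get-InboxRule` output, while the sample records, the `INTERNAL_DOMAINS` value and the function names are assumptions.

```python
import re

INTERNAL_DOMAINS = {"yourcompany.com"}  # assumption: the tenant's own domains

# Constructed sample: inbox rules as dicts, using Get-InboxRule property names.
SAMPLE_RULES = [
    {"Name": "Newsletters", "From": None, "ForwardTo": None,
     "RedirectTo": None, "ForwardAsAttachmentTo": None, "DeleteMessage": False},
    {"Name": ".", "From": ['"Jim" [SMTP:jim@myemail.com]'], "ForwardTo": None,
     "RedirectTo": None, "ForwardAsAttachmentTo": None, "DeleteMessage": True},
    {"Name": "copy", "From": None,
     "ForwardTo": ['"x" [SMTP:hackersemail@gmail.com]'],
     "RedirectTo": None, "ForwardAsAttachmentTo": None, "DeleteMessage": False},
]

ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def external_targets(rule):
    """Addresses the rule forwards or redirects to outside INTERNAL_DOMAINS."""
    found = set()
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(field) or []:
            for match in ADDRESS.finditer(entry):
                if match.group(1).lower() not in INTERNAL_DOMAINS:
                    found.add(match.group(0).lower())
    return sorted(found)


def audit_rules(rules):
    """Return (rule name, finding) pairs for the two patterns in the article."""
    findings = []
    for rule in rules:
        targets = external_targets(rule)
        if targets:
            findings.append((rule["Name"], "forwards to external " + ", ".join(targets)))
        # A rule that deletes mail from one named sender hides that sender's replies.
        if rule.get("DeleteMessage") and rule.get("From"):
            findings.append((rule["Name"], "deletes mail from " + "; ".join(rule["From"])))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: {finding}")
```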


General Security Strategies

Keeping your email secure raises so many questions. Everyone – not just organizations – wants to feel safe from scams. Here are some common concerns:


  1. How to protect my email account from hackers: Use a unique password and do not store this password on any publicly used device. Always log out fully, and use two factor authentication. Be careful logging into public computers and do not click on suspicious links.
  2. What to do if you open a phishing email: Close the email and mark it as spam. If you are using IronSCALES, use the IronSCALES report phishing button. Do not click any attachments or links and simply delete the email. If you accidentally clicked on anything, contact your IT department immediately.

  3. Can you get hacked by replying to an email: You cannot get a virus from replying to an email. But responding is dangerous because it gives the hacker additional information about your email security, and gives them a window into your mind which could make you a target in the future. Never egg on an attacker; it is best to just ignore them and make your IT department aware.
  4. What to do if you respond to a phishing email: If you accidentally respond to a phishing email, immediately change your passwords and usernames. An attacker can steal your usernames and passwords, your money, your credit card info, and even your bank accounts. Set up new PINs and start fresh for safety.
  5. I opened an email from a hacked account, now what: These days, viruses are everywhere. They are activated when you open attachments or click links. Just opening the email cannot give you a virus, but if you did anything else please make your IT department aware.

  6. IronSCALES vs Proofpoint: what are they? IronSCALES and Proofpoint are both email security platforms. Many users think that IronSCALES is easier to use. It’s easy to set up and administer, too.

  7. I heard that Microsoft will soon block theft. True? Microsoft will soon be releasing a safety feature that enables a “Microsoft Defender Attack Surface Reduction” (ASR) rule. This rule will be on by default in settings. We recommend thorough coverage through multiple layers for complete security for your company.

  8. Is there a report phishing email Outlook button with IronSCALES? Yes, and when you submit a phishing email, IronSCALES does an investigation and stops the attack from going any further.
  9. What is the more secure alternative to the SMTP mail protocol? Basic authentication from Microsoft 365 is very insecure as it can bypass multi-factor authentication. It is best to use TLS 1.3 along with modern authentication across the board.

Email Security Final Thoughts

You might be asking, are emails secure, or how secure is email? The short answer is no. Because email relies heavily on humans to make the correct decision, attackers will continue to evolve to take advantage. Anyone can simply Google “how to hack an email address” and get back Office 365 phishing email examples, email hacker tools, and different ways to try to get into M365 Exchange Online. It is no wonder that securing email servers has become a full-time job.


If you are concerned about email security, please contact us through our website. Phishing attacks through email are very real. Taking the steps to stay safe with guards like IronSCALES email security is not only a great investment, it could save you from what Sandy went through. We are experts in M365 online and can provide security against even the best email hacking tools using everything listed in this article but, most importantly, IronSCALES email security.