Office365 can be seen as a business productivity advantage, but it’s also an excellent opportunity for attackers to compromise data via the Internet. To minimize potential data breaches, Microsoft has released its Office365 best practices guidance. This blog outlines some fundamental protection mechanisms that organizations should configure to protect against common Office365 attack vectors.

To begin hardening your Office365 environment, start by logging into Microsoft’s Secure Score analytics tool. This tool was designed as a roadmap you can use to reduce your risk while leveraging Office365. The tool provides a handful of metrics, including a security score for the currently deployed service, industry comparisons, and a target score that an organization should strive for (details for this tool can be found here). Use this site as a starting point for securing your Office365 tenant.


Secure Score Overview Window

Protecting Against Phishing Attacks

Office365 has built-in options to protect people from phishing attacks—Advanced Threat Protection (ATP). Enabling this feature will help protect your organization against common phishing attacks.

Spoofing attacks are on the rise, and they can be the perfect vehicle to trick users into clicking on emails. The life cycle for this type of attack goes as follows: First, the attacker identifies a domain that is slightly mistyped and not registered to the targeted company. Second, the attacker registers the selected domain. Third, the attacker clones a webpage that users commonly log into. Fourth, the attacker sends emails impersonating the helpdesk or any other employee in the organization with a convincing message to entice users to click on embedded links or open attachments in the fake emails. As a countermeasure for each attack step, Office365 ATP provides security policies, such as Anti-phishing, Anti-malware, Safe links, Safe attachments, and Anti-spam (policy availability depends on the tenant subscription level). We will cover policies related to Domain Protection, Anti-malware alerts, and mail-flow to set warning messages from external senders.

Setting Up ATP Anti-Phishing (Domain Protection Policy)

Office365 integrates machine learning processes and anti-impersonation algorithms to detect phishing attacks. Once the Anti-phishing policy is enabled, all incoming emails are evaluated to determine if the emails are trying to impersonate users and/or domains, along with what actions should be taken after detection. Office365 applies a default Anti-phishing policy, but it only offers basic anti-phishing protections (it does not protect domains or specific users). In order to apply advanced protection features, custom policies can be created.

In this section, we will be creating a new custom policy to protect your domain(s) from spoofing attacks and automatically send malicious emails to the users’ junk email folders.

  1. Go to https://protection.office.com and sign in with an admin account >> in the left navigation pane, under Threat management, choose Policy >> choose Anti-phishing >> To add a new policy select “+ Create.”

  1. A wizard will launch to guide you through the settings for a new anti-phishing policy >> Specify the name, and the description for your policy >> Next.

  1. To add a new condition, select “+ Add condition.”

  1. From the list of conditions select “The recipient domains is.”

  1. Select “choose” >> select, “+ Add” to show the available domains.


  1. Select the organization’s domain(s) from the displayed list (custom domains will appear if they are already added to the console)>> After selecting the domain, click “Next.”

  1. Review the policy settings >> Create this policy.

  1. After creating the policy you’ll be taken to the “Edit your policy” page. Other actions can be set on this page (e.g., move messages that match the policy to the users’ Junk Email folder) >> Close.

  1. This new policy will be listed on the Anti-phishing window.
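The same policy can be created from Exchange Online PowerShell, which makes the setting repeatable and reviewable. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module, a subscription that includes ATP anti-phishing, and placeholder values for the admin account and the policy name.

```powershell
# Added example: scripted equivalent of the anti-phishing wizard steps above.
# Assumptions: ExchangeOnlineManagement module installed; admin UPN and names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin account

$name = 'Domain Protection Policy'   # hypothetical policy and rule name

# The tenant's accepted domains: the list the wizard offers for the recipient-domain condition.
$domains = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }

# The policy defines what is detected and what happens to a matching message.
if (-not (Get-AntiPhishPolicy | Where-Object Name -eq $name)) {
    $policy = @{
        Name                                = $name
        AdminDisplayName                    = 'Impersonation protection for our own domains'
        EnableOrganizationDomainsProtection = $true        # protect every accepted domain
        TargetedDomainProtectionAction      = 'MoveToJmf'  # deliver to the Junk Email folder
    }
    New-AntiPhishPolicy @policy | Out-Null
}

# The rule defines who the policy applies to (the "recipient domain is" condition).
if (-not (Get-AntiPhishRule | Where-Object Name -eq $name)) {
    New-AntiPhishRule -Name $name -AntiPhishPolicy $name -RecipientDomainIs $domains | Out-Null
}

# Read the settings back so the result can be compared with the portal view.
Get-AntiPhishPolicy -Identity $name |
    Format-List Name, Enabled, EnableOrganizationDomainsProtection, TargetedDomainProtectionAction
Get-AntiPhishRule -Identity $name |
    Format-List Name, State, Priority, RecipientDomainIs
```

Both existence checks make the script safe to re-run; it creates the policy and rule only when they are missing.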

BLUE-TEAM (Defenders) TIP: Conduct regular subdomain enumeration to maintain visibility of the company’s digital footprint. Use https://www.virustotal.com/#/home/search to run a passive DNS enumeration tool against the company’s domain.

RED-TEAM (Offensive testers) TIP: Use https://dnstwister.report/ to craft a list of domains to be used for phishing assessments, then use a homograph attack.

Setting Up ATP Anti-Malware (Alerting Policy):

By default, the Anti-malware protection is enabled on the company policies, but alerting has to be set. Alerting gives visibility about ongoing attacks. Let’s set these alerts:

  1. Go to https://protection.office.com and sign in with an admin account >> in the left navigation pane, under Threat management, choose Policy >> choose Anti-malware >> To edit the default policy select the policy and then click over the edit icon.


  1. Once the default policy is displayed, select “settings” >> Move to the “Administrator Notifications” section >> Check all the notification options and fill out the corresponding information (Custom Subjects and Messages for alerts can be set on this window) >> Save.

  1. The Default policy will be displayed with a “Summary” of the newly applied settings.
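The administrator notifications can also be audited and set from Exchange Online PowerShell. This is an added example, not part of the original article; the admin account and the alert mailbox are placeholders, and it covers only the two administrator notification options.

```powershell
# Added example: report and enable administrator notifications on the anti-malware policy.
# Assumptions: ExchangeOnlineManagement module installed; addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin account

$alertTo = 'soc@contoso.example'   # placeholder mailbox that should receive the alerts
$fields  = 'Name',
           'EnableInternalSenderAdminNotifications', 'InternalSenderAdminAddress',
           'EnableExternalSenderAdminNotifications', 'ExternalSenderAdminAddress'

# Before: list every anti-malware policy so silent ones stand out.
Get-MalwareFilterPolicy | Format-Table $fields -AutoSize

# Enable both administrator notifications on the default policy.
$notify = @{
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = $alertTo
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = $alertTo
}
Set-MalwareFilterPolicy -Identity 'Default' @notify

# After: confirm the values that the portal "Summary" should now show.
Get-MalwareFilterPolicy -Identity 'Default' | Format-List $fields
```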

BLUE-TEAM (Defenders) TIP: Office365 Security & Compliance provides advanced alerts and management options to set up policies for abnormal activities. For more information, see these resources (https://docs.microsoft.com/en-us/office365/securitycompliance/alerts).

RED-TEAM (Offensive testers) TIP: If your attacks are detected by the Anti-malware policies, try using the SubDocument Reference (subDoc) parameter in Microsoft Word documents to compromise target NTLMv2 hashes (https://rhinosecuritylabs.com/research/abusing-microsoft-word-features-phishing-subdoc/).

Setting Up Warning Messages from External Senders (Mail-Flow Policy):

Labeling email messages that originate from outside the organization is a simple security awareness step every organization should implement. Users can quickly identify spoofed emails by identifying emails that did not originate from within the company. Prepending the [External] label to subject lines and/or adding a sentence at the top of the email’s body might help users avoid being tricked by external phishing attacks that attempt to emulate an internal/external sender. Let’s add [External] to subject lines:

  1. Go to https://portal.office.com and sign in with an admin account >> in the left navigation pane, under Admin centers, choose “Exchange.”

  1. Select “mail flow” >> then “rules.”

  1. To add a new rule, select “+” >> “Create new rule…”

  1. Enter the name for the new policy (e.g., External Subject Warning) >> For the “Apply this rule if…” select “The sender is located…” >> then choose “Outside the organization” >> OK.

  1. Select “More options…” >> select, “add condition.”


  1. Select, “The recipient…” >> “is external/internal” >> “inside the Organization” >> OK.


  1. For “Do the following…” >> select, “Prepend the subject of the message with…” >> In the specify subject prefix window type “[External]”>> OK >> Save (Before saving you can add a comment).


  1. The rule will be displayed with a summary for applied settings.
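The same mail-flow rule expressed in Exchange Online PowerShell, as an added example that is not part of the original article. The admin account is a placeholder; the trailing space after the prefix and the exception that stops the tag from stacking on replies are additions that the wizard steps above do not include.

```powershell
# Added example: scripted equivalent of the "External Subject Warning" mail-flow rule.
# Assumptions: ExchangeOnlineManagement module installed; admin UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin account

$ruleName = 'External Subject Warning'
$prefix   = '[External]'

if (-not (Get-TransportRule | Where-Object Name -eq $ruleName)) {
    $rule = @{
        Name                         = $ruleName
        FromScope                    = 'NotInOrganization'   # sender is outside the organization
        SentToScope                  = 'InOrganization'      # recipient is inside the organization
        PrependSubject               = "$prefix "            # trailing space added for readability
        # Addition: skip messages already tagged, so reply chains do not
        # accumulate "[External] [External] ..." in the subject line.
        ExceptIfSubjectContainsWords = $prefix
        Comments                     = 'Tags inbound mail from external senders'
        Mode                         = 'Enforce'
    }
    New-TransportRule @rule | Out-Null
}

# Read the rule back to confirm scope, action and exception.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SentToScope, PrependSubject, ExceptIfSubjectContainsWords
```

Setting Mode to Audit instead of Enforce records matches in message tracking without changing subjects, which is useful for a trial period before rollout.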


BLUE-TEAM (Defenders) TIP: Enhance and increase security awareness training efforts, and ensure that they include all personnel. The training program should include educating all users on common ways to recognize phishing attacks.

RED-TEAM (Offensive testers) TIP: Craft phishing campaigns using publicly available services that the targeted company might be using (e.g., DocuSign, Dropbox, etc.). Even if the [External] warning is set, users will be tempted to open emails. To identify these types of services, search for the targeted company on URL queries (https://urlquery.net).

Protecting Against Authentication Attacks

Another common way to compromise data in an organization is by having direct access to users’ inboxes. As simple as it sounds, attackers will invest a good amount of time trying to accomplish the task by looking for easily guessed passwords to authenticate against the Office365 portal.

Office365 countermeasures are based on the integration of Azure Active Directory (AD) capabilities. These options provide anti-password spraying options, such as custom smart lockouts and custom banned passwords, along with multi-factor authentication to protect accounts even if a password gets compromised. Please note that these options don’t apply to on-premises AD environments. For more information about on-premises (hybrid deployments) password protections, see the following link.

Setting Up Custom Smart Lockouts and Banned Passwords (Settings):

The Custom smart lockouts section in Office365 provides access to the lockout threshold and the lockout duration options. The lockout threshold sets the number of failed sign-ins allowed on an account before it is locked out. The lockout duration option is the time in seconds of each lockout. The custom banned passwords option enforces the list of words that users are not allowed to use. Let’s locate all these options:

  1. Go to https://portal.azure.com and sign in with an admin account >> in the left navigation pane, select “Azure Active Directory” >> “Authentication methods.”


  1. Edit the “Custom smart lockouts” and “Custom banned passwords” according to the passwords security policies implemented by the organization.

BLUE-TEAM (Defenders) TIP: Implement regular audits of password strength, explicitly looking for common, easy-to-guess passwords, such as Password1, Winter2019, Spring2019, etc. Alternatively, use the Office365 attack simulator to identify vulnerable users before a real attack impacts the organization (https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator).

RED-TEAM (Offensive testers) TIP: Use the Ruler tool by Sensepost.com for password spraying attacks against Office365 (https://github.com/sensepost/ruler/wiki/Brute-Force).

Setting Up Multi-Factor Authentication (without On-Premises Active Directory Integration):

Multi-factor authentication is an additional layer of security available in almost all Office365 subscriptions. If a password gets compromised, the extra layer of protection offered by the Two-step verification feature will be a deterrent mechanism for unauthorized access. The following steps will only cover how to enable multi-factor authentication for users who already have access to their inboxes through the browser (not the Outlook client) and don’t have any authentication integration with an on-premises Active Directory. For other deployment options, visit the following link. Let’s set multi-factor authentication for a test account:

  1. Go to https://protection.office.com and sign in with an administrator account >> in the left navigation pane, under “Services & Add-ins”, choose “Azure multi-factor authentication” >> On the new window select “Manage Multi-factor authentication.”

  1. On the new window, select “Manage Multi-factor authentication.”

  1. In the search option, look for the users you want to enable the multi-factor authentication >> Then, under quick steps select “Enable.”

  1. A new window will be displayed with the enable “multi-factor auth” button >> select that option and then “close.”


  1. After enabling Multi-factor on the selected user, the user will be guided through the Multi-factor registration process on his/her first sign-in. After successful registration, an account summary will be displayed with additional security verification options.


BLUE-TEAM (Defenders) TIP: If multifactor-authentication is already implemented, verify that the multifactor implementation protects the Exchange Web Services (https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/controlling-client-application-access-to-ews-in-exchange). Also, be sure to disable legacy protocols such as IMAP and POP3 that are enabled by default on Office365 (https://docs.microsoft.com/en-us/exchange/clients/pop3-and-imap4/configure-mailbox-access?view=exchserver-2019).
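One way to act on the legacy-protocol part of this tip from Exchange Online PowerShell, as an added example that is not part of the original article. The admin account is a placeholder, and the script defaults to a dry run so the report can be reviewed before anything changes.

```powershell
# Added example: find mailboxes that still allow IMAP or POP3 and switch both off.
# Assumptions: ExchangeOnlineManagement module installed; admin UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin account

$apply = $false   # dry run by default; set to $true after reviewing the report

# Report: every mailbox where at least one of the two legacy protocols is enabled.
$legacy = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled })
$legacy | Sort-Object PrimarySmtpAddress |
    Format-Table PrimarySmtpAddress, ImapEnabled, PopEnabled -AutoSize
Write-Host ("{0} mailbox(es) still allow IMAP or POP3" -f $legacy.Count)

# Existing mailboxes: disable both protocols (-WhatIf only previews while $apply is $false).
foreach ($mbx in $legacy) {
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress `
        -ImapEnabled $false -PopEnabled $false -WhatIf:(-not $apply)
}

# Future mailboxes: change the mailbox plans so new accounts do not
# come up with IMAP and POP3 enabled again.
Get-CASMailboxPlan |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false -WhatIf:(-not $apply)
```

Review the report for service accounts or devices that still depend on IMAP or POP3 before setting `$apply` to `$true`.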

RED-TEAM (Offensive testers) TIP: Use the MailSniper tool to extract data when the multi-factor solution is not protecting the Exchange Web Services interface (https://github.com/dafthack/MailSniper).

At this stage, we have covered some basic protection options for Office365, but there are more available to be used during the deployment journey. For those organizations with a mature security posture, we recommend keeping an eye on the Secure Score analytics tool for tips on how to improve the security of their users against new threats.

Still need more help? The security experts at LBMC Information Security can help you with your needs, from penetration testing to risk assessments. We are here to help; contact our team today. For questions related specifically to this article, contact Jorge Jaque at jjaque@lbmc.com.