- Microsoft 365 Admin Center Outlook Security Settings to Prevent Phishing Attacks
- Exchange Admin Center Settings
- Services & Add-ins Settings
- Admin Center- Security & Compliance Settings
- COVID-19-Themed Phishing Attacks
- Outlook Security best practices
Article at a glance
How do we prevent the attacks?
- Prevent voicemail phishing by creating mail flow rules to block suspicious attachments like .html files.
Did you know that 1 million companies across the world use Office 365? Of these organizations, the US alone accounts for 600,000. As businesses and institutions are adapting to the new normal of working remotely due to the recent pandemic, Outlook email security vulnerabilities can pose a major challenge for IT administrators.
In fact, the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to deal with COVID-19 cyber security challenges.
Data from endpoint security provider SentinelOne showed a spike of over 300% in attempted attacks on user accounts between February 23 and March 16.
Microsoft 365 admin center Outlook security settings to prevent phishing attacks
Here are some common phishing attacks, explained in detail along with the Outlook security configurations and best practices that help shield against them.
Exchange admin center settings
Stop voicemail phishing attacks using a mail flow rule
In October 2019, security firm McAfee observed a new phishing trend in which attackers used fake voicemail notifications to trick users into giving out their Office 365 account credentials. The campaign targeted users from middle management to executive level across industries including finance, IT, retail, insurance, manufacturing, infrastructure, energy, government, legal, education, healthcare, and transportation.
How does it work?
These emails carry an HTML attachment which, when opened, redirects the user to a phishing page. The page plays a short audio recording of someone talking, which makes it look more legitimate. According to a McAfee researcher, “What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link.”
Solution:
Step 1: Under the “Apps” section, select “Admin.”
Step 2: Click “Show all” to view the hidden options.
Step 3: Under the “Admin centers” section, select “Exchange.”
Step 4: Click “Mail flow.”
Step 5: Click “Rules” and create a new rule by clicking “+ Add a rule” and selecting “Create a new rule.”
Step 6: Enter a name for the rule.
Step 7: Under “Apply this rule if…”, choose “Any attachment…” and select “file extension includes these words.”
Step 8: Enter each file extension you want to catch (e.g., html for the voicemail lure above), click “Add” after each one, and then click “Save.”
Note: There are many other risky file types you can include, depending on your requirements:
1. Executables: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
2. Office files that support macros: doc, xls, docm, xlsm, pptm
Step 9: Under “Do the following…”, choose “Notify the recipient with a message…”
Step 10: Enter the message the recipient will see and click “OK.” Note that this action only warns the recipient and still delivers the attachment; if you want the mail stopped, choose a blocking action (for example “Block the message”) instead.
Step 11: To exempt a sender from the rule, under “Except if…” click “Add exception.” Skip steps 12 and 13 if no exception is required.
Step 12: Select “The sender…” and then “is this person.”
Step 13: Choose the sender(s) to exempt and click “Add ->.”
Step 14: Click “Next.”
Step 15: Apply any rule settings such as the rule mode, severity and activation date, click “Next”, review the summary, and click “Finish” to create the rule.
Step 16: The rule now appears under “Mail flow > Rules.” Check there that it is enabled and that its priority relative to your other rules is what you intend.
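The same rule can be created and verified from Exchange Online PowerShell, which is easier to review and to repeat across tenants. The following is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, and the rule name, message text and the exempted sender address (hr-shared@contoso.com) are placeholders to replace.

```powershell
# Added example: the attachment-extension mail flow rule from the steps above,
# built with Exchange Online PowerShell (ExchangeOnlineManagement module).
Connect-ExchangeOnline   # interactive sign-in with an Exchange administrator account

# Extensions listed in the article, plus html/htm for the voicemail lure itself.
$blockedExtensions = @(
    'html','htm',
    'ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt','hlp','ht',
    'hta','inf','ins','isp','job','js','jse','lnk','mda','mdb','mde','mdz',
    'msc','msi','msp','mst','pcd','reg','scr','sct','shs','url','vb','vbe',
    'vbs','wsc','wsf','wsh','exe','pif',
    'doc','xls','docm','xlsm','pptm'
)

$ruleName = 'Warn on risky attachment extensions'   # placeholder name

# Create the rule in Audit mode first: it is evaluated and logged (visible in
# message trace and the Defender rule reports) but takes no action yet, so you
# can see what it would have caught before anyone's mail is affected.
New-TransportRule -Name $ruleName `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -GenerateNotification 'This message was flagged because it carries a file type often used in phishing. Contact the helpdesk if you were expecting it.' `
    -ExceptIfFrom 'hr-shared@contoso.com' `
    -SetAuditSeverity High `
    -Mode Audit

# Verify what the portal shows under Mail flow > Rules.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, AttachmentExtensionMatchesWords, ExceptIfFrom

# Once the audit results look right, enforce it. To stop delivery instead of
# only notifying the recipient, replace -GenerateNotification with a blocking
# action such as -RejectMessageReasonText '<text>'.
Set-TransportRule -Identity $ruleName -Mode Enforce

Disconnect-ExchangeOnline -Confirm:$false
```

Starting in Audit mode matters because the extension list includes doc and xls; in many organisations those arrive legitimately every day, and the audit log tells you which senders need an exception before the rule begins acting.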
Stop pay raise phishing scams using the DKIM setting
The Cofense Phishing Defense Center recently discovered a new phishing scam targeting Office 365 users. Its objective was to collect the Office 365 account credentials of employees who were expecting a salary rise.
How does it work?
Attackers spoof the “From” address so that the email appears to come from the recipient's HR department. The email carries an embedded link to what it claims is a spreadsheet of employee salary raises, named “salary-increase-sheet-November2019.xls.” The link leads to a fake Microsoft 365 login page, and users are told they must sign in to their Office 365 account to view the spreadsheet. The recipient's email address is pre-populated on the fake login page to make it look more legitimate.
According to the Cofense Phishing Defense Center, “The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.“
Solution:
Step 1: Under the “Apps” section, click “Admin.”
Step 2: Click “Show all.”
Step 3: Under the “Admin centers” section, click “Exchange.”
Step 4: Click “Other features.” DKIM management has been moved to Microsoft Defender; follow the link to its new location.
Step 5: You will be taken to the DKIM tab of the “Email authentication settings” page under “Policies & rules” in Microsoft Defender.
Step 6: Choose the domain to enable DKIM for and switch the “Enable” toggle on.
Note: The page shows two CNAME records (selector1._domainkey and selector2._domainkey under your domain). Publish them at your DNS host or registrar first; enabling fails until they resolve. DKIM only signs the mail your tenant sends, so pair it with SPF and a DMARC policy (p=quarantine or p=reject) so that receiving servers, including your own tenant, can reject messages that forge your domain in the “From” address.
Stop Microsoft Azure custom domain attacks using the DKIM setting
Zscaler ThreatLabZ detected a phishing attack that abused Microsoft Azure custom domains. The attackers hosted their phishing sites on Azure so that the pages were served under TLS certificates issued to Microsoft, which made them look legitimate.
How does it work?
The attackers sent out spam emails telling users that some of their messages had been quarantined. To view them, users were prompted to click a “View Emails” button, which redirected them to a fake Outlook login page hosted on Azure under a Microsoft certificate.
Solution:
Enable DKIM signing for your domain exactly as described in the previous section, and publish SPF and DMARC alongside it, so that messages pretending to come from your own quarantine system can be rejected.
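The DKIM steps in the two sections above (pay raise scam and Azure custom domain attack) can be scripted so that the CNAMEs are checked before signing is switched on, which is the step that usually fails in the portal. This is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that you run it on Windows where Resolve-DnsName is available, and that contoso.com stands in for your own domain.

```powershell
# Added example: enable DKIM signing for a custom domain with Exchange Online
# PowerShell, verifying the published CNAMEs first. "contoso.com" is a placeholder.
Connect-ExchangeOnline

$domain = 'contoso.com'

# Create the signing configuration (still disabled) if the domain has none yet.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false -KeySize 2048 | Out-Null
}

# The two CNAME targets that must be published at your DNS host.
$cfg = Get-DkimSigningConfig -Identity $domain
$expected = @{
    "selector1._domainkey.$domain" = $cfg.Selector1CNAME
    "selector2._domainkey.$domain" = $cfg.Selector2CNAME
}
$expected.GetEnumerator() | ForEach-Object { '{0}  CNAME  {1}' -f $_.Key, $_.Value }

# Enabling fails until the records resolve publicly, so check them first
# (Resolve-DnsName is part of the DnsClient module that ships with Windows).
$missing = foreach ($name in $expected.Keys) {
    $cname = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'CNAME' } |
              Select-Object -First 1).NameHost
    if ($cname -ine $expected[$name]) { $name }
}

if ($missing) {
    Write-Warning "Publish these CNAMEs before enabling DKIM: $($missing -join ', ')"
} else {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Get-DkimSigningConfig -Identity $domain |
        Format-List Domain, Enabled, Status, Selector1CNAME, Selector2CNAME
}

# DKIM only signs outbound mail. For receivers to reject forged mail that
# claims to be from your domain, also publish SPF and a DMARC policy, e.g.
#   _dmarc.contoso.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"
# (placeholder mailbox; start with p=none and review the reports before tightening).

Disconnect-ExchangeOnline -Confirm:$false
```

If Status reports a missing CNAME even though the record is visible in your DNS console, the usual cause is propagation delay or a trailing-dot mismatch in the target; re-run the check rather than retrying the enable in a loop.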
Services & add-ins settings
Stop Google redirect phishing attacks using MFA settings
Bleeping Computer reported a phishing campaign that abused Google search redirect links with percent-encoded destinations to send users to a fake Microsoft Office login page. URL encoding, also known as percent encoding, translates special or unprintable characters into a format that web servers and browsers accept universally. Encoding the destination hides the phishing URL from secure email gateways (SEGs) that block known malicious links.
How does it work?
Researchers at the Cofense Phishing Defense Center found that the phishing emails came from a compromised email account of a well-known American brand and told users that a new invoice was awaiting payment.
On clicking the button, users were shown a Google redirect notice stating that they were being sent to the decoded phishing domain and that they could return to the previous page if they did not want to proceed. “This is enough to fool basic URL and domain checks by perimeter devices, a simple yet effective way for threat actors to ensure delivery of malicious payloads,” adds Cofense. The malicious URL led to a fake Microsoft login page built to collect Office 365 credentials.
Solution: To limit the damage from such attacks, enable Multi-Factor Authentication (MFA) for every user in your tenant. MFA adds a second factor, so stolen credentials alone are not enough to sign in. The per-user MFA page below still works, but Microsoft now recommends enforcing MFA through Security Defaults or Conditional Access and advises against combining per-user MFA with Conditional Access on the same accounts.
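A gateway or SOC script that only looks at the link's visible host will see google.com and pass it; the check has to unwrap the redirect and examine the decoded destination. The following is an added example, not code from the original article or from Cofense; the sample link is constructed for this example, and example-phish.invalid is a reserved, non-routable name standing in for the campaign's real domain.

```powershell
# Added example: unwrap a Google "/url?q=" redirect and report the real destination host.
function Get-RedirectDestination {
    param([Parameter(Mandatory)][string]$Url)

    $uri = [uri]$Url
    # Only Google's redirect endpoint is handled here; anything else is returned as-is.
    if ($uri.Host -notmatch '(^|\.)google\.[a-z.]+$' -or $uri.AbsolutePath -ne '/url') {
        return $uri
    }

    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        if ($name -in 'q', 'url') {
            $target = [uri]::UnescapeDataString($value)
            # Campaigns sometimes encode twice so that a single decode still hides the URL.
            while ($target -match '%[0-9A-Fa-f]{2}') {
                $target = [uri]::UnescapeDataString($target)
            }
            return [uri]$target
        }
    }
    return $uri
}

# Constructed sample: the "View invoice" link as it would appear in the phishing mail.
# Note the double-encoded "@" (%2540) in the pre-filled email parameter.
$link = 'https://www.google.com/url?q=https%3A%2F%2Fexample-phish.invalid%2Fowa%2Flogin%3Femail%3Duser%2540contoso.com&sa=D'

$dest = Get-RedirectDestination -Url $link
"Visible host : $(([uri]$link).Host)"
"Real host    : $($dest.Host)"
"Real path    : $($dest.PathAndQuery)"

# A genuine Microsoft sign-in lands on one of a small set of hosts; anything else
# that imitates an OWA/Office login page is treated as phishing.
$trustedLoginHosts = @('login.microsoftonline.com', 'login.microsoft.com', 'login.live.com')
if ($dest.Host -notin $trustedLoginHosts) {
    Write-Warning "Redirect leads to $($dest.Host), not a Microsoft sign-in host: treat as phishing."
}
```

The same unwrapping applies to other open-redirect patterns; what changes is only the host and parameter name you match on, so keep that list data-driven if you turn this into a gateway rule.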
Step 1: Under the “Apps” section, select “Admin.”
Step 2: Click “Show all.”
Step 3: Under the “Settings” section, select “Org settings.”
Step 4: Click “Multi-factor authentication” in the list.
Step 5: Click “Configure multi-factor authentication.”
Step 6: Select the users (or the group) for whom MFA should be enabled and click “Enable.”
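Before enabling MFA tenant-wide it helps to know who has not registered a second factor yet, and the enforcement itself is better done as a Conditional Access policy rolled out in report-only mode. The following is an added example, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that Security Defaults are turned off (Conditional Access policies cannot be created while they are on), and that BreakGlass-Admins is a placeholder for your emergency-access group.

```powershell
# Added example: audit MFA registration, then create a report-only Conditional
# Access policy that requires MFA for all users (Microsoft Graph PowerShell SDK).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All',
                        'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

# 1. Who is still not registered for MFA? Administrators are listed first,
#    because they are the accounts the admin-portal phishing below goes after.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, MethodsRegistered |
    Format-Table -AutoSize

# 2. Exclude an emergency-access group so a policy mistake cannot lock out every admin.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Admins'"   # placeholder group
if (-not $breakGlass) { throw 'Create the emergency-access group before enforcing MFA.' }

$policy = @{
    displayName = 'Require MFA for all users'
    # Report-only: sign-in logs show what the policy WOULD do, nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }

Disconnect-MgGraph
```

The registration report is the part most people skip: a policy that requires MFA from users who have never registered a method turns the rollout into a helpdesk incident, so drive registration first and enforce second.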
Admin center- security and compliance settings
Cybercriminals use every possible method to trick users into giving out their account credentials, which gives the attacker access to the victim's sensitive data. In this campaign, however, the targets were Microsoft 365 administrators rather than ordinary employees. A compromised admin account gives the attacker control over the organization's domain and every other user account.
How does it work?
“As you can imagine, if an admin falls for this scam and enters their credentials in the page they will be stolen by the attackers. Unless that account has some sort of two-factor authentication enabled on it, the attacker would be able to gain access to the Office 365 admin portal.” – Bleeping Computer.
Solution: Enforce MFA on every administrator account first (see the previous section). Then make sure Exchange Online Protection (EOP) can see where inbound mail really comes from: if mail reaches Exchange Online through a third-party gateway or an on-premises relay, EOP sees only the gateway's IP address, so SPF, DMARC and spoof intelligence are evaluated against the wrong server and forged admin-portal notices pass through. Enhanced Filtering for Connectors tells EOP to skip the gateway's IP and use the true source IP.
Step 1: Under the “Apps” section, select “Admin.”
Step 2: Click “Show all” to view the hidden options.
Step 3: Under the “Admin centers” section, select “Security.”
Step 4: This takes you to Microsoft Defender. In the left panel, expand “Email & collaboration” and select “Policies & rules.”
Step 5: Click “Threat policies” and scroll down to “Enhanced filtering” under “Rules.”
Step 6: Choose the inbound connector to configure.
Note: You need an inbound connector already configured for the gateway; otherwise no connector name is listed here. Only enable this for a connector that actually receives all of your mail via the gateway (your MX record points at it), or EOP will start skipping IPs that are really the sender.
Step 7: Select “Automatically detect and skip the last IP address.”
Step 8: Choose “Apply to entire organization” and click “Save.”
Step 9: Enhanced Filtering is now enabled for that connector.
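The same setting from Exchange Online PowerShell, which also shows the before and after state of the connector. This is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that “Inbound from Gateway” is the name of your existing inbound connector (a placeholder).

```powershell
# Added example: enable Enhanced Filtering for Connectors with Exchange Online PowerShell.
Connect-ExchangeOnline

$connector = 'Inbound from Gateway'   # placeholder: your existing inbound connector name

# Before: EFSkipLastIP $false means EOP treats the gateway's IP as the sender,
# so SPF/DMARC are checked against the gateway rather than the real source.
Get-InboundConnector -Identity $connector |
    Format-List Name, ConnectorType, EFSkipLastIP, EFSkipIPs, EFUsers, EFTestMode

# "Automatically detect and skip the last IP address" = -EFSkipLastIP $true
# "Apply to entire organization"                      = an empty EFUsers list
Set-InboundConnector -Identity $connector -EFSkipLastIP $true -EFUsers $null

# Alternative when the gateway has fixed egress addresses: skip exactly those.
# (192.0.2.x is a documentation-only range used here as a placeholder.)
# Set-InboundConnector -Identity $connector -EFSkipIPs '192.0.2.10','192.0.2.11'

# To trial the change on a few mailboxes first, scope it and enable test mode:
# Set-InboundConnector -Identity $connector -EFSkipLastIP $true `
#     -EFUsers 'pilot1@contoso.com','pilot2@contoso.com' -EFTestMode $true

# After: confirm the setting took effect. Messages routed through the gateway
# should now carry Authentication-Results evaluated against the original sender.
Get-InboundConnector -Identity $connector | Format-List Name, EFSkipLastIP, EFSkipIPs, EFUsers

Disconnect-ExchangeOnline -Confirm:$false
```

After enabling, inspect the headers of a message that came through the gateway: the Authentication-Results and X-Forefront-Antispam-Report headers should reference the original sending server's IP, not the gateway's.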
Outlook security best practices
Using only a VPN can no longer guarantee security for your business; combine it with endpoint protection and the other best practices in this article. According to Dark Reading, there have been cases where malware that entered systems via phishing emails and malicious sites then launched attacks through the compromised user's VPN account. Employees also fall prey to malware disguised as VPN software when they try to set up a VPN on their own to reach business applications from home.
Use SysCloud to automatically back up data from Outlook, OneDrive, People, Calendar, and SharePoint sites.