In this article
  • Microsoft 365 Admin Center Outlook Security Settings to Prevent Phishing Attacks
  • Exchange Admin Center Settings
  • Services & Add-ins Settings
  • Admin Center- Security & Compliance Settings
  • COVid-19-Themed Phishing Attacks
  • Outlook Security best practices

5 Microsoft 365 Admin Center Outlook Settings to Stop Phishing Attacks

24 May 2021
|
15 min read
|
Gabby Maletto
twitterlinkedin
Blog Articles

Article at a glance

Outlook security vulnerabilities can expose organizations to phishing attacks, especially with the rise of remote work.

How do we prevent the attacks?

  • Prevent voicemail phishing by creating mail flow rules to block suspicious attachments like .html files.

Read more

As an IT administrator, have you ever thought about Outlook security vulnerabilities?

Did you know that 1 million companies across the world use Office 365? Of these organizations, the US alone accounts for 600,000. As businesses and institutions are adapting to the new normal of working remotely due to the recent pandemic, Outlook email security vulnerabilities can pose a major challenge for IT administrators.

In fact, the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to deal with COVID-19 cyber security challenges.

Data from an AI endpoint security provider SentinelOne has revealed that there was over a 300% spike in  attempted attacks on user accounts between February 23 and March 16!

Microsoft 365 admin center Outlook security settings to prevent phishing attacks

Here are some common phishing attacks, explained in detail along with Outlook security configurations and best practices to help you shield against such attacks.

Exchange admin center settings

Stop voicemail phishing attacks using mail flow rule setting

In October 2019, security firm McAfee observed a new phishing trend where hackers used fake voicemail messages to trick users into giving out their Office 365 account credentials. The attack was targeted on users ranging from middle management to executive levels working in various industries such as finance, IT, retail, insurance, manufacturing, infrastructure, energy, government, legal, education, healthcare, and transportation.

How does it work?

Hackers send out malicious emails containing Microsoft’s logo to users informing that they have a missed call from a particular phone number.
Here is an example of one such email:

Voicemail Phishing Attacks Using Mail Flow Rule Setting

These emails contain HTML attachments which, when opened, redirects users to a phishing page. This page plays a short audio recording of someone talking which increases the legitimacy of the page. According to a McAfee researcher, “What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link.”

Once the recording is played, users are redirected to a fake Office 365 login page that prompts the users to login to hear the full recording. The email address is pre-populated in this fake login page to increase the credibility of the website. Upon entering the password, users receive a successful login message and are redirected to the original Office 365 login page.
The main objective of this attack is to trick as many users as possible into giving out their account credentials. This eventually will help the cybercriminals in accessing organization-related sensitive information and will increase the possibility of name impersonation attacks, damaging the company’s reputation

Solution:

Microsoft 365 has an in-built option for Outlook security which will inspect email attachments by setting up mail flow rules (known as transport rules). Mail flow rules examine email attachments as a part of security and compliance needs.
If an email attachment is found to be suspicious, the admin can either add a disclaimer to the message, block the message from getting delivered, or notify the sender of the issue – if the admin decides to prevent the message from being delivered.

flow chart of voicemail Phishing Attacks

To filter the emails with .html attachment and add an action item on such emails, follow these steps to create a rule:

Step 1: Under  the “Apps” section, select “Admin.”

The all apps screen in Microsoft 365 with the admin center highlighted

Step 2: Click “show all” to view the hidden options.

The side panel of the admin center page with the "show all" option highlighted

Step 3: Under the “Admin centers” section, select “Exchange.”

The exchange option highlighted in the Microsoft 365 admin center side panel

Step 4: Click “mail flow.

Exchange admin center side panel with the mail flow option highlighted

Step 5: Click on the option rules and create a new rule by clicking the “+ Add a rule” icon and selecting "Create a new rule".

Exchange admin center with the option "Rules" highlighted in the side panel and the "Add a new rule" and "Create new rule" option highlighted.

Step 6: Enter a name for the rule.

Step 7: Under the “Apply this rule if…” section, choose “Any attachment…” and select “file extension includes these words.”

The step one of setting new rule condition

Step 8: Enter the type of file extension (ie., ade) that you want to track/filter and click "Add".

Various potentially harmful extensions added to the rule

Step Click "Save".

The extension 'ade' added to the list is selected with the "Save" button highlighted.

Note: There are many other executable file types you can include based on your requirement:

RECOMMENDED HARMFUL EXTENSIONS TO INCLUDE IN MAIL FLOW RULE TRIGGER

1. Executables: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif

2. Office files that support macros: doc, xls, docm, xlsm, pptm

Step 9: Under “Do the following…” section, choose “Notify the recipient with a message…”

"Notify the recipient with a message" option selected under the section labeled  "Do the following"

Step 10: Add a message (for reference) and click “OK.”

The message "You have been sent a mail that includes macros. Make sure you know it is safe to open." is higlighted

Step 11: If you want to add any exception for the above-defined rule, under the “Except if…” section and click on “add exception.” Skip steps 12–14 if exceptions are not required.

Step 12: Select option “The sender…” and select “is this person” in the next box.

The options "The Sender" and "Is this person" highlighted

Step 13: Choose the “sender” (for whom you want to except the rule) and click “add->.”

The sender "admin@office365my.com" selected and highlighted

Step 14: Click on “Next.”

Clicking on the option "Next" in creating a new rule

Step 15: Apply any rule settings such as severity and start date and click on “Next”, then review and click on "Finish" to create the new rule.

Set new rule settings such as severity and date
Final review page

Step 16: The “Rule” has been successfully created. You can verify this in the “Create rule” section under “Rules.”

The newly created rule shown under the Rules section

Stop pay raise phishing scan using dkim setting

Confense Phishing Defense Centre recently discovered a new phishing scam targeting Office 365 users. The objective of this scam was to collect Office 365 account credentials of employees who were expecting a salary rise.

How does it work?

Cybercriminals send out malicious emails by manipulating the “from address” to trick the recipients into believing that the email came from their HR department. The email came with an embedded link to what it claimed was a spreadsheet detailing employee’s salary raises, named as “salary-increase-sheet-November2019.xls.” This link redirects users to a fake Microsoft 365 login page. In order to view the spreadsheet, users are forced to log in to their Office 365 account. The email id is pre-populated in this fake login page to increase the legitimacy of the website.

Here is how the email looks like:

Pay raise phishing example

According to Confense Phishing Defense Center, “The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.“ 

To prevent such spoofing attacks, admins should configure DKIM (DomainKeys Identified Mail) for their hosted domains. DKIM is a form of email verification that allows an organization to claim responsibility for a message. DKIM is an Outlook security feature that works by adding a digital signature (private key) to the header of an email message. This signature can be verified by a public cryptographic key in the organization’s Domain Name System (DNS) records. Email servers that receive messages from your domain use the public key to decrypt the message header and verify the message source.

How does pay raise phishing work

Step 1: Under the “Apps” section, click “Admin.”

The all apps screen in Microsoft 365 with the admin center highlighted

Step 2: Click “show all.”

The side panel of the admin center page with the "show all" option highlighted

Step 3: Under the “Admin centers” section, click “Exchange.”

The exchange option highlighted in the Microsoft 365 admin center side panel

Step 4: Click “Other features.” (This feature is being moved to Microsoft Defender) and select the DKIM new location to navigate to the Microsoft Defender page.

the Other apps option shown in Exchange Admin Center and DKIM is highlighted

Step 5: You will be taken to the DKIM option in the "Email authentication settings" page under "Policy and rules" in Microsoft Defender.

 The email authentication settings page

Step 6: Choose the domain to enable DKIM for and toggle the “Enable” option.

Enabling DKIM for a domain

Note: Add the displayed “CNAME” records to the domain from the Registrar site to protect the domain against spoofing before you can enable the domain.

Stop Microsoft Azure custom domain attacks using DKIM setting

Zscaler ThreatLabZ detected a phishing attack that used Microsoft Azure custom domains. Cybercriminals hosted their phishing sites with Microsoft SSL certificates in order to make the website appear legitimate.

Custom domain attack example

How does it work?The attackers sent out spam emails, informing users that some of their emails have been quarantined. In order to view the email, users are prompted to click on the “View Emails” button, which redirects them to a fake Outlook login page that attackers had created using Microsoft SSL certificates.

Custom domain attack

Solution:

Configuring DKIM can prevent such attacks.

how does custom domain attack work

How to set up DKIM to stop Azure custom domain attacks

Click here to view.

Services & add-ins settings

Stop Google redirect phishing attacks using MFA settings

Bleeping Computer reported a phishing campaign in which Google search query redirected users to a fake Microsoft Office login page via encoded URLs. URL encoding – also known as percentage encoding – is a mechanism by which unprintable or special characters are translated to a universally-accepted format by web servers or browsers. This allows the cybercriminals to hide the URL of their phishing page from secure email gateways (SEGs) that blocks malicious emails.

How does it work? Researchers at the Cofense Phishing Defense Center found out that the phishing emails came from a compromised email account of a well-known American brand, informing the users about a new invoice awaiting payment.

redirect phishing attack

The “View Invoice” button was embedded with a URL build comprising two parts. The first part of the URL began with “https://google.lv/url?q=”,  notifying the browser to use Google to question a specific URL. The second part of the URL was encoded with basic URL encoding. It replaces ASCII characters with a “%” followed by two hexadecimal digits.

On clicking the button, users were shown a Google redirect notice informing that they were being sent to the decoded phishing domain and that they can return to the previous page if they don’t want to proceed further. “This is enough to fool basic URL and domain checks by perimeter devices, a simple yet effective way for threat actors to ensure delivery of malicious payloads,” adds Cofense. The malicious URL takes the user to a fake Microsoft login page aimed to collect Office 365 credentials.

Solution: In order to prevent such attacks, it is recommended to enable the Multi-Factor Authentication (MFA) in the Outlook security settings for all users in your domain. Enabling MFA will provide an extra layer of security to your user accounts even when their account credentials are compromised.

how does redirect phishing attack work

How can you set up MFA for your domain?

Step 1: Under the “Apps” section, select “Admin.”

The all apps screen in Microsoft 365 with the admin center highlighted

Step 2: Click “Show all.”

The side panel of the admin center page with the "show all" option highlighted

Step 3: Under the “Settings” section, select “Org settings”

Step 4: Click “Multi-factor authentication" from the list.

Org setting page in Microsoft 365 admin center

Step 5: Click “Configure Multi-factor Authentication.”

Configure the multi-factor authentication option highlighted.

Step 6: Select the required group or individual users for enabling the MFA and click “Enable.”

Enabling MFA for selected users

Admin center- security and compliance settings

Cybercriminals use every possible method to trick users into giving out their account credentials. This will allow the attacker to access the victim’s sensitive data. However, in  this type of phishing attack, it has been identified that instead of targeting employees, cybercriminals were focusing on Microsoft 365 administrators. Gaining access to an admin account will allow attackers to gain control over the Organization’s domain and all other user accounts.

Security and compliance center settings

How does it work?

The attack begins by sending out fake Office 365 alerts to domain administrators, addressing time-sensitive issues like expired licenses or Outlook security issues like unauthorized access alerts.

Fake admin alerts example

Clicking on these links redirects the user to a fake Microsoft 365 login page. This page is hosted on windows.net domain on Azure and is secured using a certificate from Microsoft. These factors add to the credibility of the alerts received and will prompt the users to enter their account credentials.

As you can imagine, if an admin falls for this scam and enters their credentials in the page they will be stolen by the attackers. Unless that account has some sort of two-factor authentication enabled on it, the attacker would be able to gain access to the Office 365 admin portal.” – Bleeping Computer.

Other than enabling MFA, Microsoft 365 also suggests admins to configure the “Enhanced Filtering” option in the Outlook security settings. Enhanced Filtering allows you to filter emails based on their actual source of messages. For advanced protection, businesses using Business Premium, E1, and E3 subscriptions can also choose ATP (Advanced Threat Protection) Safe Links add-on. This Outlook security add-on scans and automatically blocks all malicious links from being accessed by the users.
 How to set up enhanced filtering setting for your domain?

Step 1: Under the “Apps” section, select “Admin.”

The all apps screen in Microsoft 365 with the admin center highlighted

Step 2: Click “show all” to view the hidden options.

The side panel of the admin center page with the "show all" option highlighted

Step 3: Under the “Admin centers” section, select “Security.”

Security option under admin centers

Step 4: This will take you to Microsoft Defender. On the left panel, expand the “Email & Collaboration” option and select “Policy & rules”

Policy and rules option on the left navigation panel of Microsoft Defender

Step 5: Click on "Threat policies" and scroll down to select the “Enhanced Filtering” option under "Rules".

Enhanced filtering option under threat policies highlighted

Step 6: Choose the Connector for configuration.

Note: You need to have a connector configured. Otherwise, you will not see the connector name to click on.

Stop phishing attacks

Step 7: Select “Automatically detect and skip the last IP address.”

IP addresses to skip

Step 8: Choose “Apply to entire organization” and click “Save.”

enable settings

Step 9: “Enhanced Filtering” will be enabled.

Connector

In addition to changing these Outlook security settings, you can also follow the best practices listed below to strengthen your network for remote work.

Outlook security best practices

Whenever you access the internet, make sure that you turn on VPN – A VPN would provide a secure connection through an encrypted tunnel that keeps your data safe whenever you use the internet.

Using only a VPN can no longer guarantee security for your business. You need to combine it with antivirus software and other security best practices. According to Dark Reading, there have been instances where the malware that gained entry into systems – via phishing emails and malicious sites – had launched attacks via the compromised user’s  VPN account. Employees sometimes fall prey to malware (advertised as a VPN software) when they try to set up a VPN on their own to access business applications from home.

Ask employees to use only the organization-provided laptop/system for work. If they use a personal laptop, then ensure that antivirus and VPN are installed on the machine.
Restrict the users from downloading and installing applications without the admin’s permission. Monitor the applications for suspicious activity.
Protect your computer from cyberattacks by using an antivirus to scan attachments and prevent unauthorized access to your system and/or data and also protect against harmful malware installations.
Back up critical data regularly to avoid loss of data due to accidental deletions or ransomware attacks.

Use SysCloud to automatically back up data from OutlookOneDrive, People, Calendar, and SharePoint sites.

In this article
  • Microsoft 365 Admin Center Outlook Security Settings to Prevent Phishing Attacks
  • Exchange Admin Center Settings
  • Services & Add-ins Settings
  • Admin Center- Security & Compliance Settings
  • COVid-19-Themed Phishing Attacks
  • Outlook Security best practices
twitterlinkedin