Microsoft 365 Admin Center Outlook Security Settings to Prevent Phishing Attacks

Admin Center- Security & Compliance Settings

Protect Your Cloud Data, Now!

Outlook security vulnerabilities can expose organizations to phishing attacks, especially with the rise of remote work. 

Prevent voicemail phishing by creating mail flow rules to block suspicious attachments like .html files.

Protect against Google redirect phishing by enabling Multi-Factor Authentication (MFA) for all users.

Secure admin accounts by configuring Enhanced Filtering and using ATP Safe Links to block malicious links in emails.

Implement Outlook security best practices such as using VPNs, restricting app installations, using antivirus software, and backing up critical data.

SysCloud offers automated backup solutions for Outlook, OneDrive, and other Microsoft 365 apps, ensuring your data is secure and recoverable in case of phishing attacks or data loss.

As an IT administrator, have you ever thought about Outlook security vulnerabilities?

Did you know that 1 million companies across the world use Office 365? Of these organizations, the US alone accounts for 600,000. As businesses and institutions are adapting to the new normal of working remotely due to the recent pandemic, Outlook email security vulnerabilities can pose a major challenge for IT administrators.

In fact, the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to deal with COVID-19 cyber security challenges.

Data from an AI endpoint security provider SentinelOne has revealed that there was over a 300% spike in  attempted attacks on user accounts between February 23 and March 16!

Here are some common phishing attacks, explained in detail along with Outlook security configurations and best practices to help you shield against such attacks.

In October 2019, security firm McAfee observed a new phishing trend where hackers used fake voicemail messages to trick users into giving out their Office 365 account credentials. The attack was targeted on users ranging from middle management to executive levels working in various industries such as finance, IT, retail, insurance, manufacturing, infrastructure, energy, government, legal, education, healthcare, and transportation.

Hackers send out malicious emails containing Microsoft’s logo to users informing that they have a missed call from a particular phone number.

These emails contain HTML attachments which, when opened, redirects users to a phishing page. This page plays a short audio recording of someone talking which increases the legitimacy of the page. According to a McAfee researcher, “What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link.”

Once the recording is played, users are redirected to a fake Office 365 login page that prompts the users to login to hear the full recording. The email address is pre-populated in this fake login page to increase the credibility of the website. Upon entering the password, users receive a successful login message and are redirected to the original Office 365 login page.

The main objective of this attack is to trick as many users as possible into giving out their account credentials. This eventually will help the cybercriminals in accessing organization-related sensitive information and will increase the possibility of name impersonation attacks, damaging the company’s reputation

Microsoft 365 has an in-built option for Outlook security which will inspect email attachments by setting up mail flow rules (known as transport rules). Mail flow rules examine email attachments as a part of security and compliance needs.

If an email attachment is found to be suspicious, the admin can either add a disclaimer to the message, block the message from getting delivered, or notify the sender of the issue – if the admin decides to prevent the message from being delivered.

To filter the emails with .html attachment and add an action item on such emails, follow these steps to create a rule:

Step 1: Under  the “Apps” section, select “Admin.”

Step 2: Click “show all” to view the hidden options.

Step 3: Under the “Admin centers” section, select “Exchange.”

Step 5: Click on the option rules and create a new rule by clicking the “+ Add a rule” icon and selecting "Create a new rule". 

Step 7: Under the “Apply this rule if…” section, choose “Any attachment…” and select “file extension includes these words.”

Step 8: Enter the type of file extension (ie., ade) that you want to track/filter and click "Add".

Note: There are many other executable file types you can include based on your requirement:

RECOMMENDED HARMFUL EXTENSIONS TO INCLUDE IN MAIL FLOW RULE TRIGGER

1. Executables: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif

2. Office files that support macros: doc, xls, docm, xlsm, pptm

Step 9: Under “Do the following…” section, choose “Notify the recipient with a message…”

Step 10: Add a message (for reference) and click “OK.”

Step 11: If you want to add any exception for the above-defined rule, under the “Except if…” section and click on “add exception.” Skip steps 12–14 if exceptions are not required.

Step 12: Select option “The sender…” and select  “is this person” in the next box.

Step 13: Choose the “sender” (for whom you want to except the rule) and click “add->.”

Step 15: Apply any rule settings such as severity and start date and click on “Next”, then review and click on "Finish" to create the new rule. 

Step 16: The “Rule” has been successfully created. You can verify this in the “Create rule” section under “Rules.”

Confense Phishing Defense Centre recently discovered a new phishing scam targeting Office 365 users. The objective of this scam was to collect Office 365 account credentials of employees who were expecting a salary rise.

Cybercriminals send out malicious emails by manipulating the “from address” to trick the recipients into believing that the email came from their HR department. The email came with an embedded link to what it claimed was a spreadsheet detailing employee’s salary raises, named as “salary-increase-sheet-November2019.xls.” This link redirects users to a fake Microsoft 365 login page. In order to view the spreadsheet, users are forced to log in to their Office 365 account. The email id is pre-populated in this fake login page to increase the legitimacy of the website.

According to Confense Phishing Defense Center, “The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.“ 

To prevent such spoofing attacks, admins should configure DKIM (DomainKeys Identified Mail) for their hosted domains. DKIM is a form of email verification that allows an organization to claim responsibility for a message. DKIM is an Outlook security feature that works by adding a digital signature (private key) to the header of an email message. This signature can be verified by a public cryptographic key in the organization’s Domain Name System (DNS) records. Email servers that receive messages from your domain use the public key to decrypt the message header and verify the message source.

Step 1: Under the “Apps” section, click “Admin.”

Step 3: Under the “Admin centers” section, click “Exchange.”

Step 4: Click “Other features.” (This feature is being moved to Microsoft Defender) and select the DKIM new location to navigate to the Microsoft Defender page.

Step 5: You will be taken to the DKIM option in the "Email authentication settings" page under "Policy and rules" in Microsoft Defender. 

Step 6: Choose the domain to enable DKIM for and toggle the “Enable” option.

Note: Add the displayed “CNAME” records to the domain from the Registrar site to protect the domain against spoofing before you can enable the domain.

Zscaler ThreatLabZ detected a phishing attack that used Microsoft Azure custom domains. Cybercriminals hosted their phishing sites with Microsoft SSL certificates in order to make the website appear legitimate.

How does it work?The attackers sent out spam emails, informing users that some of their emails have been quarantined. In order to view the email, users are prompted to click on the “View Emails” button, which redirects them to a fake Outlook login page that attackers had created using Microsoft SSL certificates.

Configuring DKIM can prevent such attacks.

How to set up DKIM to stop Azure custom domain attacks

<a href="/outlook-security#dkim" rel="nofollow">Click here</a> to view.


Bleeping Computer reported a phishing campaign in which Google search query redirected users to a fake Microsoft Office login page via encoded URLs. URL encoding – also known as percentage encoding – is a mechanism by which unprintable or special characters are translated to a universally-accepted format by web servers or browsers. This allows the cybercriminals to hide the URL of their phishing page from secure email gateways (SEGs) that blocks malicious emails.

How does it work? Researchers at the Cofense Phishing Defense Center found out that the phishing emails came from a compromised email account of a well-known American brand, informing the users about a new invoice awaiting payment.

The “View Invoice” button was embedded with a URL build comprising two parts. The first part of the URL began with “https://google.lv/url?q=”,  notifying the browser to use Google to question a specific URL. The second part of the URL was encoded with basic URL encoding. It replaces ASCII characters with a “%” followed by two hexadecimal digits.

On clicking the button, users were shown a Google redirect notice informing that they were being sent to the decoded phishing domain and that they can return to the previous page if they don’t want to proceed further. “This is enough to fool basic URL and domain checks by perimeter devices, a simple yet effective way for threat actors to ensure delivery of malicious payloads,” adds Cofense. The malicious URL takes the user to a fake Microsoft login page aimed to collect Office 365 credentials.

Solution: In order to prevent such attacks, it is recommended to enable the Multi-Factor Authentication (MFA) in the Outlook security settings for all users in your domain. Enabling MFA will provide an extra layer of security to your user accounts even when their account credentials are compromised.

Step 1: Under the “Apps” section, select “Admin.”

Step 3: Under the “Settings” section, select “Org settings” 

Step 4: Click “Multi-factor authentication" from the list.

Step 5: Click “Configure Multi-factor Authentication.”

Step 6: Select the required group or individual users for enabling the MFA and click “Enable.”

Cybercriminals use every possible method to trick users into giving out their account credentials. This will allow the attacker to access the victim’s sensitive data. However, in  this type of phishing attack, it has been identified that instead of targeting employees, cybercriminals were focusing on Microsoft 365 administrators. Gaining access to an admin account will allow attackers to gain control over the Organization’s domain and all other user accounts.

The attack begins by sending out fake Office 365 alerts to domain administrators, addressing time-sensitive issues like expired licenses or Outlook security issues like unauthorized access alerts.

Clicking on these links redirects the user to a fake Microsoft 365 login page. This page is hosted on windows.net domain on Azure and is secured using a certificate from Microsoft. These factors add to the credibility of the alerts received and will prompt the users to enter their account credentials.

“As you can imagine, if an admin falls for this scam and enters their credentials in the page they will be stolen by the attackers. Unless that account has some sort of two-factor authentication enabled on it, the attacker would be able to gain access to the Office 365 admin portal.” – Bleeping Computer.

Other than enabling MFA, Microsoft 365 also suggests admins to configure the “Enhanced Filtering” option in the Outlook security settings. Enhanced Filtering allows you to filter emails based on their actual source of messages. For advanced protection, businesses using Business Premium, E1, and E3 subscriptions can also choose ATP (Advanced Threat Protection) Safe Links add-on. This Outlook security add-on scans and automatically blocks all malicious links from being accessed by the users.

 How to set up enhanced filtering setting for your domain?

Step 3: Under the “Admin centers” section, select “Security.”

Actionable insights, best practices and tips for IT admins to protect SaaS data.

Explore SaaS 
data protection center

Get expert insights on SaaS data and security

5 Microsoft 365 Admin Center Outlook Settings to Stop Phishing Attacks

I acknowledge cookies need to be deleted from my browser to remove tracking.

Ensure complete tracking removal by deleting cookies from your browser. Click here to learn how.

These cookies are set through our site by a range of third-party social media services that we have added to the site to enable you to share our content with your friends and networks. These cookies are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies, you may not be able to use or see the social media sharing tools.

These cookies are necessary for the website to function and allow us to count visits and traffic sources so we can measure and improve the performance of our site. The cookies may be set by us or third-party providers in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. All information these cookies collect is aggregated and therefore anonymous.

This website uses cookies. We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.Learn more about how we process personal data in our  Privacy Policy.

These cookies are set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They are based on uniquely identifying your browser and internet device. If you disable these cookies, you will experience fewer or no targeted advertising. You may still see advertisements.

A Complete Guide to Google Drive Backup

Gmail Backup: How to Backup Gmail Emails for Business (Step-By-Step Guide)

What Is Google Vault? How Is It Different from Backup?

12 Reasons Why You Need Google Workspace Backup

How to Back Up Outlook Emails: A Step-by-Step Guide

An Admin’s Guide to SharePoint Online Backup

10 Critical Reasons to Backup Microsoft 365 Data Immediately!

How to Backup OneDrive for Business: A Complete Guide for Admins

How to Backup Outlook Emails: A Complete Guide (with screenshots)

Microsoft Teams Recovery Wizard

Gmail Recovery Wizard

Google Classroom Recovery Wizard

Google Sites Recovery Wizard

OneDrive Recovery Wizard

SharePoint Recovery Wizard

How to Prevent Cyberbullying in Schools: Strategies, Tips, & Best Practices

Mental Health in Schools – The Ultimate Guide for School Administrators

How to Recover Deleted Emails from Gmail for Business

How to Recover Permanently Deleted Files from Google Drive for Business

How to Recover Deleted Gmail Account – A Complete Guide

How to Recover Permanently Deleted Files from OneDrive for Business

How to Recover Deleted SharePoint Files in Microsoft Office 365?

How to Recover Deleted Outlook Emails in Microsoft 365?

SaaS Backup Buying Guide

How to Transfer Your Google Drive Files to Another Account

Shared Drive for the Confused – Google Drive vs. Shared (Team) Drives

A Complete Guide to Google Organizational Units

How to Use Google Takeout for Business: A Complete Guide

How to Delete a Google and Gmail Account

How to Import MBOX into Gmail: A Step-By-Step Guide

Demystifying Google Drive Document Sharing

Google Vault: The Ultimate Guide for IT Administrators (Updated)

Google G Suite Primary Domain Change Migration Guide

Admin's Guide to Using OneDrive Shared Folder and Files

A Complete Guide to Azure AD Administrative Units

Why do IT Admins Prefer SysCloud for SaaS Backup?

FERPA Compliance: A Complete Guide for Educational Institutions

Ransomware Recovery Guide: How to Recover from a Ransomware Attack

Gmail Security Settings: Strengthen Gmail Security against Phishing and Ransomware

Insider Threats : A Guide to Your Cloud Apps Security

The State of G Suite Third-Party App Security – 2018 Report

14 Types of Phishing Attacks That IT Administrators Should Watch For

16 Top Brands That Scammers Target for Brand Impersonation Attack

How to Prevent a Phishing Attack? 17 Easy Hacks for Administrators

Google Drive Security : 3 Ways to Guarantee Safety

How Compliance to PCI Can Be Achieved in Google G Suite

SOX Compliance in Google Apps

Top 3 Critical Security Mistakes When Configuring a Google Apps Domain

Remote work distance learning due to COVID-19 has led to a huge spike in cyberattacks. Configure Outlook security settings to shield your IT network now!

An in-depth article on how admins can configure Outlook security settings to shield your IT network now.

5 Microsoft 365 Admin Center Outlook Settings to Stop Phishing Attacks

Microsoft 365 admin center Outlook security settings to prevent phishing attacks

Exchange admin center settings

Stop voicemail phishing attacks using mail flow rule setting

Stop pay raise phishing scan using dkim setting

Stop Microsoft Azure custom domain attacks using DKIM setting

Services & add-ins settings

Stop Google redirect phishing attacks using MFA settings

Admin center- security and compliance settings

Outlook security best practices